w-a-r-m-inventory-system / food-pantry-inventory Goto Github PK

Shelby was alerted to a vulnerability in PyYAML (by GitHub) which was just added to the requirements file. The alert text (summarized):

Known high severity security vulnerability detected in pyyaml <4.2b1 defined in requirements.txt.
... update suggested: pyyaml ~> 4.2b1.

My analysis:

In this case the vulnerability comes about if we use PyYAML to process raw data coming in from the Internet. The existing version of this library (the one we are referencing) has this vulnerability. Since we are not (yet) contemplating using YAML as a data format, we know that it is not a problem for us. We do need to keep this in mind which means that we should prefer JSON or XML as a data format. If we want to use YAML as a data format, we will need to update the PyYAML library to a safe version (e.g. 5.1)

There is more information about this vulnerability at yaml/pyyaml#207.

Scan a QR code and present the appropriate screen.

See T9 in the Outstanding Tasks document located in the /docs/source directory.

Need description of how this is to work. Label as enhancement and milestone 1

"author = 'Travis Risner'
project = "WordTrekSolver"
creation_date = "04/01/2019""

I think this is left in from a past project.

Probably a temporary placeholder, I just wanted to practice making an issue and set a reminder.

When the profile was changed from holding an active location to holding an active pallet record id, the manual menu an some other manual screens are not broken (Throw exceptions, etc.). They need to be brought into alignment with the new thinking.

Isolate all box updating to one class. This will include methods for the following actions:

• add_box - will add a new Box record to the db with appropriate number and box type.

• fill_box - will fill an existing box with product, location, and expiration date.

• move_box - will change the location of a filled box.

• consume_box - will empty a box, e.g. clear product, location, and expiration date information.

Note: these methods will also ensure that the appropriate activity records are written.

This issue does not specify at this time how to handle errors. Details of these method calls and how errors are handled must be documented before this issue can be closed.

With a logged out session, clicking a link to a page that requires a logged in user gives DisallowedRedirect error instead of loading the login screen

The Action class was an attempt to maintain the state of what the user is trying to do across the multiple tabs caused when using external scanning app.

To make the project more accessible, the documentation should be published somewhere so a newcomer can read it without needing to clone the repo, install dependencies, etc...

Read The Docs (RTD) is a good place that hosts Python open source projects for free and handles the doc builds and publishing of different versions all on their own infrastructure. They host the HTML version and also make available PDF and EPUB versions.

We can stop building it ourselves in Github Actions and offload that to RTD.

ManualMenuView (path /fpiweb/manualmenu/) fails if the current user doesn't have an associated Profile record.

Provide a way to manage both individual boxes and pallets of boxes (Checkin, move, checkout) without having to have a camera to enter the box numbers.

• Currently the QR checkin screen allows one to enter the box number without scanning.

If all other QR screens are similarly configured, this additional code may not be needed at all.

Attached is the results of Mike's initial testing. When you address any of these issues, please create a separate issue for it so it can be assigned to you.
QWebPageCheck.pdf

The test suite is currently failing due to an invalid template variable:

Failed: Undefined template variable 'box.location.loc_row.loc_row' in
 '.../Food-Pantry-Inventory/fpiweb/templates/fpiweb/manual_move_box.html'

We've been aware of this test failure for a while, just documenting it here.

Reduce duplication of data. Allow potential of creating a location w/out row,bin,tier (i.e. "pallet assembly location A", "In the broom closet", etc).

Getting following error and traceback:

WARNING: autodoc: failed to import module 'views' from module 'fpiweb'; the following exception was raised:

Traceback (most recent call last):
File "/Volumes/MBPC/Dvl/Python/PythonProjects/Food-Pantry-Inventory/venv/lib/python3.7/site-packages/sphinx/ext/autodoc/importer.py", line 232, in import_module
import(modname)
File "/Volumes/MBPC/Dvl/Python/PythonProjects/Food-Pantry-Inventory/fpiweb/views.py", line 6, in
from django.contrib.auth.mixins import LoginRequiredMixin
File "/Volumes/MBPC/Dvl/Python/PythonProjects/Food-Pantry-Inventory/venv/lib/python3.7/site-packages/django/contrib/auth/mixins.py", line 3, in
from django.contrib.auth.views import redirect_to_login
File "/Volumes/MBPC/Dvl/Python/PythonProjects/Food-Pantry-Inventory/venv/lib/python3.7/site-packages/django/contrib/auth/views.py", line 10, in
from django.contrib.auth.forms import (
File "/Volumes/MBPC/Dvl/Python/PythonProjects/Food-Pantry-Inventory/venv/lib/python3.7/site-packages/django/contrib/auth/forms.py", line 10, in
from django.contrib.auth.models import User
File "/Volumes/MBPC/Dvl/Python/PythonProjects/Food-Pantry-Inventory/venv/lib/python3.7/site-packages/django/contrib/auth/models.py", line 3, in
from django.contrib.contenttypes.models import ContentType
File "/Volumes/MBPC/Dvl/Python/PythonProjects/Food-Pantry-Inventory/venv/lib/python3.7/site-packages/django/contrib/contenttypes/models.py", line 133, in
class ContentType(models.Model):
File "/Volumes/MBPC/Dvl/Python/PythonProjects/Food-Pantry-Inventory/venv/lib/python3.7/site-packages/django/db/models/base.py", line 111, in new
"INSTALLED_APPS." % (module, name)

RuntimeError: Model class django.contrib.contenttypes.models.ContentType doesn't declare an explicit app_label and isn't in an application in INSTALLED_APPS.

To clarify what options a move box operation should permit:

• Adding or moving an individual box to a location should be straightforward.
• If starting a pallet at a location that already has boxes, it would be nice to pre-populate the pallet with the existing boxes, if any.
• If moving an existing pallet is effectively merging two pallets, it would be nice to notify the user how many boxes are already there.
• If more than 40 boxes will be in the new location, perhaps an informational message can be displayed to that effect. However, no limit will be enforced.

Currently if a user is missing a profile record, we get a dump whenever it goes to a page that looks for the user's title. The login view should create a profile record with a default title of "User" so the rest of the site does not need to test for the profile record.

There is already code in fpiweb/support/BoxActivity.py to create new Activity records or modify existing Activity records based on the action a box it taking. However, it is not hooked into the box management code. These hooks need to be added and. tested.

Some of the names of variables, etc. need to be changed now so they are Pep8 compliant. It will only be worse if we wait until later to do this. Since this is my fault, I will fix it now. (Travis)

The project now displays logging messages to the console. Unfortunately, the messages we want to see are drowned out by all the filewatcher messages. We need to add a filter to the logging settings in settings.py to strip those messages from the console.

Add more comments about what the project does, how it plans to accomplish it, sample screen shots, etc. The goal is to provide a first-time visitor with a what they can expect to accomplish with this project.

Perhaps comments about how it could be extended to be used for other food pantries would be helpful.

We need to add a program to print a sheet of QR codes on Avery llabels (or equivalent). More documentation will be added in the next few days.

We may want to consider printing to a dedicated label printer such as a Dymo printer.

Recently we added a new table - product_examples. We need screens to list/add/change/delete the entries in this table. Each entry is associated with exactly one product.

More documentation about this table will be added in the next few days.

Improve the flow to the startup documentation so it is either all in the README.md or linked directly so that someone does not need to visit the wiki and then dig in the docs to find out how to set up their copy of the project.

Add the ability to move a (presumably filled) box from one location to another. Details are given in the Outstanding Tasks document located in the ./docs/source directory.

• Replace "Back to test_scan page" with a link back to /fpiweb/ homepage.
• Display User's current pallet record. And update box.pallet.
• In the confirmation page add a link back to the homepage.
• If box is full prompt user with option to empty or cancel scan

A Dockerfile needs to be made to build an image of the Inventory system so that it can be ran locally in a container. This ultimately might be expanded later to having the app and its components in containers.

An administrative user should be able to select a menu pick and dump the full Activity table to the local computer as a CSV file.

Our requirements.txt specifies wrapt==1.12.0 but the library that needs it specifies 1.11.*

sphinx-autoapi==1.2.1
  - astroid [required: Any, installed: 2.3.3]
    - lazy-object-proxy [required: ==1.4.*, installed: 1.4.3]
    - six [required: ~=1.12, installed: 1.14.0]
    - wrapt [required: ==1.11.*, installed: 1.11.2]

pip throws an error but continues. pipenv fails to install

• Activity records currently have a field for recording the date and time a box was filled and when it it consumed or emptied. In the interest of making it easier for the end user who will be manipulating this information in a spreadsheet, only the date needs to be recorded in the Activity record.

• Activity records only have the descriptions for various fields recorded in them. They do not have foreign keys back to the master tables such as product or location. This is so that if the master tables are updated, the original (historical) values will be kept in Activity.

• Currently, Activity records have separate row, bin, and tier fields. This is so the end user can use them to sort and/or filter the records in additional ways in the spreadsheet. If they are replaced with a single location field, then it will require a SQL statement to export the data in the desired format. Currently, additional options such as PostgreSQL or Django manage commands can be used.

Build screens to list, add, change, and delete box types.

• Include requirement that the user must be logged in before these screens can be used.
• Add link to index page to get to the list screen.

Node this pair of lines. The code is trying to access self.activity.date_consumed right after setting self.activity to None

                self.activity = None
                logger.debug(f'Act Box Fill: Activity box consumed: '
                      f'{self.activity.date_consumed}')

The .PUML's under DevDocs only shows text explanations of what happens with Git in PyCharm. From what I understand, they should be diagrams?

Need screens to list, add, change, and delete product categories.

• Include requirement that the user must be logged in to use these screens.
• Include link on index page to get to the list screen.

You ain't going to need it. There's ways of getting at the meta data of field. Validation against max length of field happens automatically. I think there's somewhere we're referencing one of the variables for help_text somewhere, but we can probably pull help_text from field data if needed so we might want to revisit the decision to create variables for the help_text values.

The current version of the QR label print program does not provide an easy API to be used by a web-based call or a GUI standalone program. It needs to be reworked so that a simple call can be made to get back the SVG XML. Perhaps it should also be able to provide a png on request.

Here's a couple of things we might want to document:

How to clone your fork onto your computer
git clone https://github.com/USERNAMEFood-Pantry-Inventory.git

How to add the main w-a-r-m-inventory-system/Food-Pantry-Inventory repository on your computer so you can pull changes from the main repo into your fork.
git remote add upstream https://github.com/w-a-r-m-inventory-system/Food-Pantry-Inventory.git

This script just changes directory to the docs directory, runs Sphinx and returns to the root directory. The Windows version of this script needs to run the make.bat file in the docs subdirectory. This does not require the make program to be installed. This could be written as a powershell script or as a simple dos batch script.

Using the CLI version as a base, write a GUI front end to it.

• Give it options to connect to the FPI database so it can tell which box numbers to skip.
• Provide options and defaults for all the CLI choices.
• Use PyInstaller or equivalent to allow it to run independently on Windows or Mac.

This should be written after the initial release of FPI.

Build screens to list, add, change, and delete products.

• Include requirement that the user must be logged in to use these screens.
• Add link to index page to get to the list screen.

Tests are throwing 'QuerySet' object has no attribute 'get_latest_by' on current dev branch

======================================================================
ERROR: test_box_consume (Food-Pantry-Inventory.fpiweb.tests.test_support_activity.ActivitySupportTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/jallman112/PycharmProjects/Food-Pantry-Inventory/fpiweb/tests/test_support_activity.py", line 151, in test_box_consume
    ba.box_empty(empty_box.id)
  File "/home/jallman112/PycharmProjects/Food-Pantry-Inventory/fpiweb/support/BoxActivity.py", line 163, in box_empty
    self.activity = Activity.objects.filter(
AttributeError: 'QuerySet' object has no attribute 'get_latest_by'

----------------------------------------------------------------------

Build screens that will allow one to list all constraints, and add, change, or delete a constraint.

1. Enter "Move from" location using row, bin, and tier <select> elements. Upon submit display form with errors if the location doesn't exist or there are no boxes at that location.
2. If the "Move from" location exists and has boxes display row, bin, and tier <select> elements to select the "Move to" Location. This page will also list the boxes at the "Move from" location. Upon submit display form with errors if the "Move to" location doesn't exist
3. If there are boxes at the "Move to" location let the user know that and give them an option go back and select another location or continue. (continuing is merging pallets and that's ok)
4. Generic "N boxes moved from A to B" message.
5. Use BoxManagementClass.pallet_finish to update the database.

When any page using base.html template loads you'll notice requests going to urls outside our app (Content Delivery Network) sites. Change template to have it load file from our static directory. This may require adding JQuery ... min.js files to the project.

Please assign to @jocassid

When using a QR code to scan a box, the product and expiration date will default to whatever the previous box contained -- including the beginning and ending months. That is valid behavior. The product and expiration date can be adjusted as needed. However, if the previous box had a non-zero start and end month, the start and end month for this box cannot be set back to zero.

• When a Box record is created. Set the Box.quantity to the value specified by Box type.
• Remove the Quantity field from the screens (field is left in place for future reference).
• Copy quantity value from Box to Activity record when Box is empty (Dependency on #67).