Changelog

4.0.1 (2026-02-03)

  • Fix wrong migration that enables Matrix IDs for existing events

  • Enable captchas for newsletter subscriptions and password resets by default, in case the configuration is not in helfertool.yaml

See below at version 4.0.0 for all changes in the 4.0.x release.

4.0.0 (2026-02-02)

  • Breaking changes

    • Removed Corona tracing app

    • Enforce additional parameter in validation links that prevents guessing (added since 3.0.0)

  • Security fixes

    • Fix wrong permission checks in badge views

    • Add build timeout for badge PDFs

    • Show warning about debug mode and weak secret keys on “Check installation” page

    • Escape og:description meta property correctly

  • Changes in helfertool.yaml:

    • Removed: language -> country

    • Removed: authentication -> oidc -> provider -> thirdparty_domain (not required anymore, SameSite attribute of session cookie is always Lax now)

    • New: authentication -> oidc -> provider -> username_claim

    • New: badges -> build_timeout

    • New: automation (and config below)

  • Add password reset via mail for local users

  • New users can be added without directly setting a password - the password is then set via password reset

  • Add automated reminder mails for event archival (disabled by default)

  • Add option to ask for Matrix ID during registration

  • When using OpenID Connect, the claim used for the username can be configured now (setting: username_claim)

  • When using OpenID Connect, the logout according to the “OpenID Connect RP-Initiated Logout 1.0” standard is supported now (Keycloak and Entra ID for example support that)

  • Fix performance issue on main page with list of events

  • Improve some redirects after saving a shift or job and setting the presence of helpers

  • Update of dependencies (Django, Debian 13 for container, …) and replaced CKEditor

Thanks to the participants of the practical course “Web Application Security” at TUM for analyzing the tool and providing their results:

  • Michael Vynogradov

  • Bernhard Schmalhofer

  • Lukas Tröger

  • Martin Halfen

  • Xaver Holzapfel

  • Pablo Marin Ogalla

  • Michael Schmidmaier

3.3.1 (2025-06-03)

  • Security update for django-select2 library

3.3.0 (2025-03-16)

  • Users who can add accounts can now read the list of all accounts

  • Add captchas for newsletter registration and event registration (two configuration options, disabled by default)

  • Add more shirt sizes (not enabled by default)

  • Add configuration option for requested OpenID Connect scopes (scopes option)

  • Add configuration option to disable multi-language mode (singlelanguage option)

  • Add configuration option for LDAP user search instead of direct bind (user_search_base and user_search_filter options)

  • Fix broken paginations for audit log and user account list

  • Enable extended result logging of Celery tasks in Django database (more details about failed tasks)

  • Updates of dependencies

3.2.3 (2024-04-09)

  • Security update for Pillow library

3.2.2 (2023-10-07)

  • Security update for Pillow library

  • Increase upload limit for nginx in container

3.2.1 (2023-10-01)

  • Fix validation links (UUID handling)

3.2.0 (2023-09-30)

  • Updates of dependencies (Django 4.2, Celery 5, Debian Bookworm for container, …)

  • Fix bug in e-mail handling during authentication with OpenID Connect

  • Minor UI fixes

3.1.2 (2022-10-29)

  • Fix bug in badge creation when number of columns is not 2

3.1.1 (2022-09-03)

  • Fixes for updated python libraries

  • Pin python libraries in requirements.txt files

3.1.0 (2022-07-25)

  • Important bug fix: moving an event sets date of all events to same day

  • Improved mail tracking: show delivery errors for events and newsletter

  • Language chooser for resending of confirmation mail

3.0.0 (2022-06-09)

Have a look at the migration guide before the update.

  • Breaking change: New container that requires different Docker parameters to run

    • Container is built with Podman now, but Docker still can be used to run it

    • helfertoolctl still uses Docker and can run old and new containers

  • Different roles for job admins: access to mobile phone numbers can be forbidden

  • Additional text field with important notes for jobs that is always displayed during registration

  • Users and their permissions for events can be merged by admins

  • Validation links in mail contain additional parameter to prevent guessing of the link (not enforced yet, will be enforced in future release)

  • Bug fix: Allow whitespaces as alternative badge texts to overwrite generated values

  • Bug fix: Add pdflatex parameter to prevent waiting for missing files

  • Bug fix: Handle DNS errors in mail connection tests on “Check installation” page

  • For development: pre-commit and black are used now

2.2.1 (2022-01-06)

1.2.4 (2022-01-06)

2.2.0 (2021-11-29)

  • Implement logout at OpenID Connect provider

  • Add configuration option for periodical OpenID Connect token validation

  • Fix bug: Crop error message from undelivered mails if too long

2.1.3 (2021-11-13)

  • Add “2G plus” COVID-19 regulation

  • COVID-19 contact tracing information can be changed after registration (if enabled)

  • Duplication detection is not based on case-insensitive mail address comparison

  • Fix bug: Mixed columns in table of helpers

  • Fix bug: Restrict image upload to supported file types (JPG and PNG)

  • Fix bug: Event duplication also copies data of disabled features

  • Fix bug: Crop error message from undelivered mails if too long

2.1.2 (2021-10-10)

  • Add “3G plus” COVID-19 regulation

2.1.1 (2021-10-06)

  • Fix crash in event duplication if some features are disabled

2.1.0 (2021-10-02)

  • Add feature to collect addresses for COVID-19 contact tracing

2.0.1 (2021-08-28)

  • Fixed crash in edit/create event view

2.0.0 (2021-08-14)

Have a look at the migration guide before the update.

  • Breaking change: e-mail validation after registration cannot be disabled anymore (see next item)

  • Breaking change: Double opt-in for newsletter subscription

    • Subscription without event registration: separate e-mail

    • Subscription during event registration: link in confirmation mail (therefore, it cannot be disabled anymore)

    • New setting for text that is displayed on subscribe page

  • Breaking change: Improved access control for media files

    • Uploaded files are now separated into public and private files

    • One-time migration after update via management command necessary

  • New fully responsive web design and inclusive language (German)

  • More detailed nutrition options and views (no preference, vegetarian, vegan, other)

  • Add configuration option to set SameSite attribute to Lax, which is necessary if OpenID Connect provider is hosted on other domain (oidc > provider > thirdparty_domain)

  • Add form to delete users

  • Default account lockout limit is increased to 5

  • Bug fix: mail receiving now handles missing To and From headers

  • Bug fix: status of IMAP connection now displayed on status page

  • Bug fix: certain shifts were displayed on wrong day due to timezone bug

  • Bug fix: administrators who were configured via the admin interface can access the Django admin interface now

  • Bug fix: block certain event URL names that collide with other URLs (like subscribe)

  • Updated HTTP security and caching headers (Only relevant if you do not use the Docker container. In this case, check the diffs in the nginx config)

1.2.3 (2021-05-13)

  • Fix bug in event handler for failed logins (event was not created successfully)

1.2.2 (2021-05-11)

  • Update chart.js due to CVE-2020-7746 (but no risk for Helfertool)

1.2.1 (2021-01-12)

  • Fixed bug in event permission system (crash due to typo)

1.2.0 (2021-01-10)

  • Helfertool features like badges can be disabled globally (see here)

  • Introduce special badges which are not associated with helpers and numbered serially, for example: Police 1, Police 2, etc.

  • Badge barcode numbers start at 1000 (for existing events, there will be a gap of 1000 in the numbers)

  • Shifts can be printed on badges (a list of all shifts is generated, there are different format options)

  • When merging duplicated helpers, selected helpers can be ignored and kept as duplicates

  • T-Shirt statistics are kept when event is archived (only total numbers, not per job)

  • Admin view for past events which are not archived added

  • Audit log for events is stored in database and can be viewed in web interface (can be disabled, see here)

  • Removed X-Real-IP header from “Check installation” page as it is not used and added remote IP instead.

  • Set HttpOnly and Secure flags for language cookie (was already set for session and CSRF cookies)

  • Updated example nginx config (enabled TLS1.3, updated X- headers)

1.1.0 (2020-08-15)

  • Overlapping shifts are greyed out and disabled on registration page

  • Different admin roles for events are available (see here)

  • Presence of helpers can be set automatically when shift starts (i.e. present if not noted otherwise)

  • Presence of helpers integrates better with helper gifts

  • Prerequisites for helpers can be managed (for example attendance at a training)

  • Internal comment field for helpers added

  • Events can be moved to other date (which updates all shift dates)

  • Added list of vacant shifts per day

  • Hide old events on main page after some years (can be changed in configuration)

  • Similarity based search for names (PostgreSQL only, see installation)

  • OpenID Connect claims can be matched using JMESPath

  • Add management command exampledata to add a test event during development

  • Bug fix: wrong day set when duplicating shifts starting at 0:00

  • Bug fix: inventory settings were not copied when duplicating an event

  • Bug fix: handle OpenID Connect like LDAP on user account pages

  • Bug fix: management command for statistics crashed if no archived helpers exist

1.0.2 (2020-06-13)

  • Updated jQuery

1.0.1 (2020-05-31)

  • OpenID Connect: Allow usage of id_token for claim validation

1.0.0 (2020-04-04)

  • First release with version numbers

  • Release “1.0” does not mean anything special, but we have to start counting somewhere.