Rc/v5.4.0 #594
Merged
evilguy4000 merged 10 commits into main from Apr 25, 2026
Create the auto-provisioned demo user with legacy role "user" and the RBAC user role so public demos cannot reach settings or the PDF layout editor. On startup, downgrade an existing demo user that still has admin or super_admin roles left over from older releases. Document behavior in docs/deploy/RENDER.md and README.md.
…ates Add render_sandboxed_string() using SandboxedEnvironment so stored invoice and quote HTML, ReportLab text templates, admin PDF previews, and invoice email HTML are not evaluated with Flask's full template globals (mitigating SSTI). Add regression tests for sandbox behavior and demo user permissions.
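An illustration of the sandboxing this commit message describes, added here and not taken from the pull request or the project. The body of `render_sandboxed_string()`, the `StrictUndefined` setting, the `classify()` and `render_unsandboxed()` helpers and the sample templates are all assumptions made for the example.

```python
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment

# Hypothetical stand-in for the helper named in the commit message; the
# project's real render_sandboxed_string() is not shown on this page.
# Assumption: StrictUndefined, so a blocked or unknown name fails loudly
# instead of rendering as an empty string.
_SANDBOX = SandboxedEnvironment(undefined=StrictUndefined)


def render_sandboxed_string(source, **context):
    """Render stored template text with only the caller-supplied context."""
    return _SANDBOX.from_string(source).render(**context)


def render_unsandboxed(source, **context):
    """Plain Jinja2 environment, kept only as the 'before' for comparison."""
    return Environment().from_string(source).render(**context)


def classify(source, **context):
    """Return 'ok', 'blocked' (sandbox violation) or 'undefined' (name not supplied)."""
    try:
        render_sandboxed_string(source, **context)
    except SecurityError:
        return "blocked"
    except UndefinedError:
        return "undefined"
    return "ok"


# Constructed sample data, not taken from the project.
CONTEXT = {"invoice": {"number": "INV-0042"}, "client": "ACME Ltd"}
STORED_TEMPLATES = {
    "normal": "Invoice {{ invoice.number }} for {{ client }}",
    # Flask injects `config` into its own templates; the sandbox never sees it.
    "flask_global": "{{ config }}",
    # Underscore-prefixed attributes are how templates reach Python internals.
    "internals": "{{ invoice.__class__ }}",
}

if __name__ == "__main__":
    for label, source in STORED_TEMPLATES.items():
        print(f"{label:13} -> {classify(source, **CONTEXT)}")
    print("unsandboxed  ->", render_unsandboxed(STORED_TEMPLATES["internals"], **CONTEXT))
```

With Jinja2's default `Undefined`, the blocked attribute would render as an empty string rather than raise, which is why the example opts into `StrictUndefined`.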
Client portal: add min-w-0, break-words, and flex gap/shrink utilities on the projects grid cards so long project names no longer force horizontal overflow and clip against the viewport edge.
Desktop: add app and tray icons, adjust Electron main process (window, tray, lifecycle), renderer connection and API client updates, build script and package metadata, and regenerate the bundled renderer script.
Allow the desktop renderer to authenticate through the app login endpoint and call API routes from its packaged origin without weakening non-API responses.
Move the desktop app onto a Vite-powered React shell with username/password setup, diagnostics, themed core views, offline sync queueing, and tighter Electron runtime boundaries.
Keep the new React renderer sources as regular tracked files so packaging changes do not include accidental executable bits.
❌ CI Test Results
Overall Status: 2 test suite(s) failed
Test Results: 0/7 passed
Test Suites:
Commit: df04bbf
Run desktop packaging workflows on Node 24 and load Vite through an ESM config so macOS, Linux, and Windows builds use a runtime compatible with Vite 7.
fix(desktop): use modern Node for Vite builds
Description
Brief description of the change and why it's needed.
Type of change
Checklist
pytest).
Related issues
Fixes # (issue number, if applicable)
See CONTRIBUTING.md and CHANGELOG.md for guidelines.