Release v2.17.0 #8362
Update develop after v2.16.3
This ensures that requests coming from tus-js-client have the same defaults as the ones coming from the rest of the UI. In particular, this ensures that TUS requests include the `X-CSRFTOKEN` header. Currently, this doesn't matter much, because TUS requests are authenticated using the token. However, I'd like to get rid of token authentication in the UI, after which `X-CSRFTOKEN` will become important.
Wait until the canvas is ready to paint points

### Motivation and context

![Single object annotation mode -- Tests basic features of single shape annotation mode -- Check basic single shape annotation pipeline for rectangle -- after each hook resetAfterTestCase (failed)](https://github.com/user-attachments/assets/74e039e4-4be4-434b-8f7b-fa702e744158)

### How has this been tested?

### Checklist

- [x] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [x] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern.
Currently, this shouldn't have any visible effect, because the UI uses token authentication alongside session cookies, and the tokens last indefinitely. However, I'd like to end this practice and rely solely on session cookies. When that's implemented, the user will get logged out as soon as the session cookie expires, or the server-side session data expires (which should happen at the same time). This will irritate users if it happens too often (or worse, in the middle of their work). Therefore, we should prolong a session as long as it is used.
* Merge these into one class. These classes clearly deal with the same concept, so it doesn't make sense to divide the logic into two classes.
* Turn `build` into an instance method (`render`). That way, the validation logic can be reused between it and the `RQId` constructor. Adjust the fields so that the first three fields can be specified as positional arguments.
* Make the class frozen (I don't see a compelling case to mutate it).
* Change string fields into corresponding enums. This reduces the amount of hardcoded string literals everywhere. Note that I had to move the enums into the `models` module to avoid a circular import.
* Rename `resource` to `target`, because that's the name of the enum and the corresponding field in the API.
Updated: backend python packages golang image frontend nginx base image
### Motivation and context

Resolved #8257

The problem is in the hashing system we use to save the opened tab. It clutters the history and we can't really go back using it. There are two ways to improve that. We either save the actual link to go back somewhere in our application or pass it as a state when moving to analytics page `history.push(/analytics, { from: somewhere})`. From my perspective the first way is more elegant.

TODO:

- [x] Analytics page
- [x] Check Guide page

### How has this been tested?

### Checklist

- [x] I submit my changes into the `develop` branch
- [x] I have created a changelog fragment
- ~~[ ] I have updated the documentation accordingly~~
- ~~[ ] I have added tests to cover my changes~~
- [x] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [x] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern.

## Summary by CodeRabbit

- **New Features**
  - Enhanced navigation functionality with a configurable back link for the AnalyticsPage component.
  - Introduced a dynamic back navigation experience across analytics routes.
  - Improved the GoBackButton component to accept custom back links.
- **Bug Fixes**
  - Fixed navigation flow issues by ensuring the previous pathname is accurately stored and used.
- **Documentation**
  - Updated documentation to reflect changes in component props and improved navigation logic.
### Motivation and context

Tests for #8095, and for the problem with the simultaneous job exports crash

### How has this been tested?

### Checklist

- [x] I submit my changes into the `develop` branch
- ~~[ ] I have created a changelog fragment~~
- ~~[ ] I have updated the documentation accordingly~~
- [x] I have added tests to cover my changes
- ~~[ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))~~
- ~~[ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))~~

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern.

## Summary by CodeRabbit

- **New Features**
  - Introduced an extensive suite of automated end-to-end tests for the Requests page, enhancing verification of task creation, requests handling, and export processes.
  - Updated the `downloadExport` command to accept a configuration object, allowing users to control notification verification during tests.
- **Bug Fixes**
  - Improved error handling for task creation with invalid configurations, ensuring proper feedback is provided to users.
- **Tests**
  - Expanded testing coverage to ensure the robustness and reliability of the Requests page functionalities.
- This commit adds a step to the CVAT development setup guide for users working with WSL (Windows Subsystem for Linux). The added instruction guides users to install the VS Code extension for WSL, ensuring that Visual Studio Code opens correctly inside the WSL environment.
- This change addresses an issue where users might encounter a 'DEBUG STOPPED' error if the extension is not installed, improving the overall setup experience.
- Related to issue #8313.

### Motivation and context

### How has this been tested?

### Checklist

- [x] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment
- [x] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [x] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [x] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern.

## Summary by CodeRabbit

- **Documentation**
  - Added instructions for installing a Visual Studio Code extension for WSL to improve the development environment setup.

---------

Co-authored-by: Andrey Zhavoronkov <andrey@cvat.ai>
…ort API (#8216)

This PR fixes the following issues:

- [export API v1] do not reinitialize dataset export process when downloading a result file if a resource (project|task|job) has been updated since the first initialized export request
- [export API v1] return `rq_id` for all requests with 202 status code (not only for initialization requests)
- [requests API] Fixed filtering by format && added resource to allowed filters

REST API tests updates:

- Added tests to check requests filtration using simple filters
- Added tests to check specific requests retrieving
- Updated all tests that export project|task|job datasets|annotations|backups:
  - to test both API versions (including API mixing)
  - to use only appropriate resources by checking the default export location
- Added fixtures to filter projects/tasks assets
- Updated default target|source buckets to `import/export` bucket to exclude the same bucket usage as a data source in several tests (when bucket content is used as task data) and as a bucket for results

## Summary by CodeRabbit

- **New Features**
  - Enhanced job handling for exports, improving error management and job state tracking.
  - Introduced a new `resource` field in the request handling system to improve data categorization.
  - Added new filtering capabilities for API queries, allowing users to filter by the `resource` field.
- **Bug Fixes**
  - Improved status checks and handling for job requests.
  - Introduced exception handling for forbidden access during project backup attempts.
- **Tests**
  - Refactored test suites to improve coverage and ensure compatibility across versions with new methods and exception handling.
  - New tests added to validate request handling functionality.

---------

Co-authored-by: Maxim Zhiltsov <zhiltsov.max35@gmail.com>
There are several problems with this feature:

1. To use it, you have to put the user's token in the URL. This token lasts forever (unless the user explicitly logs out), so it is nearly as sensitive as the user's password. Embedding such sensitive information in the URL is problematic, because URLs are saved in the browser history, dumped to server logs and displayed on the screen, none of which are secure locations. A user could also accidentally share a URL with an embedded token.

2. If an attacker can get a user to follow a malicious link, they could forcibly log that user into the attacker's account (AKA "login CSRF"). This by itself is just a nuisance, but the attacker could potentially use this to trick the victim into, for example, uploading confidential data to the attacker's account.

3. By design, it requires the use of token authentication, whose drawbacks I have explained in #8289.

In fairness, when originally implemented, this feature set the session cookie rather than the token, but this cannot work if the user is already logged in, as the `sessionid` cookie is marked `HTTPOnly` and cannot be overridden by JavaScript. So the only way for this feature to work in all circumstances is to set the token.

Generally, the use cases of this feature are better served by single sign-on protocols, which don't suffer from these drawbacks.
Currently, the UI authenticates with the server using two parallel methods:

* A cookie set by the `/api/auth/login` endpoint.
* A token returned by the same endpoint.

This is redundant and confusing, and also causes several usability & security issues:

* If a user creates 2 or more concurrent sessions (e.g. logs in on two computers), and then logs out of one of them, it will effectively log them out of all other sessions too. This happens because:

  1. The same token is shared between all sessions.
  2. Logging out destroys the token in the DB.
  3. The server tries to authenticate the browser using the token first, so if a browser presents a token that's no longer present in the DB, the server responds with a 401 (even if the cookie is still valid).

* When a user changes their password, Django invalidates all of that user's other sessions... except that doesn't work, because the user's token remains valid. This is bad, because if an attacker steals a user's password and logs in, the most obvious recourse (changing the password) will not work - the attacker will stay logged in.

* Sessions effectively last forever, because, while Django's session data expires after `SESSION_COOKIE_AGE`, the token never expires.

* The token is stored in local storage, so it could be stolen in an XSS attack. The session cookie is not susceptible to this, because it's marked `HttpOnly`.

The common theme in all these problems is the token, so by ceasing to use it we can fix them all.

Note that this patch does not remove the server-side token creation & authentication logic, or remove the token from the output of the `/api/auth/login` endpoint. This is because that would break the `Client.login` method in the SDK. However, I believe that in the future we should get rid of the whole "generate token on login" logic, and let users create API tokens explicitly if (and only if) they wish to use the SDK.
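Added example (not part of the commit message and not CVAT or Django code): a small in-memory model of the behaviour described above, comparing cookie plus shared token against cookie only. `Server`, its methods, the `scenario` helper and the two-week `SESSION_COOKIE_AGE` value are assumptions made for the illustration.

```python
"""Toy model of the two UI authentication schemes compared in the commit message.

Added illustration: Server, login(), authenticate() etc. are hypothetical names,
not CVAT or Django code. Time is passed in explicitly, in seconds.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

SESSION_COOKIE_AGE = 14 * 24 * 3600  # constructed value: two weeks, in seconds


@dataclass
class Server:
    use_token: bool  # True: cookie + shared token (old UI); False: cookie only
    passwords: dict[str, str] = field(default_factory=dict)
    tokens: dict[str, str] = field(default_factory=dict)  # user -> one token
    sessions: dict[str, tuple[str, float]] = field(default_factory=dict)  # sid -> (user, expiry)

    def login(self, user: str, password: str, now: float = 0.0) -> dict[str, str]:
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, now + SESSION_COOKIE_AGE)
        creds = {"sessionid": sid}
        if self.use_token:
            # Every login of the same user receives the same token.
            creds["token"] = self.tokens.setdefault(user, secrets.token_hex(20))
        return creds

    def authenticate(self, creds: dict[str, str], now: float = 0.0) -> int:
        """Return the HTTP status a request carrying `creds` would get."""
        if self.use_token and "token" in creds:
            # The token is tried first; an unknown token is a 401 and the cookie
            # is never consulted. A known token has no expiry at all.
            return 200 if creds["token"] in self.tokens.values() else 401
        session = self.sessions.get(creds.get("sessionid", ""))
        return 200 if session and now < session[1] else 401

    def logout(self, creds: dict[str, str]) -> None:
        user, _ = self.sessions.pop(creds["sessionid"])
        if self.use_token:
            self.tokens.pop(user, None)  # destroys the token all sessions share

    def change_password(self, creds: dict[str, str], new_password: str) -> None:
        current = creds["sessionid"]
        user, _ = self.sessions[current]
        self.passwords[user] = new_password
        # Simplified stand-in for Django dropping the user's other sessions.
        self.sessions = {sid: s for sid, s in self.sessions.items()
                         if s[0] != user or sid == current}


def scenario(use_token: bool) -> dict[str, int]:
    """Status seen by a second browser after each event, each on a fresh server."""
    def two_logins():
        srv = Server(use_token, passwords={"alice": "old-pw"})
        return srv, srv.login("alice", "old-pw"), srv.login("alice", "old-pw")

    out = {}
    srv, laptop, desktop = two_logins()
    srv.logout(desktop)
    out["other_session_after_logout"] = srv.authenticate(laptop)

    srv, laptop, desktop = two_logins()
    srv.change_password(laptop, "new-pw")
    out["other_session_after_password_change"] = srv.authenticate(desktop)

    srv, laptop, _ = two_logins()
    out["idle_past_cookie_age"] = srv.authenticate(laptop, now=SESSION_COOKIE_AGE + 1)
    return out


if __name__ == "__main__":
    for mode in (True, False):
        print("cookie+token" if mode else "cookie only", scenario(mode))
```

With the token in play, the other browser is rejected after a logout elsewhere but stays accepted after a password change and after the session lifetime has passed; with the cookie alone, all three outcomes flip.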
It's easier to read the logs this way, plus we already do that in the full/nightly workflows.
### Motivation and context

- Added `max_validations_per_job`, `target_metric`, `target_metric_threshold` fields in quality settings
- Added `assignee_last_updated` in quality reports
- Added separate `accuracy`, `precision`, and `recall` fields in quality summary
- Refactored some IAM code

### How has this been tested?

### Checklist

- [ ] I submit my changes into the `develop` branch
- [ ] I have created a changelog fragment
- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] I have linked related issues (see [GitHub docs](https://help.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword))
- [ ] I have increased versions of npm packages if it is necessary ([cvat-canvas](https://github.com/cvat-ai/cvat/tree/develop/cvat-canvas#versioning), [cvat-core](https://github.com/cvat-ai/cvat/tree/develop/cvat-core#versioning), [cvat-data](https://github.com/cvat-ai/cvat/tree/develop/cvat-data#versioning) and [cvat-ui](https://github.com/cvat-ai/cvat/tree/develop/cvat-ui#versioning))

### License

- [ ] I submit _my code changes_ under the same [MIT License](https://github.com/cvat-ai/cvat/blob/develop/LICENSE) that covers the project. Feel free to contact the maintainers if that's a concern.

## Summary by CodeRabbit

- **New Features**
  - Enhanced permission handling for jobs, tasks, and projects, streamlining the creation process.
  - Introduced new quality control metrics and settings, enabling more granular tracking and reporting.
- **Bug Fixes**
  - Improved validation logic to enforce constraints on job validation attempts.
- **Documentation**
  - Added descriptive help texts for new fields in quality report serializers, clarifying their purpose.
- **Chores**
  - Updated method signatures to improve flexibility and maintainability across permission handling and reporting functionalities.
## Summary by CodeRabbit

- **New Features**
  - Introduced support for YOLOv8 formats, enhancing object detection capabilities.
  - Added new export and import functions for YOLOv8 formats within the dataset manager.
  - Expanded documentation to cover YOLOv8 format specifications and export processes.
- **Bug Fixes**
  - Improved handling of various YOLOv8 annotation formats to ensure accurate processing.
- **Tests**
  - Enhanced test coverage for YOLOv8 formats in both dataset export/import and REST API functionalities.
- **Documentation**
  - Updated existing links in the YOLO format documentation for clarity.
  - Added new documentation detailing YOLOv8 formats and their export processes.

Co-authored-by: Roman Donchenko <roman@cvat.ai>
…API (#8331)

* Define an RQ ID format for auto-annotation jobs, and make use of it.
* Add a `function_id` field to `RequestSerializer`, so that the general request API can expose the same information as the lambda request API. (In truth, the lambda request API also exposes the "threshold" field, but the UI doesn't use it, and I don't see the point in having it.)

Note that this doesn't actually _enable_ the general request API for auto-annotation requests. This is because a similar patch needs to first be applied to the Enterprise version, otherwise requests for Roboflow/Hugging Face jobs will be invisible.
Mainly to get the fix for jazzband/django-silk#688.
### Added

- Added support for YOLOv8 formats (YOLOv8 support #8240)
- Last assignee update date in quality reports, new options in quality settings (Job validations (public part) #8321)

### Changed

- User sessions now expire after two weeks of inactivity (Stop using token authentication in the UI #8289)
- A user changing their password will now invalidate all of their sessions except for the current one (Stop using token authentication in the UI #8289)

### Deprecated

- `upload:annotations`, `lock:object`, `change:attribute`, `change:label` (Clear some client-side events collected by analytics #8304)

### Removed

- Client event `restore:job` (Clear some client-side events collected by analytics #8304)
- Removed the `/auth/login-with-token` page (Remove the undocumented login-with-token page #8336)

### Fixed

- Go back button behavior on analytics page (Fixed "Back" button redirection #8277)
- Logging out of one session will no longer log the user out of all their other sessions (Stop using token authentication in the UI #8289)
- Prevent export process from restarting when downloading a result file, that resulted in downloading a file with new request ID (Add REST API tests for /requests API && test both versions of the export API #8216)
- Race condition occurred while handling parallel export requests (Add REST API tests for /requests API && test both versions of the export API #8216)
- Requests filtering using format and target filters (Add REST API tests for /requests API && test both versions of the export API #8216)
- Sometimes it is not possible to switch workspace because active control broken after trying to create a tag with a shortcut (Fixed `undefined` active control #8334)