Southlondonmakerspace Membership System Versions

This is a membership management system; it's chiefly a database of member data for legal purposes, setting up subscription payments, managing access control permissions, logging events, and interfacing with Discourse permissions.

2.6.1.sunset

4 years ago

Membership System Version 2.6.1.sunset 🌇

Well, this has been a saga.

South London Makerspace is migrating to a new membership system, based on WordPress/WooCommerce. Benefits include PCI compliance, regular security updates and (expensive) support. The new system also incorporates tool control - a feature that SLMS members have been waiting a very long time for.

OK, but why didn't we try to just improve this membership system to do all of those things? Well ... the reason is mostly over-zealous information security.

South London Makerspace assigned the role of looking after all systems to one person. That person did not trust anyone else to look at or touch any system that was running in production. They also didn't trust the process of updating the software to work correctly, and therefore did not allow any updates to be performed on the system either.

This left us, the developers of the membership system, in a difficult position - users were reporting bugs, we were fixing them, and applying security updates to dependencies, adding new functionality that the users wanted and indeed needed - but had absolutely no ability to make them live.

Even without touching the live system, even testing it became difficult. We were forced to use a somewhat inexplicable "data drier" to test against data from the live system with the personal information removed (which, as you might expect, is close to useless in terms of actually validating functionality).

The most ironic thing is that, in the name of security, no security updates were performed on the live system for almost 2 years. Sometimes, you can go infosec so hard you end up coming right back around the other side...

As you may imagine, this caused the developers to become rather disenfranchised, as we were spending our volunteered time delivering functionality that never saw the light of day. So we all buggered off to do something less futile with our time - whilst the rest of the makerspace moaned about various bugs we had already addressed, and features we had already built.

There were also concerns about legislatory compliance including GDPR and PCI. We absolutely worked towards improving GDPR related features (the system is compliant from a software point of view, it entirely depends on how it's been configured and deployed) - but there are features that would make life easier for administrators (like the self-service personal data exporter). There is no need for this membership system to be PCI compliant as it never receives, stores or forwards any payment card or bank account details (GoCardless handles all sensitive payment data - that is in fact half the point of using their service :) ).

With all the developers gone, SLMS had to figure out what to do next. They got something off the shelf which mostly does what they need, with a little fettling. Now we have to figure out how to port the data from this system to that one.

After that, there's no point in us doing any more work on this - so this will be the last release.

tl;dr: if you want to kill a perfectly good open source project, prevent the developers from ever releasing the software they're working on :)

Release Notes

Without further ado, here are the things to expect in this release:

New Features

  • A CSV data exporter for super-admins to export member and permission data in CSV format
  • Numerous fixes in templates
  • Numerous security fixes
  • A new more granular internal permissions structure for API key capabilities
  • A hidden page which unambiguously checks to see if you're a member
  • Improved logging when running behind a reverse-proxy
  • Improved logging of the mailer code
  • Logging enhancements to many apps, #272 #273 #275
  • IP and anonymised and non-anonymised user details captured in log messages #276
  • #277 Logging now usable in areas outside the express app
  • /profile app has been separated into subapps to make it easier to maintain
  • Docker Development environment now includes a Mailcatcher image exposed on localhost:1080, making it easier to test functionality which sends emails

Fixes

  • #203 Progressed update of dependencies, Postcodes.io client now up to date, required some changes #301
  • Postcodes.io has a different API, which led to some issues #312
  • #253 Minor CSS tweaks
  • #248 Error block slightly offset in status page
  • #236 Fixed issue where in the Items options page, if you create an item without a default state it will fail, but report success
  • #233 If the discourse server is unavailable, the app will crash if a user navigates to /profile/discourse

Known Issues

  • #203 Some dependencies require updating
  • #182 Items API requires exception handling

🚨 UPGRADING NOTE 🚨

When upgrading from a previous version, you will NEED to go through each existing API key that has been issued and assign capabilities to them. By default, all keys created in previous versions will have no permissions!
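
An added example (not code from this project) of what the default-deny behaviour in the upgrade note means in practice, with an audit that lists the keys still needing capabilities assigned. The key record shape, the capability names and the helper functions are assumptions made for illustration.

```javascript
// Added example: default-deny capability checks for API keys.
// Record shape and capability names are assumptions, not the project's schema.
const KNOWN_CAPABILITIES = new Set(['members:read', 'permissions:read', 'events:write']);

// Constructed sample data: two keys issued before the upgrade, one after.
const sampleKeys = [
  { name: 'door-controller', issued: '2017-03-01' },                     // legacy: no field at all
  { name: 'stats-dashboard', issued: '2017-09-12', capabilities: null }, // legacy: empty value
  { name: 'event-logger', issued: '2019-05-20', capabilities: ['events:write', 'admin:*'] },
];

// Reduce whatever is stored to the set of capabilities that are recognised.
function grantedCapabilities(record) {
  const stored = Array.isArray(record.capabilities) ? record.capabilities : [];
  return new Set(stored.filter((c) => KNOWN_CAPABILITIES.has(c)));
}

// Default deny: a key is allowed only what is explicitly and validly listed.
function hasCapability(record, capability) {
  return KNOWN_CAPABILITIES.has(capability) && grantedCapabilities(record).has(capability);
}

// Upgrade audit: which keys will stop working, and which carry unrecognised entries.
function auditKeys(records) {
  const report = { needsAssignment: [], unknownEntries: {} };
  for (const record of records) {
    const stored = Array.isArray(record.capabilities) ? record.capabilities : [];
    if (grantedCapabilities(record).size === 0) report.needsAssignment.push(record.name);
    const unknown = stored.filter((c) => !KNOWN_CAPABILITIES.has(c));
    if (unknown.length > 0) report.unknownEntries[record.name] = unknown;
  }
  return report;
}

console.log(auditKeys(sampleKeys));
```

Running an audit like this before the upgrade shows which integrations will lose access until an administrator assigns capabilities to their keys.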

2.6.0

6 years ago

Membership System Version 2.6.0

Release Notes

The main headline of this release is the implementation of a membership cap, required by South London Makerspace. This feature enables a threshold number of users with the member permission to trigger the disabling of new subscriptions - effectively preventing users from becoming members.

New Features

  • #234 Prevent new members from signing up if the number of current active users goes over a set threshold, in order to implement a membership cap.
  • #238 Added Dockerfile and docker-compose.yml for testing with Docker.
  • #195 Creating logs using bunyan, optionally shipping to syslog
  • #244 Members can now see if other members have a tag associated with their account, to enable them to help each other getting set up.
  • #246 Adds to the profile page a section showing how much a member pays per visit to the space
  • #247 Options are now read from the database every page load - this allows options to be changed outside of the process (e.g. by the gocardless webhook) and have an effect
  • #177 #178 A new tool which collects Gocardless subscription amounts and adds them to the member collection.

Fixes

  • #224 Issue where inactive users having a password reset got stuck in a redirect loop
  • #229 Issue where it was sometimes possible to register with the same email address twice
  • #237 Issue where in the admin interface, a templating error caused the active direct debit symbol to be activated when discourse was linked.
  • #228 Address a major issue which did not apply restrictions to subscription amount as expected

Known Issues

  • #236 In the Items options page, if you create an item without a default state it will fail, but report success
  • #233 If the discourse server is unavailable, the app will crash if a user navigates to /profile/discourse
  • #248 Error block slightly offset in status page

2.5.1

6 years ago

2.5.0

6 years ago

2.3.2

6 years ago

2.3.1

6 years ago

2.3.0

6 years ago

2.2.7

6 years ago

2.2.6

7 years ago

2.2.5

7 years ago