Changelog
2.8.0 “Drupa” (2024-10-02)
Open Forms 2.8.0 is a feature release.
“Drupa” is an establishment close to the offices of the Open Forms development team. They have provided us with the necessary caffeinated beverages and occasional snack, and thus indirectly and unknowingly powered the development of Open Forms 😉.
—☕
Upgrade notes
There are no manual actions required - all upgrades and migrations are automatic.
Note
The UX rework in the ZGW APIs registration plugin is not entirely finished yet. The Objects API integration in particular can be a bit confusing since it’s not possible yet to select which Objects API should be used. The plugin now uses the API group that’s listed first in the admin interface (Admin > Miscellaneous > Objects API Groups).
Major features
📧 Email verification
We added an additional (optional) layer of robustness for (confirmation) email delivery and provide stronger guarantees about ownership of an email address.
You can now require email verification on email fields. Users submitting the form receive a verification code on the provided email address, which they must enter to confirm that it is indeed their email address. Forms with unverified email addresses fail to submit and display useful error messages to the user.
📜 Introduction page
You can now define an optional introduction page that is shown before the users starts the form submission. This is the ideal place to inform the users of the required documents, what the procedure looks like or how long it typically takes to fill out the form, for example.
🚸 User experience (UX) improvements
With Open Forms, we have every ambition to make work easier for form designers. When setting up the registration plugins that process the form submissions especially we knew we could make substantial improvements. For the Objects API’s and ZGW API’s plugins, we have reduced the need to copy-and-paste “magic” hyperlinks and aim to remove this need entirely in the future.
For the ZGW API’s, this even means you don’t have to worry anymore of updating the configuration when you publish a new version of a “zaaktype” - the right version will now automatically be selected.
Detailed changes
This contains the changes from the alpha, beta and fixes applied between the beta and stable version.
New features
[#4267, #4567, #4577] Improved the UX of the Objects API registration options:
Configuration is now in a modal and changes in configuration require an explicit confirmation, meaning you can now explore more without potentially breaking the configuration.
Upgraded the API group, object type and object type version dropdowns with search functionality.
Configuration fields are now logically grouped. Optional settings are shown in a collapsed group to declutter the UI.
You can now select a catalogue from a dropdown (with search functionality) that contains the document types to use.
API groups (admin): you can now specify a catalogue and the descriptions of document types to use rather than entering the API URL to a specific version.
These UX and configuration improvements are still work-in-progress, more will become available in next releases and we will also rework the ZGW API registration options.
[#4051] Added a better JSON-editor in a number of places, bringing them up to parity with the editor in the form builder:
Editing JSON logic triggers.
Editing JSON logic variable assignment expressions.
Editing service fetch mapping expressions.
Viewing the JSON-definition of logic rules and/or actions.
[#4555] Improved the UX of pre-fill configuration on the variables tab:
There is now a single summary column for the prefill configuration, instead of three separate columns.
Improved the wording/language used to differentiate between authorizee/authorised roles.
Editing the configuration is now done in a separate modal.
[#4456] The admin interface now clearly displays which environment you are on. You can disable displaying this information, and you can change the text and colors to easily differentiate between acceptance/production environments.
[#4488] The submisson report PDF now no longer opens in a new tab/window, the browser is forced to download it.
[#4432] Improved robustness in form designer interface when crashes occur because of external systems.
[#4442] Improved certificate handling and DigiD/eHerkenning via SAML configuration:
You can now upload password-protected private keys.
You can now configure multiple certificates for DigiD/eHerkenning. The “next” certificate will be included in the generated metadata so you can seamlessly transition when your old certificate is about to expire.
The metadata files are now forced as download to prevent formatting and copy/paste errors.
You can now configure some django-log-outgoing-requests settings with environment variables.
[#4575] You can now configure the
SENDFILE_BACKEND
with an environment variable.[#4577] We improved the user experience when configuring the Objects API registration plugin. Copy-pasting URLs is being phased out - you can now select the relevant configurations in dropdowns.
[#4606] Improved the user experience of the ZGW APIs registration plugin. We’re making this consistent with the Objects API. More improvements will be done in the future.
[#4542] Email components now support optional verification - when enabled, users must verify their email address before they can continue submitting the form.
[#4582] The SAML metadata for the DigiD/eHerkenning identity providers is now automatically refreshed on a weekly basis.
[#4380] The StUF-ZDS registration plugin now supports sending payment details in the
extraElementen
data. For 2.7 this was available in an extension, which has been merged in core - migrating is automatic.[#4545] You can now optionally configure an introduction page, which is displayed before the start of the form.
[#4543] You can now optionally enable a short progress summary showing the current step number and the total number of steps in a form.
Note
The addressNL
component is not yet a fully capable replacement for
individual address fields. Currently, it’s only recommended for BRK-validation
purposes.
Bugfixes
Fixed a crash in the validation of form variables used in logic rules.
[#4516] Fixed imports (and error feedback) of legacy exports with Objects API registration backends. It should now be more clear that admins possibly need to check the Objects API groups configuration.
[#4191] Fixed a couple of bugs when adding a company as initator in the ZGW API’s registration plugin:
Fixed the datatype of
vestiging
field in ZGW registration rollen/betrokkenen.Fixed the
aoaIdentificatie
being empty - this is not allowed.
[#4533] Fixed Objects API registration options checkboxes not toggling.
[#4502] Fixed a problem where the registration-backend routing logic is not calculated again after pausing and resuming a submission.
[#4334] Fixed the email registration plugin not sending a payment-received email when “wait for payment to register” is enabled. This behaviour is to ensure that financial departments can always be informed of payment administration.
[#4519] Fixed form variable dropdowns taking up too much horizontal space.
Backend checks of form component validation configuration are mandatory. All components support the same set of validation mechanism in frontend and backend.
[#4560] Fixed more PDF generation overlapping content issues. The layout no longer uses two columns, but just stacks the labels and answers below each other since a compromise was not feasible.
Fixed upgrade check scripts for 2.7.x.
[#4597] Revert message for not-filled-in-fields in confirmation PDF back to just empty space.
Fixed processing of empty file upload components in the Objects API registration plugin.
Fixed an upgrade check incorrectly reporting problems.
[#4627] Fixed a crash in the eHerkenning-via-OIDC plugin if no ActingSubjectID claim is present.
[#4602] Fixed missing Dutch translation for minimum required checked items error message in the selectboxes component.
[#4587] Fixed the product not being copied along when copying a form.
Project maintenance
[#4267] Converted more existing tests from mocks to VCR.
Added static type checking to the CI pipeline. We will continue to improve the type-safety of the code, which should result in fewer bugs and improve the developer experience.
Upgraded a number of third-party packages.
Simplified testing tools to test translation-enabled forms.
[#4492] Upload IDs are no longer stored in the session, which was obsoleted by relating uploads to a submission.
[#4534] Applied some memory-usage optimizations when interacting with the Catalogi API.
Swapped out pip-tools with uv because it has much better performance.
[#3197] Upgraded to Python 3.12 from Python 3.10.
Fixed some more sources of test flakiness.
The random state from factory boy is now reported in CI to help reproduce test flakiness issues.
[#4380] There is now a mock service (docker-compose based) for a StUF-ZDS server.
Added CI job to test upgrade check scripts/machinery.
Addressed broken test isolation in CI leading to flaky tests.
Upgraded a number of dependencies to their latest (security) releases.
Improved the static type annotations in the codebase.
Failing end-to-end tests now produce Playwright traces in CI to help debug the problem.
Added a utility script to find VCR cassette directories.
[#4646, #4396] Restructured the Objects API configuration to be in a shared code package, which can be used by the registration and prefill plugins.
[#4648] Corrected the documentation about the minimum PostgreSQL version (v12) and confirmed support for PostgreSQL 15.
Squashed migrations.
2.8.0-beta.0 (2024-09-17)
The (first) beta version for 2.8.0 is available for testing now.
Warning
We encourage you to test out this beta version on non-production environments and report your findings back to use. This release is not suitable for production yet though.
Upgrade notes
There are no manual actions required - all upgrades and migrations are automatic.
Note
The UX rework in the ZGW APIs registration plugin is not entirely finished yet. The Objects API integration in particular can be a bit confusing since it’s not possible yet to select which Objects API should be used. The plugin now uses the API group that’s listed first in the admin interface (Admin > Miscellaneous > Objects API Groups).
Detailed changes
New features
[#4577] We improved the user experience when configuring the Objects API registration plugin. Copy-pasting URLs is being phased out - you can now select the relevant configurations in dropdowns.
[#4606] Improved the user experience of the ZGW APIs registration plugin. We’re making this consistent with the Objects API. More improvements will be done in the future.
[#4542] Email components now support optional verification - when enabled, users must verify their email address before they can continue submitting the form.
[#4582] The SAML metadata for the DigiD/eHerkenning identity providers is now automatically refreshed on a weekly basis.
[#4380] The StUF-ZDS registration plugin now supports sending payment details in the
extraElementen
data. For 2.7 this was available in an extension, which has been merged in core - migrating is automatic.[#4545] You can now optionally configure an introduction page, which is displayed before the start of the form.
[#4543] You can now optionally enable a short progress summary showing the current step number and the total number of steps in a form.
Note
The addressNL
component is not yet a fully capable replacement for
individual address fields. Currently, it’s only recommended for BRK-validation
purposes.
Bugfixes
[#4597] Revert message for not-filled-in-fields in confirmation PDF back to just empty space.
Fixed processing of empty file upload components in the Objects API registration plugin.
Fixed an upgrade check incorrectly reporting problems.
[#4627] Fixed a crash in the eHerkenning-via-OIDC plugin if no ActingSubjectID claim is present.
[#4602] Fixed missing Dutch translation for minimum required checked items error message in the selectboxes component.
[#4587] Fixed the product not being copied along when copying a form.
Project maintenance
Addressed broken test isolation in CI leading to flaky tests.
Upgraded a number of dependencies to their latest (security) releases.
Improved the static type annotations in the codebase.
Failing end-to-end tests now produce Playwright traces in CI to help debug the problem.
Added a utility script to find VCR cassette directories.
[#4646, #4396] Restructured the Objects API configuration to be in a shared code package, which can be used by the registration and prefill plugins.
[#4648] Corrected the documentation about the minimum PostgreSQL version (v12) and confirmed support for PostgreSQL 15.
Squashed migrations.
2.7.6 (2024-09-05)
Hotfix release.
[#4627] The previous patch was incomplete, fixed another crash that would occur if no ActingSubjectID is present.
2.7.5 (2024-09-02)
Periodic bugfix release
Applied the latest security patches for dependencies.
[#4380] Added missing ability to store payment provider payment ID references.
[#4597] Revert message for not-filled-in-fields in confirmation PDF back to just empty space.
Fixed processing of empty file upload components in the Objects API registration plugin.
Fixed an upgrade check incorrectly reporting problems.
[#4627] Fixed a crash in the eHerkenning-via-OIDC plugin if no ActingSubjectID claim is present.
2.6.14 (2024-09-02)
Periodic bugfix release
[#4597] Revert message for not-filled-in-fields in confirmation PDF back to just empty space.
Fixed processing of empty file upload components in the Objects API registration plugin.
2.8.0-alpha.0 (2024-08-09)
This is an alpha release, meaning it is not finished yet or suitable for production use.
Detailed changes
New features
[#4267, #4567, #4577] Improved the UX of the Objects API registration options:
Configuration is now in a modal and changes in configuration require an explicit confirmation, meaning you can now explore more without potentially breaking the configuration.
Upgraded the API group, object type and object type version dropdowns with search functionality.
Configuration fields are now logically grouped. Optional settings are shown in a collapsed group to declutter the UI.
You can now select a catalogue from a dropdown (with search functionality) that contains the document types to use.
API groups (admin): you can now specify a catalogue and the descriptions of document types to use rather than entering the API URL to a specific version.
These UX and configuration improvements are still work-in-progress, more will become available in next releases and we will also rework the ZGW API registration options.
[#4051] Added a better JSON-editor in a number of places, bringing them up to parity with the editor in the form builder:
Editing JSON logic triggers.
Editing JSON logic variable assignment expressions.
Editing service fetch mapping expressions.
Viewing the JSON-definition of logic rules and/or actions.
[#4555] Improved the UX of pre-fill configuration on the variables tab:
There is now a single summary column for the prefill configuration, instead of three separate columns.
Improved the wording/language used to differentiate between authorizee/authorised roles.
Editing the configuration is now done in a separate modal.
[#4456] The admin interface now clearly displays which environment you are on. You can disable displaying this information, and you can change the text and colors to easily differentiate between acceptance/production environments.
[#4488] The submisson report PDF now no longer opens in a new tab/window, the browser is forced to download it.
Support pre-filling form fields from existing data in the Objects API:
This feature is currently under heavy development.
[#4432] Improved robustness in form designer interface when crashes occur because of external systems.
[#4442] Improved certificate handling and DigiD/eHerkenning via SAML configuration:
You can now upload password-protected private keys.
You can now configure multiple certificates for DigiD/eHerkenning. The “next” certificate will be included in the generated metadata so you can seamlessly transition when your old certificate is about to expire.
The metadata files are now forced as download to prevent formatting and copy/paste errors.
[#4380] You can now include more payment details/information in the StUF-ZDS and Objects API registration plugins:
Added support for storing and including the payment ID from the payment provider.
Added support to send the order ID, payment status and payment amount as
extraElementen
in StUF-ZDS.
Note
Currently this requires the
open-forms-ext-stuf-zds-payments
extension, but it will land in Open Forms core in the future.You can now configure some django-log-outgoing-requests settings with environment variables.
[#4575] You can now configure the
SENDFILE_BACKEND
with an environment variable.
Bugfixes
Fixed a crash in the validation of form variables used in logic rules.
[#4516] Fixed imports (and error feedback) of legacy exports with Objects API registration backends. It should now be more clear that admins possibly need to check the Objects API groups configuration.
[#4191] Fixed a couple of bugs when adding a company as initator in the ZGW API’s registration plugin:
Fixed the datatype of
vestiging
field in ZGW registration rollen/betrokkenen.Fixed the
aoaIdentificatie
being empty - this is not allowed.
[#4533] Fixed Objects API registration options checkboxes not toggling.
[#4502] Fixed a problem where the registration-backend routing logic is not calculated again after pausing and resuming a submission.
[#4334] Fixed the email registration plugin not sending a payment-received email when “wait for payment to register” is enabled. This behaviour is to ensure that financial departments can always be informed of payment administration.
[#4519] Fixed form variable dropdowns taking up too much horizontal space.
Backend checks of form component validation configuration are mandatory. All components support the same set of validation mechanism in frontend and backend.
[#4560] Fixed more PDF generation overlapping content issues. The layout no longer uses two columns, but just stacks the labels and answers below each other since a compromise was not feasible.
Fixed upgrade check scripts for 2.7.x.
Project maintenance
[#4267] Converted more existing tests from mocks to VCR.
Added static type checking to the CI pipeline. We will continue to improve the type-safety of the code, which should result in fewer bugs and improve the developer experience.
Upgraded a number of third-party packages.
Simplified testing tools to test translation-enabled forms.
[#4492] Upload IDs are no longer stored in the session, which was obsoleted by relating uploads to a submission.
[#4534] Applied some memory-usage optimizations when interacting with the Catalogi API.
Swapped out pip-tools with uv because it has much better performance.
[#3197] Upgraded to Python 3.12 from Python 3.10.
Fixed some more sources of test flakiness.
The random state from factory boy is now reported in CI to help reproduce test flakiness issues.
[#4380] There is now a mock service (docker-compose based) for a StUF-ZDS server.
Added CI job to test upgrade check scripts/machinery.
2.7.4 (2024-08-06)
Fixed a crash in upgrade check script and set up CI to prevent these problems in the future.
2.7.3 (2024-08-05)
Fixed a typo in upgrade check script name.
2.7.2 (2024-08-05)
Fixed a build error where some upgrade check scripts were not included in the Docker image.
2.7.1 (2024-07-29)
First bugfix release for 2.7.x.
[#4533] Fixed Objects API registration options checkboxes not toggling.
[#4516] Fixed imports (and error feedback) of legacy exports with Objects API registration backends. It should now be more clear that admins possibly need to check the Objects API groups configuration.
[#4191] Fixed the datatype of
vestiging
field in ZGW registration rollen/betrokkenen.[#4334] Fixed the email registration plugin not sending a payment-received email when “wait for payment to register” is enabled. This behaviour is to ensure that financial departments can always be informed of payment administration.
[#4502] Fixed a problem where the registration-backend routing logic is not calculated again after pausing and resuming a submission.
[#4560] Fixed more PDF generation overlapping content issues. The layout no longer uses two columns, but just stacks the labels and answers below each other since a compromise was not feasible.
[#4519] Fixed form variable dropdowns taking up too much horizontal space.
Backend checks of form component validation configuration are mandatory. All components support the same set of validation mechanism in frontend and backend.
2.6.13 (2024-07-29)
Bugfix release.
[#4191] Fixed the datatype of
vestiging
field in ZGW registration rollen/betrokkenen.[#4334] Fixed the email registration plugin not sending a payment-received email when “wait for payment to register” is enabled. This behaviour is to ensure that financial departments can always be informed of payment administration.
[#4502] Fixed a problem where the registration-backend routing logic is not calculated again after pausing and resuming a submission.
[#4560] Fixed more PDF generation overlapping content issues. The layout no longer uses two columns, but just stacks the labels and answers below each other since a compromise was not feasible.
[#4519] Fixed form variable dropdowns taking up too much horizontal space.
Backend checks of form component validation configuration are mandatory. All components support the same set of validation mechanism in frontend and backend.
2.5.13 (2024-07-29)
Bugfix release.
[#4334] Fixed the email registration plugin not sending a payment-received email when “wait for payment to register” is enabled. This behaviour is to ensure that financial departments can always be informed of payment administration.
[#4502] Fixed a problem where the registration-backend routing logic is not calculated again after pausing and resuming a submission.
[#4560] Fixed more PDF generation overlapping content issues. The layout no longer uses two columns, but just stacks the labels and answers below each other since a compromise was not feasible.
2.6.12 (2024-07-12)
Bugfix release to address PDF generation issue.
2.5.12 (2024-07-12)
Bugfix release to address PDF generation issue.
2.7.0 “Berlage” (2024-07-09)
Open Forms 2.7.0 is a feature release.
Maykin was founded in 2008 and originally located in the ‘Beurs van Berlage’ in Amsterdam. The monumental building, designed by Hendrik Petrus Berlage and build around 1900, inspired us to create innovative applications, of which some are still maintained and in production to this day.
Upgrade notes
⚠️ The feature flag to disable backend validation is now removed, instances relying on it should verify that their forms still work now that validation is enforced.
⚠️ If you make use of the Objects API - even the legacy configuration, you now need to have a valid configuration for the objecttypes API service. The plugin accesses this API during registration. You can configure this for each api group via Admin > Overige > Objecten API-groepen after upgrading to 2.7.
We’re consolidating the OpenID Connect Redirect URI endpoints into a single endpoint:
/auth/oidc/callback/
. The legacy endpoints are still enabled, but scheduled for removal in Open Forms 3.0.You can opt-in to the new behaviour through three environment variables (and we recommend doing so on fresh instances):
USE_LEGACY_OIDC_ENDPOINTS=false
: admin loginUSE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false
: DigiD/eHerkenning pluginsUSE_LEGACY_ORG_OIDC_ENDPOINTS=false
: Organization OIDC plugin
Note that the OpenID applications need to be updated on the identity provider, specifically the allowed “Redirect URIs” setting needs to be updated with the following path replacements:
/oidc/callback/
->/auth/oidc/callback/
/digid-oidc/callback/
->/auth/oidc/callback/
/eherkenning-oidc/callback/
->/auth/oidc/callback/
/digid-machtigen-oidc/callback/
->/auth/oidc/callback/
/eherkenning-bewindvoering-oidc/callback/
->/auth/oidc/callback/
/org-oidc/callback/
->/auth/oidc/callback/
We are deprecating location autofill in
textfield
components. Instead, use theaddressNL
component and enable address derivation.
Major features
🛂 Mandates (“machtigen”) for DigiD and eHerkenning
We now provide better integration for DigiD Machtigen and eHerkenning Bewindvoering ( via OpenID Connect). Open Forms registers the details in which capacity a user is logged in and whether a mandate is used or not.
This information is available during the registration of a form submission, making it possible to register it to the Objects API and ZGW API’s for further processing.
📍 Dutch addresses
We’re making it easier to deal with Dutch addresses.
The addressNL
component is meant for these - it (optionally) integrates with the
Kadaster API to derive street name and city from the provided postcode and house number,
while making sure the full address details are sent to the registration plugins.
Support for single-column layout was added so that the layout can adapt to your organization’s form design.
We’re adding more flexbility to better integrate with registration plugins, so keep an eye on this component for Open Forms 2.8.
🚸 User experience improvements in the form designer
Staff users typically spend a lot of time in the form designer to create or update forms. We’re making some changes to improve the user experience so that it becomes easier to:
configure forms, and make configuration less error-prone with better UI elements
export and import forms across environments (staging -> production, for example)
detect problems and configuration issues
Detailed changes
New features
Submission registration improvements:
Objects API’s:
[#4031] Added a warning when switching back to the legacy configuration.
[#4041] Improved robustness of document registration.
[#4267] Add support for multiple Documents API’s.
[#4323] Added envvar/setting to disable sending hidden fields to Objects API. This is a temporary workaround - the proper solution is to update your object type definitions.
Added missing
public_reference
registration variable.[#4475] Added submission UUID and language code static variables.
[#4416] The
ontvangstdatum
attribute is now set for uploaded documents.
ZGW API’s
[#4267] Improve UX of Objects API and ZGW API’s configuration. More will come in Open Forms 2.8.
Authentication plugins:
[#4246] Reworked the OpenID Connect integration:
Claims with a
.
character are now supported.Added configuration options to extract more metadata about the authentication.
Defined a formal schema for authentication context data
Updated DigiD/eHerkenning plugin flavours to store additional information, such as level of assurance, representee/authorizee, mandate context…
Added static variables to access/register the authentication context in submissions.
[#3967] Company branch number is now recorded for eHerkenning via OpenID.
DMN plugins:
[#4269, #4278] Improved Camunda DMN engine integration:
The UI now shows the input variables, even from complex expressions.
DMN tables that depend on other tables now don’t show intermediate input variables that are already automatically provided.
Added overview table for all the expected input expressions.
Added automatic problem detection.
Selecting another decision definition now resets the input and output mapping.
You can now map static form variables to DMN input variables.
[#72] All supported components are now covered in the backend validation. Support is added for: time, selectboxes, textarea, postcode, bsn, select, checkbox, currency, signature, map, cosign, password, iban, file, datetime, addressNL and licenseplate components.
[#4009] Improved the representation of submission data in the admin interface.
[#4005] Added the ability to search submission reports by public registration reference and submission in the admin.
[#4005] The title of the submission PDF now includes the public registration reference.
[#3725] The admin email digest now detects and reports more problems.
[#3889] You can now export the audit trails and GDPR log entries.
[#3889] Viewing an outgoing request log entry in the admin will now create a GDPR log entry.
[#4101] The “Show form” button in the admin is now only displayed for active forms.
[#4080] Added generation timestamp to PDF submission report.
[#4215] Email logs older than 90 days are now periodically deleted.
[#4229] Improved performance of KVK number validation.
Optimized performance of the appointment information admin page and added search support.
Removed the feature flag to disable backend validation.
[#4277] You can now upload a (separate) logo image file to be used in emails.
[#3807] You can now configure the template for the co-sign request email.
[#4347] When Organization login is enabled, the username/password fields are initially collapsed.
[#4356] Added support for the Expoints feedback tool.
[#4377] Added support for token-exchange extension to BRK client.
[#3993] The
addressNL
component now supports autofill of street and city for entered postcode and house number.[#4423] You can now specify a layout (single or double column) for the
addressNL
component.
Bugfixes
[#3969] Removed the level of assurance override for eHerkenning/eIDAS authentication. In its existing form it was not supported by brokers, but it will be re-introduced in another form in the future.
Fixed more backend validation issues:
[#4065] Hidden fields/components are not longer taken into account during backend validation.
[#4068] Fixed various backend validation issues:
Allow empty string as empty value for date field.
Don’t reject textfield (and derivatives) with multiple=True when items inside are null (treat them as empty value/string).
Allow empty lists for edit grid/repeating group when field is not required.
Skip validation for layout components, they never get data.
Ensure that empty string values for optional text fields are allowed (also covers derived fields).
Fixed validation error being returned that doesn’t point to a particular component.
Fixed validation being run for form steps that are (conditionally) marked as “not applicable”.
[#4126] Fixed incorrect validation of components inside repeating groups that are conditionally visible (with frontend logic).
[#4143] Added additional backend validation: now when form step data is being saved (including pausing a form), the values are validated against the component configuration too.
[#4151] Fixed backend validation error being triggered for radio/select/selectboxes components that get their values/options from another variable.
[#4172] Fixed a crash while running input validation on date fields when min/max date validations are specified.
[DH#671] Fixed conditionally making components required/optional via backend logic.
Fixed validation of empty/optional select components.
[#4096] Fixed validation of hidden (with
clearOnHide: false
) radio components.[DH#667] Fixed components inside a repeating group causing validation issues when they are nested inside a fieldset or columns.
[#4241] Fixed some backend validation being skipped when there is component key overlap with layout components (like fieldsets and columns).
[#4069] Fixed a crash in the form designer when navigating to the variables tab if you use any of the following registration backends: email, MS Graph (OneDrive/Sharepoint) or StUF-ZDS.
[#4061] Fixed not all form components being visible in the form builder when other components can be selected.
[#4079] Fixed metadata retrieval for DigiD failure when certificates signed by the G1 root are used.
[#4099] Fixed a crash in the form designer when editing (user defined) variables and the template-based Objects API registration backend is configured.
[#4103] Fixed incorrect appointment details being included in the submission PDF.
[#4073] Removed unused StUF-ZDS ‘gemeentecode’.
[#4015] Fixed possible traversal attack in service fetch service.
[#4084] Fixed default values of select components set to multiple.
[#4134] Fixed form designer admin crashes when component/variable keys are edited.
[#4131] Fixed bug where component validators all had to be valid rather than at least one.
[#4072] Fixed recovery token flow redirecting back to login screen, making it impossible to use recovery tokens.
[#4145] Fixed the payment status not being registered correctly for StUF-ZDS.
[#4124] Fixed forms being shown multiple times in the admin list overview.
[#4052] Fixed payment (reminder) emails being sent more often than intended.
[#4156] Fixed the format of order references sent to payment providers. You can now provide your own template.
[#4141] Fixed a crash in the Objects API registration when using periods in component keys.
[#4165] A cookie consent group for analytics is now required.
[#4187] Selectboxes/radio with dynamic options are considered invalid when submitting the form.
[#4202] Fixed Objects API registration v2 crash with hidden fields.
[#4115] Support different kinds of GovMetric feedback (aborting the form vs. completing the form).
[#4197] Ensured all uploaded images are being resized if necessary.
[#4191] Added missing required
aoaIdentificatie
field to ZGW registration.[#4173] Fixed registration backends not being included when copying a form.
[#4146] Fixed SOAP timeout not being used for Stuf-ZDS client.
[#3964] Toggling visibility with frontend logic and number/currency components leads to fields being emptied.
[#4247] Fixed migration crash because of particular key-structure with repeating groups.
[#4174] Fixed submission pre-registration being stuck in a loop when failing to do so.
[#4184] Fixed broken references to form steps when copying a form.
[#4205] The CSP
form-action
directive now allows anyhttps:
target, to avoid errors on eHerkenning login redirects.[#4158] Added missing English translation for
invalid_time
custom error message.[#4302] Made co-sign data (date and co-sign attribute) available in the Objects API registration.
[#1906] Fixed a cause of form imports sometimes creating new form definitions instead of linking the already existing one.
[#4291] Fixed logic triggers with boolean user defined variables.
[#4199] Fixed submissions remembering authentication context from a previous submission, even though the form was started without explicit login action.
[#4255] Fixed a performance issue in the confirmation PDF generation when large blocks of text are rendered.
[#4403] Fixed broken submission PDF layout when empty values are present.
[#4450] Fixed submission PDF rows overlapping.
[#4012] Fixed WYSIWYG editor link popup not always clearing.
[#4368] Fixed URLs to the same domain being broken in the WYSIWYG editors.
[#4362] Fixed a crash in the form designer when a textfield/textarea allows multiple values in forms with translations enabled.
[#4363] Fixed option descriptions not being translated for radio and selectboxes components.
[#4338] Fixed prefill for StUF-BG with SOAP 1.2 not properly extracting attributes.
[#4379] Fixed logout requests for OpenID Connect triggering a server error because of bad redirect responses.
[#4350] Disabled link protocol warning in WYSIWYG editors.
[#4409] Updated language for payment amount in submission PDF.
[#4051] The JSON view/editor in the form builder now has syntax highlighting.
[#4425] Fixed the wrong price being sent to the Objects API when multiple payment attempts are made.
[#4425] Fixed incorrectly marking failed/non-completed payment attempts as registered in the registration backend.
[#4425] Added missing (audit) logging for payments started from the confirmation email link.
[#4313] Fixed theme styling for organisation OIDC login.
Fixed temporary file uloads not being associated with the active form submission.
Project maintenance
[#4035] Added an E2E test for the file component.
Cleaned up logging config: removed unused performance logging config, added tools to mute logging.
Cleaned up structure of local setting overrides.
[#4057] Upgraded to
zgw-consumers
0.32.0. This drops the dependency ongemma-zds-client
.Vendored
decorator-include
, as it is not maintained anymore.Updated dependencies to drop
setuptools
.[#3878] Updated some dependencies after the Django 4.2 upgrade.
Switched to Docker Compose V2 in CI, as V1 was removed from Github Ubuntu images.
Moved EOL changelog to archive.
Ordered changelog entries by version instead of date in archive.
Added feature to log flaky tests in CI.
Documented versioning policy change.
uv
is now used to install dependencies in Docker build.Improved release process documentation.
[#3878] Updated docs dependencies.
Added PR checklist template.
[#4009, #979] Removed the
get_merged_data
of the submission model.[#4044] Improved developer documentation of submission state and component configuration.
[#3878] Updated to the latest version of
django-yubin
, removed the temporary patch.[#3878] Updated to the latest version of
celery
, including related dependencies.[#4247] Improved robustness of the
FormioConfigurationWrapper
with editgrids.[#4236] Removed form copy API endpoint, as it is not used anymore.
[#4246] Rewrote the OIDC-flow tests to be much more representative, added docker-compose configuration and docs to easily replicate this in a local dev environment.
Changelog now links to the relevant (Github) issues.
Upgraded to the latest django-cookie-consent: updated the fixtures to use natural keys and bundle the package Javascript instead of inlining it.
[#4285] Upgraded schwifty to v2024.5.3
[#4262] Added script for reporting invalid default values in radio component.
Various type-annotation improvements.
[#4341] Upgraded to Storybook 8, added automatic visual regression tests.
Upgraded dependencies to their latest (security) releases.
[#4346] Refactored feature flag management to use django-flags.
[#598] Added unit tests for appointments failure flows.
Upgraded lxml and xmlsec so that binary wheels can be installed, speeding up CI and docker image build.
Re-generated expired self-signed certificates for test suite.
Squased migrations again for the release, removed earlier squashed migrations.
Removed some sources of test flakiness in CI.
Updated release issue template to mention all VCR tests to re-record.
The docker-compose for Open Zaak and Objects/Objecttypes API’s now load the fixtures automatically, and use the latest available versions.
2.6.11 (2024-06-20)
Hotfix for payment integration in Objects API
[#4425] Fixed the wrong price being sent to the Objects API when multiple payment attempts are made.
[#4425] Fixed incorrectly marking failed/non-completed payment attempts as registered in the registration backend.
[#4425] Added missing (audit) logging for payments started from the confirmation email link.
2.5.11 (2024-06-20)
Hotfix for payment integration in Objects API
[#4425] Fixed the wrong price being sent to the Objects API when multiple payment attempts are made.
[#4425] Fixed incorrectly marking failed/non-completed payment attempts as registered in the registration backend.
[#4425] Added missing (audit) logging for payments started from the confirmation email link.
2.6.10 (2024-06-19)
Hotfix fixing a regression in the PDF generation.
2.5.10 (2024-06-19)
Hotfix fixing a regression in the PDF generation.
2.6.9 (2024-06-14)
Bugfix release fixing some issues (still) in 2.6.8
2.6.8 (2024-06-14)
Bugfix release
[#4255] Fixed a performance issue in the confirmation PDF generation when large blocks of text are rendered.
[#4241] Fixed some backend validation being skipped when there is component key overlap with layout components (like fieldsets and columns).
[#4368] Fixed URLs to the same domain being broken in the WYSIWYG editors.
[#4377] Added support for pre-request context/extensions in BRK client implementation.
[#4363] Fixed option descriptions not being translated for radio and selectboxes components.
[#4362] Fixed a crash in the form designer when a textfield/textarea allows multiple values in forms with translations enabled.
2.5.9 (2024-06-14)
Bugfix release fixing some issues (still) in 2.5.8
Note that 2.5.8 was never published to Docker Hub.
2.5.8 (2024-06-14)
Bugfix release
[#4255] Fixed a performance issue in the confirmation PDF generation when large blocks of text are rendered.
[#4368] Fixed URLs to the same domain being broken in the WYSIWYG editors.
[#4362] Fixed a crash in the form designer when a textfield/textarea allows multiple values in forms with translations enabled.
2.6.7 (2024-05-22)
Bugfix release
2.6.6 (2024-05-13)
Bugfix release
2.5.7 (2024-05-13)
Bugfix release
[#4052] Fixed payment (reminder) emails being sent more often than intended.
[#4124] Fixed forms being shown multiple times in the admin list overview.
[#3964] Toggling visibility with frontend logic and number/currency components leads to fields being emptied.
[#4205] The CSP
form-action
directive now allows anyhttps:
target, to avoid errors on eHerkenning login redirects.
2.7.0-alpha.0 (2024-05-06)
This is an alpha release, meaning it is not finished yet or suitable for production use.
Detailed changes
New features
Improved backend validation robustness, mainly by validating new components:
[#72] Improved validation for the following components: time, selectboxes, textarea, postcode, bsn, select, checkbox, currency, signature, map, cosign, password, iban and licenseplate.
Submission registration:
Other features:
[#3969] For eHerkenning/eIDAS authentication, the level of assurance can no longer be overridden (as brokers do not support this).
[#4009] Improved the representation of submission data in the admin interface.
[#4005] Added the ability to search submission reports by public registration reference and submission in the admin.
[#4005] Updated title of the PDF submission report to include the public registration reference.
[#3725] Expanded email digest by detecting more problems in features actively used, such as:
Submissions with failed registration status.
Prefill plugins failures.
Missing or wrong BRK client configuration.
Address autofill (based on postal code and house numer) misconfiguration.
Form logic rules referring to non-existent fields.
Invalid registration backends configuration.
ZGW services: Mutual TLS certificates/certificate pairs and (nearly) expired certificates.
[#3889] You can now export the audit trails and GDPR log entries.
[#3889] Viewing an outgoing request log entry in the admin will now create a GDPR log entry.
[#4101] The “Show form” button in the admin is now only displayed for active forms.
[#4080] Added generation timestamp to PDF submission report.
[#4215] Email logs older than 90 days are now periodically deleted.
[#4229] Improved performance of KVK number validation.
Bugfixes
Fixed more backend validation issues:
[#4065] Hidden fields/components are not longer taken into account during backend validation.
[#4068] Fixed various backend validation issues:
Allow empty string as empty value for date field.
Don’t reject textfield (and derivatives) with multiple=True when items inside are null (treat them as empty value/string).
Allow empty lists for edit grid/repeating group when field is not required.
Skip validation for layout components, they never get data.
Ensure that empty string values for optional text fields are allowed (also covers derived fields).
Fixed validation error being returned that doesn’t point to a particular component.
Fixed validation being run for form steps that are (conditionally) marked as “not applicable”.
[#4126] Fixed incorrect validation of components inside repeating groups that are conditionally visible (with frontend logic).
[#4143] Added additional backend validation: now when form step data is being saved (including pausing a form), the values are validated against the component configuration too.
[#4151] Fixed backend validation error being triggered for radio/select/selectboxes components that get their values/options from another variable.
[#4172] Fixed a crash while running input validation on date fields when min/max date validations are specified.
[DH#671] Fixed conditionally making components required/optional via backend logic.
Fixed validation of empty/optional select components.
[#4096] Fixed validation of hidden (with
clearOnHide: false
) radio components.[DH#667] Fixed components inside a repeating group causing validation issues when they are nested inside a fieldset or columns.
[#4069] Fixed a crash in the form designer when navigating to the variables tab if you use any of the following registration backends: email, MS Graph (OneDrive/Sharepoint) or StUF-ZDS.
[#4061] Fixed not all form components being visible in the form builder when other components can be selected.
[#4079] Fixed metadata retrieval for DigiD failing when certificates signed by the G1 root are used.
[#4099] Fixed a crash in the form designer when editing (user defined) variables and the template-based Objects API registration backend is configured.
[#4103] Fixed incorrect appointment details being included in the submission PDF.
[#4073] Removed unused StUF-ZDS ‘gemeentecode’.
[#4015] Fixed possible traversal attack in service fetch service.
[#4084] Fixed default values of select components set to multiple.
[#4134] Fixed form designer admin crashes when component/variable keys are edited.
[#4131] Fixed bug where component validators all had to be valid rather than at least one.
[#4072] Fixed recovery token flow redirecting back to login screen, making it impossible to use recovery tokens.
[#4145] Fixed the payment status not being registered correctly for StUF-ZDS.
[#4124] Fixed forms being shown multiple times in the admin list overview.
[#4052] Fixed payment (reminder) emails being sent more often than intended.
[#4156] Fixed the format of order references sent to payment providers. You can now provide your own template.
[#4141] Fixed a crash in the Objects API registration when using periods in component keys.
[#4165] A cookie consent group for analytics is now required.
[#4187] Selectboxes/radio with dynamic options are considered invalid when submitting the form.
[#4202] Fixed Objects API registration v2 crash with hidden fields.
[#4115] Support different kinds of GovMetric feedback (aborting the form vs. completing the form).
[#4197] Ensured all uploaded images are being resized if necessary.
[#4191] Added missing required
aoaIdentificatie
field to ZGW registration.[#4173] Fixed registration backends not being included when copying a form.
[#4146] Fixed SOAP timeout not being used for Stuf-ZDS client.
[#3964] Toggling visibility with frontend logic and number/currency components leads to fields being emptied.
[#4247] Fixed migration crash because of particular key-structure with repeating groups.
[#4174] Fixed submission pre-registration being stuck in a loop when failing to do so.
Project maintenance
[#4035] Added an E2E test for the file component.
Cleaned up logging config: removed unused performance logging config, added tools to mute logging.
Cleaned up structure of local setting overrides.
[#4057] Upgraded to
zgw-consumers
0.32.0. This drops the dependency ongemma-zds-client
.Vendored
decorator-include
, as it is not maintained anymore.Updated dependencies to drop
setuptools
.[#3878] Updated some dependencies after the Django 4.2 upgrade.
Switched to Docker Compose V2 in CI, as V1 was removed from Github Ubuntu images.
Moved EOL changelog to archive.
Ordered changelog entries by version instead of date in archive.
Added feature to log flaky tests in CI.
Documented versioning policy change.
Used
uv
to install dependencies in Docker build.Improved release process documentation.
[#3878] Updated docs dependencies.
Added PR checklist template.
[#4009, #979] Removed the
get_merged_data
of the submission model.[#4044] Improved developer documentation of submission state and component configuration.
[#3878] Updated to the latest version of
django-yubin
, removed the temporary patch.[#3878] Updated to the latest version of
celery
, including related dependencies.[#4247] Improved robustness of the
FormioConfigurationWrapper
with editgrids.[#4236] Removed form copy API endpoint, as it is not used anymore.
2.6.5 (2024-04-24)
Bugfix release
2.6.5-beta.0 (2024-04-17)
Bugfix beta release
2.6.4 (2024-04-16)
Bugfix release
[#4151] Fixed backend validation error being triggered for radio/select/selectboxes components that get their values/options from another variable.
[#4052] Fixed payment (reminder) emails being sent more often than intended.
[#4124] Fixed forms being shown multiple times in the admin list overview.
[#4156] Fixed the format of order references sent to payment providers. You can now provide your own template.
Fixed some bugs in the form builder:
Added missing error message codes (for translations) for the selectboxes component.
Fixed the “client-side logic” to take the correct data type into account.
Fixed the validation tab not being marked as invalid in some validation error situations.
Upgraded some dependencies with their latest (security) patches.
[#4172] Fixed a crash while running input validation on date fields when min/max date validations are specified.
[#4141] Fixed a crash in the Objects API registration when using periods in component keys.
2.6.3 (2024-04-10)
Bugfix release following feedback on 2.6.2
[#4126] Fixed incorrect validation of components inside repeating groups that are conditionally visible (with frontend logic).
[#4134] Fixed form designer admin crashes when component/variable keys are edited.
[#4131] Fixed bug where component validators all had to be valid rather than at least one.
[#4140] Added deploy configuration parameter to not send hidden field values to the Objects API during registration, restoring the old behaviour. Note that this is a workaround and the correct behaviour (see ticket #3890) will be enforced from Open Forms 2.7.0 and newer.
[#4072] Fixed not being able to enter an MFA recovery token.
[#4143] Added additional backend validation: now when form step data is being saved ( including pausing a form), the values are validated against the component configuration too.
[#4145] Fixed the payment status not being registered correctly for StUF-ZDS.
2.5.6 (2024-04-10)
Hotfix release for StUF-ZDS users.
[#4145] Fixed the payment status not being registered correctly for StUF-ZDS.
2.6.2 (2024-04-05)
Bugfix release - not all issues were fixed in 2.6.1.
Fixed various more mismatches between frontend and backend input validation:
[DH#671] Fixed conditionally making components required/optional via backend logic.
Fixed validation of empty/optional select components.
[#4096] Fixed validation of hidden (with
clearOnHide: false
) radio components.[DH#667] Fixed components inside a repeating group causing validation issues when they are nested inside a fieldset or columns.
[#4061] Fixed not all form components being visible in the form builder when other components can be selected.
[#4079] Fixed metadata retrieval for DigiD failing when certificates signed by the G1 root are used.
[#4103] Fixed incorrect appointment details being included in the submission PDF.
[#4099] Fixed a crash in the form designer when editing (user defined) variables and the template-based Objects API registration backend is configured.
Update image processing library with latest security fixes.
[DH#673] Fixed wrong datatype for field empty value being sent in the Objects API registration backend when the field is not visible.
[DH#673] Fixed fields hidden because the parent fieldset or column is hidden not being sent to the Objects API. This is a follow up of #3980.
2.5.5 (2023-04-03)
Hotfix release for appointments bug
[#4103] Fixed incorrect appointment details being included in the submission PDF.
[#4079] Fixed metadata retrieval for DigiD failing when certificates signed by the G1 root are used.
[#4061] Fixed not all form components being visible in the form builder when other components can be selected.
Updated dependencies to their latest security releases.
2.6.1 (2024-03-28)
Hotfix release
A number of issues were discovered in 2.6.0, in particular related to the additional validation performed on the backend.
[#4065] Fixed validation being run for fields/components that are (conditionally) hidden. The behaviour is now consistent with the frontend.
[#4068] Fixed more backend validation issues:
Allow empty string as empty value for date field.
Don’t reject textfield (and derivatives) with multiple=True when items inside are null (treat them as empty value/string).
Allow empty lists for edit grid/repeating group when field is not required.
Skip validation for layout components, they never get data.
Ensure that empty string values for optional text fields are allowed (also covers derived fields).
Fixed validation error being returned that doesn’t point to a particular component.
Fixed validation being run for form steps that are (conditionally) marked as “not applicable”.
[#4069] Fixed a crash in the form designer when navigating to the variables tab if you use any of the following registration backends: email, MS Graph (OneDrive/Sharepoint) or StUF-ZDS.
2.6.0 “Traiectum” (2024-03-25)
Open Forms 2.6.0 is a feature release.
Traiectum is the name of a Roman Fort in Germania inferior, what is currently modern Utrecht. The remains of the fort are in the center of Utrecht.
Upgrade notes
Ensure you upgrade to (at least) Open Forms 2.5.2 before upgrading to 2.6.
⚠️ The
CSRF_TRUSTED_ORIGINS
setting now requires items to have a scheme. E.g. if you specified this asexample.com,cms.example.com
, then the value needs to be updated tohttps://example.com,https://cms.example.com
.Check (and update) your infrastructure code/configuration for this setting before deploying.
The Objects API registration backend can now update the payment status after registering an object. For this feature to work, the minimum version of the Objects API is now
v2.2
(raised fromv2.0
). If you don’t make use of payments or don’t store payment information in the object, you can likely keep using older versions, but this is at your own risk.The
TWO_FACTOR_FORCE_OTP_ADMIN
andTWO_FACTOR_PATCH_ADMIN
environment variables are removed, you can remove them from your infrastructure configuration. Disabling MFA in the admin is no longer possible. Note that the OpenID Connect login backends do not require (additional) MFA in the admin and we’ve added support for hardware tokens (like the YubiKey) which make MFA less of a nuisance.
Major features
📄 Objects API contract
We completely revamped our Objects API registration backend - there is now tight integration with the “contract” imposed by the selected object type. This makes it much more user friendly to map form variables to properties defined in the object type.
The existing template-based approach is still available, giving you plenty of time to convert existing forms. It is not scheduled for removal yet.
👔 Decision engine (DMN) support
At times, form logic can become very complex to capture all the business needs. We’ve added support for evaluation of “Decision models” defined in a decision evaluation engine, such as Camunda DMN. This provides a better user experience for the people modelling the decisions, centralizes the definitions and gives more control to the business, all while simplifying the form logic configuration.
Currently only Camunda 7 is supported, and using this feature requires you to have access to a Camunda instance in your infrastructure.
🔑 Multi-factor rework
We’ve improved the login flow for staff users by making it more secure and removing friction:
users of OIDC authentication never have to provide a second factor in Open Forms
you can now set up an automatic redirect to the OIDC-provider, saving a couple of clicks
users logging in with username/password can now use hardware tokens (like YubiKey), as an alternative one-time-password tokens (via apps like Google/Microsoft Authenticator)
🔓 Added explicit, public API endpoints
We’ve explicitly divided up our API into public and private parts, and this is reflected in the URLs. Public API endpoints can be used by CMS integrations to present lists of available forms, for example. Public API endpoints are subject to semantic versioning, i.e. we will not introduce breaking changes without bumping the major version.
Currently there are public endpoints for available form categories and available forms. The existing, private, API endpoints will continue to work for the foreseeable future to give integrations time to adapt. The performance of these endpoints is now optimized too.
The other API endpoints are private unless documented otherwise. They are not subject to our semantic versioning policy anymore, and using these is at your own risk. Changes will continue to be documented in the release notes.
Detailed changes
The 2.6.0-alpha.0 changes are included as well, see the earlier changelog entry.
New features
[#3688] Objects API registration rework
Added support for selecting an available object type/version in a dropdown instead of copy-pasting a URL.
The objecttype definition (JSON-schema) is processed and will be used for validation.
Registration configuration is specified on the “variables” tab for each available (built-in or user-defined) variable, where you can select the appropriate object type property in a dropdown.
Added the ability to explicitly map a file upload variable into a specific object property for better data quality.
Ensured that the legacy format is still available (100% backwards compatible).
[#3855] Improved user experience of DMN integration
The available input/output parameters can now be selected in a dropdown instead of entering them manually.
Added robustness in case the DMN engine is not available.
Added caching of DMN evaluation results.
Automatically select the only option if there’s only one.
Added documentation on how to configure Camunda for DMN.
Tweaked the dark-mode styling of WYSIWYG editors to better fit in the page.
[#3164] Added explicit timeout fields to services so they can be different from the global default.
[#3695] Improved login screen and flow
Allow opt-in to automatically redirect to OIDC provider.
Support WebAuthn (like YubiKey) hardware tokens.
[#3885] The admin form list now keeps track of open/collapsed form categories.
[#3957] Updated the eIDAS logo.
[#3825] Added a well-performing public API endpoint to list available forms, returning only minimal information.
[#3825] Added public API endpoint to list available form categories.
[#3879] Added documentation on how to add services for the service fetch feature.
[#3823] Added more extensive documentation for template filters, field regex validation and integrated this documentation more into the form builder.
[#3950] Added additional values to the eHerkenning CSP-header configuration.
[#3977] Added additional validation checks on submission completion of the configured formio components in form steps.
[#4000] Deleted the ‘save and add another’ button in the form designer to maintain safe blood pressure levels for users who accidentally clicked it.
Bugfixes
[#3672] Fixed the handling of object/array variable types in service fetch configuration.
[#3890] Fixed visually hidden fields not being sent to Objects API registration backend.
[#1052] Upgraded DigiD/eHerkenning library.
[#3924] Fixed updating of payment status when the “registration after payment is received” option is enabled.
[#3909] Fixed a crash in the form designer when you use the ZGW registration plugin and remove a variable that is mapped to a case property (“Zaakeigenschap”).
[#3921] Fixed not all (parent/sibling) components being available for selection in the form builder.
[#3922] Fixed a crash because of invalid prefill configuration in the form builder.
[#3958] Fixed the preview appearance of read-only components.
[#3961] Reverted the merged KVK API services (basisprofiel, zoeken) back into separate configuration fields. API gateways can expose these services on different endpoints.
[#3705] Fixed the representation of timestamps (again).
[#3975, #3052] Fixed legacy service fetch configuration being picked over the intended format.
[#3881] Fixed updating a re-usable form definition in one form causing issues in other forms that also use this same form definition.
[#4022] Fix crash on registration handling of post-payment registration. The patch for #3924 was bugged.
[#2827] Worked around an infinite loop when assigning the variable
now
to a field via logic.[#2828] Fixed a crash when assigning the variable
today
to a variable via logic.
Project maintenance
Removed the legacy translation handling which became obsolete with the new form builder.
[#3049] Upgraded the Django framework to version 4.2 (LTS) to guarantee future security and stability updates.
Bumped dependencies to pull in their latest security/patch updates.
Removed stale data migrations, squashed migrations and cleaned up old squashed migrations.
[#851] Cleaned up
DocumentenClient
language handling.[#3359] Cleaned up the registration flow and plugin requirements.
[#3735] Updated developer documentation about pre-request clients.
[#3838] Divided the API into public and private API and their implied versioning policies.
[#3718] Removed obsolete translation data store.
[#4006] Added utility to detect KVK integration via API gateway.
[#3931] Remove dependencies on PyOpenSSL.
2.5.4 (2024-03-19)
Hotfix release to address a regression in 2.5.3
2.5.3 (2024-03-14)
Bugfix release
[#3863] Fixed the generated XML for StUF-BG requests when retrieving partners/children.
[#3920] Fixed not being able to clear some dropdows in the new form builder (advanced logic, WYSIWYG content styling).
[#3858] Fixed a race condition that would manifest during parallel file uploads, leading to permission errors.
[#3864] Fixed handling of StUF-BG responses where one partner is returned.
[#1052] Upgraded DigiD/eHerkenning library.
[#3924] Fixed updating of payment status when the “registration after payment is received” option is enabled.
[#3921] Fixed not all (parent/sibling) components being available for selection in the form builder.
[#3922] Fixed a crash because of invalid prefill configuration in the form builder.
[#3975, #3052] Fixed legacy service fetch configuration being picked over the intended format.
[#3881] Fixed updating a re-usable form definition in one form causing issues in other forms that also use this same form definition.
2.6.0-alpha.0 (2024-02-20)
This is an alpha release, meaning it is not finished yet or suitable for production use.
Warnings
Objects API
The Objects API registration backend can now update the payment status after registering an object - this depends on a version of the Objects API with the PATCH method fixes. At the time of writing, such a version has not been released yet.
Todo
At release time (2.6.0), check if we need to gate this functionality behind a feature flag to prevent issues.
If you would like information about the payment to be sent to the Object API registration
backend when the user submits a form, you can add a payment
field to the
JSON content template
field in the settings for the Object API registration backend.
For example, if the JSON content template
was:
{
"data": {% json_summary %},
"type": "{{ productaanvraag_type }}",
"bsn": "{{ variables.auth_bsn }}",
"pdf_url": "{{ submission.pdf_url }}",
"submission_id": "{{ submission.kenmerk }}",
"language_code": "{{ submission.language_code }}"
}
It could become:
{
"data": {% json_summary %},
"type": "{{ productaanvraag_type }}",
"bsn": "{{ variables.auth_bsn }}",
"pdf_url": "{{ submission.pdf_url }}",
"submission_id": "{{ submission.kenmerk }}",
"language_code": "{{ submission.language_code }}"
"payment": {
"completed": {% if payment.completed %}true{% else %}false{% endif %},
"amount": {{ payment.amount }},
"public_order_ids": {{ payment.public_order_ids }}
}
}
Two factor authentication
The TWO_FACTOR_FORCE_OTP_ADMIN
and TWO_FACTOR_PATCH_ADMIN
environment variables
are removed. Disabling MFA in the admin is no longer possible. Note that the OpenID
Connect login backends do not require (additional) MFA in the admin and we’ve added
support for hardware tokens (like the YubiKey) which make MFA less of a nuisance.
Detailed changes
New features
[#713] Added JSON-template support for payment status update in the Objects API.
[#3783] Added minimal statistics for form submissions in the admin.
[#3793] Reworked the payment reference number generation to include the submission reference.
[#3680] Removed extraneous authentication plugin configuration on cosign V2 component.
[#3688] Added plumbing for improved objects API configuration to enforce data-constracts through json-schema validation. This is very work-in-progress.
[#3730] Added DMN-capabilities to our logic engine. You can now evaluate a Camunda decision definition and use the outputs for further form logic control.
[#3600] Added support for mapping form variables to case properties in the ZGW API’s registration backend.
[#3049] Reworked the two-factor solution. You can now enforce 2FA for username/password accounts while not requiring this when authenticating through OpenID Connect.
Added support for WebAuthn-compatible 2FA hardware tokens.
[#2617] Reworked the payment flow to only enter payment mode if the price is not zero.
[#3727] Added validation for minimum/maximum number of checked options in the selectboxes component.
[#3853] Added support for the KVK-Zoeken API v2.0. V1 is deprecated and will be shut down this year.
Bugfixes
[#3809] Fixed a crash when viewing a non-existing submission via the admin.
[#3616] Fixed broken PDF template for appointment data.
[#3774] Fixed dark-mode support in new form builder.
[#3382] Fixed translation warnings for date and datetime placeholders in the form builder.
[CVE-2024-24771] Fixed (non-exploitable) multi-factor authentication weakness.
[#3623] Fixed some OpenID Connect compatibility issues with certain providers.
[#3863] Fixed the generated XML for StUF-BG requests when retrieving partners/children.
[#3864] Fixed handling of StUF-BG responses where one partner is returned.
[#3858] Fixed a race condition that would manifest during parallel file uploads, leading to permission errors.
[#3822] Fixed searching in form versions admin.
Project maintenance
Updated to Python 3.10+ typing syntax.
Update contributing documentation regarding type annotations.
[#3806] Added email field to customer detail fields for demo appointments plugin.
Updated CI action versions to use the latest NodeJS version.
[#3798] Removed unused
get_absolute_url
in the form definition model.Updated to black version 2024.
[#3049] More preparations to upgrade to Django 4.2 LTS.
[#3616] Added docker-compose setup for testing SDK embedding.
[#3709] Improved documentation for embedding forms.
[#3239] Removed logic rule evaluation logging as it was incomplete and not very usable.
Cleaned up some test helpers after moving them into libraries.
Upgraded external librariesto their newest (security) releases.
2.5.2 (2024-02-06)
Bugfix release
This release addresses a security weakness. We believe there was no way to actually exploit it.
[CVE-2024-24771] Fixed (non-exploitable) multi-factor authentication weakness.
[#642] Fixed DigiD error message via SDK patch release.
[#3774] Fixed dark-mode support in new form builder.
Upgraded dependencies to their latest available security releases.
2.5.1 (2024-01-30)
Hotfix release to address an upgrade problem.
Included missing UI code for GovMetric analytics.
Fixed a broken migration preventing upgrading to 2.4.x and newer.
[#3616] Fixed broken PDF template for appointment data.
2.5.0 “Noaberschap” (2024-01-24)
Open Forms 2.5.0 is a feature release.
Noaberschap of naoberschap bunt de gezamenleke noabers in ne kleine sociale, oaverweagend agrarische samenleaving. Binnen den noaberschap besteet de noaberplicht. Dit höldt de verplichting in, dat de noabers mekare bi-j mot stoan in road en doad as dat neudig is. Et begrip is veural bekand in den Achterhook, Twente Salland en Drenthe, moar i-j kunt et eavenens in et westen van Duutslaand vinden (Graofschap Bentheim en umgeaving).
—definition in Achterhoeks, Dutch dialect
Upgrade procedure
⚠️ Ensure you upgrade to Open Forms 2.4.0 before upgrading to the 2.5 release series.
⚠️ Please review the instructions in the documentation under Installation > Upgrade details to Open Forms 2.5.0 before and during upgrading.
We recommend running the
bin/report_component_problems.py
script to diagnose any problems in existing form definitions. These will be patched up during the upgrade, but it’s good to know which form definitions will be touched in case something looks odd.Existing instances need to enable the new formio builder feature flag in the admin configuration.
Major features
🏗️ Form builder rework
We have taken lessons from the past into account and decided to implement our form builder from the ground up so that we are not limited anymore by third party limitations.
The new form builder looks visually (mostly) the same, but the interface is a bit snappier and much more accessible. Most importantly for us, it’s now easier to change and extend functionalities.
There are some further implementation details that have not been fully replaced yet, but those do not affect the available functionality. We’ll keep improving on this topic!
🌐 Translation improvements
Doing the form builder rework was crucial to be able to improve on our translation machinery of form field components. We’ve resolved the issues with translations in fieldsets, repeating groups and columns and translations are now directly tied to the component/field they apply too, making everything much more intuitive.
Additionally, in the translations table we are now able to provide more context to help translators in providing the correct literals.
💰 Payment flow rework
Before this version, we would always register the submission in the configured backend and then send an update when payment is fulfilled. Now, you can configure to only perform the registration after payment is completed.
On top of that, we’ve updated the UI to make it more obvious to the end user that payment is required.
🏡 BRK integration
We’ve added support for the Basiregistratie Kadaster Haal Centraal API. You can now validate that the authenticated user (DigiD) is “zaakgerechtigd” for the property at a given address (postcode + number and suffixes).
🧵 Embedding rework
We have overhauled our embedding and redirect flows between backend and frontend. This should now properly support all features when using hash based routing. Please let us know if you run into any edge cases that don’t work as expected yet!
🧩 More NL Design System components
We’ve restructured page-scaffolding to make use of NL Design System components, which makes your themes more reusable and portable accross different applications.
Detailed changes
The 2.5.0-alpha.0 changes are included as well, see the earlier changelog entry.
New features
Form designer
[#3712] Replaced the form builder with our own implementation. The feature flag is now on by default for new instances. Existing instances need to toggle this.
[#2958] Converted component translations to the new format used by the new form builder.
[#3607] Added a new component type
addressNL
to integrate with the BRK.[#2710] Added “initials” to StufBG prefill options.
Registration plugins
[#3601], ZGW plugin: you can now register (part of) the submission data in the Objects API, and it will be related to the created Zaak.
⚠️ This requires a compatible version of the Objects API, see the upstream issue.
[#3726] Reworked the payment flow to make it more obvious that payment is required.
[#3707] group synchronization/mapping can now be disabled with OIDC SSO.
[#3201] Updated more language to be B1-level.
[#3702] Simplified language in co-sign emails.
[#180] Added support for GovMetric analytics.
[#3779] Updated the menu structure following user feedback about the form building experience.
[#3731] Added support for “protocollering” headers when using the BRP Personen Bevragen API.
Bugfixes
[#3656] Fixed incorrect DigiD error messages being shown when using OIDC-based plugins.
[#3705] Fixed the
__str__
datetime representation of submissions to take the timezone into account.[#3692] Fixed crash when using OIDC DigiD login while logged into the admin interface.
[#3704] Fixed the family members component not retrieving the partners when using StUF-BG as data source.
Fixed ‘none’ value in CSP configugration.
[#3744] Fixed conditionally marking a postcode component as required/optional.
[#3743] Fixed a crash in the admin with bad ZGW API configuration.
[#3778] Ensured that the
content
component label is consistently not displayed anywhere.[#3755] Fixed date/datetime fields clearing invalid values rather than showing a validation error.
Project maintenance
[#3626] Added end-to-end tests for submission resume flows.
[#3694] Upgraded to React 18.
Removed some development tooling which was superceded by Storybook.
Added documentation for a DigiD/eHerkenning LoA error and its solution.
Refactored the utilities for dealing with JSON templates.
Removed (EOL) 2.1.x from CI configuration.
[#2958] Added formio component Hypothesis search strategies.
Upgraded to the latest
drf-spectacular
version.[#3049] Replaced the admin array widget with another library.
Upgraded libraries to have their latest security fixes.
Improved documentation for the release process.
Documented typing philosophy in contributing guidelines.
Modernized dev-tooling configuration (isort, flake8, coverage).
Squashed forms and config app migrations.
2.5.0-alpha.0 (2023-12-15)
This is an alpha release, meaning it is not finished yet or suitable for production use.
Upgrade procedure
⚠️ Ensure you upgrade to Open Forms 2.4.0 before upgrading to the 2.5 release series.
⚠️ Please review the instructions in the documentation under Installation > Upgrade details to Open Forms 2.5.0 before and during upgrading.
Detailed changes
New features
[#3178] Replaced more custom components with NL Design System components for improved themeing. You can now use design tokens for:
utrecht-document
utrecht-page
utrecht-page-header
utrecht-page-footer
utrecht-page-content
[#3573] Added support for sending geo (Point2D) coordinates as GeoJSON to the Objects API.
Added CSP
object-src
directive to settings (preventing embedding by default).Upgraded the version of the new (experimental) form builder.
[#3559] Added support for Piwik PRO Tag Manager as an alternative for Piwik PRO Analytics.
[#3403] Added support for multiple themes. You can now configure a default theme and specify form-specific styles to apply.
[#3649] Improved support for different vendors of the Documenten API implementation.
[#3651] The suffix to a field label for optional fields now uses simpler language.
[#3005] Submission processing can now be deferred until payment is completed (when relevant).
Bugfixes
[#3362] We’ve reworked and fixed the flow to redirect from the backend back to the form in the frontend, fixing the issues with hash-based routing in the process. Resuming forms after pausing, cosign flows… should now all work properly when you use hash-based routing.
[#3548] Fixed not being able to remove the MS Graph service/registration configuration.
[#3604] Fixed a regression in the Objects API and ZGW API’s registration backends. The required
Content-Crs
request header was no longer sent in outgoing requests after the API client refactoring.[#3625] Fixed crashes during StUF response parsing when certain
nil
values are present.Updated the CSP
frame-ancestors
directive to match theX-Frame-Options
configuration.[#3605] Fixed unintended number localization in StUF/SOAP messages.
[#3613] Fixed submission resume flow not sending the user through the authentication flow again when they authenticated for forms that have optional authentication. This unfortunately resulted in hashed BSNs being sent to registration backends, which we can not recover/translate back to the plain-text values.
[#3641] Fixed the DigiD/eHerkenning authentication flows aborting when the user changes connection/IP address.
[#3647] Fixed a backend (logic check) crash when non-parsable time, date or datetime values are passed. The values are now ignored as if nothing was submitted.
Project maintenance
Deleted dead/unused CSS.
Upgraded dependencies having new patch/security releases.
[#3620] Upgraded storybook to v7.
Updated the Docker image workflow, OS packages are now upgraded during the build and image vulnerability scanning added to the CI pipeline.
Fixed generic type hinting of registry.
[#3558] Refactored the CSP setting generation from analytics configuration mechanism to be more resilient.
Ensured that we send tracebacks to Sentry on DigiD errors.
Refactored card component usage to use the component from the SDK.
Upgraded WeasyPrint for PDF generation.
[#3049] Replaced deprecated calls to
ugettext*
.Fixed a deprecation warning when using new-style middlewares.
[#3005] Simplified/refactored the task orchestration for submission processing.
Require OF to be minimum of 2.4 before upgrading to 2.5.
Removed original source migrations that were squashed in Open Forms 2.4.
Replaced some (vendored) code with their equivalent library versions.
Upgraded the NodeJS version from v16 to v20.