CHANGELOG.md

# Changelog

All notable changes to the Eventify Backend are documented here.
Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), versioning follows [Semantic Versioning](https://semver.org/).

---

## [1.8.2] — 2026-04-06

### Fixed
- **`FeaturedEventsAPI` now returns `event_type_name` string** — `model_to_dict()` serialises the `event_type` FK as an integer ID; the hero slider frontend reads `ev.event_type_name` to display the category badge, which was always `null`
  - Added `data_dict['event_type_name'] = e.event_type.event_type if e.event_type else ''` after `model_to_dict(e)` to resolve the FK to its human-readable name (e.g. `"Festivals"`)
  - No frontend changes required — `fetchHeroSlides()` already falls back to `ev.event_type_name`

---

## [1.8.1] — 2026-04-06

### Fixed
- **`FeaturedEventsAPI` now works without authentication** — `POST /api/events/featured-events/` had `AllowAny` permission but still called `validate_token_and_get_user()`, causing the endpoint to return HTTP 200 + `{"status":"error","message":"token and username required"}` for unauthenticated requests (e.g. the desktop hero slider)
  - Removed the `validate_token_and_get_user()` call entirely — the endpoint is public by design and requires no token
  - Also tightened the queryset to `event_status='published'` (was `is_featured=True` only) to match `ConsumerFeaturedEventsView` behaviour and avoid returning draft/cancelled events
  - Root cause: host Nginx routes `/api/` → `eventify-backend` container (port 3001), not `eventify-django` (port 8085); the `validate_token_and_get_user` gate in this container was silently blocking all hero slider requests

---

## [1.8.0] — 2026-04-04

### Added
- **`BulkUserPublicInfoView`** (`POST /api/user/bulk-public-info/`)
  - Internal endpoint for the Node.js gamification server to resolve user details
  - Accepts `{ emails: [...] }` (max 500), returns `{ users: { email: { display_name, district, eventify_id } } }`
  - Used for leaderboard data bridge (syncing user names/districts into gamification DB)
  - CSRF-exempt, returns only public-safe fields (no passwords, tokens, or sensitive PII)

---

## [1.7.0] — 2026-04-04

### Added
- **Home District with 6-month cooldown**
  - `district_changed_at` DateTimeField on User model (migration `0013_user_district_changed_at`) — nullable, no backfill; NULL means "eligible to change immediately"
  - `VALID_DISTRICTS` constant (14 Kerala districts) in `accounts/models.py` for server-side validation
  - `WebRegisterForm` now accepts optional `district` field; stamps `district_changed_at` on valid selection during signup
  - `UpdateProfileView` enforces 183-day (~6 months) cooldown — rejects district changes within the window with a human-readable "Next change: {date}" error
  - `district_changed_at` included in all relevant API responses: `LoginView`, `WebRegisterView`, `StatusView`, `UpdateProfileView`
  - `StatusView` now also returns `district` field (was previously missing)

---

## [1.6.2] — 2026-04-03

### Security
- **Internal exceptions no longer exposed to API callers** — all 15 `except Exception as e` blocks across `mobile_api/views/user.py` and `mobile_api/views/events.py` now log the real error via `eventify_logger` and return a generic `"An unexpected server error occurred."` to the caller
  - Affected views: `RegisterView`, `WebRegisterView`, `LoginView`, `StatusView`, `LogoutView`, `UpdateProfileView`, `EventTypeAPI`, `EventListAPI`, `EventDetailAPI`, `EventImagesListAPI`, `EventsByDateAPI`, `DateSheetAPI`, `PincodeEventsAPI`, `FeaturedEventsAPI`, `TopEventsAPI`
  - `StatusView` and `UpdateProfileView` were also missing `log(...)` calls entirely — added
  - `from eventify_logger.services import log` import added to `events.py` (was absent)

---

## [1.6.1] — 2026-04-03

### Added
- **`eventify_id` in `StatusView` response** (`/api/user/status/`) — consumer app uses this to refresh the Eventify ID badge (`EVT-XXXXXXXX`) for sessions that pre-date the `eventify_id` login field
- **`accounts` migration `0012_user_eventify_id` deployed to production containers** — backfilled all existing users with unique Eventify IDs; previously the migration existed locally but had not been applied in production

---

## [1.6.0] — 2026-04-02

### Added
- **Unique Eventify ID system** (`EVT-XXXXXXXX` format)
  - New `eventify_id` field on `User` model — `CharField(max_length=12, unique=True, editable=False, db_index=True)`
  - Charset `ABCDEFGHJKLMNPQRSTUVWXYZ23456789` (no ambiguous characters I/O/0/1) giving ~1.78T combinations
  - Auto-generated on first `save()` via a 10-attempt retry loop using `secrets.choice()`
  - Migration `0012_user_eventify_id`: add nullable → backfill all existing users → make non-null
- `eventify_id` exposed in `accounts/api.py` → `_partner_user_to_dict()` fields list
- `eventify_id` exposed in `partner/api.py` → `_user_to_dict()` fields list
- `eventify_id` exposed in `mobile_api/views/user.py` → `LoginView` response (populates `localStorage.event_user.eventify_id`)
- `eventifyId` exposed in `admin_api/views.py` → `_serialize_user()` (camelCase for direct TypeScript compatibility)
- Server-side search in `UserListView` now also filters on `eventify_id__icontains`
- Synced migration `0011_user_allowed_modules_alter_user_id` (pulled from server, was missing from local repo)

### Changed
- `accounts/models.py`: merged `allowed_modules` field + `get_allowed_modules()` + `ALL_MODULES` constant from server (previously only existed on server)

---

## [1.5.0] — 2026-03-31

### Added
- `allowed_modules` TextField on `User` model — comma-separated module slug access control
- `get_allowed_modules()` method on `User` — returns list of accessible modules based on role or explicit list
- `ALL_MODULES` class constant listing all platform module slugs
- Migration `0011_user_allowed_modules_alter_user_id`

---

## [1.4.0] — 2026-03-24

### Added
- Partner portal login/logout APIs (`accounts/api.py`) — `PartnerLoginAPI`, `PartnerLogoutAPI`, `PartnerMeAPI`
- `_partner_user_to_dict()` serializer for partner-scoped user data
- Partner CRUD, KYC review, and user management endpoints in `partner/api.py`

---

## [1.3.0] — 2026-03-14

### Changed
- User `id` field changed from `AutoField` to `BigAutoField` (migration `0010_alter_user_id`)

---

## [1.2.0] — 2026-03-10

### Added
- `partner` ForeignKey on `User` model linking users to partners (migration `0009_user_partner`)
- Profile picture upload support (`ImageField`) with `default.png` fallback (migration `0006–0007`)

---

## [1.1.0] — 2026-02-28

### Added
- Location fields on `User`: `pincode`, `district`, `state`, `country`, `place`, `latitude`, `longitude`
- Custom `UserManager` for programmatic user creation

---

## [1.0.0] — 2026-03-01

### Added
- Initial Django project with custom `User` model extending `AbstractUser`
- Role choices: `admin`, `manager`, `staff`, `customer`, `partner`, `partner_manager`, `partner_staff`, `partner_customer`
- JWT authentication via `djangorestframework-simplejwt`
- Admin API foundation: auth, dashboard metrics, partners, users, events
- Docker + Gunicorn + PostgreSQL 16 production setup
-												docs: add CHANGELOG.md and update README version to 1.6.0

- CHANGELOG.md: full history from 1.0.0 → 1.6.0 (Keep a Changelog format)
- README.md: bump version badge 1.5.0 → 1.6.0, add changelog summary table

											
										
										
											2026-04-02 11:03:18 +05:30
+								# Changelog
 								All notable changes to the Eventify Backend are documented here.
 								Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), versioning follows [Semantic Versioning](https://semver.org/).
 								---
-												fix(featured-events): resolve event_type FK to name string in API response

model_to_dict() returns event_type as an integer PK; the DHS frontend
reads ev.event_type_name to show the category badge. Added
event_type_name resolution so the carousel displays e.g. "Festivals".

											
										
										
											2026-04-06 21:44:11 +05:30
+								## [1.8.2] — 2026-04-06
 								### Fixed
 								- **`FeaturedEventsAPI` now returns `event_type_name` string** — `model_to_dict()` serialises the `event_type` FK as an integer ID; the hero slider frontend reads `ev.event_type_name` to display the category badge, which was always `null`
 								  - Added `data_dict['event_type_name'] = e.event_type.event_type if e.event_type else ''` after `model_to_dict(e)` to resolve the FK to its human-readable name (e.g. `"Festivals"`)
 								  - No frontend changes required — `fetchHeroSlides()` already falls back to `ev.event_type_name`
 								---
-												docs: changelog v1.8.1 — FeaturedEventsAPI token gate fix

											
										
										
											2026-04-06 19:45:46 +05:30
+								## [1.8.1] — 2026-04-06
 								### Fixed
 								- **`FeaturedEventsAPI` now works without authentication** — `POST /api/events/featured-events/` had `AllowAny` permission but still called `validate_token_and_get_user()`, causing the endpoint to return HTTP 200 + `{"status":"error","message":"token and username required"}` for unauthenticated requests (e.g. the desktop hero slider)
 								  - Removed the `validate_token_and_get_user()` call entirely — the endpoint is public by design and requires no token
 								  - Also tightened the queryset to `event_status='published'` (was `is_featured=True` only) to match `ConsumerFeaturedEventsView` behaviour and avoid returning draft/cancelled events
 								  - Root cause: host Nginx routes `/api/` → `eventify-backend` container (port 3001), not `eventify-django` (port 8085); the `validate_token_and_get_user` gate in this container was silently blocking all hero slider requests
 								---
 								## [1.8.0] — 2026-04-04
 								### Added
 								- **`BulkUserPublicInfoView`** (`POST /api/user/bulk-public-info/`)
 								  - Internal endpoint for the Node.js gamification server to resolve user details
 								  - Accepts `{ emails: [...] }` (max 500), returns `{ users: { email: { display_name, district, eventify_id } } }`
 								  - Used for leaderboard data bridge (syncing user names/districts into gamification DB)
 								  - CSRF-exempt, returns only public-safe fields (no passwords, tokens, or sensitive PII)
 								---
-												feat(accounts): home district with 6-month cooldown

- accounts/models.py: add district_changed_at DateTimeField + VALID_DISTRICTS constant (14 Kerala districts)
- migration 0013_user_district_changed_at: nullable DateTimeField, no backfill
- WebRegisterForm: accept optional district during signup, stamp district_changed_at
- UpdateProfileView: enforce 183-day cooldown with human-readable error
- LoginView/WebRegisterView/StatusView: include district_changed_at in responses

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-04-04 10:42:44 +05:30
+								## [1.7.0] — 2026-04-04
 								### Added
 								- **Home District with 6-month cooldown**
 								  - `district_changed_at` DateTimeField on User model (migration `0013_user_district_changed_at`) — nullable, no backfill; NULL means "eligible to change immediately"
 								  - `VALID_DISTRICTS` constant (14 Kerala districts) in `accounts/models.py` for server-side validation
 								  - `WebRegisterForm` now accepts optional `district` field; stamps `district_changed_at` on valid selection during signup
 								  - `UpdateProfileView` enforces 183-day (~6 months) cooldown — rejects district changes within the window with a human-readable "Next change: {date}" error
 								  - `district_changed_at` included in all relevant API responses: `LoginView`, `WebRegisterView`, `StatusView`, `UpdateProfileView`
 								  - `StatusView` now also returns `district` field (was previously missing)
 								---
-												docs: add v1.6.1 and v1.6.2 CHANGELOG entries

Documents StatusView eventify_id addition and the security fix
that stops internal Python exceptions from reaching API callers.

											
										
										
											2026-04-03 09:27:15 +05:30
+								## [1.6.2] — 2026-04-03
 								### Security
 								- **Internal exceptions no longer exposed to API callers** — all 15 `except Exception as e` blocks across `mobile_api/views/user.py` and `mobile_api/views/events.py` now log the real error via `eventify_logger` and return a generic `"An unexpected server error occurred."` to the caller
 								  - Affected views: `RegisterView`, `WebRegisterView`, `LoginView`, `StatusView`, `LogoutView`, `UpdateProfileView`, `EventTypeAPI`, `EventListAPI`, `EventDetailAPI`, `EventImagesListAPI`, `EventsByDateAPI`, `DateSheetAPI`, `PincodeEventsAPI`, `FeaturedEventsAPI`, `TopEventsAPI`
 								  - `StatusView` and `UpdateProfileView` were also missing `log(...)` calls entirely — added
 								  - `from eventify_logger.services import log` import added to `events.py` (was absent)
 								---
 								## [1.6.1] — 2026-04-03
 								### Added
 								- **`eventify_id` in `StatusView` response** (`/api/user/status/`) — consumer app uses this to refresh the Eventify ID badge (`EVT-XXXXXXXX`) for sessions that pre-date the `eventify_id` login field
 								- **`accounts` migration `0012_user_eventify_id` deployed to production containers** — backfilled all existing users with unique Eventify IDs; previously the migration existed locally but had not been applied in production
 								---
-												docs: add CHANGELOG.md and update README version to 1.6.0

- CHANGELOG.md: full history from 1.0.0 → 1.6.0 (Keep a Changelog format)
- README.md: bump version badge 1.5.0 → 1.6.0, add changelog summary table

											
										
										
											2026-04-02 11:03:18 +05:30
+								## [1.6.0] — 2026-04-02
 								### Added
 								- **Unique Eventify ID system** (`EVT-XXXXXXXX` format)
 								  - New `eventify_id` field on `User` model — `CharField(max_length=12, unique=True, editable=False, db_index=True)`
 								  - Charset `ABCDEFGHJKLMNPQRSTUVWXYZ23456789` (no ambiguous characters I/O/0/1) giving ~1.78T combinations
 								  - Auto-generated on first `save()` via a 10-attempt retry loop using `secrets.choice()`
 								  - Migration `0012_user_eventify_id`: add nullable → backfill all existing users → make non-null
 								- `eventify_id` exposed in `accounts/api.py` → `_partner_user_to_dict()` fields list
 								- `eventify_id` exposed in `partner/api.py` → `_user_to_dict()` fields list
 								- `eventify_id` exposed in `mobile_api/views/user.py` → `LoginView` response (populates `localStorage.event_user.eventify_id`)
 								- `eventifyId` exposed in `admin_api/views.py` → `_serialize_user()` (camelCase for direct TypeScript compatibility)
 								- Server-side search in `UserListView` now also filters on `eventify_id__icontains`
 								- Synced migration `0011_user_allowed_modules_alter_user_id` (pulled from server, was missing from local repo)
 								### Changed
 								- `accounts/models.py`: merged `allowed_modules` field + `get_allowed_modules()` + `ALL_MODULES` constant from server (previously only existed on server)
 								---
 								## [1.5.0] — 2026-03-31
 								### Added
 								- `allowed_modules` TextField on `User` model — comma-separated module slug access control
 								- `get_allowed_modules()` method on `User` — returns list of accessible modules based on role or explicit list
 								- `ALL_MODULES` class constant listing all platform module slugs
 								- Migration `0011_user_allowed_modules_alter_user_id`
 								---
 								## [1.4.0] — 2026-03-24
 								### Added
 								- Partner portal login/logout APIs (`accounts/api.py`) — `PartnerLoginAPI`, `PartnerLogoutAPI`, `PartnerMeAPI`
 								- `_partner_user_to_dict()` serializer for partner-scoped user data
 								- Partner CRUD, KYC review, and user management endpoints in `partner/api.py`
 								---
 								## [1.3.0] — 2026-03-14
 								### Changed
 								- User `id` field changed from `AutoField` to `BigAutoField` (migration `0010_alter_user_id`)
 								---
 								## [1.2.0] — 2026-03-10
 								### Added
 								- `partner` ForeignKey on `User` model linking users to partners (migration `0009_user_partner`)
 								- Profile picture upload support (`ImageField`) with `default.png` fallback (migration `0006–0007`)
 								---
 								## [1.1.0] — 2026-02-28
 								### Added
 								- Location fields on `User`: `pincode`, `district`, `state`, `country`, `place`, `latitude`, `longitude`
 								- Custom `UserManager` for programmatic user creation
 								---
 								## [1.0.0] — 2026-03-01
 								### Added
 								- Initial Django project with custom `User` model extending `AbstractUser`
 								- Role choices: `admin`, `manager`, `staff`, `customer`, `partner`, `partner_manager`, `partner_staff`, `partner_customer`
 								- JWT authentication via `djangorestframework-simplejwt`
 								- Admin API foundation: auth, dashboard metrics, partners, users, events
 								- Docker + Gunicorn + PostgreSQL 16 production setup