- C-1: Move EMAIL_HOST_PASSWORD to os.environ (was hardcoded plaintext)
- C-2: Enable token-user cross-validation in validate_token_and_get_user()
(compares token.user_id with user.id to prevent impersonation)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Event.source field updated: eventify, community, partner (radio select in form)
- EventListAPI: fallback to all events when pincode returns < 6
- EventListAPI: include is_eventify_event and source in serializer
- Admin API: add source to list serializer
- Django admin: source in list_display, list_filter, list_editable
- Event form template: proper radio button rendering for source field
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
0001_initial was referencing events.0011_dashboard_indexes which no
longer exists as a file on disk (the DB has it applied but the file
was removed). Updated dependency to 0010_merge_20260324_1443 which
is the latest events migration file present, resolving the
NodeNotFoundError on management commands.
Users have been migrated from eventify-django SQLite to eventify-backend
PostgreSQL. The temporary users_db workaround is no longer needed:
- settings.py: removed users_db SQLite secondary database config
- views.py: removed _user_db()/_user_qs() helpers; user views now query
the default PostgreSQL directly with plain User.objects.filter()
- docker-compose.yml: SQLite read-only volume mount removed
All 27 users (25 non-superuser customers) now live in PostgreSQL.
The admin_api was querying eventify-backend's empty PostgreSQL. Real users
live in eventify-django's SQLite (db.sqlite3 on host). Fix:
- settings.py: auto-adds 'users_db' database config when users_db.sqlite3
is mounted into the container (read-only volume in docker-compose)
- views.py: _user_db() helper selects the correct database alias;
_user_qs() defers 'partner' field (absent from older SQLite schema)
- UserMetricsView, UserListView, UserDetailView, UserStatusView all use
_user_qs() so they query the 25 real registered customers
- UserListView and UserMetricsView now filter is_superuser=False so only
end-user accounts appear in the admin Users page (not admin/staff)
- _serialize_user now returns avatarUrl from profile_picture field so the
grid view renders profile images instead of broken img tags
- RegisterForm and WebRegisterForm now set is_customer=True and
role='customer' on save so future registrants are correctly classified
- Event model: added is_featured, is_top_event BooleanFields
- Migration 0007 applied to DB
- EventForm: checkboxes for both new fields
- EventAdmin: list_display, list_editable, list_filter for both flags
- FeaturedEventsAPI: POST /api/events/featured-events/ -> is_featured=True events
- TopEventsAPI: POST /api/events/top-events/ -> is_top_event=True events
