arthexis 0.1.16__py3-none-any.whl → 0.1.28__py3-none-any.whl

core/views.py

@@ -11,7 +11,7 @@ import requests
 from django.conf import settings
 from django.contrib.admin.sites import site as admin_site
 from django.contrib.admin.views.decorators import staff_member_required
-from django.contrib.auth import authenticate, login
+from django.contrib.auth import REDIRECT_FIELD_NAME, authenticate, login
 from django.contrib import messages
 from django.contrib.sites.models import Site
 from django.http import Http404, JsonResponse, HttpResponse
@@ -19,7 +19,6 @@ from django.shortcuts import get_object_or_404, redirect, render, resolve_url
 from django.template.response import TemplateResponse
 from django.utils import timezone
 from django.utils.html import strip_tags
-from django.utils.text import slugify
 from django.utils.translation import gettext as _
 from django.urls import NoReverseMatch, reverse
 from django.views.decorators.csrf import csrf_exempt
@@ -43,6 +42,7 @@ logger = logging.getLogger(__name__)
 PYPI_REQUEST_TIMEOUT = 10
 
 from . import changelog as changelog_utils
+from . import temp_passwords
 from .models import OdooProfile, Product, EnergyAccount, PackageRelease, Todo
 from .models import RFID
 
@@ -58,7 +58,6 @@ def odoo_products(request):
         products = profile.execute(
             "product.product",
             "search_read",
-            [[]],
             fields=["name"],
             limit=50,
         )
@@ -100,7 +99,7 @@ def odoo_quote_report(request):
 
     if not profile or not profile.is_verified:
         context["error"] = _(
-            "Configure and verify your Odoo employee credentials before generating the report."
+            "Configure and verify your CRM employee credentials before generating the report."
         )
         return TemplateResponse(
             request, "admin/core/odoo_quote_report.html", context
@@ -137,7 +136,6 @@ def odoo_quote_report(request):
         templates = profile.execute(
             "sale.order.template",
             "search_read",
-            [[]],
             fields=["name"],
             order="name asc",
         )
@@ -287,7 +285,6 @@ def odoo_quote_report(request):
         products = profile.execute(
             "product.product",
             "search_read",
-            [[]],
             fields=["name", "default_code", "write_date", "create_date"],
             limit=10,
             order="write_date desc, create_date desc",
@@ -336,6 +333,36 @@ def odoo_quote_report(request):
     return TemplateResponse(request, "admin/core/odoo_quote_report.html", context)
 
 
+@staff_member_required
+@require_GET
+def request_temp_password(request):
+    """Generate a temporary password for the authenticated staff member."""
+
+    user = request.user
+    username = user.get_username()
+    password = temp_passwords.generate_password()
+    entry = temp_passwords.store_temp_password(
+        username,
+        password,
+        allow_change=True,
+    )
+    context = {
+        **admin_site.each_context(request),
+        "title": _("Temporary password"),
+        "username": username,
+        "password": password,
+        "expires_at": timezone.localtime(entry.expires_at),
+        "allow_change": entry.allow_change,
+        "return_url": reverse("admin:password_change"),
+    }
+    return TemplateResponse(
+        request,
+        "admin/core/request_temp_password.html",
+        context,
+    )
+
+
+@staff_member_required
 @require_GET
 def version_info(request):
     """Return the running application version and Git revision."""
@@ -418,8 +445,11 @@ def _resolve_release_log_dir(preferred: Path) -> tuple[Path, str | None]:
 
     env_override = os.environ.pop("ARTHEXIS_LOG_DIR", None)
     fallback = select_log_dir(Path(settings.BASE_DIR))
-    if env_override and Path(env_override) != fallback:
-        os.environ["ARTHEXIS_LOG_DIR"] = str(fallback)
+    if env_override is not None:
+        if Path(env_override) == fallback:
+            os.environ["ARTHEXIS_LOG_DIR"] = env_override
+        else:
+            os.environ["ARTHEXIS_LOG_DIR"] = str(fallback)
 
     if fallback == preferred:
         if error:
@@ -440,9 +470,60 @@ def _resolve_release_log_dir(preferred: Path) -> tuple[Path, str | None]:
     return fallback, warning
 
 
+def _commit_todo_fixtures_if_needed(log_path: Path) -> None:
+    """Stage and commit modified TODO fixtures before syncing with origin/main."""
+
+    try:
+        status = subprocess.run(
+            ["git", "status", "--porcelain"],
+            check=True,
+            capture_output=True,
+            text=True,
+        )
+    except subprocess.CalledProcessError:
+        return
+
+    todo_paths: set[Path] = set()
+    for line in (status.stdout or "").splitlines():
+        if not line:
+            continue
+        path_fragment = line[3:].strip()
+        if "->" in path_fragment:
+            path_fragment = path_fragment.split("->", 1)[1].strip()
+        path = Path(path_fragment)
+        if path.suffix == ".json" and path.parent == Path("core/fixtures"):
+            if path.name.startswith("todo__"):
+                todo_paths.add(path)
+
+    if not todo_paths:
+        return
+
+    sorted_paths = sorted(todo_paths)
+    subprocess.run(
+        ["git", "add", *[str(path) for path in sorted_paths]],
+        check=True,
+    )
+    formatted = ", ".join(_format_path(path) for path in sorted_paths)
+    _append_log(log_path, f"Staged TODO fixtures {formatted}")
+
+    diff = subprocess.run(
+        ["git", "diff", "--cached", "--name-only", "--", *[str(path) for path in sorted_paths]],
+        check=True,
+        capture_output=True,
+        text=True,
+    )
+
+    if (diff.stdout or "").strip():
+        message = "chore: update TODO fixtures"
+        subprocess.run(["git", "commit", "-m", message], check=True)
+        _append_log(log_path, f"Committed TODO fixtures ({message})")
+
+
 def _sync_with_origin_main(log_path: Path) -> None:
     """Ensure the current branch is rebased onto ``origin/main``."""
 
+    _commit_todo_fixtures_if_needed(log_path)
+
     if not _has_remote("origin"):
         _append_log(log_path, "No git remote configured; skipping sync with origin/main")
         return
@@ -463,6 +544,16 @@ def _sync_with_origin_main(log_path: Path) -> None:
         if stderr:
             _append_log(log_path, "git errors:\n" + stderr)
 
+        status = subprocess.run(
+            ["git", "status"], capture_output=True, text=True, check=False
+        )
+        status_output = (status.stdout or "").strip()
+        status_errors = (status.stderr or "").strip()
+        if status_output:
+            _append_log(log_path, "git status:\n" + status_output)
+        if status_errors:
+            _append_log(log_path, "git status errors:\n" + status_errors)
+
         branch = _current_branch() or "(detached HEAD)"
         instructions = [
             "Manual intervention required to finish syncing with origin/main.",
@@ -578,6 +669,43 @@ def _git_authentication_missing(exc: subprocess.CalledProcessError) -> bool:
     return any(marker in message for marker in auth_markers)
 
 
+def _push_release_changes(log_path: Path) -> bool:
+    """Push release commits to ``origin`` and log the outcome."""
+
+    if not _has_remote("origin"):
+        _append_log(
+            log_path, "No git remote configured; skipping push of release changes"
+        )
+        return False
+
+    try:
+        branch = _current_branch()
+        if branch is None:
+            push_cmd = ["git", "push", "origin", "HEAD"]
+        elif _has_upstream(branch):
+            push_cmd = ["git", "push"]
+        else:
+            push_cmd = ["git", "push", "--set-upstream", "origin", branch]
+        subprocess.run(push_cmd, check=True, capture_output=True, text=True)
+    except subprocess.CalledProcessError as exc:
+        details = _format_subprocess_error(exc)
+        if _git_authentication_missing(exc):
+            _append_log(
+                log_path,
+                "Authentication is required to push release changes to origin; skipping push",
+            )
+            if details:
+                _append_log(log_path, details)
+            return False
+        _append_log(
+            log_path, f"Failed to push release changes to origin: {details}"
+        )
+        raise Exception("Failed to push release changes") from exc
+
+    _append_log(log_path, "Pushed release changes to origin")
+    return True
+
+
 def _ensure_origin_main_unchanged(log_path: Path) -> None:
     """Verify that ``origin/main`` has not advanced during the release."""
 
@@ -610,42 +738,20 @@ def _ensure_origin_main_unchanged(log_path: Path) -> None:
 def _next_patch_version(version: str) -> str:
     from packaging.version import InvalidVersion, Version
 
+    cleaned = version.rstrip("+")
     try:
-        parsed = Version(version)
+        parsed = Version(cleaned)
     except InvalidVersion:
-        parts = version.split(".")
+        parts = cleaned.split(".") if cleaned else []
         for index in range(len(parts) - 1, -1, -1):
             segment = parts[index]
             if segment.isdigit():
                 parts[index] = str(int(segment) + 1)
                 return ".".join(parts)
-        return version
+        return cleaned or version
     return f"{parsed.major}.{parsed.minor}.{parsed.micro + 1}"
 
 
-def _write_todo_fixture(todo: Todo) -> Path:
-    safe_request = todo.request.replace(".", " ")
-    slug = slugify(safe_request).replace("-", "_")
-    if not slug:
-        slug = "todo"
-    path = TODO_FIXTURE_DIR / f"todos__{slug}.json"
-    path.parent.mkdir(parents=True, exist_ok=True)
-    data = [
-        {
-            "model": "core.todo",
-            "fields": {
-                "request": todo.request,
-                "url": todo.url,
-                "request_details": todo.request_details,
-                "generated_for_version": todo.generated_for_version,
-                "generated_for_revision": todo.generated_for_revision,
-            },
-        }
-    ]
-    path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8")
-    return path
-
-
 def _should_use_python_changelog(exc: OSError) -> bool:
     winerror = getattr(exc, "winerror", None)
     if winerror in {193}:
@@ -656,8 +762,8 @@ def _should_use_python_changelog(exc: OSError) -> bool:
 def _generate_changelog_with_python(log_path: Path) -> None:
     _append_log(log_path, "Falling back to Python changelog generator")
     changelog_path = Path("CHANGELOG.rst")
-    range_spec = changelog_utils.determine_range_spec()
     previous = changelog_path.read_text(encoding="utf-8") if changelog_path.exists() else None
+    range_spec = changelog_utils.determine_range_spec(previous_text=previous)
     sections = changelog_utils.collect_sections(range_spec=range_spec, previous_text=previous)
     content = changelog_utils.render_changelog(sections)
     if not content.endswith("\n"):
@@ -666,44 +772,32 @@ def _generate_changelog_with_python(log_path: Path) -> None:
     _append_log(log_path, "Regenerated CHANGELOG.rst using Python fallback")
 
 
-def _ensure_release_todo(
-    release, *, previous_version: str | None = None
-) -> tuple[Todo, Path]:
-    previous_version = (previous_version or "").strip()
-    target_version = _next_patch_version(release.version)
-    if previous_version:
-        try:
-            from packaging.version import InvalidVersion, Version
+def _todo_blocks_publish(todo: Todo, release: PackageRelease) -> bool:
+    """Return ``True`` when ``todo`` should block the release workflow."""
 
-            parsed_previous = Version(previous_version)
-            parsed_target = Version(target_version)
-        except InvalidVersion:
-            pass
-        else:
-            if parsed_target <= parsed_previous:
-                target_version = _next_patch_version(previous_version)
-    request = f"Create release {release.package.name} {target_version}"
-    try:
-        url = reverse("admin:core_packagerelease_changelist")
-    except NoReverseMatch:
-        url = ""
-    todo, _ = Todo.all_objects.update_or_create(
-        request__iexact=request,
-        defaults={
-            "request": request,
-            "url": url,
-            "request_details": "",
-            "generated_for_version": release.version or "",
-            "generated_for_revision": release.revision or "",
-            "is_seed_data": True,
-            "is_deleted": False,
-            "is_user_data": False,
-            "done_on": None,
-            "on_done_condition": "",
-        },
-    )
-    fixture_path = _write_todo_fixture(todo)
-    return todo, fixture_path
+    request = (todo.request or "").strip()
+    release_name = (release.package.name or "").strip()
+    if not request or not release_name:
+        return True
+
+    prefix = f"create release {release_name.lower()} "
+    if not request.lower().startswith(prefix):
+        return True
+
+    release_version = (release.version or "").strip()
+    generated_version = (todo.generated_for_version or "").strip()
+    if not release_version or release_version != generated_version:
+        return True
+
+    generated_revision = (todo.generated_for_revision or "").strip()
+    release_revision = (release.revision or "").strip()
+    if generated_revision and release_revision and generated_revision != release_revision:
+        return True
+
+    if not todo.is_seed_data:
+        return True
+
+    return False
 
 
 def _sync_release_with_revision(release: PackageRelease) -> tuple[bool, str]:
@@ -723,7 +817,9 @@ def _sync_release_with_revision(release: PackageRelease) -> tuple[bool, str]:
     version_path = Path("VERSION")
     if version_path.exists():
         try:
-            repo_version = Version(version_path.read_text(encoding="utf-8").strip())
+            raw_version = version_path.read_text(encoding="utf-8").strip()
+            cleaned_version = raw_version.rstrip("+") or "0.0.0"
+            repo_version = Version(cleaned_version)
         except InvalidVersion:
             repo_version = None
 
@@ -890,14 +986,25 @@ def _refresh_changelog_once(ctx, log_path: Path) -> None:
     ctx["changelog_refreshed"] = True
 
 
-def _step_check_todos(release, ctx, log_path: Path) -> None:
+def _step_check_todos(release, ctx, log_path: Path, *, user=None) -> None:
     _refresh_changelog_once(ctx, log_path)
 
     pending_qs = Todo.objects.filter(is_deleted=False, done_on__isnull=True)
     pending_values = list(
         pending_qs.values("id", "request", "url", "request_details")
     )
+    if not pending_values:
+        ctx["todos_ack"] = True
+
     if not ctx.get("todos_ack"):
+        if not ctx.get("todos_block_logged"):
+            _append_log(
+                log_path,
+                "Release checklist requires acknowledgment before continuing. "
+                "Review outstanding TODO items and confirm the checklist; "
+                "publishing will resume automatically afterward.",
+            )
+            ctx["todos_block_logged"] = True
         ctx["todos"] = pending_values
         ctx["todos_required"] = True
         raise PendingTodos()
@@ -919,7 +1026,7 @@ def _step_check_todos(release, ctx, log_path: Path) -> None:
     ctx["todos_ack"] = True
 
 
-def _step_check_version(release, ctx, log_path: Path) -> None:
+def _step_check_version(release, ctx, log_path: Path, *, user=None) -> None:
     from . import release as release_utils
     from packaging.version import InvalidVersion, Version
 
@@ -1054,10 +1161,12 @@ def _step_check_version(release, ctx, log_path: Path) -> None:
     version_path = Path("VERSION")
     if version_path.exists():
         current = version_path.read_text(encoding="utf-8").strip()
-        if current and Version(release.version) < Version(current):
-            raise Exception(
-                f"Version {release.version} is older than existing {current}"
-            )
+        if current:
+            current_clean = current.rstrip("+") or "0.0.0"
+            if Version(release.version) < Version(current_clean):
+                raise Exception(
+                    f"Version {release.version} is older than existing {current}"
+                )
 
     _append_log(log_path, f"Checking if version {release.version} exists on PyPI")
     if release_utils.network_available():
@@ -1107,47 +1216,17 @@ def _step_check_version(release, ctx, log_path: Path) -> None:
         _append_log(log_path, "Network unavailable, skipping PyPI check")
 
 
-def _step_handle_migrations(release, ctx, log_path: Path) -> None:
+def _step_handle_migrations(release, ctx, log_path: Path, *, user=None) -> None:
     _append_log(log_path, "Freeze, squash and approve migrations")
     _append_log(log_path, "Migration review acknowledged (manual step)")
 
 
-def _step_changelog_docs(release, ctx, log_path: Path) -> None:
+def _step_changelog_docs(release, ctx, log_path: Path, *, user=None) -> None:
     _append_log(log_path, "Compose CHANGELOG and documentation")
     _append_log(log_path, "CHANGELOG and documentation review recorded")
 
 
-def _record_release_todo(
-    release, ctx, log_path: Path, *, previous_version: str | None = None
-) -> None:
-    previous_version = previous_version or ctx.pop(
-        "release_todo_previous_version",
-        getattr(release, "_repo_version_before_sync", ""),
-    )
-    todo, fixture_path = _ensure_release_todo(
-        release, previous_version=previous_version
-    )
-    fixture_display = _format_path(fixture_path)
-    _append_log(log_path, f"Added TODO: {todo.request}")
-    _append_log(log_path, f"Wrote TODO fixture {fixture_display}")
-    subprocess.run(["git", "add", str(fixture_path)], check=True)
-    _append_log(log_path, f"Staged TODO fixture {fixture_display}")
-    fixture_diff = subprocess.run(
-        ["git", "diff", "--cached", "--quiet", "--", str(fixture_path)],
-        check=False,
-    )
-    if fixture_diff.returncode != 0:
-        commit_message = f"chore: add release TODO for {release.package.name}"
-        subprocess.run(["git", "commit", "-m", commit_message], check=True)
-        _append_log(log_path, f"Committed TODO fixture {fixture_display}")
-    else:
-        _append_log(
-            log_path,
-            f"No changes detected for TODO fixture {fixture_display}; skipping commit",
-        )
-
-
-def _step_pre_release_actions(release, ctx, log_path: Path) -> None:
+def _step_pre_release_actions(release, ctx, log_path: Path, *, user=None) -> None:
     _append_log(log_path, "Execute pre-release actions")
     if ctx.get("dry_run"):
         _append_log(log_path, "Dry run: skipping pre-release actions")
@@ -1220,16 +1299,15 @@ def _step_pre_release_actions(release, ctx, log_path: Path) -> None:
         for path in staged_release_fixtures:
             subprocess.run(["git", "reset", "HEAD", str(path)], check=False)
             _append_log(log_path, f"Unstaged release fixture {_format_path(path)}")
-    ctx["release_todo_previous_version"] = repo_version_before_sync
     _append_log(log_path, "Pre-release actions complete")
 
 
-def _step_run_tests(release, ctx, log_path: Path) -> None:
+def _step_run_tests(release, ctx, log_path: Path, *, user=None) -> None:
     _append_log(log_path, "Complete test suite with --all flag")
     _append_log(log_path, "Test suite completion acknowledged")
 
 
-def _step_promote_build(release, ctx, log_path: Path) -> None:
+def _step_promote_build(release, ctx, log_path: Path, *, user=None) -> None:
     from . import release as release_utils
 
     _append_log(log_path, "Generating build files")
@@ -1241,7 +1319,7 @@ def _step_promote_build(release, ctx, log_path: Path) -> None:
         release_utils.promote(
             package=release.to_package(),
             version=release.version,
-            creds=release.to_credentials(),
+            creds=release.to_credentials(user=user),
         )
         _append_log(
             log_path,
@@ -1271,40 +1349,9 @@ def _step_promote_build(release, ctx, log_path: Path) -> None:
                 log_path,
                 f"Committed release metadata for v{release.version}",
             )
-        if _has_remote("origin"):
-            try:
-                branch = _current_branch()
-                if branch is None:
-                    push_cmd = ["git", "push", "origin", "HEAD"]
-                elif _has_upstream(branch):
-                    push_cmd = ["git", "push"]
-                else:
-                    push_cmd = ["git", "push", "--set-upstream", "origin", branch]
-                subprocess.run(push_cmd, check=True, capture_output=True, text=True)
-            except subprocess.CalledProcessError as exc:
-                details = _format_subprocess_error(exc)
-                if _git_authentication_missing(exc):
-                    _append_log(
-                        log_path,
-                        "Authentication is required to push release changes to origin; skipping push",
-                    )
-                    if details:
-                        _append_log(log_path, details)
-                else:
-                    _append_log(
-                        log_path, f"Failed to push release changes to origin: {details}"
-                    )
-                    raise Exception("Failed to push release changes") from exc
-            else:
-                _append_log(log_path, "Pushed release changes to origin")
-        else:
-            _append_log(
-                log_path,
-                "No git remote configured; skipping push of release changes",
-            )
+        _push_release_changes(log_path)
         PackageRelease.dump_fixture()
         _append_log(log_path, "Updated release fixtures")
-        _record_release_todo(release, ctx, log_path)
     except Exception:
         _clean_repo()
         raise
@@ -1320,8 +1367,10 @@ def _step_promote_build(release, ctx, log_path: Path) -> None:
     _append_log(new_log, "Build complete")
 
 
-def _step_release_manager_approval(release, ctx, log_path: Path) -> None:
-    if release.to_credentials() is None:
+def _step_release_manager_approval(
+    release, ctx, log_path: Path, *, user=None
+) -> None:
+    if release.to_credentials(user=user) is None:
         ctx.pop("release_approval", None)
         if not ctx.get("approval_credentials_missing"):
             _append_log(log_path, "Release manager publishing credentials missing")
@@ -1355,14 +1404,14 @@ def _step_release_manager_approval(release, ctx, log_path: Path) -> None:
     raise ApprovalRequired()
 
 
-def _step_publish(release, ctx, log_path: Path) -> None:
+def _step_publish(release, ctx, log_path: Path, *, user=None) -> None:
     from . import release as release_utils
 
     if ctx.get("dry_run"):
         test_repository_url = os.environ.get(
             "PYPI_TEST_REPOSITORY_URL", "https://test.pypi.org/legacy/"
         )
-        test_creds = release.to_credentials()
+        test_creds = release.to_credentials(user=user)
         if not (test_creds and test_creds.has_auth()):
             test_creds = release_utils.Credentials(
                 token=os.environ.get("PYPI_TEST_API_TOKEN"),
@@ -1402,7 +1451,7 @@ def _step_publish(release, ctx, log_path: Path) -> None:
                 release_utils.build(
                     package=package,
                     version=release.version,
-                    creds=release.to_credentials(),
+                    creds=release.to_credentials(user=user),
                     dist=True,
                     tests=False,
                     twine=False,
@@ -1431,13 +1480,13 @@ def _step_publish(release, ctx, log_path: Path) -> None:
         release_utils.publish(
             package=release.to_package(),
             version=release.version,
-            creds=target.credentials or release.to_credentials(),
+            creds=target.credentials or release.to_credentials(user=user),
             repositories=[target],
         )
         _append_log(log_path, "Dry run: skipped release metadata updates")
         return
 
-    targets = release.build_publish_targets()
+    targets = release.build_publish_targets(user=user)
     repo_labels = []
     for target in targets:
         label = target.name
@@ -1451,12 +1500,29 @@ def _step_publish(release, ctx, log_path: Path) -> None:
         )
     else:
         _append_log(log_path, "Uploading distribution")
-    release_utils.publish(
-        package=release.to_package(),
-        version=release.version,
-        creds=release.to_credentials(),
-        repositories=targets,
-    )
+    publish_warning: release_utils.PostPublishWarning | None = None
+    try:
+        release_utils.publish(
+            package=release.to_package(),
+            version=release.version,
+            creds=release.to_credentials(user=user),
+            repositories=targets,
+        )
+    except release_utils.PostPublishWarning as warning:
+        publish_warning = warning
+
+    if publish_warning is not None:
+        message = str(publish_warning)
+        followups = _dedupe_preserve_order(publish_warning.followups)
+        warning_entries = ctx.setdefault("warnings", [])
+        if not any(entry.get("message") == message for entry in warning_entries):
+            entry: dict[str, object] = {"message": message}
+            if followups:
+                entry["followups"] = followups
+            warning_entries.append(entry)
+        _append_log(log_path, message)
+        for note in followups:
+            _append_log(log_path, f"Follow-up: {note}")
     release.pypi_url = (
         f"https://pypi.org/project/{release.package.name}/{release.version}/"
     )
@@ -1475,6 +1541,30 @@ def _step_publish(release, ctx, log_path: Path) -> None:
     _append_log(log_path, f"Recorded PyPI URL: {release.pypi_url}")
     if release.github_url:
         _append_log(log_path, f"Recorded GitHub URL: {release.github_url}")
+    fixture_paths = [
+        str(path) for path in Path("core/fixtures").glob("releases__*.json")
+    ]
+    if fixture_paths:
+        status = subprocess.run(
+            ["git", "status", "--porcelain", "--", *fixture_paths],
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+        if status.stdout.strip():
+            subprocess.run(["git", "add", *fixture_paths], check=True)
+            _append_log(log_path, "Staged publish metadata updates")
+            commit_message = f"chore: record publish metadata for v{release.version}"
+            subprocess.run(["git", "commit", "-m", commit_message], check=True)
+            _append_log(
+                log_path, f"Committed publish metadata for v{release.version}"
+            )
+            _push_release_changes(log_path)
+        else:
+            _append_log(
+                log_path,
+                "No release metadata updates detected after publish; skipping commit",
+            )
     _append_log(log_path, "Upload complete")
 
 
@@ -1510,12 +1600,28 @@ def rfid_login(request):
     if not rfid:
         return JsonResponse({"detail": "rfid required"}, status=400)
 
+    redirect_to = data.get(REDIRECT_FIELD_NAME) or data.get("next")
+    if redirect_to and not url_has_allowed_host_and_scheme(
+        redirect_to,
+        allowed_hosts={request.get_host()},
+        require_https=request.is_secure(),
+    ):
+        redirect_to = ""
+
     user = authenticate(request, rfid=rfid)
     if user is None:
         return JsonResponse({"detail": "invalid RFID"}, status=401)
 
     login(request, user)
-    return JsonResponse({"id": user.id, "username": user.username})
+    if redirect_to:
+        target = redirect_to
+    elif user.is_staff:
+        target = reverse("admin:index")
+    else:
+        target = "/"
+    return JsonResponse(
+        {"id": user.id, "username": user.username, "redirect": target}
+    )
 
 
 @api_login_required
@@ -1668,9 +1774,9 @@ def rfid_batch(request):
             else:
                 post_auth_command = post_auth_command.strip()
 
-            tag, _ = RFID.objects.update_or_create(
-                rfid=rfid.upper(),
-                defaults={
+            tag, _ = RFID.update_or_create_from_code(
+                rfid,
+                {
                     "allowed": allowed,
                     "color": color,
                     "released": released,
@@ -1784,7 +1890,7 @@ def release_progress(request, pk: int, action: str):
         return redirect(request.path)
 
     manager = release.release_manager or release.package.release_manager
-    credentials_ready = bool(release.to_credentials())
+    credentials_ready = bool(release.to_credentials(user=request.user))
     if credentials_ready and ctx.get("approval_credentials_missing"):
         ctx.pop("approval_credentials_missing", None)
 
@@ -1804,8 +1910,16 @@ def release_progress(request, pk: int, action: str):
             ctx["release_approval"] = "approved"
         if request.GET.get("reject"):
             ctx["release_approval"] = "rejected"
+    resume_requested = bool(request.GET.get("resume"))
+
     if request.GET.get("pause") and ctx.get("started"):
         ctx["paused"] = True
+
+    if resume_requested:
+        if not ctx.get("started"):
+            ctx["started"] = True
+        if ctx.get("paused"):
+            ctx["paused"] = False
     restart_count = 0
     if restart_path.exists():
         try:
@@ -1814,26 +1928,42 @@ def release_progress(request, pk: int, action: str):
             restart_count = 0
     step_count = ctx.get("step", 0)
     step_param = request.GET.get("step")
+    if resume_requested and step_param is None:
+        step_param = str(step_count)
 
     pending_qs = Todo.objects.filter(is_deleted=False, done_on__isnull=True)
     pending_items = list(pending_qs)
-    if ack_todos_requested:
-        if pending_items:
-            failures = []
-            for todo in pending_items:
-                result = todo.check_on_done_condition()
-                if not result.passed:
-                    failures.append((todo, result))
-            if failures:
-                ctx.pop("todos_ack", None)
-                for todo, result in failures:
-                    messages.error(request, _format_condition_failure(todo, result))
-            else:
-                ctx["todos_ack"] = True
+    blocking_todos = [
+        todo for todo in pending_items if _todo_blocks_publish(todo, release)
+    ]
+    if not blocking_todos:
+        ctx["todos_ack"] = True
+        ctx["todos_ack_auto"] = True
+    elif ack_todos_requested:
+        failures = []
+        for todo in blocking_todos:
+            result = todo.check_on_done_condition()
+            if not result.passed:
+                failures.append((todo, result))
+        if failures:
+            ctx["todos_ack"] = False
+            ctx.pop("todos_ack_auto", None)
+            for todo, result in failures:
+                messages.error(request, _format_condition_failure(todo, result))
         else:
             ctx["todos_ack"] = True
+            ctx.pop("todos_ack_auto", None)
+    else:
+        if ctx.pop("todos_ack_auto", None):
+            ctx["todos_ack"] = False
+        else:
+            ctx.setdefault("todos_ack", False)
 
-    if not ctx.get("todos_ack"):
+    if ctx.get("todos_ack"):
+        ctx.pop("todos_block_logged", None)
+        ctx.pop("todos", None)
+        ctx.pop("todos_required", None)
+    else:
         ctx["todos"] = [
             {
                 "id": todo.pk,
@@ -1841,12 +1971,9 @@ def release_progress(request, pk: int, action: str):
                 "url": todo.url,
                 "request_details": todo.request_details,
             }
-            for todo in pending_items
+            for todo in blocking_todos
         ]
         ctx["todos_required"] = True
-    else:
-        ctx.pop("todos", None)
-        ctx.pop("todos_required", None)
 
     log_name = _release_log_name(release.package.name, release.version)
     if ctx.get("log") != log_name:
@@ -1856,6 +1983,8 @@ def release_progress(request, pk: int, action: str):
             "started": ctx.get("started", False),
         }
         step_count = 0
+        if not blocking_todos:
+            ctx["todos_ack"] = True
     log_path = log_dir / log_name
     ctx.setdefault("log", log_name)
     ctx.setdefault("paused", False)
@@ -1932,7 +2061,7 @@ def release_progress(request, pk: int, action: str):
         if to_run == step_count:
             name, func = steps[to_run]
             try:
-                func(release, ctx, log_path)
+                func(release, ctx, log_path, user=request.user)
             except PendingTodos:
                 pass
             except ApprovalRequired:
@@ -2049,6 +2178,14 @@ def release_progress(request, pk: int, action: str):
         )
 
     is_running = ctx.get("started") and not paused and not done and not ctx.get("error")
+    resume_available = (
+        ctx.get("started")
+        and not paused
+        and not done
+        and not ctx.get("error")
+        and step_count < len(steps)
+        and next_step is None
+    )
     can_resume = ctx.get("started") and paused and not done and not ctx.get("error")
     release_manager_owner = manager.owner_display() if manager else ""
     try:
@@ -2103,9 +2240,11 @@ def release_progress(request, pk: int, action: str):
         "has_release_manager": bool(manager),
         "current_user_admin_url": current_user_admin_url,
         "is_running": is_running,
+        "resume_available": resume_available,
         "can_resume": can_resume,
         "dry_run": dry_run_active,
         "dry_run_toggle_enabled": dry_run_toggle_enabled,
+        "warnings": ctx.get("warnings", []),
     }
     request.session[session_key] = ctx
     if done or ctx.get("error"):
@@ -2303,6 +2442,7 @@ def todo_focus(request, pk: int):
         "focus_auth": focus_auth,
         "next_url": _get_return_url(request),
         "done_url": reverse("todo-done", args=[todo.pk]),
+        "delete_url": reverse("todo-delete", args=[todo.pk]),
         "snapshot_url": reverse("todo-snapshot", args=[todo.pk]),
     }
     return render(request, "core/todo_focus.html", context)
@@ -2321,7 +2461,29 @@ def todo_done(request, pk: int):
         messages.error(request, _format_condition_failure(todo, result))
         return redirect(redirect_to)
     todo.done_on = timezone.now()
-    todo.save(update_fields=["done_on"])
+    todo.populate_done_metadata(request.user)
+    todo.save(
+        update_fields=[
+            "done_on",
+            "done_node",
+            "done_version",
+            "done_revision",
+            "done_username",
+        ]
+    )
+    return redirect(redirect_to)
+
+
+@staff_member_required
+@require_POST
+def todo_delete(request, pk: int):
+    redirect_to = reverse("admin:index")
+    try:
+        todo = Todo.objects.get(pk=pk, is_deleted=False)
+    except Todo.DoesNotExist:
+        return redirect(redirect_to)
+    todo.is_deleted = True
+    todo.save(update_fields=["is_deleted"])
     return redirect(redirect_to)