Unvalidated sortProperty on GET /api/iot-hub/installedItems was passed straight into Spring Data's Sort.by, so a client could trigger a 500 PropertyReferenceException by naming an unknown entity field. Add ALLOWED_SORT_PROPERTIES on IotHubInstalledItemEntity (createdTime, itemName, itemType, version) and call validatePageLink in the service so the failure is a 400 with a clear message.
- IotHubRestClient.getVersionFileData now streams the response and
enforces a configurable size cap (iot-hub.max-file-data-size-bytes,
env IOT_HUB_MAX_FILE_DATA_SIZE_BYTES, default 100 MiB). Oversized
payloads are rejected up front via Content-Length and mid-stream
for chunked transfers, preventing OOMs from unknown bodies.
- DefaultIotHubService guards every iotHubRestClient.getVersionInfo
call against a null response, and rejects update attempts where
the installed item's type does not match the new version's type
("Installed item type does not match the new version's item type.").
Solution-template descriptor is also populated with
tenantTelemetryKeys / tenantAttributeKeys captured during install.
Drops the empty updateDeviceProfile stub.
- Add a tenant-scoped findByTenantIdAndId + deleteByTenantIdAndId to
IotHubInstalledItemDao (and the bulk deleteByTenantIdAndIdIn JPA
query). IotHubInstalledItemServiceImpl now uses these so reads
and deletes always honour the tenant boundary.
- Database: add lts schema_update.sql + schema-entities-idx.sql
indexes on iot_hub_installed_item(tenant_id),
(tenant_id, item_type), and (tenant_id, item_id) for the new
tenant-scoped lookups.
- DefaultSolutionService: minor cleanup touched alongside.
- .gitignore trailing-newline fix; remove stale superpowers
plan/spec docs that have been folded into the implementation.
Update DeviceConnectivityUtilTest to match the new
getGatewayDockerComposeFile signature: build a DockerComposeParams
(true, "tb-gateway", true, true, true, true) and pass it alongside
the host, image tag, and credentials.
Exposes the dashboard entities-limit check as a reusable public method
so callers outside the validator can enforce the same limit without
duplicating the apiLimitService logic.
Creates missing system images from application/src/main/data/resources/images
during LTS patch startup, mirroring the upgrade-path loadSystemResources logic.
Existing system images in the DB are left untouched.
- postgres: 16.6 -> 18 (dao sql-test.properties / nosql-test.properties)
- timescaledb: latest-pg12 -> latest-pg18 (dao timescale-test.properties)
TimescaleDB pg15+ images crash on cgroup v2 CI hosts because
/docker-entrypoint-initdb.d/001_timescaledb_tune.sh evaluates
[ ${TS_TUNE_MEMORY} -gt ${FREE_BYTES} ] with an empty left operand
after the kernel reports the 64-bit max for /sys/fs/cgroup/memory.max.
Work around the upstream bug by setting NO_TS_TUNE=true.
The Testcontainers JDBC URL (jdbc:tc:timescaledb:...) does not support
docker env vars, so register a custom JdbcDatabaseContainerProvider
(TbTimescaleDBContainerProvider, activated via jdbc:tc:tbtimescaledb:...)
that starts a PostgreSQLContainer backed by timescale/timescaledb with
NO_TS_TUNE=true.
Production docker-compose files and tb-postgres image are untouched.
- Mark force-added entity-field filter mappings as ignored under OR so
EntityDataAdapter keeps the response shape identical to AND (applied
to both findEntityDataByQuery and validateEntityCountQuery paths).
- Skip the ON-clause filter in toLatestJoin when forceLeftJoin=true to
avoid duplicating the predicate that buildQuery already emits at the
middle layer under OR (different bound parameter names, same filter).
- Document the empty-predicate drop in buildQuery (safe under AND,
narrowing under OR) and the defensive vacuously-true return in
RepositoryUtils.checkKeyFilters.
- Explain why validateEntityCountQuery uses the nullable
getKeyFiltersOperation() rather than the OrDefault helper.
- Add regression test asserting latest[ENTITY_FIELD] under OR only
contains keys declared in entityFields.
- New TbIotHubInstalledItemsDialogComponent opened from detail dialog Manage section
- Extract TbIotHubInstalledItemsTableComponent with itemVersion mode for single-item view
- Add installed item counts API (GET /installedItems/counts) and itemId filter to installed items list
- Wire installed counts into home, browse, search, and detail dialog (replaces installedDevices list)
- Propagate ChipOverflowDirective with minChips input; use on detail dialog meta chips
- openEntity opens in new tab; "View item details" swaps to "Review device instructions" for DEVICE items
- EntityKeyMapping: replace fragile null-swap of entityKeyColumn with a useAliasAsField flag threaded through buildKeyQuery/buildPredicateQuery, avoiding mutation of shared instance state
- TbAlarmCountSubCtx, TbAlarmDataSubCtx: normalize keyFiltersOperation at query construction via getKeyFiltersOperationOrDefault(), matching DefaultEntityQueryService
- BaseEntityService: end the disabled-OR validation error with a period and attribute it to the system administrator, aligning with the existing UI translation
- EntityQueryControllerTest: extract helpers (createDeviceWithSharedAttributes, createDeviceWithTimeseries, createAlarm, deviceTypeFilter, numericKeyFilter, stringKeyFilter, pageLinkSortedByName, nameEntityField, extractNames) and replace the pagination test's obscure temperature ternary with an explicit array
Redesign item detail dialog: move install/add/update/open buttons to footer,
move creator to sticky meta bar with avatar and verified badge, add manage
section with solution instructions, remove, and installed items count buttons,
update subtitle with grouped icon+text pairs matching design.
Add getInstalledItemCounts API (backend + frontend) returning item counts
by itemId per type. Replace installedDevices list with count-based tracking
in home, browse, and search components. Add installedItemsCount to item card
and detail dialog data flow.
Apply SsrfProtectionValidator.validateUri() to AI providers with
user-supplied URLs (OpenAI baseUrl, Azure OpenAI endpoint, Ollama
baseUrl). Validation at two layers:
- execution time in Langchain4jChatModelConfigurerImpl
- save time in AiModelDataValidator
Controlled by the existing SSRF_PROTECTION_ENABLED flag.
The admin settings endpoint requires SYS_ADMIN authority but the device
install wizard runs as TENANT_ADMIN.
Fix: add getConnectivityInfo(baseUrl) to DeviceConnectivityService which
resolves host/port with baseUrl fallback (reusing existing getHost/getPort
logic). Expose via new TENANT_ADMIN endpoint GET /api/iot-hub/connectivity.
Remove AdminService dependency from the dialog component.
RuleChainEntity and RuleChainDetailsEntity map to the same DB table.
When RuleChainDetailsEntity is loaded into the persistence context
(e.g. during isUpdateNeeded metadata comparison) and then the same row
is updated via RuleChainEntity (during saveRuleChain), the cached
RuleChainDetailsEntity becomes stale. Subsequent save via
RuleChainDetailsEntity fails with OptimisticLockException.
Fix: detach the entity immediately after loading in findById so it
does not linger in the persistence context.
- Item card: installed chip (non-clickable pill, green) + separate remove icon
button (mdi:trash-can-outline) for both same-version and update-available states
- Detail dialog: info section matches design exactly (badge, links, actions layout),
solution template links on separate row, remove button with warn outline matching
label text color, matButtonIcon + tb-mat-24 on remove icon
- Rename all Delete labels/keys to Remove across locale and components
- Solution template remove dialog: specific description about multiple entities
- getInstalledItems API: change itemType to List<String> itemTypes through full stack
(controller, service, DAO, repository JPQL uses IN clause, UI accepts string|string[])
- Add getInstalledItemsCount endpoint through full stack (controller → DAO)
with optional itemType filter
- Add getInstalledItemsCount to UI IotHubApiService
- Home page: show "Installed Items: N" stroked button at top-right when
count > 0, white bg, primary border, card shadow; navigates to installed items
- Count updates on install/delete via API re-fetch and local decrement
- Move IoT Hub menu item right after Dashboards in sidebar
- Add @Input installedItem to card component with install/installed/update states
- Add updateClick output to card, wire update dialog from browse component
- Add itemType filter to getInstalledItems across full stack (controller → DAO)
- Fetch installed solution templates on browse page when tab selected
- Pass installedItem to detail dialog from browse component
- Reload items on install/update dialog close for solution templates
- Add MpItemVersionResource model and resources field to MpItemVersionView
- Add image carousel (ngx-hm-carousel) to detail dialog for solution templates
- Carousel: screenshots preferred over icons, autoplay 3s, dots below images
- Wrap entityKeyColumn null-swap in try/finally in EntityKeyMapping
- Remove @Setter from BaseEntityService, use ReflectionTestUtils in test
- Replace Thread.sleep with awaitility in all OR test methods
- Fix confusing temperature comment in pagination test
- Add test for OR with textSearch (middle-layer WHERE logic)
- Add test for OR with TIME_SERIES key filters
- Add test for OR with ComplexFilterPredicate within key filter
- Add EDQS tests for STRING/entity-field with OR (including null special case)
- Move validateKeyFiltersOperation from DefaultEntityQueryService to
BaseEntityService.validateEntityCountQuery so both REST and WebSocket
paths are covered
- Fix AND/OR toggle: use valueChanges listener to prevent OR selection
when disabled (instead of [disabled] which broke the control entirely)
- Force AND when OR is disabled and filter had OR saved
- Update test to set flag on BaseEntityService
- Move OR filter predicates to middle-layer WHERE clause where JOIN alias
table references are visible, fixing BadSqlGrammarException
- Use alias name (e.g. alias2) instead of bare column name for entity
field predicates in middle-layer WHERE
- Propagate keyFiltersOperation through BaseEntityService optimization
path and alarm subscription contexts (TbAlarmDataSubCtx, TbAlarmCountSubCtx)
- Replace ThingsboardException with IllegalArgumentException for OR
disabled validation
- Add AlarmCountQuery 3-arg constructor for test convenience
- Add 8 new integration tests: alarm data/count OR, mixed entity field +
attribute OR, string attributes, single filter, 3-way OR, pagination,
and zero-match edge case
- Read keyFiltersOperationOrDefault in countEntitiesByQuery and findEntityDataByQuery
- Under OR: relocate entity field filter predicates from inner WHERE to outer WHERE
- Under OR: pass forceLeftJoin=true to buildLatestJoins for all aliases
- Under OR: combine all filter mappings with OR joiner via buildQuery(ComplexOperation.OR)
- Under OR: ensure entity field filter columns are in inner SELECT for outer WHERE reference
- AND path remains completely unchanged (same execution path as before)
- Add 4-arg buildQuery overload with ComplexOperation parameter that joins predicates with OR
- Add 3-arg toQueries overload with outerContext flag for bare column names in outer WHERE
- Add forceLeftJoin parameter to toLatestJoin and buildLatestJoins for LEFT JOIN under OR
- Modify prepareKeyMapping to create individual mappings per KeyFilter under OR (no same-key grouping)
- Modify prepareEntityCountKeyMapping with same OR ungrouping logic
- All existing 2-arg/3-arg overloads preserved as backward-compatible delegates
Route DataAccessException and PersistenceException (including bare
ConstraintViolationException) to a unified handler that extracts the
constraint name and returns "Constraint violation: <name>" instead of
the raw PSQLException message. Other DB errors continue to return the
generic "Database error" response.
Adds DaoUtil.extractConstraintViolation helper and an integration test
that verifies no SQL details leak when an FK constraint is violated.
- Extract shared parseHostEntries() to deduplicate setAllowedHosts/setAdditionalBlockedHosts
- Add isHostnameAllowed() and propagate hostname allow-list check in resolver
- Move OAuth2 custom mapper URL SSRF validation to save-time (Oauth2ClientDataValidator)
- Remove runtime SSRF checks from CustomOAuth2ClientMapper and GithubOAuth2ClientMapper
(custom URL now validated at save; GitHub emailUrl is server config, not user input)
- Replace example.com with 8.8.8.8 in resolver test to avoid DNS dependency
- Extract RuleChainDetailsDao from RuleChainDao to reuse JpaAbstractDao
save logic (proper @Version increment, flush, detach)
- Reduce notes column size from 10MB to 1MB in schema and migration
- Catch "value too long" DB error with user-friendly message
- Pass tenantId consistently through the details DAO API
- Exclude content/markdownCss from RuleChainNote toString
- Add tests: save/load notes, update notes, preserve notes on
RuleChain save, remove notes, exceeded size limit
- Refactor update/delete endpoints to use installed item's own ID instead of marketplace itemId
- Add SHA-256 checksum comparison to detect local entity modifications before update
- Support force update to skip checksum check when user confirms overwrite
- Add per-type update methods (widget, dashboard, calculated field, rule chain)
- Add entityId field to CalculatedFieldInstalledItemDescriptor
- Replace checkForUpdates with getItemsPublishedVersions API
- Replace getInstalledItemInfos with getInstalledItemIds returning List<UUID>
- Remove unused IotHubInstalledItemInfo class and resolver
- Set metadata version from saved rule chain in install/update flows
- Add entity-modified confirmation dialog in update UI