Merge pull request #4886 from mathesar-foundation/release-0.7.0

.github/workflows/test-and-lint-code.yml

@@ -122,7 +122,7 @@ jobs:
     strategy:
       matrix:
         py-version: [3.9-bookworm, 3.10-bookworm, 3.11-bookworm, 3.12-bookworm, 3.13-bookworm]
-        pg-version: [13, 14, 15, 16, 17, 18]
+        pg-version: [13, 14, 15, 16, 17]
         connection-type: ['mathesar_dev_db', '/var/dev_postgres_socket']
     steps:
       - uses: actions/checkout@v4
@@ -153,7 +153,7 @@ jobs:
         needs.all_be_tests_required.outputs.tests_should_run == 'true'
     strategy:
       matrix:
-        pg-version: [13, 14, 15, 16, 17, 18]
+        pg-version: [13, 14, 15, 16, 17]
     steps:
       - uses: actions/checkout@v4
       - name: Copy env file
@@ -181,7 +181,7 @@ jobs:
     strategy:
       matrix:
         py-version: [3.9-bookworm, 3.10-bookworm, 3.11-bookworm, 3.12-bookworm, 3.13-bookworm]
-        pg-version: [13, 14, 15, 16, 17, 18]
+        pg-version: [13, 14, 15, 16, 17]
         init-db-args: ["", "--encoding=SQL_ASCII"]
     steps:
       - uses: actions/checkout@v4

build-scripts/bin/mathesar.sh

@@ -222,7 +222,6 @@ run_mathesar() {
     config.wsgi
     -b "0.0.0.0:${MATHESAR_PORT}"
     --chdir "${BASE_DIR}"
-    --worker-class gevent
   )
   if [[ "${DEBUG}" = "true" ]]; then
     gunicorn_args+=("--log-level=debug")

docs/docs/administration/file-backend-config.md

@@ -113,6 +113,9 @@ default:
 +      region_name: us-east-2
 +      aws_access_key_id: YOUR_ACCESS_KEY
 +      aws_secret_access_key: YOUR_SECRET_KEY
++ public_form_access:
++    enabled: true # Set to false to disable files uplaod via public form
++    max_upload_size: 1073741824 # 1GB in bytes, adjust as-needed or remove for limitless uploads
 ```
 
 ### 4. Activate file storage

docs/docs/administration/forms-config.md

@@ -0,0 +1,134 @@
+# Configuring Forms in Mathesar
+
+Mathesar's [**form builder**](../user-guide/forms.md) allows you to create public-facing data collection forms. While forms work out of the box with default settings, administrators may need to configure file upload capabilities and manage form security settings.
+
+## File Upload Configuration
+
+File uploads in public forms are controlled through the `public_form_access` section in your `file_storage.yml` configuration file.
+
+For details on setting up `file_storage.yml`, see the [File storage backend configuration guide](./file-backend-config.md).
+
+### Basic configuration
+
+```yaml
+public_form_access:
+  enabled: true  # Set to false to disable file uploads via public forms
+  max_upload_size: 104857600  # 100MB in bytes
+```
+
+**Common file size values:**
+
+- 10 MB: `10485760`
+- 50 MB: `52428800`
+- 100 MB: `104857600`
+- 1 GB: `1073741824`
+
+Omit `max_upload_size` entirely to allow unlimited file sizes (subject to your backend's limits).
+
+### Full example
+
+```yaml
+default:
+  protocol: s3
+  nickname: "My Storage Backend"
+  prefix: my-mathesar-bucket
+  kwargs:
+    client_kwargs:
+      endpoint_url: https://s3.us-east-2.amazonaws.com
+      region_name: us-east-2
+      aws_access_key_id: YOUR_ACCESS_KEY
+      aws_secret_access_key: YOUR_SECRET_KEY
+public_form_access:
+  enabled: true
+  max_upload_size: 104857600  # 100MB limit
+```
+
+## Security Considerations
+
+Public forms allow anonymous users to insert data directly into your database. Consider these security measures:
+
+### File uploads
+
+When file uploads are enabled:
+
+- Monitor storage usage to avoid exceeding quotas
+- Set reasonable file size limits (10-100 MB for most use cases)
+- Be aware that all file types are accepted
+- Consider storage costs from your provider
+
+### Rate limiting
+
+Mathesar does not include built-in rate limiting for form submissions. Since public forms allow anonymous data entry, implement rate limiting at your reverse proxy to prevent abuse.
+
+For deployments behind Cloudflare or similar CDNs, consider using their built-in rate limiting or WAF rules to throttle requests before they reach your server. These tools offer easy GUI management, reporting, and CAPTCHA challenges to mitigate abuse without manual reverse-proxy configuration.
+
+
+**Caddy configuration example:**
+
+```caddyfile
+@forms {
+    path /shares/forms/*
+}
+rate_limit @forms {
+    zone forms {
+        key {remote_host}
+        events 10
+        window 1h
+    }
+}
+```
+
+**Nginx configuration example:**
+
+```nginx
+http {
+    limit_req_zone $binary_remote_addr zone=forms:10m rate=10r/m;
+
+    server {
+        location /shares/forms/ {
+            limit_req zone=forms burst=5 nodelay;
+            proxy_pass http://mathesar;
+        }
+    }
+}
+```
+
+**Additional considerations:**
+
+- Monitor your logs to adjust limits based on legitimate usage patterns
+- Consider different limits for different forms based on their sensitivity
+- Implement progressive delays for repeated violations
+
+### Database protection
+
+!!! warning "Anonymous data entry"
+    Anyone with a shared form link can insert data into your database. Always use restrictive database roles, implement rate limiting, and monitor form submissions for abuse.
+
+- **Use restrictive roles**: Assign forms PostgreSQL roles with minimal permissions (see [Associated Roles](#associated-roles) below)
+- **Add database constraints**: Use check constraints, NOT NULL constraints, and foreign keys to validate data
+- **Monitor activity**: Set up alerts for unusual submission patterns
+- **Regenerate links**: Periodically regenerate form links to invalidate old URLs
+
+## Associated Roles
+
+Each form uses an **Associated Role** that determines which PostgreSQL role inserts records when the form is submitted.
+
+For better security, you can create dedicated roles with minimal permissions:
+
+```sql
+-- Create a role for form submissions
+CREATE ROLE form_submitter;
+
+-- Grant only INSERT permission on specific tables
+GRANT INSERT ON TABLE service_requests TO form_submitter;
+GRANT INSERT ON TABLE customers TO form_submitter;
+GRANT USAGE ON SCHEMA public TO form_submitter;
+```
+
+Then select this role in the form's **Associated Role** dropdown in the form editor.
+
+## Related documentation
+
+- [Working with forms](../user-guide/forms.md) - User guide for creating and using forms
+- [File storage backend configuration](./file-backend-config.md) - Setting up file storage backends
+- [PostgreSQL roles](../user-guide/roles.md) - Understanding PostgreSQL roles and permissions

docs/docs/administration/install-from-scratch.md

@@ -312,7 +312,7 @@ If you prefer nginx or another proxy, please refer to their documentation.
   sudo systemctl restart mathesar.service
   ```
 
-#### Install and configure Caddy
+#### Install and configure Caddy {:#install-and-configure-caddy}
 
 1. Install Caddy by following the instructions from the [Caddy documentation](https://caddyserver.com/docs/install).
 

docs/docs/releases/0.6.0.md

@@ -1,13 +1,5 @@
 # Mathesar 0.6.0
 
-!!! question "Want cross-table editing or bulk imports in Mathesar? Talk to us!"
-	For our next release, we're actively working on:
-
-	- the ability to edit data from multiple tables in a single view
-	- bulk import of data into existing tables
-
-	If you're interested in either, we'd love your input so we're prioritizing the right problems to solve. [Talk to us for 20 min](https://cal.com/mathesar/users), we'll give you a $25 gift card as a thank you.
-
 ## Summary
 
 Mathesar 0.6.0 introduces the file data type which allows you to upload, download, and preview files alongside your data. This release also brings a refreshed visual style to Mathesar, introducing semantic colors that make it easier to distinguish between databases, schemas, tables, and more at a glance.

docs/docs/releases/0.7.0.md

@@ -0,0 +1,187 @@
+# Mathesar 0.7.0
+
+!!! question "Want cross-table editing in Mathesar? Talk to us!"
+	For our next release, we're actively working on the ability to edit data from multiple tables in a single view.
+
+	If you're interested, we'd love your input so we're prioritizing the right problems to solve. [Talk to us for 20 min](https://cal.com/mathesar/users), we'll give you a $25 gift card as a thank you.
+
+## Summary
+
+Mathesar 0.7.0 introduces CSV imports into existing tables, the ability to export results from data explorations, and support for file uploads in forms. This release also includes improvements to cell context menus, pasting behavior, and several bug fixes and polish updates across the app.
+
+!!! info ""
+	  This page provides a comprehensive list of all changes in the release.
+
+## Improvements
+
+### Import CSV data into existing tables
+
+![A Mathesar screenshot showing a CSV of bird species being imported with the new importer](../assets/releases/0.7.0/birds-import-example.png)
+
+You can now import CSV files directly into an existing Mathesar table. Headers are automatically matched to column names where possible, and you can map any remaining columns manually. You are also able to specify whether the CSV contains a header row.
+
+*Related work:*
+
+[#4866](https://github.com/mathesar-foundation/mathesar/pull/4866 "UI for importing into existing tables")
+[#4870](https://github.com/mathesar-foundation/mathesar/pull/4870 "Implement bulk insert")
+
+### Export data exploration results
+
+![An example of a downloaded "Birds" csv file](../assets/releases/0.7.0/example-csv-export.png)
+
+Explorations can now be exported as CSV files via an "export" button in the top right corner of the exploration view, allowing you to share or analyze query results outside of Mathesar.
+
+*Related work:*
+
+[#4854](https://github.com/mathesar-foundation/mathesar/pull/4854 "Export explorations")
+
+### File uploads in forms
+
+![example of a Mathesar form accepting uploads](../assets/releases/0.7.0/example-print-job-form.png)
+///caption
+Configure a form in Mathesar (the light mode screen) to accept print jobs via anonymous form submission (dark mode screen), now complete with file uploads.
+///
+
+Forms now support uploading files, enabling richer submissions from users. Uploaded files are previewable directly within the form interface.
+
+To enable this feature:
+
+- [Configure your file storage backend](../administration/file-backend-config.md)
+- (optional) Set a global maximum file size for anonymous uploads
+
+*Related work:*
+
+[#4852](https://github.com/mathesar-foundation/mathesar/pull/4852 "Add files to forms - Frontend") [#4848](https://github.com/mathesar-foundation/mathesar/pull/4848 "Add files to forms - backend")
+
+
+### Improved cell context menus
+
+Right-click context menus have been redesigned to better support multi-selection and more efficient actions. You can now select and delete multiple rows at once, and actions are organized into submenus for easier navigation and future expansion.
+
+*Related work:*
+
+[#4836](https://github.com/mathesar-foundation/mathesar/pull/4836 "Improve cell context menus") [#4865](https://github.com/mathesar-foundation/mathesar/pull/4865 "Fix infinite recursion bug in context menu - focus behaviour")
+
+### Faster numeric and money imports
+
+Importing large CSV or TSV files with numeric or money columns is now significantly faster.
+Mathesar now uses optimized casting functions for these types during import, cutting processing times dramatically—up to 97% faster in internal benchmarks for large datasets (500K rows).
+
+*Related work:*
+
+[#4821](https://github.com/mathesar-foundation/mathesar/pull/4821 "Fast money and numeric cast during import")
+
+### Added support for PostgreSQL 18
+
+Mathesar now supports the latest version of PostgreSQL, version 18, [released on September 25th](https://www.postgresql.org/about/news/postgresql-18-released-3142/).
+
+*Related work:*
+
+[#4874](https://github.com/mathesar-foundation/mathesar/pull/4874 "Add PG 18 to CI")
+
+## Bug fixes
+
+- Preserve sort conditions after re-ordering columns [#4839](https://github.com/mathesar-foundation/mathesar/pull/4839 "Fix for Persisting Sorting Conditions when Re-ordering Columns")
+- Correctly set foreign keys when creating related records via paste in the table widget [#4815](https://github.com/mathesar-foundation/mathesar/pull/4815 "Adds foreign key to new records created via paste in the table widget")
+- Fix casting regression from integer-like to text-like columns [#4868](https://github.com/mathesar-foundation/mathesar/pull/4868 "Fix casting func regression")
+
+## Documentation
+
+- Add developer docs for working with file attachments [#4840](https://github.com/mathesar-foundation/mathesar/pull/4840 "Add dev docs for working with file attachments")
+- Added issue template for managing technical debt [#4869](https://github.com/mathesar-foundation/mathesar/pull/4869 "add tech debt issue template")
+
+## Maintenance
+
+- Improve errors when column alterations fail [#4787](https://github.com/mathesar-foundation/mathesar/pull/4787 "Alter column refactor")
+- Bump django from 4.2.24 to 4.2.25 [#4843](https://github.com/mathesar-foundation/mathesar/pull/4843 "Bump django from 4.2.24 to 4.2.25")
+- Fix typos in the "Custom Database Nickname" help text [#4842](https://github.com/mathesar-foundation/mathesar/pull/4842 "fix: typos")
+- Remove redundant `launchRecordSelector` callback [#4838](https://github.com/mathesar-foundation/mathesar/pull/4838 "Remove a redundant launchRecordSelector on click in LinkedRecordInput")
+- Experiment with concurrency changes
+[#4861](https://github.com/mathesar-foundation/mathesar/pull/4861 "Switch to gevent worker for Gunicorn") [#4929](https://github.com/mathesar-foundation/mathesar/pull/4929)
+
+## Upcoming changes in 0.8.0
+
+Mathesar's 0.8.0 release will end official support for PostgreSQL 13 and Python 3.9. We recommend upgrading these dependencies prior to installing 0.8.0 to ensure continued compatibility and support.
+
+While Mathesar is likely to function with older versions, compatibility is no longer tested, and assistance cannot be provided for issues encountered on unsupported versions.
+
+Learn more about our [version support strategy](../administration/version-support.md).
+
+## Upgrading to 0.7.0 {:#upgrading}
+
+### For installations using Docker Compose
+
+If you have a Docker compose installation, run the command below:
+
+```
+docker compose -f /etc/mathesar/docker-compose.yml up --pull always -d
+```
+
+!!! warning "Your installation directory may be different"
+    You may need to change `/etc/mathesar/` in the command above if you chose to install Mathesar to a different directory.
+
+### For direct installations of Mathesar on Linux, macOS, or WSL
+
+Mathesar provides an install script that automates both fresh installs and upgrades for standalone (non-Docker) installations.
+
+Follow the steps below to upgrade Mathesar:
+
+
+1. Enter your installation directory into the box below and press <kbd>Enter</kbd> to personalize this guide:
+
+    <input data-input-for="MATHESAR_INSTALL_DIR" aria-label="Your Mathesar installation directory"/>
+
+    - Do _not_ include a trailing slash.
+    - Do _not_ use any variables like `$HOME`.
+
+2.  Go to your Mathesar installation directory.
+
+    ```
+    cd xMATHESAR_INSTALL_DIRx
+    ```
+
+    !!! note
+        Your installation directory may be different from above if you used a different directory when installing Mathesar.
+
+3. Download and run the install script for 0.7.0
+    ```
+    curl -sSfL https://github.com/mathesar-foundation/mathesar/releases/download/0.7.0/nstall.sh -o install.sh
+    chmod +x install.sh
+
+    ./install.sh .
+    ```
+
+4. Replace your gunicorn systemd service with a Mathesar systemd service
+
+    1. Disable and stop the existing gunicorn service
+        ```
+        systemctl disable gunicorn.service
+        systemctl stop gunicorn.service
+        ```
+
+    2. Follow the steps in [Run Mathesar as a systemd service](../administration/install-from-scratch.md#run-mathesar-as-a-systemd-service) from the installation guide
+
+    3. Remove the gunicorn service file
+        ```
+        sudo rm /lib/systemd/system/gunicorn.service
+        ```
+
+5. Update your Caddyfile
+
+    1. Use the configuration shown in [Install and configure Caddy](../administration//install-from-scratch.md#install-and-configure-caddy) in the installation guide, and update your Caddyfile accordingly
+
+    2. Ensure that your domains are specified directly in the first line of the Caddyfile
+
+    3. Restart your Caddy service
+      ```
+      systemctl restart caddy.service
+      ```
+
+!!! tip
+    **If you're running Mathesar only on localhost and do not want it to run as a service**, you could:
+
+    1. Remove the gunicorn and caddy services
+    1. Start Mathesar manually with:
+      ```
+      mathesar run
+      ```