HumanSignal
diff --git a/‎label_studio/core/all_urls.json‎
Lines changed: 6 additions & 0 deletions b/‎label_studio/core/all_urls.json‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎label_studio/core/middleware.py‎
Lines changed: 2 additions & 2 deletions b/‎label_studio/core/middleware.py‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎label_studio/core/migrations/0002_deletedrow.py‎
Lines changed: 36 additions & 0 deletions b/‎label_studio/core/migrations/0002_deletedrow.py‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎label_studio/core/models.py‎
Lines changed: 38 additions & 0 deletions b/‎label_studio/core/models.py‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎label_studio/core/tests/__init__.py‎ b/‎label_studio/core/tests/__init__.py‎
diff --git a/‎label_studio/core/tests/test_models.py‎
Lines changed: 139 additions & 0 deletions b/‎label_studio/core/tests/test_models.py‎
Lines changed: 139 additions & 0 deletions
diff --git a/‎label_studio/core/urls.py‎
Lines changed: 1 addition & 0 deletions b/‎label_studio/core/urls.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎label_studio/feature_flags.json‎
Lines changed: 27 additions & 0 deletions b/‎label_studio/feature_flags.json‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎label_studio/jwt_auth/views.py‎
Lines changed: 6 additions & 1 deletion b/‎label_studio/jwt_auth/views.py‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎label_studio/session_policy/api.py‎
Lines changed: 40 additions & 0 deletions b/‎label_studio/session_policy/api.py‎
Lines changed: 40 additions & 0 deletions
@@ -1972,5 +1972,11 @@
         "module": "jwt_auth.views.LSAPITokenRotateView",
         "name": "jwt_auth:token_rotate",
         "decorators": ""
+    },
+    {
+        "url": "/api/session-policy/",
+        "module": "session_policy.api.SessionTimeoutPolicyView",
+        "name": "session_policy:session-policy",
+        "decorators": ""
     }
 ]
@@ -216,9 +216,9 @@ def process_request(self, request) -> None:
 
         active_org = request.user.active_organization
         if flag_set('fflag_feat_utc_46_session_timeout_policy', user=request.user) and active_org:
-            org_max_session_age = timedelta(hours=active_org.session_timeout_policy.max_session_age).total_seconds()
+            org_max_session_age = timedelta(minutes=active_org.session_timeout_policy.max_session_age).total_seconds()
             max_time_between_activity = timedelta(
-                hours=active_org.session_timeout_policy.max_time_between_activity
+                minutes=active_org.session_timeout_policy.max_time_between_activity
             ).total_seconds()
 
             if (current_time - last_login) > org_max_session_age:
 
@@ -0,0 +1,36 @@
+# Generated by Django 5.1.9 on 2025-06-04 19:36
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("core", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="DeletedRow",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                ("model", models.CharField(max_length=1024)),
+                ("row_id", models.IntegerField(null=True)),
+                ("data", models.JSONField(blank=True, null=True)),
+                ("reason", models.TextField(blank=True, null=True)),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                ("organization_id", models.IntegerField(blank=True, null=True)),
+                ("project_id", models.IntegerField(blank=True, null=True)),
+                ("user_id", models.IntegerField(blank=True, null=True)),
+            ],
+        ),
+    ]
@@ -1,5 +1,7 @@
+import json
 import logging
 
+from django.core import serializers
 from django.db import models
 from django.db.models import JSONField
 from django.utils.translation import gettext_lazy as _
@@ -42,3 +44,39 @@ class AsyncMigrationStatus(models.Model):
 
     def __str__(self):
         return f'(id={self.id}) ' + self.name + (' at project ' + str(self.project) if self.project else '')
+
+
+class DeletedRow(models.Model):
+    """
+    Model to store deleted rows of other models.
+    Useful for using as backup for deleted rows, in case we need to restore them.
+    """
+
+    model = models.CharField(max_length=1024)   # tasks.task, projects.project, etc.
+    row_id = models.IntegerField(null=True)   # primary key of the deleted row. task.id, project.id, etc.
+    data = JSONField(null=True, blank=True)   # serialized json of the deleted row.
+    reason = models.TextField(null=True, blank=True)   # reason for deletion.
+    created_at = models.DateTimeField(auto_now_add=True)
+    updated_at = models.DateTimeField(auto_now=True)
+
+    # optional fields for searching purposes
+    organization_id = models.IntegerField(null=True, blank=True)
+    project_id = models.IntegerField(null=True, blank=True)
+    user_id = models.IntegerField(null=True, blank=True)
+
+    @classmethod
+    def serialize_and_create(cls, model, **kwargs) -> 'DeletedRow':
+        data = json.loads(serializers.serialize('json', [model]))[0]
+        model = data['model']
+        row_id = int(data['pk'])
+        return cls.objects.create(model=model, row_id=row_id, data=data, **kwargs)
+
+    @classmethod
+    def bulk_serialize_and_create(cls, queryset, **kwargs) -> list['DeletedRow']:
+        serialized_data = json.loads(serializers.serialize('json', queryset))
+        bulk_objects = []
+        for data in serialized_data:
+            model = data['model']
+            row_id = int(data['pk'])
+            bulk_objects.append(cls(model=model, row_id=row_id, data=data, **kwargs))
+        return cls.objects.bulk_create(bulk_objects)
@@ -0,0 +1,139 @@
+import json
+
+from core.models import DeletedRow
+from django.core import serializers
+from django.test import TestCase
+from organizations.models import Organization
+from organizations.tests.factories import OrganizationFactory
+from projects.models import Project
+from projects.tests.factories import ProjectFactory
+from tasks.models import Task
+from tasks.tests.factories import TaskFactory
+
+
+class TestDeletedRow(TestCase):
+    def _assert_delete_and_restore_equal(self, drow, original):
+        original_dict = original.__dict__.copy()
+        original_id = original.id
+        original_dict.pop('_state')
+        original_created_at = original_dict.pop('created_at')
+        original_updated_at = original_dict.pop('updated_at')
+        original.delete()
+
+        for deserialized_object in serializers.deserialize('json', json.dumps([drow.data])):
+            deserialized_object.save()
+        new_object = original.__class__.objects.get(id=original_id)
+
+        new_dict = new_object.__dict__.copy()
+        new_dict.pop('_state')
+        new_created_at = new_dict.pop('created_at')
+        new_updated_at = new_dict.pop('updated_at')
+
+        assert new_dict == original_dict
+        # Datetime loses microsecond precision, so we can't compare them directly
+        assert abs((new_created_at - original_created_at).total_seconds()) < 0.001
+        assert abs((new_updated_at - original_updated_at).total_seconds()) < 0.001
+
+    def test_serialize_organization(self):
+        organization = OrganizationFactory()
+        drow = DeletedRow.serialize_and_create(organization, reason='reason', organization_id=organization.id)
+        assert drow.row_id == organization.id
+        assert drow.model == 'organizations.organization'
+        assert drow.data['fields']['title'] == organization.title
+        assert drow.data['fields']['token'] == organization.token
+        assert drow.data['fields']['created_by'] == organization.created_by_id
+        assert drow.reason == 'reason'
+        assert drow.organization_id == organization.id
+        assert drow.project_id is None
+        assert drow.user_id is None
+        self._assert_delete_and_restore_equal(drow, organization)
+
+    def test_serialize_project(self):
+        project = ProjectFactory()
+        drow = DeletedRow.serialize_and_create(
+            project, reason='reason', organization_id=project.organization.id, project_id=project.id
+        )
+        assert drow.row_id == project.id
+        assert drow.model == 'projects.project'
+        assert drow.data['fields']['title'] == project.title
+        assert drow.data['fields']['organization'] == project.organization.id
+        assert drow.reason == 'reason'
+        assert drow.organization_id == project.organization.id
+        assert drow.project_id == project.id
+        self._assert_delete_and_restore_equal(drow, project)
+
+    def test_serialize_task(self):
+        organization = OrganizationFactory()
+        project = ProjectFactory(organization=organization)
+        task = TaskFactory(project=project)
+        drow = DeletedRow.serialize_and_create(
+            task,
+            reason='reason',
+            organization_id=organization.id,
+            project_id=project.id,
+            user_id=organization.created_by_id,
+        )
+        assert drow.row_id == task.id
+        assert drow.model == 'tasks.task'
+        assert drow.data['fields']['project'] == project.id
+        assert drow.reason == 'reason'
+        assert drow.organization_id == organization.id
+        assert drow.project_id == project.id
+        assert drow.user_id == organization.created_by_id
+        self._assert_delete_and_restore_equal(drow, task)
+
+    def test_bulk_serialize_and_create(self):
+        organization_1 = OrganizationFactory()
+        organization_2 = OrganizationFactory()
+        drows = DeletedRow.bulk_serialize_and_create(Organization.objects.all(), reason='reason')
+        assert len(drows) == 2
+        assert drows[0].model == 'organizations.organization'
+        assert drows[0].row_id == organization_1.id
+        assert drows[0].data['fields']['title'] == organization_1.title
+        assert drows[0].data['fields']['token'] == organization_1.token
+        assert drows[0].data['fields']['created_by'] == organization_1.created_by_id
+        assert drows[0].reason == 'reason'
+        assert drows[1].model == 'organizations.organization'
+        assert drows[1].row_id == organization_2.id
+        assert drows[1].data['fields']['title'] == organization_2.title
+        assert drows[1].data['fields']['token'] == organization_2.token
+        assert drows[1].data['fields']['created_by'] == organization_2.created_by_id
+        assert drows[1].reason == 'reason'
+
+        project_1 = ProjectFactory(organization=organization_1)
+        project_2 = ProjectFactory(organization=organization_1)
+        drows = DeletedRow.bulk_serialize_and_create(
+            Project.objects.all(), reason='reason', organization_id=organization_1.id
+        )
+        assert len(drows) == 2
+        assert drows[0].model == 'projects.project'
+        assert drows[0].row_id == project_1.id
+        assert drows[0].data['fields']['title'] == project_1.title
+        assert drows[0].data['fields']['organization'] == organization_1.id
+        assert drows[0].reason == 'reason'
+        assert drows[0].organization_id == organization_1.id
+        assert drows[1].model == 'projects.project'
+        assert drows[1].row_id == project_2.id
+        assert drows[1].data['fields']['title'] == project_2.title
+        assert drows[1].data['fields']['organization'] == organization_1.id
+        assert drows[1].reason == 'reason'
+        assert drows[1].organization_id == organization_1.id
+
+        task_1 = TaskFactory(project=project_1)
+        task_2 = TaskFactory(project=project_1)
+        drows = DeletedRow.bulk_serialize_and_create(
+            Task.objects.all(), reason='reason', organization_id=organization_1.id, project_id=project_1.id
+        )
+        assert len(drows) == 2
+        assert drows[0].model == 'tasks.task'
+        assert drows[0].row_id == task_1.id
+        assert drows[0].data['fields']['project'] == project_1.id
+        assert drows[0].reason == 'reason'
+        assert drows[0].organization_id == organization_1.id
+        assert drows[0].project_id == project_1.id
+        assert drows[1].model == 'tasks.task'
+        assert drows[1].row_id == task_2.id
+        assert drows[1].data['fields']['project'] == project_1.id
+        assert drows[1].reason == 'reason'
+        assert drows[1].organization_id == organization_1.id
+        assert drows[1].project_id == project_1.id
@@ -111,6 +111,7 @@
     path('__lsa/', views.collect_metrics, name='collect_metrics'),
     re_path(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
     re_path(r'^', include('jwt_auth.urls')),
+    re_path(r'^', include('session_policy.urls')),
 ]
 
 if settings.DEBUG:
 
@@ -136,6 +136,33 @@
       "version": 3,
       "deleted": false
     },
+    "ff_all_fit_29_org_settings_page": {
+      "key": "ff_all_fit_29_org_settings_page",
+      "on": false,
+      "prerequisites": [],
+      "targets": [],
+      "contextTargets": [],
+      "rules": [],
+      "fallthrough": {
+        "variation": 0
+      },
+      "offVariation": 1,
+      "variations": [
+        true,
+        false
+      ],
+      "clientSideAvailability": {
+        "usingMobileKey": false,
+        "usingEnvironmentId": false
+      },
+      "clientSide": false,
+      "salt": "109dbd50896a4840bf8fdbc6d8215a45",
+      "trackEvents": false,
+      "trackEventsFallthrough": false,
+      "debugEventsUntilDate": null,
+      "version": 2,
+      "deleted": false
+    },
     "ff_back_2004_async_review_24032022_short": {
       "key": "ff_back_2004_async_review_24032022_short",
       "on": false,
 
@@ -192,6 +192,7 @@ class LSAPITokenRotateView(TokenViewBase):
     authentication_classes = [JWTAuthentication, TokenAuthenticationPhaseout, SessionAuthentication]
     permission_classes = [IsAuthenticated]
     _serializer_class = 'jwt_auth.serializers.LSAPITokenRotateSerializer'
+    token_class = LSAPIToken
 
     @swagger_auto_schema(
         tags=['JWT'],
@@ -219,5 +220,9 @@ def post(self, request, *args, **kwargs):
             return Response({'detail': 'Token is invalid or already blacklisted.'}, status=status.HTTP_400_BAD_REQUEST)
 
         # Create a new token for the user
-        new_token = LSAPIToken.for_user(request.user)
+        new_token = self.create_token(request.user)
         return Response({'refresh': new_token.get_full_jwt()}, status=status.HTTP_200_OK)
+
+    def create_token(self, user):
+        """Create a new token for the user. Can be overridden by child classes to use different token classes."""
+        return self.token_class.for_user(user)
@@ -0,0 +1,40 @@
+from django.utils.decorators import method_decorator
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework import generics
+from rest_framework.permissions import IsAuthenticated
+
+from .models import SessionTimeoutPolicy
+from .serializers import SessionTimeoutPolicySerializer
+
+
+@method_decorator(
+    name='get',
+    decorator=swagger_auto_schema(
+        tags=['Session Policy'],
+        operation_summary='Retrieve Session Policy',
+        operation_description='Retrieve session timeout policy for the currently active organization.',
+    ),
+)
+@method_decorator(
+    name='patch',
+    decorator=swagger_auto_schema(
+        tags=['Session Policy'],
+        operation_summary='Update Session Policy',
+        operation_description='Update session timeout policy for the currently active organization.',
+    ),
+)
+class SessionTimeoutPolicyView(generics.RetrieveUpdateAPIView):
+    """
+    API endpoint for retrieving and updating organization's session timeout policy
+    """
+
+    serializer_class = SessionTimeoutPolicySerializer
+    permission_classes = [IsAuthenticated]
+    http_method_names = ['get', 'patch']  # Explicitly specify allowed methods
+
+    def get_object(self):
+        # Get the organization from the request
+        org = self.request.user.active_organization
+        # Get or create the session policy for the organization
+        policy, _ = SessionTimeoutPolicy.objects.get_or_create(organization=org)
+        return policy
Original file line number	Diff line number	Diff line change
`@@ -1972,5 +1972,11 @@`
`1972`	`1972`	`"module": "jwt_auth.views.LSAPITokenRotateView",`
`1973`	`1973`	`"name": "jwt_auth:token_rotate",`
`1974`	`1974`	`"decorators": ""`
	`1975`	`+ },`
	`1976`	`+ {`
	`1977`	`+ "url": "/api/session-policy/",`
	`1978`	`+ "module": "session_policy.api.SessionTimeoutPolicyView",`
	`1979`	`+ "name": "session_policy:session-policy",`
	`1980`	`+ "decorators": ""`
`1975`	`1981`	`}`
`1976`	`1982`	`]`
Original file line number	Diff line number	Diff line change
`@@ -111,6 +111,7 @@`
`111`	`111`	`path('__lsa/', views.collect_metrics, name='collect_metrics'),`
`112`	`112`	`re_path(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework')),`
`113`	`113`	`re_path(r'^', include('jwt_auth.urls')),`
	`114`	`+ re_path(r'^', include('session_policy.urls')),`
`114`	`115`	`]`
`115`	`116`
`116`	`117`	`if settings.DEBUG:`