Adding some more information if someone wants to work on it :)

Check should be done right here and throw a custom Exception which inherits from APIException: https://github.com/nextcloud/appstore/blob/master/nextcloudappstore/core/api/v1/release/provider.py#L27

Therefore we should return two arguments here https://github.com/nextcloud/appstore/blob/master/nextcloudappstore/core/api/v1/release/parser.py#L82 namely the info file content and the app folder name which is in folder[0]

The whole thing should be tested by creating an archive in here: https://github.com/nextcloud/appstore/tree/master/nextcloudappstore/core/api/v1/tests/data/archives which has an app folder called test and then creating a new test class for the provider in https://github.com/nextcloud/appstore/tree/master/nextcloudappstore/core/api/v1/tests called test_app_release_provider.py.

Since the downloader is being injected you can simply return a mock instance which points to the test archive

@LukasReschke any idea which domain we will use?

use settings.AUTH_USER_MODEL to refer to the auth usr model.

See https://docs.djangoproject.com/en/1.9/topics/auth/customizing/#referencing-the-user-model

add a user profile with:
-list of apps and their releases. Allow deleting of apps and releases, but no editing. Updates should be done via the API.

• allow changing of password.

Anything else?

There needs to be an easy way for developers to find out how to upload and manage their apps. The following things need to be documented:

• How do I publish, update and delete a release
  • curl examples
  • ncdev examples
• How big can my package and info.xml be?
• How is the info.xml validated (Ideally make the schema available under a URL, help people to reference the schema in their info.xml to get IDE completion, show them http://www.utilities-online.info/xsdvalidation/ talk about the ordering of tags and show them what is the minimum info.xml and maximum info.xml)
• What app structure is enforced (e.g. only one top level folder, lower case characters + _ allowed for folder, appid/appinfo.info.xml must exist, no sym or hard links allowed for info.xml etc)

There are a number of possibilities where these docs can lie:

• Served from our server
• readthedocs

update the Appstore to use semantic versioning for:

• AppRelease.version
• required PHP version
• required Nextcloud version
• required database version
• required PHP extension version

We should fail as early as possible and therefore add the required maximum lengths to the schema. In addition this will developers validate their info.xml prior to uploading it.

➜  /tmp curl -X POST -u admin https://apps.weasel.rocks/api/v1/apps/releases -H "Content-Type: application/json" -d '{"download":"https://github.com/owncloud/contacts/releases/download/v0.0.0.104/contacts.tar.gz"}'
Enter host password for user 'admin':
{"detail":"No possible app folder found. App folder must contain only lowercase ASCII characters or underscores"}%

But from what I see the archive should be compliant?

As a user you should be able to search apps. The search field should be rendered in the navigation or banner (inline it) and should search app's titles, descriptions and comments. The resulting list should look and work the same as the app list (meaning you can also sort based on various criteria).

The first implementation should be very simple.

For logged in users it should be possible to comment on apps and also on other comments.

The first implementation should be very basic:

class Comment(Model):
    app = ForeignKey(App)
    text = TextField()  # should be rendered as markdown
    author = ForeignKey(User)
    parent_comment = ForeignKey(Comment)  # comments can be replied to
    created = DateTimeField(auto_now_add=True)
    last_modified = DateTimeField(auto_now=True)

The following people should be able to edit and delete comments:

• App owners and co-maintainers
• Comment authors

The story is finished if creating, deleting and editing comments works in markdown

The following call to a route should delete an app release.

DELETE /api/v1/apps/news/9.0.0

Only app owners should be able to do that.

The following things need to be implemented

• A new permission class AllowedToDeleteAppRelease needs to be implemented in https://github.com/nextcloud/appstore/blob/master/nextcloudappstore/core/permissions.py and similar to the Editing method on the app in https://github.com/nextcloud/appstore/blob/master/nextcloudappstore/core/models.py#L47, an allows_deletion method should be added to the AppRelease model
• The app release view needs to be adjusted to inherit from DestroyApiView and to include the permissions AllowedToDeleteAppRelease and IsAuthenticatedOrReadOnly and basic auth needs to be set as authentication https://github.com/nextcloud/appstore/blob/master/nextcloudappstore/core/api/v1/views.py#L31 . get_object probably needs to be overwritten to return the appropriate release
• The URLs need to include the new route with the parsed app pk and app release version https://github.com/nextcloud/appstore/blob/master/nextcloudappstore/core/api/v1/urls.py#L7
• Tests need to be added to make sure that only authenticated owners can delete an app release https://github.com/nextcloud/appstore/blob/master/nextcloudappstore/core/api/v1/tests.py#L30 take inspiration from the other delete tests

needs to be available per language.

• Add unit tests that verify that xml entities throw
• Add unit tests and code that verify that the app folder and appinfo folder inside the package are neither hard nor symlinks

As a developer I wan't to sign up so I'm able to submit app packages.

The basic sign up process is very simple for now:

• Use a ModelForm to create a form for auth.User
• Explicitely whitelist the fields that should be shown
• Install django-recaptcha from pypi in the venv and add it to requirements/production.txt (tip: pip freeze will output all installed packages in the virtual env)
• Add the custom field to the ModelForm and get tokens from Google. Put the tokens into nextcloudappstore/local_settings.py
• Create a simple template with the form and use a class based view (CreateView ?)
• The form should be served on /register
• You also need to include the js script from google in the header. It should be included only on the register page so maybe go for template inheritance where you add can add extra head tags by inheriting from it.

It could be that the plugin does not work with Django 1.9, in that case look for a compatible solution or just create a widget using the recaptcha Python library

cc @adsworth

@LukasReschke for input

Several texts which are stored in the database are translatable. This currently includes:

• Category title and description

For this purpose we need a way to automatically generate translations.

There are some solutions that query the database and generate .po files like https://github.com/ecometrica/django-vinaigrette which hook into ./manage.py makemessages.

An approach like this is preferred, more research should be conducted.

We should move core.models and core.admin to core.app.models and core.app.admin and create a new core.app Django application.

If we keep everything in the core app thing will get big, messy and confusing soon.

@BernhardPosselt

All apps need to be licensed at least under the AGPL if they are used by any users. Since you can have more than one license in our database model, should we validate, that at least the agpl is set as license?

So if you want to license your app under the MIT license you'd put the following into your info.xml:

<licence>agpl</licence>
<licence>mit</licence>

As for the available licenses: I'd keep it small and only support the latest MIT, AGPL, MPL and Apache License.

There should be a way to hook djangos ./manage.py makemessages into Transifex so that the app can be translated by translators.

I think a description of the category would be a nice addition.

Thoughts?

@BernhardPosselt @LukasReschke

What is the reasoning behind having an own Author model.

IMHO, the author should be a django auth user and not our own model.

@BernhardPosselt

• click the confirm link in the email
• click the button on that page
• getting redirected to https://.../accounts/login/ instead of https://.../login/ which is not available

cc @BernhardPosselt @adsworth

The current solution forces app developers to upload their screenshots somewhere else. It would be nice if we could also offer a way to extract them from the package e.g. by keeping 3 png or jp(e)g images from a screenshot directory like news/screenshots.

The screenshots should be moved into a separate directory in the media folder and should be named appid-ordering.ext

Things to keep in mind:

• The images needs to be streamed when extracted from the archive to prevent zip bombs
• The file must be checked for hard or symlinks which are not allowed (should throw)
• Take a look at the info.xml handling
• Images need to be deleted if an app is deleted or new screenshots are uploaded
• The appropriate image links need to be constructed by using the MEDIA_URL
• If Screenshot Urls appear inside the info.xml, no images should be used from the screenshots directory

Both apps and app releases provide a lastModified field. This field contains the modified date down to miliseconds.

If a request comes in, the http headers should be checked for If-None-Match. A lookup in the database should determine if there is an app or release with a newer last modified date. If there is none, a Http 304 should be returned without further querying the database.

If there is a newer entry, the entire thing should be served again. An Etag header should be set on the response which contains the latest lastModified from both apps and releases.

A user should be able to delete his account by hitting and confirming it on the download page. The confirmation should not be able to trigger by accident, Github's delete repo ui is a good example.

Before deleting his account, a user will be warned that all his comments and apps will be deleted.

Only API routes should be whitelisted for CORS

We need to make sure that CORS and session auth are mutually exclusive

The solution is probably to integrate https://github.com/ottoyiu/django-cors-headers/

The Html website was a quick prototype using bootstrap. We should think of a way how we want to progress further from that. Some quick thoughts:

• We currently use some bootstrap frankenstein wordpress theme CSS. We should get rid of that and use bootstrap 3 if we decide to do it with bootstrap (which is probably a good idea)
• We should serve all the css and js from our servers
• We should keep frontend stuff under package manager control, be it npm (recommended) or bower while keeping the downloaded js folder in gitignore
• We should set ourselfves a goal: Do we want to release the first version in plain Html and then use something like angular 2 for future versions?

After doing a:

➜  /tmp curl -X POST -u admin https://apps.weasel.rocks/api/v1/apps/releases -H "Content-Type: application/json" -d '{"download":"https://github.com/nextcloud/news/archive/8.8.0.tar.gz"}'
Enter host password for user 'admin':
<h1>Server Error (500)</h1>%

Internal Server Error: /api/v1/apps/releases

TypeError at /api/v1/apps/releases
int() argument must be a string, a bytes-like object or a number, not 'NoneType'

Request Method: POST
Request URL: http://apps.weasel.rocks/api/v1/apps/releases
Django Version: 1.9.7
Python Executable: /opt/appstore/venv/bin/python
Python Version: 3.5.1
Python Path: ['/opt/appstore', '/usr/lib/python35.zip', '/usr/lib/python3.5', '/usr/lib/python3.5/plat-x86_64-linux-gnu', '/usr/lib/python3.5/lib-dynload', '/opt/appstore/venv/lib/python3.5/site-packages']
Server time: Sun, 26 Jun 2016 21:15:19 +0000
Installed Applications:
['nextcloudappstore.core.apps.CoreConfig',
'parler',
'captcha',
'rest_framework',
'corsheaders',
'allauth',
'allauth.account',
'allauth.socialaccount',
'allauth.socialaccount.providers.github',
'allauth.socialaccount.providers.bitbucket',
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.sites',
'django.contrib.staticfiles']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'corsheaders.middleware.CorsMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware']


Traceback:  

File "/opt/appstore/venv/lib/python3.5/site-packages/django/core/handlers/base.py" in get_response
 149.                     response = self.process_exception_by_middleware(e, request)

File "/opt/appstore/venv/lib/python3.5/site-packages/django/core/handlers/base.py" in get_response
 147.                     response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/opt/appstore/venv/lib/python3.5/site-packages/django/views/decorators/csrf.py" in wrapped_view
 58.         return view_func(*args, **kwargs)

File "/opt/appstore/venv/lib/python3.5/site-packages/django/views/generic/base.py" in view
 68.             return self.dispatch(request, *args, **kwargs)

File "/opt/appstore/venv/lib/python3.5/site-packages/rest_framework/views.py" in dispatch
 466.             response = self.handle_exception(exc)

File "/opt/appstore/venv/lib/python3.5/site-packages/rest_framework/views.py" in dispatch
 463.             response = handler(request, *args, **kwargs)

File "/opt/appstore/nextcloudappstore/core/api/v1/views.py" in post
 95.             info = provider.get_release_info(url)

File "/opt/appstore/nextcloudappstore/core/api/v1/release/provider.py" in get_release_info
 27.             self.config.download_max_redirects, self.config.download_max_size

File "/opt/appstore/nextcloudappstore/core/api/v1/release/downloader.py" in get_archive
 57.             if int(req.headers.get('Content-Length')) > max_size:

Exception Type: TypeError at /api/v1/apps/releases
Exception Value: int() argument must be a string, a bytes-like object or a number, not 'NoneType'

OC 9.2.2. -> NC 9.0.5 @ ALL-INKL Hosted Server under PHP 7.0 (CGI)
Upgrade went fine but some Apps can not be enabled:

Hi,
when trying to ENABLE a previously in Owncloud 9.2.2. used APP:

APP: REGISTRATION 0.1.3
https://apps.owncloud.com/content/show.php?content=1706081

I get the above Error Message...

Same behaviour also in some other APPS...

Oliver

Apps are rendered in a minimal list atm.

Each app section should display the first screenshot and maybe render the description (in an ellipsis) and the featured flag.

The list should be able to be sorted ascending and descending based on:

• last_modified date (can we also include app release modified dates?)
• featured flag
• alphabetic name
• rating (if implemented)

The list should not be paginated. ATM the old app store contains a total of 250 apps which is no performance problem. Pagintation just makes the experience worse.

MVP should be the first target which should include the following

• Require users and devs to sign up:
  • e-mail
  • name or nick
  • password
  • captcha (re-captcha since everything else has been broken afaik)

API should be implemented as REST + JSON and require Basic Auth for the first iteration.

Later on most of the stuff will be parsed from the info.xml.

Let's assume I want to publish version 9.0.0 for the News app

Register App

An app id needs to be registered for an app developer before releases can be created, first come first serve (we will be able to intervene later on):

PUT /apps/news

{}

The JSON object is empty for now but will later on contain stuff like name, cateogry, description, links to homepages and issue trackers etc :)

Similarily an app developer can also unregister an app id (this will delete all releases as well):

DELETE /apps/news

Publish An App Release

This will contain much more in the end, namely dependencies, categories/tags etc. For the first try keep it small:

PUT /apps/news/9.0.0

{
    "download": "https://domain.com/news.tar.gz"
}

Delete An App Release

Straightforward:
DELETE /apps/news/9.0.0

Get All Apps

In the future it should be possible to replace the call to this route by simply serving a continously updated JSON file (if ever needed because of performance issues). Therefore we do only minimal filtering based on the supported platform version
GET /platform/9.1/apps.json

{
    "apps": {
        "news": {
            "9.0.0": {
                "download": "https://domain.com/news.tar.gz",
                "checksum": "asfasfafdasdf12312313123"
            }
        }
    }
}

The app will also contain more than the download link and checksum, like the name, dependencies etc

Packages Should Not Be Stored On The App Store

The app store should not host the packages, only download links. It happened in the past that the app store broke because disk space ran out and I don't think it can scale well enough.

So if you review apps, how do you make sure that the download link did not change? Simply provide a checksum (SHA256 sum).

The Case Against Git

In the beginning I thought it would be a cool idea to just base this on Git and GitHub like Bower, CocoaPods and many other package managers. The main issue with this is that most ownCloud apps have to be built first (mail, news, contacts, calendar?, notes?).

Building apps on the app store or a users installation is not a solution. It's too hard to sandbox and limited, but most importantly we would need to provide all sorts of dependencies (make, node and whatever people want).

Why not store everything on GitHub

GitHub has rate limiting in it's api so we can't hook up users

Instead of listing all app versions in a long list a typical user wants to lookup which version runs on his platform. Therefore the releases page should order releases based on their supported platform version (Think of it like Nextcloud 9.0, Nextcloud 9.1 etc).

Each release should list the database, shell commands, extensions, licenses, php and shell dependencies, checksum, download link below. Also a relative date should be shown for last_modified property (e.g. updated 8 months ago). Hovering over the relative date should show the actual date (use the title attribute).

All infos should be collapsed (click to expand) except the latest one for the appropriate platform.

We should also think about a way to communicate support timeframes to a user. It makes no sense to list all possible releases equally if only the latest one receives security updates. As a user I want to know if the latest version for my platform will receive security updates.

Companies behind large app store have taken a lot of care to improve their rating system in order to make it easier for users to find the best apps and have per version rating since everybody knows a lot can happen over time. It would be great if Nextcloud could follow their foot steps.

• Stars rating 1-5
• Give breakdown per level ( 3 x 3_, 7 x 5_, etc.)
• Breakdown per version
• Make it possible to vote from the embedded app store
• Comments with rating (important!)

Benefit / value

• People interested in the app can quickly know if current users are happy with it

Caveats

• Devs releasing too often are penalised
• 3 five star ratings are averaged higher than 1000 4 and 5 star ratings

Currently there is only documentation for apache setup but @LukasReschke and me decided that it's probably better to use gunicorn and nginx since .htaccess files are a possible remote code execution vector.

The documentation should be enhanced by adding another sub section to the server setup https://github.com/nextcloud/appstore/blob/master/docs/installation.rst#configuring-the-server

Simply split the existing stuff into apache and nginx :)

The app detail page should list the app author, name and description (rendered in markdown) in the appropriate locale, the screenshots, releases and links.

The screenshots should get the most prominent spot and should be shown in a slideshow (non jquery, slim solution preferred. If you don't need JS but only solve it using CSS, even better!)

Vertical layout should be:

• Title
• Gallery
• Description
• Releases page links, one for each platform (Nextcloud 9.0, Nextcloud 9.1) that contains at least one of the app's releases

The authors information should NOT show his email address and should give him just enough space to feel proud but should not steal the focus from the screenshots.

We should also use an icon or a special style to render the featured attribute.

All links like documentation, website, bug tracker etc, should be placed discretely. The old app store does this pretty well, check out https://apps.owncloud.com/content/show.php/Gallery%2B?content=169116

We should know if zip bombs are possible currently

• nightlies don't have a separate version number but a flag:

curl -X POST -u "user:password" http://localhost:8000/api/v1/apps/releases -H "Content-Type: application/json" -d '{"download":"https://example.com/release.tar.gz", "nightly":true }'

• this is also listed in the "get all apps" API with a nightly: true attribute https://nextcloudappstore.readthedocs.io/en/latest/restapi.html#get-all-apps-and-releases
• upload of a new nightly will delete the previous one for that app
• this allows to upgrade to a nightly (needs to be invoked by the admin and can be undone -> next regular release of the app will be installed)

I mean we don't have a password there 🙈

I just tried to deploy this here and everything works fine, except the SMTP part which makes registering impossible. As soon as somebody tries to register a verification mail will be sent but somehow Django refuses to connect properly to the SMTP.

I've configured the following and on the virtual machine next to this one the settings work quite fine for phpList:

EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
EMAIL_HOST = 'mx.nextcloud.com'
EMAIL_HOST_PASSWORD = 'VALID_PASSWORD'
EMAIL_HOST_USER = 'VALID_USER'
EMAIL_USE_TLS = True
EMAIL_PORT = 587

The thrown error is:

Environment:


Request Method: GET
Request URL: http://apps.weasel.rocks/github/login/callback/?code=56de6e976a6f07e4d69f&state=ybGbtidE7F9B

Django Version: 1.9.7
Python Version: 3.5.1
Installed Applications:
['nextcloudappstore.core.apps.CoreConfig',
 'parler',
 'captcha',
 'rest_framework',
 'corsheaders',
 'allauth',
 'allauth.account',
 'allauth.socialaccount',
 'allauth.socialaccount.providers.github',
 'allauth.socialaccount.providers.bitbucket',
 'django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.sites',
 'django.contrib.staticfiles']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'corsheaders.middleware.CorsMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware']



Traceback:

File "/opt/appstore/lib/python3.5/site-packages/django/core/handlers/base.py" in get_response
  149.                     response = self.process_exception_by_middleware(e, request)

File "/opt/appstore/lib/python3.5/site-packages/django/core/handlers/base.py" in get_response
  147.                     response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/opt/appstore/lib/python3.5/site-packages/allauth/socialaccount/providers/oauth2/views.py" in view
  62.                 return self.dispatch(request, *args, **kwargs)

File "/opt/appstore/lib/python3.5/site-packages/allauth/socialaccount/providers/oauth2/views.py" in dispatch
  135.             return complete_social_login(request, login)

File "/opt/appstore/lib/python3.5/site-packages/allauth/socialaccount/helpers.py" in complete_social_login
  145.         return _complete_social_login(request, sociallogin)

File "/opt/appstore/lib/python3.5/site-packages/allauth/socialaccount/helpers.py" in _complete_social_login
  158.         ret = _login_social_account(request, sociallogin)

File "/opt/appstore/lib/python3.5/site-packages/allauth/socialaccount/helpers.py" in _login_social_account
  59.                          signal_kwargs={"sociallogin": sociallogin})

File "/opt/appstore/lib/python3.5/site-packages/allauth/account/utils.py" in perform_login
  145.             send_email_confirmation(request, user, signup=signup)

File "/opt/appstore/lib/python3.5/site-packages/allauth/account/utils.py" in send_email_confirmation
  311.                                                     signup=signup)

File "/opt/appstore/lib/python3.5/site-packages/allauth/account/models.py" in send_confirmation
  58.         confirmation.send(request, signup=signup)

File "/opt/appstore/lib/python3.5/site-packages/allauth/account/models.py" in send
  122.         get_adapter(request).send_confirmation_mail(request, self, signup)

File "/opt/appstore/lib/python3.5/site-packages/allauth/account/adapter.py" in send_confirmation_mail
  396.                        ctx)

File "/opt/appstore/lib/python3.5/site-packages/allauth/account/adapter.py" in send_mail
  128.         msg.send()

File "/opt/appstore/lib/python3.5/site-packages/django/core/mail/message.py" in send
  292.         return self.get_connection(fail_silently).send_messages([self])

File "/opt/appstore/lib/python3.5/site-packages/django/core/mail/backends/smtp.py" in send_messages
  100.             new_conn_created = self.open()

File "/opt/appstore/lib/python3.5/site-packages/django/core/mail/backends/smtp.py" in open
  58.             self.connection = connection_class(self.host, self.port, **connection_params)

File "/usr/lib/python3.5/smtplib.py" in __init__
  251.             (code, msg) = self.connect(host, port)

File "/usr/lib/python3.5/smtplib.py" in connect
  335.         self.sock = self._get_socket(host, port, self.timeout)

File "/usr/lib/python3.5/smtplib.py" in _get_socket
  306.                                         self.source_address)

File "/usr/lib/python3.5/socket.py" in create_connection
  711.         raise err

File "/usr/lib/python3.5/socket.py" in create_connection
  702.             sock.connect(sa)

Exception Type: ConnectionRefusedError at /github/login/callback/
Exception Value: [Errno 111] Connection refused

cc @adsworth @BernhardPosselt Any ideas?

As a user I want to confirm my sign up by clicking on a link inside an E-Mail so I can verify that I've used the correct E-Mail for future password resets.

Basic implementation should start where #2 left off and use http://django-registration.readthedocs.io/en/2.1/quickstart.html or a similarily well maintained and popular extension to implement the registration flow.

The used library should be installed via pip and added to requirements/production.txt

In the past comments were (ab)used to:

• File bug reports (A LOT)
• Ask for features (A LOT)
• Ask for documentation

These comments neither help people nor users.

As a developer I want that users post bugs and feature requests on the bug tracker and that users look up setup documentation and FAQ entries before posting comments

As a user I'm interested in what others think about the app, e.g. "I like the app because it has feature XY" or "App seems unmaintained" or "There is an alternative which is better"

I therefore vote for making commenting a bit harder: As a user, after I click on the comment button I should be presented with a set of choices (in my head they are tiles) which ask the user what he wants to write:

• I've got an error/bug/problem: This will be rendered if the app provides an issue tracker Url and will redirect to it
• I want to propose a feature: This will be rendered if the app provides an issue tracker Url and will redirect to it
• I need help to set up the app: This will be present if the app provides an admin documentation link
• I've got a basic question: This will be present if one or more documentation links are present. This will ask the user what kind of question he has and redirect to the appropriate documentation
• I want to share my impressions or provide feedback: This will actually redirect to the actual comment form :D
• I want to contribute code: This will be rendered if the app provides a developer documentation Url and will redirect to it

The choice which redirects to the form should neither be the first nor the last entry and if there are multiple columns should be in the middle or right.

What needs to be done: The app detail view which contains the comment button should be adjusted to redirect to the questionaire. The different links need to be rendered depending on if the saved values are non empty.

PUT /v1/apps/9.0.0 with the JSON contents of {"download": "https://domain.com/path/to/tar.gz"} should download an app zip, parse the info.xml and update/create a new app release.

Currently we've got an app owner and app collaborators. Both are allowed to publish and delete specific apps and their releases. Are we fine with this? If so we can close this ticket :)

@LukasReschke @adsworth @jancborchardt

The home page should show the categories as well as the list of applications that are available. If somebody clicks on an application more details about it should be shown.

Probably best to solve this completely with some JS magic and not use any Python logic for this.

Currently allowed categories include:

• multimedia
• pim
• tools
• games

Anything else?

We should have a way to highlight or mark apps as spotlighted to show them more prominent in the Nextcloud user interface. This should be used for apps that we basically support but ship via the Appstore. (such as calendar or contacts)

Some apps provide a CHANGELOG.md inside the app folder which follows a specific format. It would be awesome if we could parse the markdown and add it to the appropriate release overview.

Things to keep in mind:

• The file needs to be streamed when extracted from the archive to prevent zip bombs
• The file must be checked for hard or symlinks which are not allowed (should throw)
• Take a look at the info.xml handling

This applies to links parsed from the info.xml as well as the app's description markdown

Django's translation mechanism should be documented in a separate chapter in the docs called l10n.rst. It should quickly outline template and code translation and how to generate the translations. We also need a style guide for translating content containing Html tags

In addition to basic auth it should be possible to authenticate via token

Token authentication should be added to both app and app release views:

• https://github.com/nextcloud/appstore/blob/master/nextcloudappstore/core/api/v1/views.py#L11
• https://github.com/nextcloud/appstore/blob/master/nextcloudappstore/core/api/v1/views.py#L33

In addition there should be an api route to obtain/generate a token and a user profile form where you can show and generate a new token.

See http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication