Release/4.0.0

CHANGELOG.rst

@@ -2,6 +2,100 @@
 Change history
 ==============
 
+4.0.0 (2026-04-13)
+------------------
+
+Major release
+
+.. warning::
+
+    This version combines the Objects API and Objecttypes into a single application named
+    Open Object. This application no longer supports objecttypes hosted in an external application.
+    Before upgrading to 4.0.0, it is required to first update to Objects API version 3.6.0 and run an import command
+    to locally import the objecttypes (make sure to read :ref:`objecttype_migration` for more details).
+
+.. warning::
+
+  From version 4.0.0 onward, the Docker images for Open Object will be published under the
+  Dockerhub repository ``maykinmedia/open-object``. If you want to use Open Object and you are
+  using ``maykinmedia/objects-api``, make sure to change to the new repository before deploying.
+
+**💥 Breaking changes**
+
+* [:open-object:`564`] Combine Objects API and Objecttypes API into Open Object and only allow usage of local objecttypes
+
+.. note::
+
+    The API now ignores the domain used in objecttype URLs and only checks
+    if an objecttype exists for that UUID in the Open Object database. This means that applications that
+    still use URLs that have the domain of the old Objecttypes API instance for requests
+    to Open Object will not break.
+
+* Changes for Open Telemetry
+
+  * Change namespace for metrics from ``objects`` to ``openobject`` and add metrics for Objecttypes (see :ref:`installation_observability_metrics`)
+  * Change default for environment variable ``OTEL_SERVICE_NAME`` from ``objects`` to ``openobject`` (with postfixes for celery, flower)
+
+* Changes to ``setup_configuration`` (see :ref:`installation_config_cli`)
+
+  * Remove the ``SitesConfigurationStep``, make sure to remove the namespace ``sites_config``
+    from your ``setup_configuration`` data
+  * Remove the attribute ``service_identifier`` for ``ObjectTypesConfigurationStep`` (namespace ``objecttypes``)
+  * Remove the attribute ``fields`` and ``use_fields`` for ``TokenAuthConfigurationStep`` (namespace ``tokenauth``)
+
+* Changes to environment variables
+
+  * [:open-object:`730`] Rename ``ENABLE_STRUCTLOG_REQUESTS`` to ``LOG_REQUESTS``
+  * [:open-object:`730`] Rename ``LOG_REQUESTS`` to ``LOG_OUTGOING_REQUESTS``
+  * [:open-object:`730`] Use the environment variable ``CELERY_BROKER_URL`` for the Celery broker URL setting,
+    previously this incorrectly used ``CELERY_RESULT_BACKEND`` for this setting.
+  * [:open-object:`730`] Remove django.contrib.sites and related code, this makes ``SITE_DOMAIN`` a required environment variable!
+
+* [:open-object:`730`] Remove redirect for deprecated API schema URLs. The schema is now only available
+  under ``/api/v2/openapi.json`` or ``/api/v2/openapi.yaml``
+* [:commonground-api-common:`142`] Update API response error format to be compliant with ``application/problem+json``
+
+**New features**
+
+* [:open-object:`565`] Implement import-export functionality for Objecttypes with optional UUID retention (see :ref:`import_export_objecttypes`)
+
+**Bugfixes**
+
+* [:open-object:`718`] Fix 500 error on duplicate UUID when creating objects
+* Fix styling for ``account_blocked`` page
+
+**Maintenance**
+
+* [:open-api-framework:`211`] Optimize memory usage for uWSGI and celery-flower
+
+  * Make sure uWSGI workers restart after 1000 requests
+  * Set ``FLOWER_MAX_TASKS=1000`` and ``FLOWER_MAX_WORKERS=50``
+
+* Upgrade python dependencies
+
+  * ``django`` to 5.2.13
+  * ``pyjwt`` to 2.12.1
+  * ``open-api-framework`` to 0.13.4
+  * ``cryptography`` to 46.0.6
+  * ``pyopenssl`` to 26.0.0
+  * ``mozilla-django-oidc`` to 5.0.2
+  * ``mozilla-django-oidc-db`` to 2.0.1
+  * ``commonground-api-common`` to 2.11.0
+  * ``attrs`` to 25.4.0
+  * ``cbor2`` to 5.9.0
+  * ``cffi`` to 2.0.0
+  * ``requests`` to 2.33.1
+
+* Upgrade npm dependencies
+* [:open-object:`728`] Improve setup for bencher
+* Removed unnecessary dev packages from docker build
+* Fix CodeQL warning for codeql-analysis action
+* Add explicit least privilege permissions for each workflow
+
+**Documentation**
+
+* [:open-api-framework:`205`] Describe version policy + supported versions in documentation (see :ref:`versioning_policy`)
+
 3.6.0 (2026-02-06)
 ------------------
 

Dockerfile

@@ -86,6 +86,7 @@ ENV RELEASE=${RELEASE}
 ENV DJANGO_SETTINGS_MODULE=objects.conf.docker
 
 ARG SECRET_KEY=dummy
+ARG SITE_DOMAIN=dummy
 
 # Run collectstatic, so the result is already included in the image
 RUN python src/manage.py collectstatic --noinput

README.NL.rst

@@ -2,7 +2,7 @@
 Open Object
 =============
 
-:Version: 3.6.0
+:Version: 4.0.0
 :Source: https://github.com/maykinmedia/open-object
 :Keywords: objecten, assets, zaakobjecten
 
@@ -34,7 +34,10 @@ Applicatie versie       Release datum   API specificatie
 =================       ==============  =============================
 latest                  n/a             `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/open-object/master/src/objects/api/v2/openapi.yaml>`_,
                                         `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/open-object/master/src/objects/api/v2/openapi.yaml>`_,
-                                        (`verschillen <https://github.com/maykinmedia/open-object/compare/3.6.0..master>`_)
+                                        (`verschillen <https://github.com/maykinmedia/open-object/compare/4.0.0..master>`_)
+4.0.0                   2026-04-13      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/open-object/4.0.0/src/objects/api/v2/openapi.yaml>`_,
+                                        `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/open-object/4.0.0/src/objects/api/v2/openapi.yaml>`_
+                                        (`verschillen <https://github.com/maykinmedia/open-object/compare/3.6.0..4.0.0>`_)
 3.6.0                   2026-02-06      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/open-object/3.6.0/src/objects/api/v2/openapi.yaml>`_,
                                         `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/open-object/3.6.0/src/objects/api/v2/openapi.yaml>`_
                                         (`verschillen <https://github.com/maykinmedia/open-object/compare/3.5.0..3.6.0>`_)

README.rst

@@ -2,7 +2,7 @@
 Open Object
 =============
 
-:Version: 3.6.0
+:Version: 4.0.0
 :Source: https://github.com/maykinmedia/open-object
 :Keywords: objects, assets, zaakobjecten
 
@@ -32,7 +32,10 @@ Application version     Release date    API specification
 ===================     ==============  =============================
 latest                  n/a             `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/open-object/master/src/objects/api/v2/openapi.yaml>`_,
                                         `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/open-object/master/src/objects/api/v2/openapi.yaml>`_,
-                                        (`diff <https://github.com/maykinmedia/open-object/compare/3.6.0..master>`_)
+                                        (`diff <https://github.com/maykinmedia/open-object/compare/4.0.0..master>`_)
+4.0.0                   2026-04-13      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/open-object/4.0.0/src/objects/api/v2/openapi.yaml>`_,
+                                        `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/open-object/4.0.0/src/objects/api/v2/openapi.yaml>`_
+                                        (`diff <https://github.com/maykinmedia/open-object/compare/3.6.0..4.0.0>`_)
 3.6.0                   2026-02-06      `ReDoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/open-object/3.6.0/src/objects/api/v2/openapi.yaml>`_,
                                         `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/open-object/3.6.0/src/objects/api/v2/openapi.yaml>`_
                                         (`diff <https://github.com/maykinmedia/open-object/compare/3.5.0..3.6.0>`_)

bin/celery_flower.sh

@@ -3,7 +3,7 @@
 set -e
 
 # Set defaults for OTEL
-export OTEL_SERVICE_NAME="${OTEL_SERVICE_NAME:-objects-flower}"
+export OTEL_SERVICE_NAME="${OTEL_SERVICE_NAME:-openobject-flower}"
 
 # 100x less than the defaults
 export FLOWER_MAX_TASKS="${FLOWER_MAX_TASKS:-1000}"

bin/celery_worker.sh

@@ -15,7 +15,7 @@ if [[ "$ENABLE_COVERAGE" ]]; then
 fi
 
 # Set defaults for OTEL
-export OTEL_SERVICE_NAME="${OTEL_SERVICE_NAME:-objects-worker-"${QUEUE}"}"
+export OTEL_SERVICE_NAME="${OTEL_SERVICE_NAME:-openobject-worker-"${QUEUE}"}"
 
 echo "Starting celery worker $WORKER_NAME with queue $QUEUE"
 # unset this if NOT using a process pool

bin/docker_start.sh

@@ -21,7 +21,7 @@ ${SCRIPTPATH}/wait_for_db.sh
 >&2 echo "Database is up."
 
 # Set defaults for OTEL
-export OTEL_SERVICE_NAME="${OTEL_SERVICE_NAME:-objects}"
+export OTEL_SERVICE_NAME="${OTEL_SERVICE_NAME:-openobject}"
 
 # Apply database migrations
 >&2 echo "Apply database migrations"

bin/setup_configuration.sh

@@ -6,7 +6,7 @@
 set -e
 
 # Set defaults for OTEL
-export OTEL_SERVICE_NAME="${OTEL_SERVICE_NAME:-objects-setup-configuration}"
+export OTEL_SERVICE_NAME="${OTEL_SERVICE_NAME:-openobject-setup-configuration}"
 
 if [[ "${RUN_SETUP_CONFIG,,}" =~ ^(true|1|yes)$ ]]; then
     # wait for required services

docker-compose.yml

@@ -37,6 +37,7 @@ services:
       SUBPATH: ${SUBPATH}
       DB_CONN_MAX_AGE: "0"
       DB_POOL_ENABLED: True
+      SITE_DOMAIN: web:8000
 
       # Enabling Open Telemetry requires the services in docker/docker-compose.observability.yaml
       # to be up and running.

docker/setup_configuration/data.yaml

@@ -1,10 +1,3 @@
-sites_config_enable: true
-sites_config:
-  items:
-  - domain: example.com
-    name: Example site
-
-
 zgw_consumers_config_enable: true
 zgw_consumers:
   services:

docs/admin/objecttype.rst

@@ -129,6 +129,7 @@ if you click on the "history" button in the top right corner of the object type
 
 You can see all the versions, their statuses, the creation dates and the related JSON shemas.
 
+.. _import_export_objecttypes:
 
 Export and import object types
 ------------------------------

docs/api/index.rst

@@ -7,9 +7,10 @@ API-specifications
 ======================  ==========================================
 API                     Specification version(s)
 ======================  ==========================================
-`Open Object`_          2.6.0 (
-                        `Redoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/open-object/3.6.0/src/objects/api/v2/openapi.yaml>`__,
-                        `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/open-object/3.6.0/src/objects/api/v2/openapi.yaml>`__)
+`Open Object`_          2.7.0 (
+                        `Redoc <https://redocly.github.io/redoc/?url=https://raw.githubusercontent.com/maykinmedia/open-object/4.0.0/src/objects/api/v2/openapi.yaml>`__,
+                        `Swagger <https://petstore.swagger.io/?url=https://raw.githubusercontent.com/maykinmedia/open-object/4.0.0/src/objects/api/v2/openapi.yaml>`__
+                        )
 ======================  ==========================================
 
 See the repository for the latest and previous versions.

docs/installation/config.rst

@@ -21,6 +21,7 @@ Required
 * ``CACHE_DEFAULT``: redis cache address for the default cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
 * ``CACHE_AXES``: redis cache address for the brute force login protection cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
 * ``EMAIL_HOST``: hostname for the outgoing e-mail server (this **MUST** be set when using Docker). Defaults to: ``localhost``.
+* ``SITE_DOMAIN``: Defines the primary domain where the application is hosted.
 
 
 Database
@@ -50,20 +51,21 @@ Logging
 * ``LOG_STDOUT``: whether to log to stdout or not. Defaults to: ``True``.
 * ``LOG_LEVEL``: control the verbosity of logging output. Available values are ``CRITICAL``, ``ERROR``, ``WARNING``, ``INFO`` and ``DEBUG``. Defaults to: ``INFO``.
 * ``LOG_QUERIES``: enable (query) logging at the database backend level. Note that you must also set ``DEBUG=1``, which should be done very sparingly!. Defaults to: ``False``.
-* ``LOG_REQUESTS``: enable logging of the outgoing requests. This must be enabled along with `LOG_OUTGOING_REQUESTS_DB_SAVE` to save outgoing request logs in the database. Defaults to: ``False``.
+* ``LOG_REQUESTS``: enable structured logging of requests. Defaults to: ``True``.
 * ``LOG_FORMAT_CONSOLE``: The format for the console logging handler, possible options: ``json``, ``plain_console``. Defaults to: ``json``.
-* ``ENABLE_STRUCTLOG_REQUESTS``: enable structured logging of requests. Defaults to: ``True``.
 * ``LOG_OUTGOING_REQUESTS_EMIT_BODY``: Whether or not outgoing request bodies should be logged. Defaults to: ``True``.
 * ``LOG_OUTGOING_REQUESTS_DB_SAVE``: Whether or not outgoing request logs should be saved to the database. Defaults to: ``False``.
 * ``LOG_OUTGOING_REQUESTS_DB_SAVE_BODY``: Whether or not outgoing request bodies should be saved to the database. Defaults to: ``True``.
 * ``LOG_OUTGOING_REQUESTS_MAX_AGE``: The amount of time after which request logs should be deleted from the database. Defaults to: ``7``.
+* ``LOG_OUTGOING_REQUESTS``: enable logging of the outgoing requests. This must be enabled along with `LOG_OUTGOING_REQUESTS_DB_SAVE` to save outgoing request logs in the database. Defaults to: ``False``.
 
 
 Celery
 ------
 
 * ``CELERY_LOGLEVEL``: control the verbosity of logging output for celery, independent of ``LOG_LEVEL``. Available values are ``CRITICAL``, ``ERROR``, ``WARNING``, ``INFO`` and ``DEBUG``. Defaults to: ``INFO``.
 * ``CELERY_RESULT_BACKEND``: the URL of the backend/broker that will be used by Celery to send the notifications. Defaults to: ``redis://localhost:6379/1``.
+* ``CELERY_BROKER_URL``: the URL of the broker that will be used by Celery to send the notifications. Defaults to: ``redis://localhost:6379/1``.
 * ``CELERY_RESULT_EXPIRES``: How long the results of tasks will be stored in Redis (in seconds), this can be set to a lower duration to lower memory usage for Redis. Defaults to: ``3600``.
 * ``CELERY_TASK_HARD_TIME_LIMIT``: Task hard time limit in seconds. The worker processing the task will be killed and replaced with a new one when this is exceeded. Defaults to: ``900``.
 
@@ -119,7 +121,6 @@ Optional
 * ``NUM_PROXIES``: the number of reverse proxies in front of the application, as an integer. This is used to determine the actual client IP adres. On Kubernetes with an ingress you typically want to set this to 2. Defaults to: ``1``.
 * ``CSRF_TRUSTED_ORIGINS``: A list of trusted origins for unsafe requests (e.g. POST). Defaults to: ``[]``.
 * ``NOTIFICATIONS_DISABLED``: indicates whether or not notifications should be sent to the Notificaties API for operations on the API endpoints. Defaults to ``True`` for the ``dev`` environment, otherwise defaults to ``False``.
-* ``SITE_DOMAIN``: Defines the primary domain where the application is hosted. Defaults to: ``(empty string)``.
 * ``SENTRY_DSN``: URL of the sentry project to send error reports to. Default empty, i.e. -> no monitoring set up. Highly recommended to configure this.
 * ``DISABLE_2FA``: Whether or not two factor authentication should be disabled. Defaults to: ``False``.
 * ``OBJECTS_ADMIN_SEARCH_DISABLED``: Indicates whether or not searching in the Objects admin should be disabled. Defaults to: ``False``.

docs/installation/observability/logging.rst

@@ -168,6 +168,13 @@ Data migrations
 * ``missing_service_for_objecttype``: while migrating, a ``Service`` object is missing for an ``ObjectType``. Additional context: ``object``, ``objecttype``.
 * ``invalid_objecttype``: while migrating, the ``ObjectType`` is not valid, because it was not possible to parse a UUID from it. Additional context: ``object``, ``objecttype``.
 
+Migration checks
+----------------
+
+* ``unimported_objecttypes``: when upgrading from Objects API 3.6.0 to Open Object 4.0.0,
+  objecttypes where found that have not been imported with the ``import_objecttypes`` command (see :ref:`objecttype_migration`).
+  Additional context: ``uuids``.
+
 Third party library events
 --------------------------
 

docs/introduction/versioning.rst

@@ -26,7 +26,7 @@ Open Object
 +=======+=========+===============+==========================+
 | 4.x   |         |               |                          |
 +-------+---------+---------------+--------------------------+
-|       | 4.0.x   | TBD           | TBD                      |
+|       | 4.0.x   | 2026-04-13    |                          |
 +-------+---------+---------------+--------------------------+
 
 Objects API
@@ -42,7 +42,7 @@ Objects API
 +=======+=========+===============+==========================+
 | 3.x   |         |               |                          |
 +-------+---------+---------------+--------------------------+
-|       | 3.6.x   | 2026-02-06    |                          |
+|       | 3.6.x   | 2026-02-06    | 2028-04-13               |
 +-------+---------+---------------+--------------------------+
 |       | 3.5.x   | 2025-12-01    | 2026-06-01               |
 +-------+---------+---------------+--------------------------+
@@ -89,7 +89,7 @@ Objecttypes API
 +=======+=========+===============+==========================+
 | 3.x   |         |               |                          |
 +-------+---------+---------------+--------------------------+
-|       | 3.4.x   | 2025-12-01    |                          |
+|       | 3.4.x   | 2025-12-01    | 2028-04-09               |
 +-------+---------+---------------+--------------------------+
 |       | 3.3.x   | 2025-10-06    | 2026-04-06               |
 +-------+---------+---------------+--------------------------+

docs/manual/migration.rst

@@ -36,11 +36,15 @@ and update existing objecttypes or create new ones if they have not been added t
 
 Please note that after running this import command, the objecttypes API is still being used in Objects API version <4.0.0, the command only fetches and imports the data to prepare for the 4.0 upgrade.
 
-With ``check_for_external_objecttypes`` you can check if there are any remaining external objecttypes.
+.. note::
 
-.. code-block:: bash
+    The API now ignores the domain used in objecttype URLs and only checks
+    if an objecttype exists for that UUID in the Open Object database. This means that applications that
+    still use URLs that have the domain of the old Objecttypes API instance for requests
+    to Open Object will not break.
 
-    src/manage.py check_for_external_objecttypes
+    For example: doing a POST on ``/objects`` with a ``type`` like ``https://<objecttypes-api-domain>/api/v2/objecttypes/<uuid>``,
+    will still succeed if an objecttype with the specified UUID exists in the Open Object database.
 
 Setup configuration
 -------------------

dotenv.example

@@ -9,4 +9,4 @@ DB_PASSWORD=""
 DB_HOST=""
 DB_PORT=""
 
-OTEL_SERVICE_NAME=objects
+OTEL_SERVICE_NAME=openobject