Release OpenProject 13.1.1

.github/workflows/docker.yml

@@ -40,7 +40,13 @@ jobs:
             bim_support: false
             target: all-in-one
     steps:
-      - name: Checkout
+      - name: Checkout current release
+        if: ${{ github.event_name == 'push' }}
+        uses: actions/checkout@v3
+      - name: Checkout specific version
+        if: ${{ github.event_name != 'push' }}
+        with:
+          ref: ${{ inputs.version }}
         uses: actions/checkout@v3
       - name: Prepare docker files
         run: |

.pkgr.yml

@@ -25,7 +25,6 @@ targets:
     <<: *debian
   centos-8: &centos8
     env:
-      - BUNDLE_BUILD__PG="--with-pg-config=/usr/pgsql-13/bin/pg_config"
       - NODE_ENV=production
       - NPM_CONFIG_PRODUCTION=false
     dependencies:

Gemfile

@@ -255,7 +255,8 @@ group :test do
   gem 'capybara', '~> 3.39.0'
   gem 'capybara-screenshot', '~> 1.0.17'
   gem 'cuprite', '~> 0.15.0'
-  gem 'selenium-webdriver', '~> 4.15.0'
+  gem 'selenium-devtools'
+  gem 'selenium-webdriver', '~> 4.15'
   gem 'capybara_accessible_selectors', git: 'https://github.com/citizensadvice/capybara_accessible_selectors', branch: 'main'
 
   gem 'fuubar', '~> 2.5.0'

Gemfile.lock

@@ -938,7 +938,9 @@ GEM
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     secure_headers (6.5.0)
-    selenium-webdriver (4.15.0)
+    selenium-devtools (0.120.0)
+      selenium-webdriver (~> 4.2)
+    selenium-webdriver (4.16.0)
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 3.0)
       websocket (~> 1.0)
@@ -1210,7 +1212,8 @@ DEPENDENCIES
   rubytree (~> 2.0.0)
   sanitize (~> 6.1.0)
   secure_headers (~> 6.5.0)
-  selenium-webdriver (~> 4.15.0)
+  selenium-devtools
+  selenium-webdriver (~> 4.15)
   semantic (~> 1.6.1)
   shoulda-context (~> 2.0)
   shoulda-matchers (~> 5.0)

app/contracts/oauth_clients/create_contract.rb

@@ -31,7 +31,7 @@ class CreateContract < ::ModelContract
     include ActiveModel::Validations
 
     attribute :client_id, writable: true
-    validates :client_id, presence: true, length: { maximum: 255 }
+    validates :client_id, presence: { message: I18n.t('oauth_client.errors.client_id_blank') }, length: { maximum: 255 }
 
     attribute :client_secret, writable: true
     validates :client_secret, presence: true, length: { maximum: 255 }

app/helpers/meta_tags_helper.rb

@@ -42,6 +42,7 @@ def initializer_meta_tag
         data: {
           locale: I18n.locale,
           defaultLocale: I18n.default_locale,
+          instanceLocale: Setting.default_language,
           firstWeekOfYear: locale_first_week_of_year,
           firstDayOfWeek: locale_first_day_of_week,
           environment: Rails.env,

app/models/project.rb

@@ -150,13 +150,13 @@ class Project < ApplicationRecord
   friendly_id :identifier, use: :finders
 
   include ::Scopes::Scoped
-  scopes :allowed_to
+  scopes :allowed_to,
+         :visible
 
   scope :has_module, ->(mod) {
     where(["#{Project.table_name}.id IN (SELECT em.project_id FROM #{EnabledModule.table_name} em WHERE em.name=?)", mod.to_s])
   }
   scope :public_projects, -> { where(public: true) }
-  scope :visible, ->(user = User.current) { where(id: Project.visible_by(user)) }
   scope :with_visible_work_packages, ->(user = User.current) do
     where(id: WorkPackage.visible(user).select(:project_id)).or(allowed_to(user, :view_work_packages))
   end
@@ -199,16 +199,6 @@ def self.selectable_projects
     Project.visible.select { |p| User.current.member_of? p }.sort_by(&:to_s)
   end
 
-  # Returns all projects the user is allowed to see.
-  #
-  # Employs the :view_project permission to perform the
-  # authorization check as the permission is public, meaning it is granted
-  # to everybody having at least one role in a project regardless of the
-  # role's permissions.
-  def self.visible_by(user = User.current)
-    allowed_to(user, :view_project).or(where(id: WorkPackage.visible(user).select(:project_id)))
-  end
-
   # Returns a :conditions SQL string that can be used to find the issues associated with this project.
   #
   # Examples:

app/models/projects/scopes/visible.rb

@@ -0,0 +1,50 @@
+# -- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2010-2023 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+# ++
+
+module Projects::Scopes
+  module Visible
+    extend ActiveSupport::Concern
+
+    class_methods do
+      # Returns all projects the user is allowed to see.
+      # Those include projects where the user has the permission:
+      # * :view_project via a project role (which might also be the non member/anonymous role) or by being administrator
+      # * :view_work_packages via a work package role
+      def visible(user = User.current)
+        # Use a shortcut for admins and anonymous where
+        # we don't need to calculate for work package roles which is more expensive
+        if user.admin? || user.anonymous?
+          Project.allowed_to(user, :view_project)
+        else
+          Project.allowed_to(user, :view_project)
+                 .or(where(id: WorkPackage.allowed_to(user, :view_work_packages).select(:project_id)))
+        end
+      end
+    end
+  end
+end

app/models/queries/principals/principal_query.rb

@@ -32,6 +32,6 @@ def self.model
   end
 
   def default_scope
-    Principal.not_builtin
+    Principal.visible(User.current).not_builtin
   end
 end

app/services/oauth_clients/create_service.rb

@@ -36,10 +36,9 @@ module OAuthClients
   class CreateService < ::BaseServices::Create
     protected
 
-    def before_perform(params, _service_result)
-      OAuthClient.where(integration: params[:integration]).delete_all
-
-      super
+    def after_validate(params, contract_call)
+      OAuthClient.where(integration: params[:integration]).delete_all if contract_call.success?
+      super(params, contract_call)
     end
   end
 end

app/views/sharing_mailer/shared_work_package.html.erb

@@ -29,7 +29,7 @@
                    work_package: @work_package,
                    unique_reasons: [:shared],
                    show_count: false,
-                   notification_url: @notification_url,
+                   notification_url: @url,
                    open_in_browser_path: @url
                  } do %>
         <table <%= placeholder_table_styles(width:'100%',style: 'width:100%;') %>>

config/application.rb

@@ -66,6 +66,10 @@ class Application < Rails::Application
     # https://community.openproject.org/wp/45463 for details.
     config.load_defaults 5.0
 
+    # Silence the "multiple database warning"
+    # Note that this warning can be removed in the 7.1 upgrade
+    ActiveRecord.suppress_multiple_database_warning = true
+
     # Do not require `belongs_to` associations to be present by default.
     # Rails 5.0+ default is true. Because of history, lots of tests fail when
     # set to true.

config/constants/settings/definition.rb

@@ -648,6 +648,13 @@ class Definition
         default: nil,
         allowed: -> { Role.pluck(:id) }
       },
+      notifications_hidden: {
+        default: false
+      },
+      notifications_polling_interval: {
+        format: :integer,
+        default: 60000
+      },
       oauth_allow_remapping_of_existing_users: {
         description: 'When set to false, prevent users from other identity providers to take over accounts connected ' \
                      'to another identity provider.',

config/environments/production.rb

@@ -127,6 +127,11 @@
 
   config.active_record.dump_schema_after_migration = false
 
+  # Silence the following warning
+  # "Rails couldn't infer whether you are using multiple databases from your database.yml"
+  # This is deprecated in 7.1. and the warning got removed.
+  config.active_record.suppress_multiple_database_warning = true
+
   if OpenProject::Configuration.enable_internal_assets_server?
     config.public_file_server.enabled = true
     config.public_file_server.headers = {

config/locales/crowdin/af.yml

@@ -401,8 +401,8 @@ af:
     sharing:
       missing_workflow_waring:
         title: "Workflow missing for work package sharing"
-        message: "No workflow configured for the 'Work package editor' role. Without a workflow, the status of a shared work package cannot be changed."
-        link_message: "Configure a workflow in the administration."
+        message: "No workflow is configured for the 'Work package editor' role. Without a workflow, the shared with user cannot alter the status of the work package. Workflows can be copied. Select a source type (e.g. 'Task') and source role (e.g. 'Member'). Then select the target types. To start with, you could select all the types as targets. Finally, select the 'Work package editor' role as the target and press 'Copy'. After having thus created the defaults, fine tune the workflows as you do for every other role."
+        link_message: "Configure the workflows in the administration."
     summary:
       reports:
         category:
@@ -2221,9 +2221,9 @@ af:
     sharing:
       work_packages:
         allowed_actions: "You may %{allowed_actions} this work package. This can change depending on your project role and permissions."
-        create_account: "To access this work package you will need to create and activate an %{instance} account. "
+        create_account: "To access this work package, you will need to create and activate an account on %{instance}."
         open_work_package: "Open work package"
-        subject: "You have been shared work package #%{id}"
+        subject: "Work package #%{id} was shared with you"
         enterprise_text: "Share work packages with users who are not members of the project."
         summary:
           user: "%{user} shared a work package with you with %{role_rights} rights"
@@ -3262,6 +3262,7 @@ af:
       oauth_returned_json_error: "OAuth2 returned a JSON error"
       oauth_returned_http_error: "OAuth2 returned a network error"
       oauth_returned_standard_error: "OAuth2 returned an internal error"
+      client_id_blank: "ID can't be blank."
       wrong_token_type_returned: "OAuth2 returned a wrong type of token, expecting AccessToken::Bearer"
       oauth_issue_contact_admin: "OAuth2 reported an error. Please contact your system administrator."
       oauth_client_not_found: "OAuth2 client not found in 'callback' endpoint (redirect_uri)."

config/locales/crowdin/ar.yml

@@ -405,8 +405,8 @@ ar:
     sharing:
       missing_workflow_waring:
         title: "Workflow missing for work package sharing"
-        message: "No workflow configured for the 'Work package editor' role. Without a workflow, the status of a shared work package cannot be changed."
-        link_message: "Configure a workflow in the administration."
+        message: "No workflow is configured for the 'Work package editor' role. Without a workflow, the shared with user cannot alter the status of the work package. Workflows can be copied. Select a source type (e.g. 'Task') and source role (e.g. 'Member'). Then select the target types. To start with, you could select all the types as targets. Finally, select the 'Work package editor' role as the target and press 'Copy'. After having thus created the defaults, fine tune the workflows as you do for every other role."
+        link_message: "Configure the workflows in the administration."
     summary:
       reports:
         category:
@@ -2333,9 +2333,9 @@ ar:
     sharing:
       work_packages:
         allowed_actions: "You may %{allowed_actions} this work package. This can change depending on your project role and permissions."
-        create_account: "To access this work package you will need to create and activate an %{instance} account. "
+        create_account: "To access this work package, you will need to create and activate an account on %{instance}."
         open_work_package: "Open work package"
-        subject: "You have been shared work package #%{id}"
+        subject: "Work package #%{id} was shared with you"
         enterprise_text: "Share work packages with users who are not members of the project."
         summary:
           user: "%{user} shared a work package with you with %{role_rights} rights"
@@ -3384,6 +3384,7 @@ ar:
       oauth_returned_json_error: "OAuth2 returned a JSON error"
       oauth_returned_http_error: "OAuth2 returned a network error"
       oauth_returned_standard_error: "OAuth2 returned an internal error"
+      client_id_blank: "ID can't be blank."
       wrong_token_type_returned: "OAuth2 returned a wrong type of token, expecting AccessToken::Bearer"
       oauth_issue_contact_admin: "OAuth2 reported an error. Please contact your system administrator."
       oauth_client_not_found: "OAuth2 client not found in 'callback' endpoint (redirect_uri)."

config/locales/crowdin/az.yml

@@ -401,8 +401,8 @@ az:
     sharing:
       missing_workflow_waring:
         title: "Workflow missing for work package sharing"
-        message: "No workflow configured for the 'Work package editor' role. Without a workflow, the status of a shared work package cannot be changed."
-        link_message: "Configure a workflow in the administration."
+        message: "No workflow is configured for the 'Work package editor' role. Without a workflow, the shared with user cannot alter the status of the work package. Workflows can be copied. Select a source type (e.g. 'Task') and source role (e.g. 'Member'). Then select the target types. To start with, you could select all the types as targets. Finally, select the 'Work package editor' role as the target and press 'Copy'. After having thus created the defaults, fine tune the workflows as you do for every other role."
+        link_message: "Configure the workflows in the administration."
     summary:
       reports:
         category:
@@ -2221,9 +2221,9 @@ az:
     sharing:
       work_packages:
         allowed_actions: "You may %{allowed_actions} this work package. This can change depending on your project role and permissions."
-        create_account: "To access this work package you will need to create and activate an %{instance} account. "
+        create_account: "To access this work package, you will need to create and activate an account on %{instance}."
         open_work_package: "Open work package"
-        subject: "You have been shared work package #%{id}"
+        subject: "Work package #%{id} was shared with you"
         enterprise_text: "Share work packages with users who are not members of the project."
         summary:
           user: "%{user} shared a work package with you with %{role_rights} rights"
@@ -3262,6 +3262,7 @@ az:
       oauth_returned_json_error: "OAuth2 returned a JSON error"
       oauth_returned_http_error: "OAuth2 returned a network error"
       oauth_returned_standard_error: "OAuth2 returned an internal error"
+      client_id_blank: "ID can't be blank."
       wrong_token_type_returned: "OAuth2 returned a wrong type of token, expecting AccessToken::Bearer"
       oauth_issue_contact_admin: "OAuth2 reported an error. Please contact your system administrator."
       oauth_client_not_found: "OAuth2 client not found in 'callback' endpoint (redirect_uri)."

config/locales/crowdin/be.yml

@@ -403,8 +403,8 @@ be:
     sharing:
       missing_workflow_waring:
         title: "Workflow missing for work package sharing"
-        message: "No workflow configured for the 'Work package editor' role. Without a workflow, the status of a shared work package cannot be changed."
-        link_message: "Configure a workflow in the administration."
+        message: "No workflow is configured for the 'Work package editor' role. Without a workflow, the shared with user cannot alter the status of the work package. Workflows can be copied. Select a source type (e.g. 'Task') and source role (e.g. 'Member'). Then select the target types. To start with, you could select all the types as targets. Finally, select the 'Work package editor' role as the target and press 'Copy'. After having thus created the defaults, fine tune the workflows as you do for every other role."
+        link_message: "Configure the workflows in the administration."
     summary:
       reports:
         category:
@@ -2277,9 +2277,9 @@ be:
     sharing:
       work_packages:
         allowed_actions: "You may %{allowed_actions} this work package. This can change depending on your project role and permissions."
-        create_account: "To access this work package you will need to create and activate an %{instance} account. "
+        create_account: "To access this work package, you will need to create and activate an account on %{instance}."
         open_work_package: "Open work package"
-        subject: "You have been shared work package #%{id}"
+        subject: "Work package #%{id} was shared with you"
         enterprise_text: "Share work packages with users who are not members of the project."
         summary:
           user: "%{user} shared a work package with you with %{role_rights} rights"
@@ -3324,6 +3324,7 @@ be:
       oauth_returned_json_error: "OAuth2 returned a JSON error"
       oauth_returned_http_error: "OAuth2 returned a network error"
       oauth_returned_standard_error: "OAuth2 returned an internal error"
+      client_id_blank: "ID can't be blank."
       wrong_token_type_returned: "OAuth2 returned a wrong type of token, expecting AccessToken::Bearer"
       oauth_issue_contact_admin: "OAuth2 reported an error. Please contact your system administrator."
       oauth_client_not_found: "OAuth2 client not found in 'callback' endpoint (redirect_uri)."

config/locales/crowdin/bg.yml

@@ -401,8 +401,8 @@ bg:
     sharing:
       missing_workflow_waring:
         title: "Workflow missing for work package sharing"
-        message: "No workflow configured for the 'Work package editor' role. Without a workflow, the status of a shared work package cannot be changed."
-        link_message: "Configure a workflow in the administration."
+        message: "No workflow is configured for the 'Work package editor' role. Without a workflow, the shared with user cannot alter the status of the work package. Workflows can be copied. Select a source type (e.g. 'Task') and source role (e.g. 'Member'). Then select the target types. To start with, you could select all the types as targets. Finally, select the 'Work package editor' role as the target and press 'Copy'. After having thus created the defaults, fine tune the workflows as you do for every other role."
+        link_message: "Configure the workflows in the administration."
     summary:
       reports:
         category:
@@ -2221,9 +2221,9 @@ bg:
     sharing:
       work_packages:
         allowed_actions: "You may %{allowed_actions} this work package. This can change depending on your project role and permissions."
-        create_account: "To access this work package you will need to create and activate an %{instance} account. "
+        create_account: "To access this work package, you will need to create and activate an account on %{instance}."
         open_work_package: "Open work package"
-        subject: "You have been shared work package #%{id}"
+        subject: "Work package #%{id} was shared with you"
         enterprise_text: "Share work packages with users who are not members of the project."
         summary:
           user: "%{user} shared a work package with you with %{role_rights} rights"
@@ -3262,6 +3262,7 @@ bg:
       oauth_returned_json_error: "OAuth2 returned a JSON error"
       oauth_returned_http_error: "OAuth2 returned a network error"
       oauth_returned_standard_error: "OAuth2 returned an internal error"
+      client_id_blank: "ID can't be blank."
       wrong_token_type_returned: "OAuth2 returned a wrong type of token, expecting AccessToken::Bearer"
       oauth_issue_contact_admin: "OAuth2 reported an error. Please contact your system administrator."
       oauth_client_not_found: "OAuth2 client not found in 'callback' endpoint (redirect_uri)."