Release OpenProject 13.3.1

opf · Feb 28, 2024 · 9f5d571 · 9f5d571
2 parents 24e90ea + 2869318
commit 9f5d571
Show file tree

Hide file tree

Showing 293 changed files with 9,245 additions and 826 deletions.
diff --git a/.github/workflows/brakeman-scan-core.yml b/.github/workflows/brakeman-scan-core.yml
@@ -29,11 +29,6 @@ jobs:
 
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
-        with:
-          # FIXME: remove the ruby version once '3.2.2' is released.
-          # This is set to head to fix ruby segfaulting when brakeman is
-          # used. See https://bugs.ruby-lang.org/issues/19433
-          ruby-version: 'head'
 
       - name: Setup Brakeman
         run: |

diff --git a/.github/workflows/continuous-delivery.yml b/.github/workflows/continuous-delivery.yml
@@ -19,9 +19,8 @@ jobs:
           TOKEN: ${{ secrets.OPENPROJECT_CI_TOKEN }}
           REPOSITORY: opf/openproject-flavours
           WORKFLOW_ID: ci.yml
-          CORE_REF: ${{ github.ref_name }}
         run: |
           curl -i --fail-with-body -H"authorization: Bearer $TOKEN" \
             -XPOST -H"Accept: application/vnd.github.v3+json" \
             https://api.github.com/repos/$REPOSITORY/actions/workflows/$WORKFLOW_ID/dispatches \
-            -d '{"ref": "dev", "inputs": { "ref" : "'$CORE_REF'" }}'
+            -d '{"ref": "dev", "inputs": { "ref" : "${{ github.ref_name }}" }}'
diff --git a/.github/workflows/danger.yml b/.github/workflows/danger.yml
@@ -0,0 +1,26 @@
+name: migration-warning-on-release-branches
+
+on:
+  pull_request:
+    branches:
+      - release/*
+    paths:
+      - 'db/migrate/**.rb'
+      - 'modules/**/db/migrate/*.rb'
+
+jobs:
+  danger:
+    if: github.repository == 'opf/openproject'
+    runs-on: [ubuntu-latest]
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2.3'
+      - uses: MeilCli/danger-action@v5
+        with:
+          danger_file: 'Dangerfile'
+          danger_id: 'danger-pr'
+        env:
+          DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Dangerfile b/Dangerfile
@@ -0,0 +1,9 @@
+CORE_OR_MODULE_MIGRATIONS_REGEX = %r{(modules/.*)?db/migrate/.*\.rb}
+
+def added_or_modified_migrations?
+  (git.modified_files + git.added_files).grep(CORE_OR_MODULE_MIGRATIONS_REGEX)
+end
+
+if added_or_modified_migrations?
+  warn "This PR has migration-related changes on a release branch. Ping @opf/operations"
+end
diff --git a/Gemfile b/Gemfile
@@ -382,4 +382,4 @@ end
 
 gem 'openproject-octicons', '~>19.8.0'
 gem 'openproject-octicons_helper', '~>19.8.0'
-gem 'openproject-primer_view_components', '~>0.20.0'
+gem 'openproject-primer_view_components', '~>0.22.2'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -238,35 +238,35 @@ GEM
   remote: https://rubygems.org/
   specs:
     Ascii85 (1.1.0)
-    actioncable (7.1.3)
-      actionpack (= 7.1.3)
-      activesupport (= 7.1.3)
+    actioncable (7.1.3.2)
+      actionpack (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.3)
-      actionpack (= 7.1.3)
-      activejob (= 7.1.3)
-      activerecord (= 7.1.3)
-      activestorage (= 7.1.3)
-      activesupport (= 7.1.3)
+    actionmailbox (7.1.3.2)
+      actionpack (= 7.1.3.2)
+      activejob (= 7.1.3.2)
+      activerecord (= 7.1.3.2)
+      activestorage (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.1.3)
-      actionpack (= 7.1.3)
-      actionview (= 7.1.3)
-      activejob (= 7.1.3)
-      activesupport (= 7.1.3)
+    actionmailer (7.1.3.2)
+      actionpack (= 7.1.3.2)
+      actionview (= 7.1.3.2)
+      activejob (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.3)
-      actionview (= 7.1.3)
-      activesupport (= 7.1.3)
+    actionpack (7.1.3.2)
+      actionview (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
       nokogiri (>= 1.8.5)
       racc
       rack (>= 2.2.4)
@@ -277,31 +277,31 @@ GEM
     actionpack-xml_parser (2.0.1)
       actionpack (>= 5.0)
       railties (>= 5.0)
-    actiontext (7.1.3)
-      actionpack (= 7.1.3)
-      activerecord (= 7.1.3)
-      activestorage (= 7.1.3)
-      activesupport (= 7.1.3)
+    actiontext (7.1.3.2)
+      actionpack (= 7.1.3.2)
+      activerecord (= 7.1.3.2)
+      activestorage (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.3)
-      activesupport (= 7.1.3)
+    actionview (7.1.3.2)
+      activesupport (= 7.1.3.2)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (7.1.3)
-      activesupport (= 7.1.3)
+    activejob (7.1.3.2)
+      activesupport (= 7.1.3.2)
       globalid (>= 0.3.6)
-    activemodel (7.1.3)
-      activesupport (= 7.1.3)
+    activemodel (7.1.3.2)
+      activesupport (= 7.1.3.2)
     activemodel-serializers-xml (1.0.2)
       activemodel (> 5.x)
       activesupport (> 5.x)
       builder (~> 3.1)
-    activerecord (7.1.3)
-      activemodel (= 7.1.3)
-      activesupport (= 7.1.3)
+    activerecord (7.1.3.2)
+      activemodel (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
       timeout (>= 0.4.0)
     activerecord-import (1.5.1)
       activerecord (>= 4.2)
@@ -314,13 +314,13 @@ GEM
       multi_json (~> 1.11, >= 1.11.2)
       rack (>= 2.0.8, < 4)
       railties (>= 6.1)
-    activestorage (7.1.3)
-      actionpack (= 7.1.3)
-      activejob (= 7.1.3)
-      activerecord (= 7.1.3)
-      activesupport (= 7.1.3)
+    activestorage (7.1.3.2)
+      actionpack (= 7.1.3.2)
+      activejob (= 7.1.3.2)
+      activerecord (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
       marcel (~> 1.0)
-    activesupport (7.1.3)
+    activesupport (7.1.3.2)
       base64
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
@@ -756,7 +756,7 @@ GEM
       actionview
       openproject-octicons (= 19.8.0)
       railties
-    openproject-primer_view_components (0.20.0)
+    openproject-primer_view_components (0.22.2)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
       openproject-octicons (>= 19.8.0)
@@ -824,7 +824,7 @@ GEM
       puma (>= 5.0, < 7)
     raabro (1.4.0)
     racc (1.7.3)
-    rack (2.2.8)
+    rack (2.2.8.1)
     rack-accept (0.4.5)
       rack (>= 0.4)
     rack-attack (6.7.0)
@@ -854,20 +854,20 @@ GEM
     rackup (1.0.0)
       rack (< 3)
       webrick
-    rails (7.1.3)
-      actioncable (= 7.1.3)
-      actionmailbox (= 7.1.3)
-      actionmailer (= 7.1.3)
-      actionpack (= 7.1.3)
-      actiontext (= 7.1.3)
-      actionview (= 7.1.3)
-      activejob (= 7.1.3)
-      activemodel (= 7.1.3)
-      activerecord (= 7.1.3)
-      activestorage (= 7.1.3)
-      activesupport (= 7.1.3)
+    rails (7.1.3.2)
+      actioncable (= 7.1.3.2)
+      actionmailbox (= 7.1.3.2)
+      actionmailer (= 7.1.3.2)
+      actionpack (= 7.1.3.2)
+      actiontext (= 7.1.3.2)
+      actionview (= 7.1.3.2)
+      activejob (= 7.1.3.2)
+      activemodel (= 7.1.3.2)
+      activerecord (= 7.1.3.2)
+      activestorage (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
       bundler (>= 1.15.0)
-      railties (= 7.1.3)
+      railties (= 7.1.3.2)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -882,9 +882,9 @@ GEM
     rails-i18n (7.0.8)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 8)
-    railties (7.1.3)
-      actionpack (= 7.1.3)
-      activesupport (= 7.1.3)
+    railties (7.1.3.2)
+      actionpack (= 7.1.3.2)
+      activesupport (= 7.1.3.2)
       irb
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -1227,7 +1227,7 @@ DEPENDENCIES
   openproject-octicons (~> 19.8.0)
   openproject-octicons_helper (~> 19.8.0)
   openproject-openid_connect!
-  openproject-primer_view_components (~> 0.20.0)
+  openproject-primer_view_components (~> 0.22.2)
   openproject-recaptcha!
   openproject-reporting!
   openproject-storages!

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -220,7 +220,15 @@ def reset_i18n_fallbacks
   end
 
   def set_localization
-    SetLocalizationService.new(User.current, request.env['HTTP_ACCEPT_LANGUAGE']).call
+    # 1. Use completely autheticated user
+    # 2. Use user with some authenticated stages not compelted.
+    #    In this case user is not considered logged in, but identified.
+    #    It covers localization for extra authentication stages(like :consent, for example)
+    # 3. Use anonymous instance.
+    user = RequestStore[:current_user] ||
+           (session[:authenticated_user_id].present? && User.find_by(id: session[:authenticated_user_id])) ||
+           User.anonymous
+    SetLocalizationService.new(user, request.env['HTTP_ACCEPT_LANGUAGE']).call
   end
 
   def deny_access(not_found: false)

diff --git a/app/controllers/concerns/accounts/authentication_stages.rb b/app/controllers/concerns/accounts/authentication_stages.rb
@@ -1,3 +1,31 @@
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2012-2024 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
 module Accounts::AuthenticationStages
   def successful_authentication(user, reset_stages: true, just_registered: false)
     stages = authentication_stages after_activation: just_registered, reset: reset_stages

diff --git a/app/controllers/concerns/accounts/user_consent.rb b/app/controllers/concerns/accounts/user_consent.rb
@@ -33,8 +33,8 @@ module Accounts::UserConsent
   include ::UserConsentHelper
 
   def consent
-    if consent_required?
-      render 'account/consent', locals: { consenting_user: }
+    if user_consent_required? && consenting_user&.consent_expired?
+      render 'account/consent'
     else
       consent_finished
     end
@@ -50,14 +50,6 @@ def confirm_consent
     end
   end
 
-  def consent_required?
-    # Ensure consent is enabled and a text is provided
-    return false unless user_consent_required?
-
-    # Require the user to consent if he hasn't already
-    consent_expired?
-  end
-
   def decline_consent
     message = I18n.t('consent.decline_warning_message') + "\n"
     message <<
@@ -71,19 +63,6 @@ def decline_consent
     redirect_to authentication_stage_failure_path :consent
   end
 
-  def consent_expired?
-    consented_at = consenting_user.try(:consented_at)
-
-    # Always if the user has not consented
-    return true if consented_at.blank?
-
-    # Did not expire if no consent_time set, but user has consented at some point
-    return false if Setting.consent_time.blank?
-
-    # Otherwise, expires when consent_time is newer than last consented_at
-    consented_at < Setting.consent_time
-  end
-
   def consenting_user
     User.find_by id: session[:authenticated_user_id]
   end

diff --git a/app/helpers/user_consent_helper.rb b/app/helpers/user_consent_helper.rb
@@ -37,23 +37,23 @@ def user_consent_required?
   end
 
   ##
-  # Gets consent instructions for the given user.
+  # Gets consent instructions.
   #
-  # @param user [User] The user to get instructions for.
   # @param locale [String] ISO-639-1 code for the desired locale (e.g. de, en, fr).
   #                        `I18n.locale` is set for each request individually depending
   #                        among other things on the user's Accept-Language headers.
   # @return [String] Instructions in the respective language.
-  def user_consent_instructions(_user, locale: I18n.locale)
+  def user_consent_instructions(locale)
     all = Setting.consent_info
-
     all.fetch(locale.to_s) { all.values.first }
   end
 
   def consent_checkbox_label(locale: I18n.locale)
     I18n.t('consent.checkbox_label', locale:)
   end
 
+  private
+
   def consent_configured?
     if Setting.consent_info.count == 0
       Rails.logger.error 'Instance is configured to require consent, but no consent_info has been set.'

diff --git a/app/models/role.rb b/app/models/role.rb
@@ -77,7 +77,16 @@ def copy_from_role(source_role)
             inclusion: { in: ->(*) { Role.subclasses.map(&:to_s) } }
 
   def self.givable
-    where.not(builtin: [BUILTIN_NON_MEMBER, BUILTIN_ANONYMOUS])
+    where
+      .not(
+        builtin: [
+          Role::BUILTIN_NON_MEMBER,
+          Role::BUILTIN_ANONYMOUS,
+          Role::BUILTIN_WORK_PACKAGE_VIEWER,
+          Role::BUILTIN_WORK_PACKAGE_COMMENTER,
+          Role::BUILTIN_WORK_PACKAGE_EDITOR
+        ]
+      )
       .order(Arel.sql('position'))
   end