Releases: opf/openproject

OpenProject 12.5.7

14 Jun 04:06
53b19ad

Release date: 2023-06-14

We released OpenProject 12.5.7.
The release contains several bug fixes and we recommend updating to the newest version.

Bug fixes and changes

  • Changed: Quick-Wins to make blue boxes easier to understand [#44340]
  • Fixed: Milestone cannot be dragged left-right on the calendar [#48334]
  • Fixed: Docker linux/arm64 image raises "/app/docker/prod/gosu: cannot execute binary file: Exec format error" [#48395]

Contributions

A big thanks to community members for reporting bugs and helping us identify and provide fixes.

Special thanks for reporting and finding bugs go to

Marco D.

OpenProject 12.5.6

01 Jun 05:37
35aacb9

Release date: 2023-06-01

We released OpenProject 12.5.6.
The release contains a security related bug fix and we recommend updating to the newest version.

CVE-2023-31140: Project identifier information leakage through robots.txt

For any OpenProject installation, a robots.txt file is generated through the server to denote which routes shall or shall not be accessed by crawlers. These routes contain project identifiers of all public projects in the instance. Even if the entire instance is marked as "Login required" and prevents all truly anonymous access, the /robots.txt route remains publicly available.

As a result, the URL part of the project (i.e., the project identifier) is publicly visible. As these identifiers are derived from the project name, they may contain sensitive information.

For more information, please see our security advisory.

Patches

You can download the following patchfile to apply the patch to any OpenProject version > 10.0: https://patch-diff.githubusercontent.com/raw/opf/openproject/pull/12708.patch

Workaround

If you are unable to update or apply the provided patch, mark any public project as non-public for the time being and give anyone in need of access to the project a membership.
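
To check an instance you operate for this exposure, the following added example (not OpenProject code) extracts project identifiers from a robots.txt body and flags them as a leak when the instance is set to "Login required". It assumes project routes have the form `/projects/<identifier>/...`; the sample input is constructed.

```ruby
# Added example, not OpenProject code. Assumption: project routes in
# robots.txt have the form /projects/<identifier>/...
PROJECT_ROUTE = %r{\A/projects/([^/\s?*$#]+)}

# Returns the sorted, unique project identifiers named in Allow/Disallow rules.
def exposed_project_identifiers(robots_txt)
  robots_txt.each_line.filter_map do |line|
    # Drop trailing comments, then split "Directive: path".
    directive, path = line.sub(/#.*/, "").split(":", 2).map(&:strip)
    next unless %w[allow disallow].include?(directive.to_s.downcase)
    path.to_s[PROJECT_ROUTE, 1]
  end.uniq.sort
end

# Classifies the result. With "Login required" enabled nothing about projects
# should be readable anonymously, so any identifier in robots.txt is a leak.
def audit_robots(robots_txt, login_required:)
  ids = exposed_project_identifiers(robots_txt)
  { identifiers: ids, leak: login_required && !ids.empty? }
end

# Constructed sample, not taken from a real instance.
SAMPLE_ROBOTS = <<~ROBOTS
  User-agent: *
  Disallow: /projects/acme-merger-2023/repository
  Disallow: /projects/acme-merger-2023/activity
  Disallow: /projects/hr-restructuring/repository  # trailing comment
  Disallow: /projects/
  Disallow: /search
ROBOTS

if __FILE__ == $PROGRAM_NAME
  result = audit_robots(SAMPLE_ROBOTS, login_required: true)
  puts "leak: #{result[:leak]}"
  result[:identifiers].each { |id| puts "  exposed identifier: #{id}" }
end
```

Feed it the body of `/robots.txt` fetched without a session; after the patch or the workaround the identifier list should be empty.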

Bug fixes and changes

  • Changed: Add packaged installation support for SLES 15 [#44117]
  • Changed: Allow URL behind the application logo to be configurable [#48251]
  • Fixed: Moving in Kanban board having a "is not" project filter changes the project of the work packages [#44895]
  • Fixed: Upgrade migration error "smtp_openssl_verify_mode is not writable" [#48125]
  • Fixed: OpenProject officially supports Debian 9 while Postgres does not anymore. [#48245]
  • Fixed: robots.txt leaks public project identifiers [#48338]
  • Fixed: Unchecked copy options are still copied in the new project [#48351]

Contributions

A big thanks to community members for reporting bugs and helping us identify and provide fixes.

Special thanks for reporting and finding bugs go to

Benjamin Rönnau, Ryan Brownell

OpenProject 12.5.5

16 May 13:27
6941006

Release date: 2023-05-16

We released OpenProject 12.5.5.
The release contains several bug fixes and we recommend updating to the newest version.

Bug fixes and changes

  • Fixed: API v3 Group List Api sometimes misses embedded members field [#42303]
  • Fixed: Wrong date format for the Slovenian language [#48032]
  • Fixed: MyProjectPageToGrid migration fails [#48122]
  • Fixed: Missing translation for "Comment added" on work package activity tracking [#48157]
  • Fixed: Links from the welcome text stop working when text is edited [#48158]
  • Fixed: Document not listing project name under My Page [#48177]

Contributions

A big thanks to community members for reporting bugs and helping us identify and provide fixes.

Special thanks for reporting and finding bugs go to

Maximilian Hippler, Simon B

OpenProject 12.5.4

02 May 09:24
c0559b1

Release date: 2023-05-02

We released OpenProject 12.5.4.
The release contains two security related bug fixes and we recommend updating to the newest version.

Invalidation of existing sessions when 2FA activated [#48035]

When a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged-in sessions for that user account are not terminated. Likewise, if an administrator creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device.

This security related issue was responsibly disclosed by Vaishnavi Pardeshi. Thank you for reaching out to us and for your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our statement on security.

Advisory: GHSA-xfp9-qqfj-x28q

Workarounds

As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if you plan to employ the workaround.

Invalidation of password reset link when user changes password in the meantime [#48036]

When a user requests a password reset, an email is sent with a link to confirm and reset the password. If the user changes the password in an active session in the meantime, the password reset link was not invalidated and continued to be usable for the duration of its validity period.

The issue has been resolved in OpenProject version 12.5.4 by actively revoking any active password reset tokens for user accounts having changed their passwords successfully within the application.

This security related issue was responsibly disclosed by Vaishnavi Pardeshi. Thank you for reaching out to us and for your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our statement on security.
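
Both fixes in this release follow the same rule: when an account's authentication state changes, credentials issued under the old state are revoked. The added example below is an in-memory model of that rule covering the 2FA and the password reset case; it is not OpenProject code, and the class, method names and the one-hour validity period are assumptions.

```ruby
require "securerandom"

# Added example: an in-memory model with hypothetical names, not OpenProject code.
class Account
  RESET_TTL = 3600 # seconds a reset link stays valid (assumed value)

  def initialize
    @sessions = {}      # session id => created_at
    @reset_tokens = {}  # token => expires_at
    @devices = []       # confirmed 2FA devices
  end

  def login(now: Time.now)
    SecureRandom.hex(16).tap { |sid| @sessions[sid] = now }
  end

  def session_valid?(sid)
    @sessions.key?(sid)
  end

  def request_password_reset(now: Time.now)
    SecureRandom.urlsafe_base64(32).tap { |tok| @reset_tokens[tok] = now + RESET_TTL }
  end

  # A successful password change revokes every outstanding reset token, so a
  # link mailed earlier cannot be used to override the new password.
  def change_password
    @reset_tokens.clear
  end

  # Single use: the token is removed on first presentation, valid or not.
  def redeem_reset_token(token, now: Time.now)
    expires_at = @reset_tokens.delete(token)
    return false if expires_at.nil? || now >= expires_at
    change_password
    true
  end

  # Confirming the first 2FA device terminates sessions that were established
  # with a password only. Returns the number of sessions ended.
  def confirm_2fa_device(device)
    first_device = @devices.empty?
    @devices << device
    return 0 unless first_device
    @sessions.size.tap { @sessions.clear }
  end
end
```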

Bug fixes and changes

  • Fixed: Google reCAPTCHA v2 and V3 changed implementation [#44115]
  • Fixed: User activity: Previous link removes user parameter from URL [#47855]
  • Fixed: Work package HTML titles needlessly truncated [#47876]
  • Fixed: Wrong spacing in Firefox when using line breaks in user content tables [#48027]
  • Fixed: Previously Created Session Continue Being Valid After 2FA Activation [#48035]
  • Fixed: Forgotten password link does not expire when user changes password in the meantime [#48036]

Contributions

A big thanks to community members for reporting bugs and helping us identify and provide fixes.

Special thanks for reporting and finding bugs go to

Björn Schümann

OpenProject 12.5.3

24 Apr 12:32
ba2b8be

Release date: 2023-04-24

We released OpenProject 12.5.3.
The release contains several bug fixes and we recommend updating to the newest version.

Bug fixes and changes

  • Fixed: Titles of related work packages are unnecessarily truncated. Full titles are not accessible. [#44828]
  • Fixed: Date picker: selected dates in mini calendar don't have a hover (primary dark) [#46436]
  • Fixed: Non-working Days/Holidays selection with 12.5 update [#47057]
  • Fixed: Project filter values drop down cut off [#47072]
  • Fixed: In projects filter selected values keep being suggested [#47074]
  • Fixed: Activity page not working correctly [#47203]
  • Fixed: XLS export of work package with description cannot be opened by Excel if the description contains a table [#47513]
  • Fixed: Cannot archive a project that has archived sub-projects [#47599]
  • Fixed: 'TypeError: can't cast Array' during db:migrate [#47620]
  • Fixed: Anyone can sign up using Google even if user registration is disabled [#47622]
  • Fixed: inbound emails uses "move_on_success" and "move_on_failure" error [#47633]

Contributions

A big thanks to community members for reporting bugs and helping us identify and provide fixes.

Special thanks for reporting and finding bugs go to

Daniel Grabowski, Sebastian Bialek, Chris Quin, Gordon Yeung, YK L

OpenProject 12.5.2

28 Mar 14:12
7b699a7

Release date: 2023-03-28

We released OpenProject 12.5.2.
The release contains several bug fixes and we recommend updating to the newest version.

Bug fixes and changes

  • Fixed: [AppSignal] incompatible character encodings: ASCII-8BIT and UTF-8 [#43898]
  • Fixed: Missing deletion confirmation for subprojects [#45935]
  • Fixed: Green button turns to black on hover [#47026]
  • Fixed: Time log entries too coarse [#47027]
  • Fixed: Burndown charts empty since 12.5 [#47079]
  • Fixed: Direct download of a storage file fails [#47113]
  • Fixed: Fix direct uploads when Nextcloud configured without pretty URLs [#47152]
  • Fixed: Swagger UI is not rendering for API docs [#47157]
  • Changed: Add hint if Nextcloud App "OpenProject Integration" needs upgrade for 12.5 [#47021]

Contributions

A big thanks to community members for reporting bugs and helping us identify and provide fixes.

Special thanks for reporting and finding bugs go to

Jörg Mollowitz, André Keil

OpenProject 12.5.1

20 Mar 13:53
16c06b9

Release date: 2023-03-20

We released OpenProject 12.5.1.
The release contains several bug fixes and we recommend updating to the newest version.

Bug fixes and changes

  • Fixed: Changing non working days in Polish fails [#47020]
  • Fixed: Unable to login via oauth provider (e.g. Azure) [#47044]

OpenProject 12.5.0

20 Mar 07:28
0df59a6

Release date: 2023-03-20

We released OpenProject 12.5.0.
This new release is again packed with many new collaboration features, improvements and bug fixes.
The release will bring the anticipated collaboration features for the Nextcloud integration to the OpenProject side. Nextcloud and OpenProject now offer mutual customers a way to manage their projects and share files seamlessly and without disruption.

Moreover, with OpenProject 12.5, the system administrator can set additional non-working days on an instance level, such as public holidays. Also, we are happy to publish another Enterprise add-on: The Advanced search functionality not only supports full text search but also enables users to search for work package attachments or content. It is now a part of the free-of-charge Community version.

Upload files to Nextcloud while working in OpenProject

OpenProject 12.5 launches the next step for the integration between OpenProject and Nextcloud. It is now possible to upload new files to Nextcloud and link them directly to a work package all from within OpenProject. The close connection of work packages with project-related files combines the advantages of both open source systems.

Different use cases are covered for uploading and linking files directly from within a work package.

Link an existing Nextcloud file or folder to an OpenProject work package

If you want to link an existing project related file or folder from Nextcloud to an OpenProject work package, you can now do it directly within the work package in OpenProject.

To do so, start by clicking on Link existing files underneath the section of your Nextcloud file storage.

New file picker in OpenProject

A new file picker will appear, displaying all the files and folders on your Nextcloud instance that you have permission to see. You choose the respective file or folder from Nextcloud via the file picker.

To link a certain file or folder with this work package, click on the checkbox to the left of each item. Once you have selected the file(s) or folder(s) you wish to link to the work package, click on the Link files button. The number on the button will represent the number of files/folders you have selected.

Upload a new file while working in OpenProject

It is now possible to upload a new file from your device directly to Nextcloud from within an OpenProject work package.

In this case, the file you want to link has not yet been uploaded to Nextcloud. Hence, click on the Upload files link. You will then be prompted to select a file (or multiple files) on your computer that you want to upload to Nextcloud.

Alternatively, you can also simply drag a file or folder on your computer to this area (under the name of your Nextcloud file storage) and drop it in the drop zone that appears.

Once you have selected or dropped the files you would like to upload, you will need to select a folder on Nextcloud to which they should be stored.

To save the files you uploaded to the current folder in Nextcloud, click on the Choose location button.

Upload files during creation of a new work package

If you create a new work package in OpenProject and want to add a file to the work package, you can now upload or link files from Nextcloud directly.

You have two options: upload a new file or link an existing file from Nextcloud, as described above.

More options for linked Nextcloud files in OpenProject

The Files tab shows you Nextcloud files that are linked to the current work package. Hovering on any linked file with your mouse will give you options to open or download the file, show the containing folder in Nextcloud or remove the link.

Please note: Removing the link from within a work package in OpenProject will not delete the file or folder in Nextcloud. When uploading a new file with the same name, you will be asked if you want to either overwrite the existing one in Nextcloud or create an additional copy of it.

Setting public holidays as non-working days

OpenProject already lets administrators set the work week at an instance-level by letting them define the working and non-working days of the week.

With OpenProject 12.5, administrators can now also define additional individual non-working days of the year. This can be useful to program in public holidays or closures. Work packages cannot then start or end on these days and these days do not count towards the duration of a work package. (A user can nevertheless turn the 'Working days only' switch off at a work package level and schedule on non-working days if needed).

Please note: These additional non-working days will be set instance-wide, for all projects. They need to be set for every year, e.g. Christmas day has to be set for 2023, 2024 etc. if applicable. If you add additional non-working days, you will be asked if you want to re-schedule your work packages.

Track project changes

Starting with OpenProject 12.5, the Activities module (if enabled) will now include the changes to project attributes and project custom fields. You can directly open the project activity view from the Project list by clicking on the More menu of a particular project and then choosing Project activity.

You can also access project activity by clicking on Activity on the project sidebar menu and using the filters at the bottom of the sidebar to filter for the attributes you wish to view.

New default filter for overdue work packages

We added a default filter Overdue in the work package list so that you can quickly see which of your work packages are overdue and need your attention.

Printing Wikis

If you want to print your Wiki, with OpenProject 12.5 you can now do so. A print function has been added to the More menu at the top right in your Wiki.

Advanced search for work package attachment or content released for the Community

With OpenProject 12.5, we are happy to announce that another Enterprise add-on was released for the free-of-charge Community version. The advanced filters enable not only full-text search but also filtering and searching for work package attachments and the content of those attachments.

Further improvements, changes, and bug fixes

  • Extend the data model and the API to save and query historic values of work packages as a foundation for baseline comparisons.
  • The default work package filter “Latest Activity” also includes rejected, closed and on hold work packages.
  • Archiving projects can now be done by non-admins.
  • The number of GitHub pull requests will be shown on the work package tab.

List of all bug fixes and changes

  • Changed: Archive project via project settings by non admins [#3897]
  • Changed: Change filter for default view: Latest activity [#29086]
  • Changed: Work packages: Add finish date filter with additional overdue task check [#37145]
  • Changed: Add print menu item to context menu of a wiki page [#37851]
  • Changed: Update the list of operators available when filtering using multi-select attributes [#42012]
  • Changed: Standardise date pickers outside of the main work package date field [#42358]
  • Changed: Include nextcloud and attachments empty status drag and drop area [#43576]
  • Changed: Make attachment lists and file link lists drop zones [#43577]
  • Changed: Upload or link Nextcloud files from within the work package creation form [#43578]
  • Changed: File picker [#43654]
  • Changed: Location picker [#43655]
  • Changed: Upload files to Nextcloud from within OpenProject [#43656]
  • Changed: Link existing Nextclou...

OpenProject 12.4.5

23 Feb 15:28
a232d4e

Release date: 2023-02-23

We released OpenProject 12.4.5.
The release contains several bug fixes and we recommend updating to the newest version.

Bug fixes and changes

  • Fixed: Timeout when bulk editing work package assignees across projects [#46284]
  • Fixed: Groups can no longer have their notifications suppressed [#46330]

OpenProject 12.4.4

15 Feb 16:14
472fb4b

Release date: 2023-02-15

We released OpenProject 12.4.4.
The release contains several bug fixes and we recommend updating to the newest version.

Bug fixes and changes

  • Fixed: Deleting tmp/cache works when called manually but never by scheduled jobs [#44182]
  • Fixed: Not possible to delete favicon and touch icon [#45997]
  • Fixed: Sendmail not working in 12.4.3 [#46152]
  • Fixed: Prevent OAuth refresh token race condition. [#46195]
  • Fixed: Click started in modal, but dragged outside closes the modal [#46217]

Contributions

A big thanks to community members for reporting bugs and helping us identify and provide fixes.

Special thanks for reporting and finding bugs go to

Sven Kunze, Lars Jørgensen