Release OpenProject 11.4.0

Author: oliverguenther

.pkgr.yml

@@ -13,6 +13,8 @@ targets:
       - imagemagick
   debian-10:
     <<: *debian9
+  debian-11:
+    <<: *debian9
   ubuntu-16.04:
     <<: *debian9
   ubuntu-18.04:

Gemfile

@@ -170,7 +170,7 @@ gem 'unicorn'
 
 gem 'puma', '~> 5.3.0' # used for development and optionally for production
 
-gem 'nokogiri', '~> 1.11.0'
+gem 'nokogiri', '~> 1.12.5'
 
 gem 'carrierwave', '~> 1.3.1'
 gem 'carrierwave_direct', '~> 2.1.0'
@@ -180,7 +180,7 @@ gem 'aws-sdk-core', '~> 3.107'
 # File upload via fog + screenshots on travis
 gem 'aws-sdk-s3', '~> 1.91'
 
-gem 'openproject-token', '~> 2.1.1'
+gem 'openproject-token', '~> 2.2'
 
 gem 'plaintext', '~> 0.3.2'
 
@@ -295,6 +295,7 @@ gem 'bootsnap', '~> 1.7.0', require: false
 
 # API gems
 gem 'grape', '~> 1.5.0'
+gem 'grape_logging', '~> 1.8.4'
 gem 'roar', '~> 1.1.0'
 
 # CORS for API

Gemfile.lock

@@ -511,6 +511,9 @@ GEM
       mustermann-grape (~> 1.0.0)
       rack (>= 1.3.0)
       rack-accept
+    grape_logging (1.8.4)
+      grape
+      rack
     gravatar_image_tag (1.2.0)
     hashdiff (1.0.1)
     hashery (2.1.2)
@@ -587,7 +590,7 @@ GEM
     mime-types-data (3.2021.0225)
     mini_magick (4.11.0)
     mini_mime (1.0.3)
-    mini_portile2 (2.5.1)
+    mini_portile2 (2.6.1)
     minisyntax (0.2.5)
     minitest (5.14.4)
     mixlib-shellout (2.1.0)
@@ -604,8 +607,8 @@ GEM
     newrelic_rpm (7.0.0)
     nio4r (2.5.7)
     no_proxy_fix (0.1.2)
-    nokogiri (1.11.4)
-      mini_portile2 (~> 2.5.0)
+    nokogiri (1.12.5)
+      mini_portile2 (~> 2.6.1)
       racc (~> 1.4)
     nokogumbo (2.0.5)
       nokogiri (~> 1.8, >= 1.8.4)
@@ -628,7 +631,7 @@ GEM
       validate_email
       validate_url
       webfinger (>= 1.0.1)
-    openproject-token (2.1.3)
+    openproject-token (2.2.0)
       activemodel
     parallel (1.20.1)
     parallel_tests (3.7.0)
@@ -1003,6 +1006,7 @@ DEPENDENCIES
   fuubar (~> 2.5.0)
   gon (~> 6.4.0)
   grape (~> 1.5.0)
+  grape_logging (~> 1.8.4)
   grids!
   html-pipeline (~> 2.14.0)
   htmldiff
@@ -1020,7 +1024,7 @@ DEPENDENCIES
   my_page!
   net-ldap (~> 0.17.0)
   newrelic_rpm
-  nokogiri (~> 1.11.0)
+  nokogiri (~> 1.12.5)
   oj (~> 3.11.0)
   okcomputer (~> 1.18.1)
   omniauth!
@@ -1042,7 +1046,7 @@ DEPENDENCIES
   openproject-pdf_export!
   openproject-recaptcha!
   openproject-reporting!
-  openproject-token (~> 2.1.1)
+  openproject-token (~> 2.2)
   openproject-translations!
   openproject-two_factor_authentication!
   openproject-webhooks!

app/contracts/attachments/create_contract.rb

@@ -0,0 +1,98 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2012-2021 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Attachments
+  class CreateContract < ::ModelContract
+    attribute :file
+    attribute :filename
+    attribute :filesize
+    attribute :digest
+    attribute :description
+    attribute :content_type
+    attribute :container
+    attribute :container_type
+    attribute :author
+
+    validates :filename, presence: true
+
+    validate :validate_attachments_addable
+    validate :validate_container_addable
+    validate :validate_author
+    validate :validate_content_type
+
+    private
+
+    def validate_attachments_addable
+      return if model.container
+
+      if Redmine::Acts::Attachable.attachables.none?(&:attachments_addable?)
+        errors.add(:base, :error_unauthorized)
+      end
+    end
+
+    def validate_author
+      unless model.author == user
+        errors.add(:author, :invalid)
+      end
+    end
+
+    def validate_container_addable
+      return unless model.container
+
+      errors.add(:base, :error_unauthorized) unless model.container.attachments_addable?(user)
+    end
+
+    ##
+    # Validates the content type, if a whitelist is set
+    def validate_content_type
+      # If the whitelist is empty, assume all files are allowed
+      # as before
+      unless matches_whitelist?(attachment_whitelist)
+        Rails.logger.info { "Uploaded file #{model.filename} with type #{model.content_type} does not match whitelist" }
+        errors.add :content_type, :not_whitelisted, value: model.content_type
+      end
+    end
+
+    ##
+    # Get the user-defined whitelist or a custom whitelist
+    # defined for this invocation
+    def attachment_whitelist
+      Array(options.fetch(:whitelist, Setting.attachment_whitelist))
+    end
+
+    ##
+    # Returns whether the attachment matches the whitelist
+    def matches_whitelist?(whitelist)
+      return true if whitelist.empty?
+
+      whitelist.include?(model.content_type) || whitelist.include?("*#{model.extension}")
+    end
+  end
+end

app/contracts/attachments/prepare_upload_contract.rb

@@ -0,0 +1,41 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2012-2021 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Attachments
+  class PrepareUploadContract < CreateContract
+    validate :validate_direct_uploads_active
+
+    private
+
+    def validate_direct_uploads_active
+      errors.add :base, :not_available unless OpenProject::Configuration.direct_uploads?
+    end
+  end
+end

app/contracts/base_contract.rb

@@ -82,7 +82,7 @@ def property(name, options = {}, &block)
     end
 
     def attribute(attribute, options = {}, &block)
-      property attribute
+      property attribute, options.slice(:readable)
 
       add_writable(attribute, options[:writeable])
       attribute_permission(attribute, options[:permission])

app/contracts/wiki_pages/update_contract.rb

@@ -0,0 +1,32 @@
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2012-2021 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module WikiPages
+  class UpdateContract < BaseContract
+  end
+end

lib/api/v3/attachments/attachment_metadata_representer.rb renamed to app/controllers/admin/settings/attachments_settings_controller.rb

@@ -28,28 +28,19 @@
 # See docs/COPYRIGHT.rdoc for more details.
 #++
 
-require 'roar/decorator'
-require 'roar/json/hal'
+module Admin::Settings
+  class AttachmentsSettingsController < ::Admin::SettingsController
+    menu_item :settings_attachments
 
-module API
-  module V3
-    module Attachments
-      class AttachmentMetadataRepresenter < ::API::Decorators::Single
-        def initialize(attachment)
-          super(attachment, current_user: nil)
-        end
+    def default_breadcrumb
+      t(:'attributes.attachments')
+    end
 
-        property :file_name
-        property :description,
-                 getter: ->(*) {
-                   ::API::Decorators::Formattable.new(description, plain: true)
-                 },
-                 setter: ->(fragment:, **) { self.description = fragment['raw'] },
-                 render_nil: true
+    private
 
-        property :content_type, render_nil: false
-        property :file_size, render_nil: false
-        property :digest, render_nil: false
+    def settings_params
+      super.tap do |settings|
+        settings["attachment_whitelist"] = settings["attachment_whitelist"].split(/\r?\n/)
       end
     end
   end

app/controllers/concerns/attachable_service_call.rb

@@ -0,0 +1,66 @@
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2012-2021 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module AttachableServiceCall
+  ##
+  # Call the presented CreateContract service
+  # with the given params, merging in any attachment params
+  #
+  # @param service_cls the service class instance
+  # @param args permitted args for the service call
+  def attachable_create_call(service_cls, args:)
+    service_cls
+      .new(user: current_user)
+      .call(args.merge(attachment_params))
+  end
+
+  ##
+  # Call the presented UpdateContract service
+  # with the given params, merging in any attachment params
+  #
+  # @param service_cls the service class instance
+  # @param args permitted args for the service call
+  def attachable_update_call(service_cls, model:, args:)
+    service_cls
+      .new(user: current_user, model: model)
+      .call(args.merge(attachment_params))
+  end
+
+  ##
+  # Attachable parameters mapped to a format the
+  # SetReplacements service concern
+  def attachment_params
+    attachment_params = permitted_params.attachments.to_h
+
+    if attachment_params.any?
+      { attachment_ids: attachment_params.values.map(&:values).flatten }
+    else
+      {}
+    end
+  end
+end