Merge remote-tracking branch 'origin/release/13.0' into dev

2026-06-14 03:30:14 +00:00 · 2023-09-12 09:25:32 +02:00
parent efeb42cf9f 6d04105ec4
commit 0481cd1237
16 changed files with 207 additions and 107 deletions
@@ -420,7 +420,7 @@ module Settings
      # Allow connections for trial creation and booking
      enterprise_trial_creation_host: {
        description: 'Host for EE trial service',
-        default: 'https://augur.openproject.com',
+        default: 'https://start.openproject.com',
        writable: false
      },
      enterprise_chargebee_site: {
@@ -2191,8 +2191,8 @@ en:
    zero: "no projects"
  label_yesterday: "yesterday"
  label_role_type: "Type"
-  label_member_role: "Project Role"
-  label_global_role: "Global Role"
+  label_member_role: "Project role"
+  label_global_role: "Global role"
  label_not_changeable: "(not changeable)"
  label_global: "Global"
  label_seeded_from_env_warning: This record has been created through a setting / environment variable. It is not editable through UI.
@@ -2437,7 +2437,7 @@ en:
  permission_add_work_package_notes: "Add notes"
  permission_add_work_packages: "Add work packages"
  permission_add_messages: "Post messages"
-  permission_add_project: "Create project"
+  permission_add_project: "Create projects"
  permission_archive_project: "Archive project"
  permission_create_user: "Create users"
  permission_manage_user: "Edit users"
@@ -2451,7 +2451,7 @@ en:
  permission_commit_access: "Read/write access to repository (commit)"
  permission_copy_projects: "Copy projects"
  permission_copy_work_packages: "Copy work packages"
-  permission_create_backup: "Create backup"
+  permission_create_backup: "Create backups"
  permission_delete_work_package_watchers: "Delete watchers"
  permission_delete_work_packages: "Delete work packages"
  permission_delete_messages: "Delete messages"
@@ -461,7 +461,7 @@ en:
    label_filename: "File"
    label_filesize: "Size"
    label_general: "General"
-    label_global_roles: "Global Roles"
+    label_global_roles: "Global roles"
    label_greater_or_equal: ">="
    label_group: 'Group'
    label_group_by: "Group by"
@@ -0,0 +1,9 @@
+class RemoveNewsJournalsTitleLengthConstraint < ActiveRecord::Migration[7.0]
+  def up
+    change_column(:news_journals, :title, :string, limit: nil)
+  end
+
+  def down
+    change_column(:news_journals, :title, :string, limit: 60)
+  end
+end
@@ -231,6 +231,16 @@ Inconsiderate use of error handling, logging, and monitoring mechanisms of a web
 - Scrub and filter user data being logged or output in error messages to prevent data leakage.
 - Only log necessary information. Avoid logging sensitive data such as passwords, payment information, or Personally Identifiable Information (PII).
 - Log data in a standard format to make parsing, auditing, and monitoring of that information easy.
+- Ensure that actions are aborted in case of errors
+
+
+
+**Usage at OpenProject**
+
+- Exception handlers catch all StandardErrors whenever your controller inherits from ApplicationController
+- Exception responses are disconnected from the actual errors and provide user-friendly messages without error details
+- Database transaction wrapping for any actions is wrapped in the [BaseContracted services](https://github.com/opf/openproject/blob/dev/app/services/base_services/base_contracted.rb#L54). Transactions are automatically rolled back in [Rails when exceptions occur](https://api.rubyonrails.org/v5.0.1/classes/ActiveRecord/Transactions/ClassMethods.html).
+- OpenProject uses a LogRage formatter for flexible, yet easily parseable formats



@@ -52,14 +52,14 @@ You should prefix your string unless its something very generic:
 # ...
 work_packages:
  my_specific_page:
-  	my_button: "My localized button label"
+    my_button: "My localized button label"
 ```



 You can then use the `t()` helper method in the Rails erb view to translate the string:

-```html
+```erb
 <%= styled_button_tag t('work_packages.my_specific_page.my_button') %>
 ```

@@ -79,7 +79,7 @@ The Rails guide on translations will give advanced examples on variable interpol

 ## Using I18n in your frontend code

-The frontend receives all translations prefixed with `js.` (see above) through compiled javascript files from `frontend/src/locales/{language}.js` folder generated by I18n.js. These locales are loaded early on in the application in [frontend/src/main.ts](https://github.com/opf/openproject/blob/dev/frontend/src/main.ts) to ensure they are present when the page loads. The import happens dynamically so only the language the user has selected is going to be loaded by webpack.
+The frontend receives all translations prefixed with `js-` (see above) through compiled javascript files from `frontend/src/locales/{language}.js` folder generated by I18n.js. These locales are loaded early on in the application in [frontend/src/main.ts](https://github.com/opf/openproject/blob/dev/frontend/src/main.ts) to ensure they are present when the page loads. The import happens dynamically so only the language the user has selected is going to be loaded by webpack.



@@ -59,9 +59,13 @@ We recommend you use existing database tools to inspect and export the database

 OpenProject makes use of technical cookies to identity the browser client and/or remember information such as 2FA login state. The core application makes use of these cookies:

- `_open_project_session` (the name is configurable) contains the information about the logged in user as well as information stored between requests on the user's choices (e.g. the filters for costs are in part stored there)
- `autologin` enables the user to automatically log in again after the session expired (e.g. because the browser was closed). It is set when the user checks the 'Stay logged in' box in the login form.
- `op2fa_remember_token` the presence of that cookie suppresses the need for the user to provide a second factor upon login for 30 days if the user selects to do so when entering the 2fa information.
+| **Cookie name**                                | **Description**                                              | **Expiry**                                                   | **Security flags**                                    | **Implementation**                                           |
+| ---------------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------------------------------------------- | ------------------------------------------------------------ |
+| `_open_project_session` (name is configurable) | contains the information about the logged in user as well as information stored between requests on the user's choices (e.g. the filters for costs are in part stored there) | Session <br />+ configurable server-sideTTL                  | secure<br />httponly<br />Samesite=Lax<br />encrypted | [Code ref](https://github.com/opf/openproject/blob/release/13.0/config/initializers/session_store.rb#L34-L39) |
+| `autologin` (name is configurable)             | (Optional feature, requires opt-in under Administration > Authentication settings) <br />enables the user to automatically log in again after the session expired (e.g. because the browser was closed). It is set when the user checks the '*Stay logged in*' box in the login form.<br /> | Cookie 1 year<br />+ server-side token N days (configurable) | secure<br />httponly<br />Samesite=Lax<br />encrypted | [Code ref](https://github.com/opf/openproject/blob/release/13.0/app/controllers/concerns/accounts/user_login.rb#L19C1-L29) |
+| `op2fa_remember_token`                         | the presence of that cookie suppresses the need for the user to provide a second factor upon login for N days (configurable by administration) if the user selects to do so when entering the 2fa information. | N days (configurable)                                        | secure<br />httponly<br />Samesite=Lax<br />encrypted | [Code ref](https://github.com/opf/openproject/blob/release/13.0/modules/two_factor_authentication/app/controllers/concerns/two_factor_authentication/remember_token.rb#L28-L34) |
+
+

 On top of that, for cloud instances:

@@ -20,7 +20,7 @@ This document provides an initial introduction to the boards in OpenProject, i.e

 To find out more about the detailed functionalities of Boards, please visit our [user guide for boards](../../user-guide/agile-boards).

-Agile boards is only one of OpenProject's features. Find a comprehensive comparison between OpenProject and Trello [here](https://www.openproject.org/alternatives/best-trello-alternative/).
+Agile boards is only one of OpenProject's features. Find a comprehensive comparison between OpenProject and Trello [here](https://www.openproject.org/project-management-software-alternatives/best-trello-alternative/).


 | Topic                                                       | Content                                    |
@@ -291,7 +291,7 @@ When a filter is defined, synchronization happens directly during seeding for en



-## Setting session options
+### Setting session options

 **Delete old sessions for the same user when logging in**

@@ -313,21 +313,30 @@ To disable, set the configuration option:
 OPENPROJECT_DROP__OLD__SESSIONS__ON__LOGOUT="false"
 ```

-### disable password login
+### Attachments storage

-If you enable this option you have to configure at least one omniauth authentication
-provider to take care of authentication instead of the password login.
+You can modify the folder where attachments are stored locally. Use the `attachments_storage_path` configuration variable for that. But ensure that you move the existing paths. To find out the current path on a packaged installation, use `openproject config:get OPENPROJECT_ATTACHMENTS__STORAGE__PATH`.

-All username/password forms will be removed and only a list of omniauth providers
-presented to the users.
+To update the path, use `openproject config:set OPENPROJECT_ATTACHMENTS__STORAGE__PATH="/path/to/new/folder"`. Ensure that this is writable by the `openproject` user. Afterwards issue a restart by `sudo openproject configure`

-*default: false*
+#### attachment storage type
+
+Attachments can be stored using e.g. Amazon S3, In order to set these values through ENV variables, add to the file :
+
+*default: file*

 ```yaml
-OPENPROJECT_DISABLE__PASSWORD__LOGIN="true"
+OPENPROJECT_ATTACHMENTS__STORAGE="fog"
+OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID="AKIAJ23HC4KNPWHPG3UA"
+OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY="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"
+OPENPROJECT_FOG_CREDENTIALS_PROVIDER="AWS"
+OPENPROJECT_FOG_CREDENTIALS_REGION="eu-west-1"
+OPENPROJECT_FOG_DIRECTORY="uploads"
 ```

-### auth source sso
+
+
+### Auth source sso

 Can be used to automatically login a user defined through a custom header sent by a load balancer or reverse proxy in front of OpenProject, for instance in a Kerberos Single Sign-On (SSO) setup via apache.
 The header with the given name has to be passed to OpenProject containing the logged in user and the defined global secret as in `$login:$secret`.
@@ -351,6 +360,75 @@ auth_source_sso:
  # optional: true
 ```

+
+
+### Backups
+
+#### backup enabled
+
+If enabled, admins (or users with the necessary permission) can download backups of the OpenProject installation
+via OpenProject's web interface or via the API.
+
+*default: true*
+
+```yaml
+OPENPROJECT_BACKUP__ENABLED="false"
+```
+
+#### backup attachment size max sum mb
+
+Per default the maximum overall size of all attachments must not exceed 1GB for them to be included in the backup. If they are larger only the database dump will be included.
+
+*default=1024*
+
+```yaml
+OPENPROJECT_BACKUP__ATTACHMENT__SIZE__MAX__SUM__MB="8192"
+```
+
+#### additional configurations for backup
+
+```yaml
+OPENPROJECT_BACKUP__DAILY__LIMIT="3"
+OPENPROJECT_BACKUP__INCLUDE__ATTACHMENTS="true"
+OPENPROJECT_BACKUP__INITIAL__WAITING__PERIOD="86400"
+```
+
+
+
+### BCrypt configuration
+
+OpenProject uses BCrypt to derive and store user passwords securely. BCrypt uses a so-called Cost Factor to derive the computational effort required to derive a password from input.
+
+For more information, see the [Cost Factor guide of the bcrypt-ruby gem](https://github.com/bcrypt-ruby/bcrypt-ruby#cost-factors). The higher the value, the more effort required for deriving BCrypt hashes.
+
+*default: 12*
+
+```bash
+OPENPROJECT_OVERRIDE__BCRYPT__COST__FACTOR="16"
+```
+
+
+
+### Database configuration and SSL
+
+Please see [this separate guide](./database/) on how to set a custom database connection string and optionally, require SSL/TTLS verification. 
+
+### disable password login
+
+If you enable this option you have to configure at least one omniauth authentication
+provider to take care of authentication instead of the password login.
+
+All username/password forms will be removed and only a list of omniauth providers
+presented to the users.
+
+*default: false*
+
+```yaml
+OPENPROJECT_DISABLE__PASSWORD__LOGIN="true"
+```
+
+
+
 ### omniauth direct login provider

 Per default the user may choose the usual password login as well as <u>several</u> omniauth providers on the login page and in the login drop down menu. With this configuration option you can set a specific omniauth provider to be used for direct login. Meaning that the login provider selection is skipped and the configured provider is used directly (non-interactive) instead.
@@ -397,29 +475,7 @@ For supported values, please see [en.gravatar.com/site/implement/images/](https:
 OPENPROJECT_GRAVATAR__FALLBACK__IMAGE="identicon"
 ```

-
-### Attachments storage
-
-You can modify the folder where attachments are stored locally. Use the `attachments_storage_path` configuration variable for that. But ensure that you move the existing paths. To find out the current path on a packaged installation, use `openproject config:get OPENPROJECT_ATTACHMENTS__STORAGE__PATH`.
-
-To update the path, use `openproject config:set OPENPROJECT_ATTACHMENTS__STORAGE__PATH="/path/to/new/folder"`. Ensure that this is writable by the `openproject` user. Afterwards issue a restart by `sudo openproject configure`
-
-#### attachment storage type
-
-Attachments can be stored using e.g. Amazon S3, In order to set these values through ENV variables, add to the file :
-
-*default: file*
-
-```yaml
-OPENPROJECT_ATTACHMENTS__STORAGE="fog"
-OPENPROJECT_FOG_CREDENTIALS_AWS__ACCESS__KEY__ID="AKIAJ23HC4KNPWHPG3UA"
-OPENPROJECT_FOG_CREDENTIALS_AWS__SECRET__ACCESS__KEY="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"
-OPENPROJECT_FOG_CREDENTIALS_PROVIDER="AWS"
-OPENPROJECT_FOG_CREDENTIALS_REGION="eu-west-1"
-OPENPROJECT_FOG_DIRECTORY="uploads"
-```
-
-#### backend migration
+backend migration

 You can migrate attachments between the available backends. One example would be that you change the configuration from the file storage to the fog storage. If you want to put all the present file-based attachments into the cloud, you will have to use the following rake task:

@@ -630,37 +686,6 @@ enterprise:
  fail_fast: true
 ```

-### backup configuration
-
-#### backup enabled
-
-If enabled, admins (or users with the necessary permission) can download backups of the OpenProject installation
-via OpenProject's web interface or via the API.
-
-*default: true*
-
-```yaml
-OPENPROJECT_BACKUP__ENABLED="false"
-```
-
-#### backup attachment size max sum mb
-
-Per default the maximum overall size of all attachments must not exceed 1GB for them to be included in the backup. If they are larger only the database dump will be included.
-
-*default=1024*
-
-```yaml
-OPENPROJECT_BACKUP__ATTACHMENT__SIZE__MAX__SUM__MB="8192"
-```
-
-#### additional configurations for backup
-
-```yaml
-OPENPROJECT_BACKUP__DAILY__LIMIT="3"
-OPENPROJECT_BACKUP__INCLUDE__ATTACHMENTS="true"
-OPENPROJECT_BACKUP__INITIAL__WAITING__PERIOD="86400"
-```
-
 ### show community links

 If you would like to hide the homescreen links to the OpenProject community, you can do this with the following configuration:
@@ -8,7 +8,23 @@ sidebar_navigation:

 ## Package-based installation

-Simply run `sudo openproject reconfigure`, and when the database wizard is displayed, select the **Use an existing PostgreSQL database** option and fill in the required details ([cf the initial configuration section](../../installation/packaged/#step-2-postgresql-database-configuration))
+Simply run `sudo openproject reconfigure`, and when the database wizard is displayed, select the **Use an existing PostgreSQL database** option and fill in the required details ([cf the initial configuration section](../../installation/packaged/#step-2-postgresql-database-configuration)).
+
+
+
+### Setting a custom database URL
+
+In some cases, you need flexibility in how you define the URL (e.g., specifying more options specific to PostgreSQL or using SSL certificates). In that case, you can pass the database URL as an environment variable instead:
+
+```bash
+openproject config:set DATABASE_URL=postgres://user:pass@host:port/dbname
+```
+
+
+
+Then, you need to run `openproject reconfigure` and select "Skip" for the database wizard. Otherwise the wizard will override your DATABASE_URL environment variable again.
+
+

 ## Docker-based installation

@@ -29,3 +45,19 @@ docker-compose up -d
 ```

 In both cases the seeder will be run when you (re)launch OpenProject to make sure that the database gets the migrations and demo data as well.
+
+
+
+## Using SSL/TLS with a PostgreSQL database
+
+By default, the packaged installation installs a local database and does not use SSL encryption. If you provide a custom PostgreSQL database that supports SSL/TLS connections for servers and/or clients, you can pass the options as part of the DATABASE_URL. See the above guides on how to set this environment variable for Docker or packaged installations.
+
+The most import option is the `sslmode` parameter. Set this to the appropriate mode as defined in the [PostgreSQL documentation](https://www.postgresql.org/docs/13/libpq-connect.html#LIBPQ-PARAMKEYWORDS). For example, to require a SSL connection with full verification of the server certificate, use these parameters:
+
+```bash
+DATABASE_URL=postgres://user:pass@host:port/dbname?sslmode=require-full&sslcert=/path/to/postgresql.cert
+```
+
+
+
+PostgreSQL supports a wide variety of options in its connection string. This is not specific to OpenProject or Rails. See the following guide for more information: https://www.postgresql.org/docs/13/libpq-connect.html#LIBPQ-PARAMKEYWORDS
@@ -82,14 +82,30 @@ OpenProject can export the table for Microsoft Excel with the following options:

 ![OpenProject_work_package_export_excel_relations](openproject_pdf_table_export_relations.png)

+### Limitations
+
+The OpenProject XLS export currently does not respect all options in the work package view being exported form:
+
+- The order of work packages in a manually sorted query is not respected. This is known limitation (Ticket https://community.openproject.org/projects/openproject/work_packages/34971/activity)
+- The hierarchy of work packages as displayed in the work package view. The exported XLS is always in "flat" mode.
+
 ## CSV export

 OpenProject can export the table into a comma-separated CSV. This file will be UTF-8 encoded.

 > **Note**: To open CSV exported files into Microsoft Excel, ensure you set the encoding to UTF-8. Excel will not auto-detect the encoding or ask you to specify it, but simply open with a wrong encoding under Microsoft Windows.

+
 ![OpenProject_work_package_export_csv](openproject_export_csv.png)

+### Limitations
+
+The OpenProject CSV export currently does not respect all options in the work package view being exported form:
+
+- The order of work packages in a manually sorted query is not respected. This is known limitation (Ticket https://community.openproject.org/projects/openproject/work_packages/34971/activity)
+- The hierarchy of work packages as displayed in the work package view. The exported CSV is always in "flat" mode.
+
+
 ## Atom (XML) export

 OpenProject can export the table into a XML-based atom format. This file will be UTF-8 encoded.
@@ -78,7 +78,7 @@ module OpenProject
        if Rails.env.production?
          self['enterprise_trial_creation_host']
        else
-          'https://augur.openproject-edge.com'
+          'https://start.openproject-edge.com'
        end
      end

@@ -41,11 +41,11 @@ RSpec.describe 'Enterprise trial management',
        {
          self:
            {
-              href: "https://augur.openproject-edge.com/public/v1/trials/#{trial_id}"
+              href: "https://start.openproject-edge.com/public/v1/trials/#{trial_id}"
            },
          details:
            {
-              href: "https://augur.openproject-edge.com/public/v1/trials/#{trial_id}/details"
+              href: "https://start.openproject-edge.com/public/v1/trials/#{trial_id}/details"
            }
        }
    }
@@ -59,11 +59,11 @@ RSpec.describe 'Enterprise trial management',
      description: "User has to confirm their email address",
      _links: {
        resend: {
-          href: "https://augur.openproject-edge.com/public/v1/trials/#{trial_id}/resend",
+          href: "https://start.openproject-edge.com/public/v1/trials/#{trial_id}/resend",
          method: "POST"
        },
        details: {
-          href: "https://augur.openproject-edge.com/public/v1/trials/#{trial_id}/details"
+          href: "https://start.openproject-edge.com/public/v1/trials/#{trial_id}/details"
        }
      }
    }
@@ -122,7 +122,7 @@ RSpec.describe 'Enterprise trial management',
      token_retrieved: false,
      _links: {
        self: {
-          href: "https://augur.openproject-edge.com/public/v1/trials/#{trial_id}"
+          href: "https://start.openproject-edge.com/public/v1/trials/#{trial_id}"
        }
      }
    }
@@ -175,7 +175,7 @@ RSpec.describe 'Enterprise trial management',
  end

  it 'blocks the request assuming the mail was used' do
-    proxy.stub('https://augur.openproject-edge.com:443/public/v1/trials', method: 'post')
+    proxy.stub('https://start.openproject-edge.com:443/public/v1/trials', method: 'post')
      .and_return(headers: { 'Access-Control-Allow-Origin' => '*' }, code: 422, body: mail_in_use_body.to_json)

    find('.button', text: 'Start free trial').click
@@ -188,7 +188,7 @@ RSpec.describe 'Enterprise trial management',
  end

  it 'blocks the request assuming the domain was used' do
-    proxy.stub('https://augur.openproject-edge.com:443/public/v1/trials', method: 'post')
+    proxy.stub('https://start.openproject-edge.com:443/public/v1/trials', method: 'post')
      .and_return(headers: { 'Access-Control-Allow-Origin' => '*' }, code: 422, body: domain_in_use_body.to_json)

    find('.button', text: 'Start free trial').click
@@ -201,7 +201,7 @@ RSpec.describe 'Enterprise trial management',
  end

  it 'shows an error in case of other errors' do
-    proxy.stub('https://augur.openproject-edge.com:443/public/v1/trials', method: 'post')
+    proxy.stub('https://start.openproject-edge.com:443/public/v1/trials', method: 'post')
      .and_return(headers: { 'Access-Control-Allow-Origin' => '*' }, code: 409, body: other_error_body.to_json)

    find('.button', text: 'Start free trial').click
@@ -214,13 +214,13 @@ RSpec.describe 'Enterprise trial management',

  context 'with a waiting request pending' do
    before do
-      proxy.stub('https://augur.openproject-edge.com:443/public/v1/trials', method: 'post')
+      proxy.stub('https://start.openproject-edge.com:443/public/v1/trials', method: 'post')
        .and_return(headers: { 'Access-Control-Allow-Origin' => '*' }, code: 200, body: created_body.to_json)

-      proxy.stub("https://augur.openproject-edge.com:443/public/v1/trials/#{trial_id}")
+      proxy.stub("https://start.openproject-edge.com:443/public/v1/trials/#{trial_id}")
        .and_return(headers: { 'Access-Control-Allow-Origin' => '*' }, code: 422, body: waiting_body.to_json)

-      proxy.stub("https://augur.openproject-edge.com:443/public/v1/trials/#{trial_id}/resend", method: 'post')
+      proxy.stub("https://start.openproject-edge.com:443/public/v1/trials/#{trial_id}/resend", method: 'post')
        .and_return(headers: { 'Access-Control-Allow-Origin' => '*' }, code: 200, body: waiting_body.to_json)

      find('.button', text: 'Start free trial').click
@@ -238,11 +238,11 @@ RSpec.describe 'Enterprise trial management',
      # Stub with successful body
      # Stub the proxy to a successful return
      # which marks the user has confirmed the mail link
-      proxy.stub("https://augur.openproject-edge.com:443/public/v1/trials/#{trial_id}")
+      proxy.stub("https://start.openproject-edge.com:443/public/v1/trials/#{trial_id}")
        .and_return(headers: { 'Access-Control-Allow-Origin' => '*' }, code: 200, body: confirmed_body.to_json)

      # Stub the details URL to still return 403
-      proxy.stub("https://augur.openproject-edge.com:443/public/v1/trials/#{trial_id}/details")
+      proxy.stub("https://start.openproject-edge.com:443/public/v1/trials/#{trial_id}/details")
        .and_return(headers: { 'Access-Control-Allow-Origin' => '*' }, code: 403)

      visit enterprise_path
@@ -264,7 +264,7 @@ RSpec.describe 'Enterprise trial management',

      # Stub the proxy to a successful return
      # which marks the user has confirmed the mail link
-      proxy.stub("https://augur.openproject-edge.com:443/public/v1/trials/#{trial_id}")
+      proxy.stub("https://start.openproject-edge.com:443/public/v1/trials/#{trial_id}")
        .and_return(headers: { 'Access-Control-Allow-Origin' => '*' }, code: 200, body: confirmed_body.to_json)

      # Wait until the next request
@@ -31,18 +31,17 @@ require 'spec_helper'
 RSpec.describe 'Global role: Global Create project',
               js: true,
               with_cuprite: true do
-  let(:user) { create(:admin) }
-  let(:project) { create(:project) }
+  shared_let(:admin) { create(:admin) }
+  shared_let(:user) { create(:user) }
+  shared_let(:project) { create(:project) }

-  before do
-    login_as user
-  end
-
-  describe 'Create Project is not a member permission' do
+  describe 'Create project is not a member permission' do
    # Given there is a role "Member"
    let!(:role) { create(:role, name: 'Member') }

    # And I am already admin
+    current_user { admin }
+
    # When I go to the edit page of the role "Member"
    # Then I should not see "Create project"
    it 'does not show the global permission' do
@@ -52,10 +51,13 @@ RSpec.describe 'Global role: Global Create project',
    end
  end

-  describe 'Create Project is a global permission' do
+  describe 'Create project is a global permission' do
    # Given there is a global role "Global"
    let!(:role) { create(:global_role, name: 'Global') }
+
    # And I am already admin
+    current_user { admin }
+
    # When I go to the edit page of the role "Global"
    # Then I should see "Create project"

@@ -66,11 +68,10 @@ RSpec.describe 'Global role: Global Create project',
    end
  end

-  describe 'Create Project displayed to user' do
+  describe 'Create project displayed to user' do
    let!(:global_role) { create(:global_role, name: 'Global', permissions: %i[add_project]) }
    let!(:member_role) { create(:role, name: 'Member', permissions: %i[view_project]) }

-    let(:user) { create(:user) }
    let!(:global_member) do
      create(:global_member,
             principal: user,
@@ -79,6 +80,8 @@ RSpec.describe 'Global role: Global Create project',

    let(:name_field) { FormFields::InputFormField.new :name }

+    current_user { user }
+
    it 'does show the global permission' do
      visit projects_path
      expect(page).to have_selector('.button.-alt-highlight', text: 'Project')
@@ -94,13 +97,14 @@ RSpec.describe 'Global role: Global Create project',
    end
  end

-  describe 'Create Project not displayed to user without global role' do
+  describe 'Create project not displayed to user without global role' do
    # Given there is 1 User with:
    # | Login | bob |
    # | Firstname | Bob |
    # | Lastname | Bobbit |
    #   When I am already logged in as "bob"
-    let(:user) { create(:user) }
+
+    current_user { user }

    it 'does show the global permission' do
      # And I go to the overall projects page
@@ -54,7 +54,7 @@ RSpec.describe 'Global role: Global role assignment',

    it 'allows global roles management' do
      visit edit_user_path user
-      click_link 'Global Roles'
+      click_link 'Global roles'

      page.within('#table_principal_roles') do
        expect(page).to have_text 'global_role1'
@@ -47,8 +47,8 @@ RSpec.describe 'Global role: Global role CRUD',
    visit new_role_path
    # Then I should not see block with "#global_permissions"
    expect(page).not_to have_selector('.form--fieldset-legend', text: 'GLOBAL')
-    # When I check "Global Role"
-    check 'Global Role'
+    # When I check "Global role"
+    check 'Global role'
    # Then I should see block with "#global_permissions"
    expect(page).to have_selector('.form--fieldset-legend', text: 'GLOBAL')
    # And I should see "Global group"