references/openproject
1
0
Fork 0
mirror of https://github.com/opf/openproject.git synced 2026-06-14 03:30:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into code-maintenance/angular-22

Browse Source
This commit is contained in:
Alexander Brandon Coles
2026-06-10 08:39:31 +01:00
parent d3d1f1e7b2 b489ab50e7
commit c085eefb06
428 changed files with 12057 additions and 5992 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/api/apiv3/openapi-spec.yml
+14 -2
View File
@@ -272,20 +272,32 @@ paths:
"/api/v3/meetings/{id}":
"$ref": "./paths/meeting.yml"
"/api/v3/meetings/{id}/agenda_items":
"$ref": "./paths/meeting_agenda_items.yml"
"$ref": "./paths/meeting_agenda_items_by_meeting.yml"
"/api/v3/meetings/{meeting_id}/agenda_items/{id}":
"$ref": "./paths/meeting_agenda_item_by_meeting.yml"
"/api/v3/meeting_agenda_items":
"$ref": "./paths/meeting_agenda_items.yml"
"/api/v3/meeting_agenda_items/{id}":
"$ref": "./paths/meeting_agenda_item.yml"
"/api/v3/meetings/{meeting_id}/agenda_items/{agenda_item_id}/outcomes":
"$ref": "./paths/meeting_agenda_item_outcomes.yml"
"/api/v3/meetings/{meeting_id}/agenda_items/{agenda_item_id}/outcomes/{id}":
"$ref": "./paths/meeting_agenda_item_outcome.yml"
"/api/v3/meeting_outcomes":
"$ref": "./paths/meeting_outcomes.yml"
"/api/v3/meeting_outcomes/{id}":
"$ref": "./paths/meeting_outcome.yml"
"/api/v3/meetings/{id}/attachments":
"$ref": "./paths/meeting_attachments.yml"
"/api/v3/meetings/{id}/form":
"$ref": "./paths/meeting_form.yml"
"/api/v3/meetings/{id}/sections":
"$ref": "./paths/meeting_sections.yml"
"$ref": "./paths/meeting_sections_by_meeting.yml"
"/api/v3/meetings/{meeting_id}/sections/{id}":
"$ref": "./paths/meeting_section_by_meeting.yml"
"/api/v3/meeting_sections":
"$ref": "./paths/meeting_sections.yml"
"/api/v3/meeting_sections/{id}":
"$ref": "./paths/meeting_section.yml"
"/api/v3/meetings/form":
"$ref": "./paths/meetings_form.yml"
docs/api/apiv3/paths/meeting_agenda_item.yml
+5 -50
View File
@@ -1,19 +1,12 @@
# /api/v3/meetings/{meeting_id}/agenda_items/{id}
# /api/v3/meeting_agenda_items/{id}
---
get:
summary: Get a meeting agenda item
operationId: get_meeting_agenda_item
tags:
- Meetings
description: Retrieve an individual agenda item of a meeting.
description: Retrieve an individual agenda item.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Agenda item identifier
example: 1
in: path
@@ -40,7 +33,7 @@ get:
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the agenda item or meeting does not exist or the client does not have sufficient permissions.
Returned if the agenda item does not exist or the client does not have sufficient permissions.
patch:
summary: Update a meeting agenda item
@@ -49,13 +42,6 @@ patch:
- Meetings
description: Updates the given agenda item.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Agenda item identifier
example: 1
in: path
@@ -82,12 +68,6 @@ patch:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:MissingPermission
message: You are not authorized to access this resource.
description: |-
Returned if the client does not have sufficient permissions.
@@ -97,14 +77,8 @@ patch:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the agenda item or meeting does not exist.
Returned if the agenda item does not exist or the client does not have sufficient permissions.
'406':
$ref: "../components/responses/missing_content_type.yml"
'415':
@@ -122,13 +96,6 @@ delete:
- Meetings
description: Deletes the agenda item.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Agenda item identifier
example: 1
in: path
@@ -144,12 +111,6 @@ delete:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:MissingPermission
message: You are not authorized to access this resource.
description: |-
Returned if the client does not have sufficient permissions.
@@ -159,11 +120,5 @@ delete:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the agenda item or meeting does not exist.
Returned if the agenda item does not exist or the client does not have sufficient permissions.
docs/api/apiv3/paths/meeting_agenda_item_by_meeting.yml
+43
View File
@@ -0,0 +1,43 @@
# /api/v3/meetings/{meeting_id}/agenda_items/{id}
---
get:
summary: Get a meeting agenda item
operationId: get_meeting_agenda_item_by_meeting
tags:
- Meetings
description: Retrieve an individual agenda item of a meeting.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Agenda item identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
responses:
'200':
description: OK
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_agenda_item_model.yml"
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the agenda item or meeting does not exist or the client does not have sufficient permissions.
docs/api/apiv3/paths/meeting_agenda_item_outcome.yml
+1 -141
View File
@@ -2,7 +2,7 @@
---
get:
summary: Get a meeting outcome
operationId: get_meeting_outcome
operationId: get_meeting_outcome_by_agenda_item
tags:
- Meetings
description: Retrieve an individual outcome of a meeting agenda item.
@@ -48,143 +48,3 @@ get:
message: The requested resource could not be found.
description: |-
Returned if the outcome, agenda item, or meeting does not exist or the client does not have sufficient permissions.
patch:
summary: Update a meeting outcome
operationId: update_meeting_outcome
tags:
- Meetings
description: Updates the given meeting outcome.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Agenda item identifier
example: 1
in: path
name: agenda_item_id
required: true
schema:
type: integer
- description: Outcome identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
requestBody:
content:
application/json:
schema:
$ref: "../components/schemas/meeting_outcome_write_model.yml"
responses:
'200':
description: OK
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_outcome_model.yml"
'400':
$ref: "../components/responses/invalid_request_body.yml"
'403':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:MissingPermission
message: You are not authorized to access this resource.
description: |-
Returned if the client does not have sufficient permissions.
**Required permission:** manage outcomes
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the outcome, agenda item, or meeting does not exist.
'406':
$ref: "../components/responses/missing_content_type.yml"
'415':
$ref: "../components/responses/unsupported_media_type.yml"
'422':
description: |-
Returned if:
* a constraint for a property was violated (`PropertyConstraintViolation`)
delete:
summary: Delete a meeting outcome
operationId: delete_meeting_outcome
tags:
- Meetings
description: Deletes the outcome.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Agenda item identifier
example: 1
in: path
name: agenda_item_id
required: true
schema:
type: integer
- description: Outcome identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
responses:
'204':
description: Returned if the outcome was successfully deleted
'403':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:MissingPermission
message: You are not authorized to access this resource.
description: |-
Returned if the client does not have sufficient permissions.
**Required permission:** manage outcomes
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the outcome, agenda item, or meeting does not exist.
docs/api/apiv3/paths/meeting_agenda_item_outcomes.yml
-73
View File
@@ -43,76 +43,3 @@ get:
Returned if the agenda item or meeting does not exist or the client does not have sufficient permissions to see it.
**Required permission:** view meetings
post:
summary: Create meeting outcome
operationId: create_meeting_outcome
tags:
- Meetings
description: Creates a new outcome for the given meeting agenda item.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Agenda item identifier
example: 1
in: path
name: agenda_item_id
required: true
schema:
type: integer
requestBody:
content:
application/json:
schema:
$ref: "../components/schemas/meeting_outcome_write_model.yml"
responses:
'201':
description: Created
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_outcome_model.yml"
'400':
$ref: "../components/responses/invalid_request_body.yml"
'403':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:MissingPermission
message: You are not authorized to access this resource.
description: |-
Returned if the client does not have sufficient permissions.
**Required permission:** manage outcomes
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the agenda item or meeting does not exist or the client does not have sufficient permissions to see it.
'406':
$ref: "../components/responses/missing_content_type.yml"
'415':
$ref: "../components/responses/unsupported_media_type.yml"
'422':
description: |-
Returned if:
* a constraint for a property was violated (`PropertyConstraintViolation`)
docs/api/apiv3/paths/meeting_agenda_items.yml
+3 -48
View File
@@ -1,56 +1,11 @@
# /api/v3/meetings/{id}/agenda_items
# /api/v3/meeting_agenda_items
---
get:
summary: List meeting agenda items
operationId: list_meeting_agenda_items
tags:
- Meetings
description: Lists all agenda items for the given meeting.
parameters:
- description: Meeting identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
responses:
'200':
description: OK
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_agenda_item_collection_model.yml"
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the meeting does not exist or the client does not have sufficient permissions to see it.
**Required permission:** view meetings
post:
summary: Create meeting agenda item
operationId: create_meeting_agenda_item
tags:
- Meetings
description: Creates a new agenda item for the given meeting.
parameters:
- description: Meeting identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
description: Creates a new agenda item. The request body must link the meeting.
requestBody:
content:
application/json:
@@ -92,7 +47,7 @@ post:
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the meeting does not exist or the client does not have sufficient permissions to see it.
Returned if the linked meeting does not exist or the client does not have sufficient permissions to see it.
'406':
$ref: "../components/responses/missing_content_type.yml"
'415':
docs/api/apiv3/paths/meeting_agenda_items_by_meeting.yml
+38
View File
@@ -0,0 +1,38 @@
# /api/v3/meetings/{id}/agenda_items
---
get:
summary: List meeting agenda items
operationId: list_meeting_agenda_items
tags:
- Meetings
description: Lists all agenda items for the given meeting.
parameters:
- description: Meeting identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
responses:
'200':
description: OK
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_agenda_item_collection_model.yml"
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the meeting does not exist or the client does not have sufficient permissions to see it.
**Required permission:** view meetings
docs/api/apiv3/paths/meeting_outcome.yml
+124
View File
@@ -0,0 +1,124 @@
# /api/v3/meeting_outcomes/{id}
---
get:
summary: Get a meeting outcome
operationId: get_meeting_outcome
tags:
- Meetings
description: Retrieve an individual meeting outcome.
parameters:
- description: Outcome identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
responses:
'200':
description: OK
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_outcome_model.yml"
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the outcome does not exist or the client does not have sufficient permissions.
patch:
summary: Update a meeting outcome
operationId: update_meeting_outcome
tags:
- Meetings
description: Updates the given meeting outcome.
parameters:
- description: Outcome identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
requestBody:
content:
application/json:
schema:
$ref: "../components/schemas/meeting_outcome_write_model.yml"
responses:
'200':
description: OK
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_outcome_model.yml"
'400':
$ref: "../components/responses/invalid_request_body.yml"
'403':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
description: |-
Returned if the client does not have sufficient permissions.
**Required permission:** manage outcomes
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
description: |-
Returned if the outcome does not exist or the client does not have sufficient permissions.
'406':
$ref: "../components/responses/missing_content_type.yml"
'415':
$ref: "../components/responses/unsupported_media_type.yml"
'422':
description: |-
Returned if:
* a constraint for a property was violated (`PropertyConstraintViolation`)
delete:
summary: Delete a meeting outcome
operationId: delete_meeting_outcome
tags:
- Meetings
description: Deletes the outcome.
parameters:
- description: Outcome identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
responses:
'204':
description: Returned if the outcome was successfully deleted
'403':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
description: |-
Returned if the client does not have sufficient permissions.
**Required permission:** manage outcomes
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
description: |-
Returned if the outcome does not exist or the client does not have sufficient permissions.
docs/api/apiv3/paths/meeting_outcomes.yml
+59
View File
@@ -0,0 +1,59 @@
# /api/v3/meeting_outcomes
---
post:
summary: Create meeting outcome
operationId: create_meeting_outcome
tags:
- Meetings
description: Creates a new meeting outcome. The request body must link the agenda item.
requestBody:
content:
application/json:
schema:
$ref: "../components/schemas/meeting_outcome_write_model.yml"
responses:
'201':
description: Created
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_outcome_model.yml"
'400':
$ref: "../components/responses/invalid_request_body.yml"
'403':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:MissingPermission
message: You are not authorized to access this resource.
description: |-
Returned if the client does not have sufficient permissions.
**Required permission:** manage outcomes
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the linked agenda item does not exist or the client does not have sufficient permissions to see it.
'406':
$ref: "../components/responses/missing_content_type.yml"
'415':
$ref: "../components/responses/unsupported_media_type.yml"
'422':
description: |-
Returned if:
* a constraint for a property was violated (`PropertyConstraintViolation`)
docs/api/apiv3/paths/meeting_section.yml
+7 -58
View File
@@ -1,19 +1,12 @@
# /api/v3/meetings/{meeting_id}/sections/{id}
# /api/v3/meeting_sections/{id}
---
get:
summary: Get a meeting section
operationId: get_meeting_section
tags:
- Meetings
description: Retrieve an individual section of a meeting.
description: Retrieve an individual meeting section.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Section identifier
example: 1
in: path
@@ -33,29 +26,16 @@ get:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the section or meeting does not exist or the client does not have sufficient permissions.
Returned if the section does not exist or the client does not have sufficient permissions.
patch:
summary: Update a meeting section
operationId: update_meeting_section
tags:
- Meetings
description: Updates the given section.
description: Updates the given meeting section.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Section identifier
example: 1
in: path
@@ -82,12 +62,6 @@ patch:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:MissingPermission
message: You are not authorized to access this resource.
description: |-
Returned if the client does not have sufficient permissions.
@@ -97,14 +71,8 @@ patch:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the section or meeting does not exist.
Returned if the section does not exist or the client does not have sufficient permissions.
'406':
$ref: "../components/responses/missing_content_type.yml"
'415':
@@ -120,15 +88,8 @@ delete:
operationId: delete_meeting_section
tags:
- Meetings
description: Deletes the section and all its agenda items.
description: Deletes the meeting section.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Section identifier
example: 1
in: path
@@ -144,12 +105,6 @@ delete:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:MissingPermission
message: You are not authorized to access this resource.
description: |-
Returned if the client does not have sufficient permissions.
@@ -159,11 +114,5 @@ delete:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the section or meeting does not exist.
Returned if the section does not exist or the client does not have sufficient permissions.
docs/api/apiv3/paths/meeting_section_by_meeting.yml
+43
View File
@@ -0,0 +1,43 @@
# /api/v3/meetings/{meeting_id}/sections/{id}
---
get:
summary: Get a meeting section
operationId: get_meeting_section_by_meeting
tags:
- Meetings
description: Retrieve an individual section of a meeting.
parameters:
- description: Meeting identifier
example: 1
in: path
name: meeting_id
required: true
schema:
type: integer
- description: Section identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
responses:
'200':
description: OK
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_section_model.yml"
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the section or meeting does not exist or the client does not have sufficient permissions.
docs/api/apiv3/paths/meeting_sections.yml
+3 -48
View File
@@ -1,56 +1,11 @@
# /api/v3/meetings/{id}/sections
# /api/v3/meeting_sections
---
get:
summary: List meeting sections
operationId: list_meeting_sections
tags:
- Meetings
description: Lists all sections for the given meeting.
parameters:
- description: Meeting identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
responses:
'200':
description: OK
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_section_collection_model.yml"
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the meeting does not exist or the client does not have sufficient permissions to see it.
**Required permission:** view meetings
post:
summary: Create meeting section
operationId: create_meeting_section
tags:
- Meetings
description: Creates a new section for the given meeting.
parameters:
- description: Meeting identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
description: Creates a new section. The request body must link the meeting.
requestBody:
content:
application/json:
@@ -92,7 +47,7 @@ post:
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the meeting does not exist or the client does not have sufficient permissions to see it.
Returned if the linked meeting does not exist or the client does not have sufficient permissions to see it.
'406':
$ref: "../components/responses/missing_content_type.yml"
'415':
docs/api/apiv3/paths/meeting_sections_by_meeting.yml
+38
View File
@@ -0,0 +1,38 @@
# /api/v3/meetings/{id}/sections
---
get:
summary: List meeting sections
operationId: list_meeting_sections
tags:
- Meetings
description: Lists all sections for the given meeting.
parameters:
- description: Meeting identifier
example: 1
in: path
name: id
required: true
schema:
type: integer
responses:
'200':
description: OK
content:
application/hal+json:
schema:
$ref: "../components/schemas/meeting_section_collection_model.yml"
'404':
content:
application/hal+json:
schema:
$ref: "../components/schemas/error_response.yml"
examples:
response:
value:
_type: Error
errorIdentifier: urn:openproject-org:api:v3:errors:NotFound
message: The requested resource could not be found.
description: |-
Returned if the meeting does not exist or the client does not have sufficient permissions to see it.
**Required permission:** view meetings
docs/glossary/README.md
+24 -17
View File
@@ -82,7 +82,7 @@ In OpenProject, authentication is an important element to guarantee a data prote
Backlogs is a [module](#module) in OpenProject that brings features that support [Agile project management](#agile-project-management), in particular the Scrum methodology, such as a product backlog and sprint backlogs.
It includes functionality for planning and managing sprints, including a sprint board that is automatically created when a sprint is started. Within the backlog, work packages can be organized using **backlog buckets** to group items into clearly defined sections. Work packages that are not assigned to a backlog bucket or a sprint are listed in the **index backlog**.
It includes functionality for planning and managing [sprints](#sprint), including a sprint [board](#board) that is automatically created when a sprint is started. Within the backlog, work packages can be organized using **backlog buckets** to group items into clearly defined sections. Work packages that are not assigned to a backlog bucket or a sprint are listed in the **inbox** backlog bucket.
To use backlogs in OpenProject, the Backlogs module has to be activated in the [project settings](#project-settings) by a project admin.
@@ -98,7 +98,7 @@ BIM stands for Building Information Modeling. In OpenProject, we offer a special
### Board
A board in OpenProject is a view that allows you to see your work packages as cards divided into columns. A board is a typical element in [agile project management](#agile-project-management), supporting methodologies such as Scrum or Kanban. OpenProject, you can use a [basic board](../user-guide/agile-boards/#basic-boards) or [advanced Action boards](../user-guide/agile-boards). Use advanced Action boards to quickly change attributes of your work package. [Read more about boards for agile project management](../user-guide/agile-boards/).
A board in OpenProject is a view that allows you to see your work packages as cards divided into columns. A board is a typical element in [agile project management](#agile-project-management), supporting methodologies such as Scrum or Kanban. In OpenProject, you can use a [basic board](../user-guide/agile-boards/#basic-boards) or [advanced Action boards](../user-guide/agile-boards). Use advanced Action boards to quickly change attributes of your work package. [Read more about boards for agile project management](../user-guide/agile-boards/).
**More information on boards in OpenProject**
@@ -200,7 +200,7 @@ Excel synchronization is an integration in OpenProject which allows you to easil
### File storage
File storages can be configured in the System Administration and then be selected in the [project settings](#project-settings). OpenProject offers a [Nextcloud integration](#nextcloud-integration) to support file storage. [More information on file storage with the Nextcloud integration](../user-guide/file-management/nextcloud-integration/).
File storages can be configured in the system administration and then be selected in the [project settings](#project-settings). OpenProject offers a [Nextcloud integration](#nextcloud-integration) to support file storage. [More information on file storage with the Nextcloud integration](../user-guide/file-management/nextcloud-integration/).
### Filters
@@ -218,11 +218,11 @@ The Gantt charts [module](#module) in OpenProject displays the work packages in
### Global modules
In OpenProject, global modules are defined as a menu to access all [modules](#module) for *all* your projects. With global modules you can easily see all your project-overarching information at one place, e.g. for work packages, boards, calendars or meetings. Click on the grid icon on the left side of the header menu to access the global modules. [Read more about global modules in OpenProject](../user-guide/home/global-modules/).
In OpenProject, global modules are defined as a menu to access all [modules](#module) for *all* your projects. With global modules you can easily see all your project-overarching information at one place, e.g. for [work packages](#work-package), [boards](#board), calendars or [meetings](#meetings). Click on the grid icon on the left side of the header menu to access the global modules. [Read more about global modules in OpenProject](../user-guide/home/global-modules/).
### Group
A group in OpenProject is defined as a list of users which can be added as a member to projects with a selected [role](#role). Groups can also be assigned to work packages. New groups can be defined in *Administration → Users and permissions → Groups*.
A group in OpenProject is defined as a list of users which can be added as a member to projects with a selected [role](#role). Groups can also be assigned to work packages. They can be nested to represent organizational structures and inherit permissions from parent groups. New groups can be defined in *Administration → Users and permissions → Groups*.
## H
@@ -343,7 +343,7 @@ OpenProject on-premises is a self-hosted version of OpenProject. As opposed to t
**More information on OpenProject on-premises**
- [See our pricing side about your options for OpenProject](https://www.openproject.org/pricing/).
- [See our pricing page about your options for OpenProject](https://www.openproject.org/pricing/).
- [Read a blog article comparing on-premises and cloud](https://www.openproject.org/blog/why-self-hosting-software/).
- [Read how to activate the Enterprise on-premises edition](../enterprise-guide/enterprise-on-premises-guide/activate-enterprise-on-premises/).
- [Read how to start a trial for Enterprise on-premises](../enterprise-guide/enterprise-on-premises-guide/enterprise-on-premises-trial/).
@@ -379,7 +379,7 @@ PM² is a project management framework developed by the European Commission to s
### PMflex
PMflex is is a comprehensive and flexible project management system based on the European [PM²](#pm--pm2) standard and further developed for public administration in Germany. [Read more about how to use PMflex with OpenProject](https://www.openproject.org/pmflex). If you are looking for specific PMflex terminology, please see our [use case of implementing PM² and PMflex project management in OpenProject](../use-cases/project-management-pm2-pmflex/#implementing-pm-and-pmflex-project-management-in-openproject).
PMflex is a comprehensive and flexible project management system based on the European [PM²](#pm--pm2) standard and further developed for public administration in Germany. [Read more about how to use PMflex with OpenProject](https://www.openproject.org/pmflex). If you are looking for specific PMflex terminology, please see our [use case of implementing PM² and PMflex project management in OpenProject](../use-cases/project-management-pm2-pmflex/#implementing-pm-and-pmflex-project-management-in-openproject).
### Portfolio
@@ -388,7 +388,7 @@ In OpenProject, you can manage your project portfolio by creating, filtering and
### Primer design system
OpenProject started adopting [Github's Primer Design System](https://primer.style/) in 2023. New features will be developed using Primer and existing features will will be gradually revised. Relevant reusable components from Primer as well as common patterns and compositions of these components will be documented in our [Lookbook](https://qa.openproject-edge.com/lookbook/pages/how_to_use). [Read more about OpenProject's decision to use Primer](https://www.openproject.org/blog/primer-design-system/).
OpenProject started adopting [Github's Primer Design System](https://primer.style/) in 2023. New features will be developed using Primer and existing features will be gradually revised. Relevant reusable components from Primer as well as common patterns and compositions of these components will be documented in our [Lookbook](https://qa.openproject-edge.com/lookbook/pages/how_to_use). [Read more about OpenProject's decision to use Primer](https://www.openproject.org/blog/primer-design-system/).
### Project
@@ -404,9 +404,7 @@ A project attribute in OpenProject is a [custom field](#custom-field) that appli
### Project folder
Project folders help collaborating in the most efficient way. They can be used with
OpenProject's [Nextcloud integration](#nextcloud-integration) or with
OpenProject's [OneDrive integration](#onedrive-integration). [Read more about project folders in OpenProject](../user-guide/projects/project-settings/files/#project-folders).
Project folders help collaborating in the most efficient way. They can be used with OpenProject's [Nextcloud integration](#nextcloud-integration) or with OpenProject's [OneDrive integration](#onedrive-integration). [Read more about project folders in OpenProject](../user-guide/projects/project-settings/files/#project-folders).
### Project home
@@ -437,7 +435,7 @@ Phases and phase gates are visible on the [project home](#project-home) page, in
### Project lists
In OpenProject, project lists are very useful for project portfolio managers to get an overview of all their [projects](#project) on the instance. Access your project lists on OpenProject by either navigating to the "All projects" menu and clicking on the "Project lists" button, or via the [Global modules](#global-modules). [Read more about project lists OpenProject](../user-guide/projects/project-lists/).
In OpenProject, project lists are very useful for project portfolio managers to get an overview of all their [projects](#project) on the instance. Access your project lists on OpenProject by either navigating to the "All projects" menu and clicking on the "Project lists" button, or via the [Global modules](#global-modules). [Read more about project lists in OpenProject](../user-guide/projects/project-lists/).
### Project navigation
@@ -481,7 +479,7 @@ In OpenProject, you can set work packages in relation to each other. Some relati
OpenProject offers different types of reminders so that you can lean back and never forget a task. One is the [date alert](#date-alerts) (Enterprise add-on), which generates automatic and customized [notifications](#notifications) regarding a work package's due date or start date.
OpenProject also allows you to set **work package reminders**: Simply activate the clock icon on top of a work package and choose from different options, e.g. to be reminded the next day (at 9 am) or in one week. You can also set a custom date. [Read more about work package reminders in OpenProject](../user-guide/work-packages/edit-work-package/#work-package-reminders).
OpenProject also allows you to set **work package reminders**: Simply activate the clock icon on top of a work package and choose from different options, e.g. to be reminded the next day (at 9 am) or in one week. You can also set a custom date. [Read more about work package reminders in OpenProject](../user-guide/work-packages/edit-work-package/#work-package-reminders).
### Repository
@@ -509,6 +507,10 @@ SAML (Security Assertion Markup Language) is an open standard for exchanging aut
OpenProject offers the possibility to share work packages with external groups or users that are not [members](#member) of the project. This feature is an [Enterprise add-on](#enterprise-add-on). Every user with whom a work package is shared must either already be a user of the instance or be newly created. The latter requires special rights. [Read more about OpenProject's feature to share work packages with project non-members](../user-guide/work-packages/share-work-packages/).
### Sprint
A sprint is a time-boxed iteration used in agile project management to plan and execute work during a defined period. In OpenProject, sprints are managed through the [Backlogs](#backlogs) module and include attributes such as start and end dates. Sprint [boards](#board) are automatically created when a sprint is started.
### Story points
Story points is a term known in Scrum. They are defined as numbers assigned to a [work package](#work-package) used to estimate (relatively) the size of the work. In OpenProject, you can add story points to work packages. [Read how to work with story points in OpenProject](../user-guide/backlogs-scrum/#story-points).
@@ -545,7 +547,7 @@ The OpenProject [user guide](../user-guide/) is an in-depth guide of all feature
### Versions
Versions in OpenProject are defined as an attribute for [work packages](#work-package) or in the [Backlogs](#backlogs) module. Versions will be displayed in the [Roadmap](#roadmap). In the [Enterprise edition](#enterprise-add-on), you can also create a version [board](#board) to get an overview of the progress of your versions. [Read more about how to manage versions in OpenProject](../user-guide/projects/project-settings/versions/).
Versions in OpenProject are used to group and organize work packages, for example to plan releases, milestones, or delivery targets. Versions are displayed in the [Roadmap](#roadmap) and can be assigned to work packages as an attribute. You can also create a version [board](#board) to get an overview of the progress of your versions. [Read more about how to manage versions in OpenProject](../user-guide/projects/project-settings/versions/).
## W
@@ -569,7 +571,8 @@ In OpenProject, a wiki is defined as a [module](#module) that allows to use wiki
### Work, Remaining Work and % Complete
In OpenProject, '**Work**' refers to a work package attribute indicating the estimated hours and days needed to complete a task.
In OpenProject, '**Work**' refers to a work package attribute indicating the estimated hours and days needed to complete a task.
'**Remaining work**' is a work package attribute that shows how much work is left to finish the work package. It is automatically calculated if you work with [status-based progress reporting](../user-guide/time-and-costs/progress-tracking/#status-based-progress-reporting). And '**% Complete**' is an automatically calculated work package attribute that shows in percentage how much work is already completed. All three attributes are important for [progress reporting with OpenProject](https://www.openproject.org/blog/changes-progress-work-estimates/).
To make it easier for project managers to work with work package hierarchies, OpenProject also displays a value (in blue) for the total amount of work in the Work field for parent work packages next to the value for the dedicated work package. This **total work value** is the sum of the work value of the parent work package and all the work values of its children. The same principle applies to the work package attribute Remaining Work. [Read in our user guide about how to configure a work package](../user-guide/work-packages/work-package-table-configuration/)
@@ -599,7 +602,11 @@ If you need a Category that applies to all projects on your instance, we recomme
### Work package ID
Work package ID is defined as a unique ascending number assigned to a newly created work package. Work package IDs cannot be changed and are numbered across all projects of an OpenProject instance (therefore, the numbering within a project may not be sequential).
In OpenProject, every work package has a unique ID (identifier). It is automatically assigned when a work package is created. Work package IDs are configured globally and apply across the entire OpenProject instance.
By default, work package IDs are numerical, ascending numbers, for example #429. System [administrators](#admin) can optionally switch to project-based work package IDs, which consist of a project-specific prefix and an ascending number (e.g. OP-382). Project-based identifiers that have been used are [reserved and can be released if necessary](../system-admin-guide/projects/reserved-project-identifiers/) so that they can be used again.
Administrators can configure work package identifiers under *Administration → Work packages → Identifiers*. [Read more in the OpenProject system admin guide](../user-guide/projects/project-settings/project-information/#change-project-identifier).
### Work package subject
@@ -617,7 +624,7 @@ Work package types are the different items a work package can represent. Each wo
### Work package view
A list of work packages is considered a view. The containing work packages in any view can be displayed a number of different ways. Examples for most used work package views are the [table view](#work-package-table), the full screen view or the split screen view. You can also display work packages in a card view and use them in a [board](#board) to use agile methods. [Read more about work package views in OpenProject](../user-guide/work-packages/work-package-views/#work-packages-views).
A list of work packages is considered a view. The containing work packages in any view can be displayed a number of different ways. Examples for most used work package views are the [table view](#work-package-table), the full screen view or the split screen view. You can also display work packages in a card view and use them in a [board](#board) to use agile methods. [Read more about work package views in OpenProject](../user-guide/work-packages/work-package-views/#work-packages-views).
### WYSIWYG editor
docs/release-notes/17-3-3/README.md
+80
View File
@@ -0,0 +1,80 @@
---
title: OpenProject 17.3.3
sidebar_navigation:
title: 17.3.3
release_version: 17.3.3
release_date: 2026-06-08
---
# OpenProject 17.3.3
Release date: 2026-06-08
We released [OpenProject 17.3.3](https://community.openproject.org/versions/2299).
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
<!-- BEGIN SECURITY FIXES AUTOMATED SECTION -->
## Security fixes
### CVE-2026-47193 - Journal diff endpoint bypasses object, journal, and field visibility checks
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-f2rx-x2qj-2hgj](https://github.com/opf/openproject/security/advisories/GHSA-f2rx-x2qj-2hgj)
### GHSA-3vpx-94qx-xpw6 - IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources
A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project&#39;s `project_folder_id` into the attacker&#39;s `Storages::ProjectStorage` row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project&#39;s user list.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-3vpx-94qx-xpw6](https://github.com/opf/openproject/security/advisories/GHSA-3vpx-94qx-xpw6)
### GHSA-6crw-7f5r-4qj9 - CSRF on TARGET through /users/:id via POST parameter "user[admin]"
Turbo Drive auto-injects CSRF tokens (from `<meta name="csrf-token">`) on forms injected via the XSS&#39;s `append` Turbo Stream action. A second action, `dispatch_event` with `name="submit"`, auto-submits the form with no victim interaction beyond viewing the work package, resulting in a CSRF attack
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-6crw-7f5r-4qj9](https://github.com/opf/openproject/security/advisories/GHSA-6crw-7f5r-4qj9)
### GHSA-98vw-2r87-fx2r - SQL injection in timestamps functionality
OpenProject baseline comparison allows callers to request historic work-package attributes using the `timestamps` parameter.
The timestamp parser accepts a relative date keyword on the first line because its regular expression uses line anchors. The parser validates the input, but the original multi-line string is kept and later interpolated into a raw SQL `CASE ... THEN '<timestamp>'` expression.
An authenticated user who can save a query can persist a timestamp array value containing literal commas and trigger a top-level data-modifying CTE. This gives the attacker a generic database write primitive as the OpenProject application database role.
The demonstrated impact is administrator privilege escalation: the attacker uses that write primitive to update their own account record, setting the account&#39;s administrator flag to true. The same injection also allows in-band data disclosure through work-package timestamp metadata.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-98vw-2r87-fx2r](https://github.com/opf/openproject/security/advisories/GHSA-98vw-2r87-fx2r)
### GHSA-h83w-5q5x-pq27 - Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure
OpenProject&#39;s Storages module writes the OneDrive/SharePoint userless OAuth `access_token` plaintext to `Rails.cache` under the deterministic key `storage.<id>.httpx_access_token`, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (`file_store`, `memcache`, `redis`) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous `get` over the memcached binary protocol (or the equivalent against Redis)
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-h83w-5q5x-pq27](https://github.com/opf/openproject/security/advisories/GHSA-h83w-5q5x-pq27)
### GHSA-q33w-f822-hg8x - Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description"
The HTML sanitizer grants `<macro>` elements unrestricted `data-*` attributes via `:data` wildcard. An attacker injects `data-controller="poll-for-changes"` into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to `renderStreamMessage()`. This executes arbitrary Turbo Stream actions — including `redirect_to` — in every victim&#39;s authenticated browser session, redirecting them to an attacker-controlled server.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-q33w-f822-hg8x](https://github.com/opf/openproject/security/advisories/GHSA-q33w-f822-hg8x)
### GHSA-qj96-f42f-6336 - Cache store poisoning leads to Remote Code Execution (RCE)
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-qj96-f42f-6336](https://github.com/opf/openproject/security/advisories/GHSA-qj96-f42f-6336)
<!-- END SECURITY FIXES AUTOMATED SECTION -->
<!--more-->
## Bug fixes and changes
<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
<!-- BEGIN AUTOMATED SECTION -->
<!-- END AUTOMATED SECTION -->
<!-- Warning: Anything above this line will be automatically removed by the release script -->
docs/release-notes/17-3-4/README.md
+28
View File
@@ -0,0 +1,28 @@
---
title: OpenProject 17.3.4
sidebar_navigation:
title: 17.3.4
release_version: 17.3.4
release_date: 2026-06-08
---
# OpenProject 17.3.4
Release date: 2026-06-08
We released [OpenProject 17.3.4](https://community.openproject.org/versions/2305).
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
<!-- BEGIN SECURITY FIXES AUTOMATED SECTION -->
<!-- END SECURITY FIXES AUTOMATED SECTION -->
<!--more-->
## Bug fixes and changes
<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
<!-- BEGIN AUTOMATED SECTION -->
- Bugfix: Memcached serialization is broken in 17.3.3 \[[#75753](https://community.openproject.org/wp/75753)\]
<!-- END AUTOMATED SECTION -->
<!-- Warning: Anything above this line will be automatically removed by the release script -->
docs/release-notes/17-4-1/README.md
+92
View File
@@ -0,0 +1,92 @@
---
title: OpenProject 17.4.1
sidebar_navigation:
title: 17.4.1
release_version: 17.4.1
release_date: 2026-06-08
---
# OpenProject 17.4.1
Release date: 2026-06-08
We released [OpenProject 17.4.1](https://community.openproject.org/versions/2301).
The release contains several bug fixes and we recommend updating to the newest version.
Below you will find a complete list of all changes and bug fixes.
<!-- BEGIN SECURITY FIXES AUTOMATED SECTION -->
## Security fixes
### CVE-2026-47193 - Journal diff endpoint bypasses object, journal, and field visibility checks
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-f2rx-x2qj-2hgj](https://github.com/opf/openproject/security/advisories/GHSA-f2rx-x2qj-2hgj)
### CVE-2026-49355 - Private work package data disclosure through single meeting agenda item API
`GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-g387-6rm2-xw88](https://github.com/opf/openproject/security/advisories/GHSA-g387-6rm2-xw88)
### GHSA-3vpx-94qx-xpw6 - IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources
A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project&#39;s `project_folder_id` into the attacker&#39;s `Storages::ProjectStorage` row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project&#39;s user list.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-3vpx-94qx-xpw6](https://github.com/opf/openproject/security/advisories/GHSA-3vpx-94qx-xpw6)
### GHSA-6crw-7f5r-4qj9 - CSRF on TARGET through /users/:id via POST parameter "user[admin]"
Turbo Drive auto-injects CSRF tokens (from `<meta name="csrf-token">`) on forms injected via the XSS&#39;s `append` Turbo Stream action. A second action, `dispatch_event` with `name="submit"`, auto-submits the form with no victim interaction beyond viewing the work package, resulting in a CSRF attack
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-6crw-7f5r-4qj9](https://github.com/opf/openproject/security/advisories/GHSA-6crw-7f5r-4qj9)
### GHSA-98vw-2r87-fx2r - SQL injection in timestamps functionality
OpenProject baseline comparison allows callers to request historic work-package attributes using the `timestamps` parameter.
The timestamp parser accepts a relative date keyword on the first line because its regular expression uses line anchors. The parser validates the input, but the original multi-line string is kept and later interpolated into a raw SQL `CASE ... THEN '<timestamp>'` expression.
An authenticated user who can save a query can persist a timestamp array value containing literal commas and trigger a top-level data-modifying CTE. This gives the attacker a generic database write primitive as the OpenProject application database role.
The demonstrated impact is administrator privilege escalation: the attacker uses that write primitive to update their own account record, setting the account&#39;s administrator flag to true. The same injection also allows in-band data disclosure through work-package timestamp metadata.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-98vw-2r87-fx2r](https://github.com/opf/openproject/security/advisories/GHSA-98vw-2r87-fx2r)
### GHSA-h83w-5q5x-pq27 - Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure
OpenProject&#39;s Storages module writes the OneDrive/SharePoint userless OAuth `access_token` plaintext to `Rails.cache` under the deterministic key `storage.<id>.httpx_access_token`, repopulated continuously by an hourly cron and every userless-OAuth call site (see Write cadence). None of the three allowed cache backends (`file_store`, `memcache`, `redis`) encrypts at rest. An attacker with read access to the cache backend recovers the Azure-AD application-tier bearer with an anonymous `get` over the memcached binary protocol (or the equivalent against Redis)
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-h83w-5q5x-pq27](https://github.com/opf/openproject/security/advisories/GHSA-h83w-5q5x-pq27)
### GHSA-q33w-f822-hg8x - Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description"
The HTML sanitizer grants `<macro>` elements unrestricted `data-*` attributes via `:data` wildcard. An attacker injects `data-controller="poll-for-changes"` into a work package description, causing Stimulus.js to mount a controller that fetches an attacker-uploaded attachment and passes it to `renderStreamMessage()`. This executes arbitrary Turbo Stream actions — including `redirect_to` — in every victim&#39;s authenticated browser session, redirecting them to an attacker-controlled server.
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-q33w-f822-hg8x](https://github.com/opf/openproject/security/advisories/GHSA-q33w-f822-hg8x)
### GHSA-qj96-f42f-6336 - Cache store poisoning leads to Remote Code Execution (RCE)
This vulnerability was reported as part of the [YesWeHack.com OpenProject Bug Bounty program](https://yeswehack.com/programs/openproject), sponsored by the European Commission.
For more information, please see the [GitHub advisory #GHSA-qj96-f42f-6336](https://github.com/opf/openproject/security/advisories/GHSA-qj96-f42f-6336)
<!-- END SECURITY FIXES AUTOMATED SECTION -->
<!--more-->
## Bug fixes and changes
<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
<!-- BEGIN AUTOMATED SECTION -->
- Bugfix: Migration 20250929070310 failing due to update code failing on not-yet fully migrated schema \[[#75286](https://community.openproject.org/wp/75286)\]
<!-- END AUTOMATED SECTION -->
<!-- Warning: Anything above this line will be automatically removed by the release script -->
## Contributions
A big thanks to our Community members for reporting bugs and helping us identify and provide fixes.
This release, special thanks for reporting and finding bugs go to Alexander Aleschenko.
docs/release-notes/17-6-0/README.md
+151 -67
View File
@@ -3,12 +3,12 @@ title: OpenProject 17.6.0
sidebar_navigation:
title: 17.6.0
release_version: 17.6.0
release_date: 2026-06-08
release_date: 2026-06-10
---
# OpenProject 17.6.0
Release date: 2026-06-08
Release date: 2026-06-10
We released [OpenProject 17.6.0](https://community.openproject.org/versions/2298).
The release contains several bug fixes and we recommend updating to the newest version.
@@ -19,7 +19,32 @@ In these Release Notes, we will give an overview of important feature changes. A
## Important updates and breaking changes
<!-- Remove this section if empty, add to it in pull requests linking to tickets and provide information -->
### Integrations (e.g. Nextcloud and XWiki) respect global SSRF filters
To increase the security of OpenProject installations, we've added protections against server-side request forgery in previous releases
of OpenProject. These prevent OpenProject from making network requests into private IP address space.
Starting with OpenProject 17.6, these protections expand into the code that's responsible for web requests of storage and wiki integrations as well.
This means if you have a Nextcloud instance or an XWiki instance reachable via a private (i.e. not publicly routable) IP address, you need to
add it to the SSRF allowlist to be able to keep the integration working. This is usually achieved by defining the following environment variable:
```
OPENPROJECT_SSRF_PROTECTION_IP_ALLOWLIST=2001:db8:100::/48
```
The list accepts one or multiple IP addresses or ranges (in CIDR notation) that shall be exempt from SSRF filtering.
### Meeting API structure changes
17.6. introduces new endpoints for meeting outcomes,
and changes the self link for all meeting related resources to be flat:
That means, some of the responses have changed:
POST/PATCH/DELETE `/api/v3/meetings/:id/agenda_items)` is no longer available,
they have been moved to the `/api/v3/meeting_agendas/` respectively. The same is true for outcomes and sections.
This follows the APIv3 standards, and also fixes a bug related to the self link.
<!-- BEGIN SECURITY FIXES AUTOMATED SECTION -->
@@ -31,70 +56,129 @@ In these Release Notes, we will give an overview of important feature changes. A
<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
<!-- BEGIN AUTOMATED SECTION -->
- Feature: Sprint goals \[[#71059](https://community.openproject.org/wp/71059)\]
- Feature: Add possibility to order backlog buckets and sprints manually \[[#73610](https://community.openproject.org/wp/73610)\]
- Feature: Add multi-select drop-down for sprint and backlog buckets \[[#73611](https://community.openproject.org/wp/73611)\]
- Feature: Multi-select cards within backlog and sprints \[[#73729](https://community.openproject.org/wp/73729)\]
- Feature: Display backlog bucket in work package page \[[#73887](https://community.openproject.org/wp/73887)\]
- Feature: &quot;Move to backlog bucket&quot; and &quot;move to backlog inbox&quot; menu option for work packages within the backlog module \[[#73925](https://community.openproject.org/wp/73925)\]
- Feature: Add existing work packages within sprint and backlog containers menu \[[#74386](https://community.openproject.org/wp/74386)\]
- Feature: &quot;All sprints&quot; view - simple list \[[#74594](https://community.openproject.org/wp/74594)\]
- Feature: Column, ordering and grouping by backlog bucket in work package list \[[#74653](https://community.openproject.org/wp/74653)\]
- Feature: Show message when work package with excluded type/status is moved to backlog and disappears \[[#74845](https://community.openproject.org/wp/74845)\]
- Feature: Check the accessibility on Flash messages \[[#63276](https://community.openproject.org/wp/63276)\]
- Feature: Remove newest projects in project widget on homepage \[[#74198](https://community.openproject.org/wp/74198)\]
- Feature: Make project hierarchy collapsable in the global project selector \[[#74625](https://community.openproject.org/wp/74625)\]
- Feature: Create work package out of Meeting Agenda Item \[[#57053](https://community.openproject.org/wp/57053)\]
- Feature: API for Meeting outcomes \[[#75393](https://community.openproject.org/wp/75393)\]
- Feature: Group synchronization through attributes of the group, not member/memberOf \[[#32812](https://community.openproject.org/wp/32812)\]
- Feature: Track working hours and availabilities for each user in the system \[[#34911](https://community.openproject.org/wp/34911)\]
- Feature: Allow cost types to be enabled/disabled per project \[[#42037](https://community.openproject.org/wp/42037)\]
- Feature: All open view with default sort order to show the latest on top (ID descending) \[[#57962](https://community.openproject.org/wp/57962)\]
- Feature: New Administration for User Custom Fields and Custom Field Sections \[[#72005](https://community.openproject.org/wp/72005)\]
- Feature: Primerize advanced filters component \[[#74380](https://community.openproject.org/wp/74380)\]
- Feature: Build Primer quickfilter \[[#74577](https://community.openproject.org/wp/74577)\]
- Feature: Enforce order of subheader slots/quickfilters \[[#75013](https://community.openproject.org/wp/75013)\]
- Feature: Escape possible control characters in CSV export \[[#75486](https://community.openproject.org/wp/75486)\]
- Feature: Filter project by portfolio and programm \[[#74718](https://community.openproject.org/wp/74718)\]
- Feature: Adapt Excel and CSV exports for semantic identifiers \[[#74361](https://community.openproject.org/wp/74361)\]
- Feature: Adapt BCF Export and Import for semantic identifiers \[[#74362](https://community.openproject.org/wp/74362)\]
- Feature: Adapt other PDF exports for semantic identifiers \[[#75229](https://community.openproject.org/wp/75229)\]
- Feature: /wp on an empty line should create a block work-package link, not an inline one \[[#75310](https://community.openproject.org/wp/75310)\]
- Feature: Expose installation UUID via API \[[#75442](https://community.openproject.org/wp/75442)\]
- Feature: Configure internal wiki provider \[[#75594](https://community.openproject.org/wp/75594)\]
- Feature: Show total sprint capacity (in days or story points) \[[#71060](https://community.openproject.org/wp/71060)\]
- Feature: &quot;All Sprints&quot; view \[[#71260](https://community.openproject.org/wp/71260)\]
- Feature: Allow multiple active sprints within a single project \[[#73232](https://community.openproject.org/wp/73232)\]
- Feature: XWiki integration \[[#53738](https://community.openproject.org/wp/53738)\]
- Feature: Extend CKEditor with Wiki interactions and macros \[[#70554](https://community.openproject.org/wp/70554)\]
- Feature: Wiki tab in work package detail view \[[#70555](https://community.openproject.org/wp/70555)\]
- Feature: Wiki integration setup on OpenProject \[[#70556](https://community.openproject.org/wp/70556)\]
- Bugfix: Page loads twice after sprint creation \[[#73316](https://community.openproject.org/wp/73316)\]
- Bugfix: A missing full stop at the end of confirmation message of danger dialog \[[#73899](https://community.openproject.org/wp/73899)\]
- Bugfix: Impossible to open work packages list from the sidebar after visiting team planner \[[#74331](https://community.openproject.org/wp/74331)\]
- Bugfix: Input group with trailing action clipboard copy button + validation error = style broken \[[#75395](https://community.openproject.org/wp/75395)\]
- Bugfix: FilterableTreeView does not keep default filter arguments \[[#75617](https://community.openproject.org/wp/75617)\]
- Bugfix: Tree view selection based on path identity breaks use cases where similar paths are allowed \[[#75618](https://community.openproject.org/wp/75618)\]
- Bugfix: Fix tracking expression browser warnings \[[#75676](https://community.openproject.org/wp/75676)\]
- Bugfix: GET /api/v3/meetings/{id} — \_links.participants count does not match \_embedded.participants count \[[#75696](https://community.openproject.org/wp/75696)\]
- Bugfix: PATCH /api/v3/meetings/{id} — adding an already existing participant via \_links.participants creates a duplicate entry \[[#75697](https://community.openproject.org/wp/75697)\]
- Bugfix: PATCH /api/v3/meetings/{id} - participants cannot be removed via \_links.participants \[[#75701](https://community.openproject.org/wp/75701)\]
- Bugfix: WP table configuration: overflow due to the very long CF label \[[#46005](https://community.openproject.org/wp/46005)\]
- Bugfix: Tooltip on Team planner not entirely visible \[[#48223](https://community.openproject.org/wp/48223)\]
- Bugfix: Problems with GitLab and GitHub integration snippets \[[#56847](https://community.openproject.org/wp/56847)\]
- Bugfix: Misalignment of fields in Work estimates and progress when language=DE \[[#65738](https://community.openproject.org/wp/65738)\]
- Bugfix: Custom text widget pagination bug \[[#66419](https://community.openproject.org/wp/66419)\]
- Bugfix: Arrow for switching years barely visible in dark mode on the calendar \[[#68517](https://community.openproject.org/wp/68517)\]
- Bugfix: Login right side panel dark mode: login form has ugly/unnecessary gray background \[[#69328](https://community.openproject.org/wp/69328)\]
- Bugfix: User sees a success banner if they save a letter/word as integer \[[#71650](https://community.openproject.org/wp/71650)\]
- Bugfix: Closed, duplicated meeting disappears from synced calendar \[[#72219](https://community.openproject.org/wp/72219)\]
- Bugfix: Wrong icon used when changing non working days \[[#73372](https://community.openproject.org/wp/73372)\]
- Bugfix: User facing work package link from GitLab tab is not the shortened version \[[#73718](https://community.openproject.org/wp/73718)\]
- Bugfix: Inline text attachments lose UTF-8 charset \[[#75402](https://community.openproject.org/wp/75402)\]
- Bugfix: BCF import permission scope not clear \[[#75457](https://community.openproject.org/wp/75457)\]
- Bugfix: Hide &quot;my meetings&quot; and &quot;favourited projects&quot; widgets for anonymous users \[[#75477](https://community.openproject.org/wp/75477)\]
- Bugfix: Setting mail header via OPENPROJECT\_EMAILS\_\_HEADER\_EN interprets colon as hash \[[#75570](https://community.openproject.org/wp/75570)\]
- Bugfix: Date custom field filter &quot;is empty&quot; does not return all work packages with empty values \[[#75185](https://community.openproject.org/wp/75185)\]
- Feature: Exclude certain work package types from automated backlog (per project) \[[#71305](https://community.openproject.org/wp/71305)\]
- Feature: Container header (Sprint/Bucket/Inbox) restyling \[[#72945](https://community.openproject.org/wp/72945)\]
- Feature: Restyled work package card in &quot;Backlogs and sprints&quot; view \[[#73089](https://community.openproject.org/wp/73089)\]
- Feature: Bring sprint sharing (SAFe) to corporate plan \[[#74147](https://community.openproject.org/wp/74147)\]
- Feature: Create work package links through # notation in documents / BlockNote \[[#73664](https://community.openproject.org/wp/73664)\]
- Feature: Create a WorkPackageCard component \[[#73968](https://community.openproject.org/wp/73968)\]
- Feature: Extend the SubHeader component to support quick filter components \[[#73972](https://community.openproject.org/wp/73972)\]
- Feature: Jira Migrator imports project-based semantic issue identifiers \[[#72427](https://community.openproject.org/wp/72427)\]
- Feature: Jira Migrator supports due date, estimated hours and remaining hours. \[[#74807](https://community.openproject.org/wp/74807)\]
- Feature: Meeting series: Add monthly scheduling options \[[#61522](https://community.openproject.org/wp/61522)\]
- Feature: Debounce emails for meetings \[[#66645](https://community.openproject.org/wp/66645)\]
- Feature: Primerize Types form configuration page \[[#69524](https://community.openproject.org/wp/69524)\]
- Feature: Expand work package mentions (##, ###) macros inside CKEditor \[[#74641](https://community.openproject.org/wp/74641)\]
- Feature: Allow Custom Fields on UserQuery \[[#74758](https://community.openproject.org/wp/74758)\]
- Feature: Primerize users administration to allow all filters \[[#74763](https://community.openproject.org/wp/74763)\]
- Feature: Workflows UX improvement: Allow multi-selection of roles in workflow \[[#72242](https://community.openproject.org/wp/72242)\]
- Feature: Administration setting for project-based work package identifiers \[[#71633](https://community.openproject.org/wp/71633)\]
- Feature: Background job for converting project-based semantic work package identifiers \[[#71645](https://community.openproject.org/wp/71645)\]
- Feature: Allow inline Work Package links within text paragraphs in the Documents module \[[#72817](https://community.openproject.org/wp/72817)\]
- Feature: Adapt creation of projects through the API for semantic identifiers \[[#73175](https://community.openproject.org/wp/73175)\]
- Feature: Define database model for project-based work package identifiers \[[#73315](https://community.openproject.org/wp/73315)\]
- Feature: Adapt work package show view for project-based semantic work package identifiers \[[#73716](https://community.openproject.org/wp/73716)\]
- Feature: Adapt work package lists for project-based semantic work package identifiers \[[#73717](https://community.openproject.org/wp/73717)\]
- Feature: Adapt routes for project-based semantic work package identifiers \[[#73756](https://community.openproject.org/wp/73756)\]
- Feature: Search work packages by their identifier \[[#73761](https://community.openproject.org/wp/73761)\]
- Feature: Adapt email notifications for project-based work package identifiers \[[#73827](https://community.openproject.org/wp/73827)\]
- Feature: Adapt work package link blocks in BlockNote for project-based semantic work package identifiers \[[#74115](https://community.openproject.org/wp/74115)\]
- Feature: Adapt work package links in CKEditor for project-based semantic work package identifiers \[[#74116](https://community.openproject.org/wp/74116)\]
- Feature: Adapt GitHub and GitLab modules for semantic identifiers \[[#74364](https://community.openproject.org/wp/74364)\]
- Feature: Adapt work package PDF exports for semantic identifiers \[[#74366](https://community.openproject.org/wp/74366)\]
- Feature: Add better progress indicator to identifier conversion page \[[#74903](https://community.openproject.org/wp/74903)\]
- Feature: Put &quot;Beta&quot; label on the setting for enabling semantic identifiers \[[#74975](https://community.openproject.org/wp/74975)\]
- Feature: Admin panel for releasing old classic project aliases \[[#74992](https://community.openproject.org/wp/74992)\]
- Bugfix: Closed work packages are still considered to be part of the bucket. \[[#74773](https://community.openproject.org/wp/74773)\]
- Bugfix: Inconsistent handling of &quot;Definition of Done&quot; \[[#74796](https://community.openproject.org/wp/74796)\]
- Bugfix: Backlogs: Missing space on mobile \[[#75188](https://community.openproject.org/wp/75188)\]
- Bugfix: Sprint field is sometimes not visible on the wp page \[[#75194](https://community.openproject.org/wp/75194)\]
- Bugfix: Backlog settings tab switching doesn&#39;t persist in url \[[#75239](https://community.openproject.org/wp/75239)\]
- Bugfix: No &quot;Undisclosed&quot; mention for the parent work package on the wp card for a user without permissions to see the parent \[[#75241](https://community.openproject.org/wp/75241)\]
- Bugfix: Incorrect resize behavior for pasted inline-links \[[#74190](https://community.openproject.org/wp/74190)\]
- Bugfix: Inserting &quot;#&quot; inside text removes content after cursor \[[#74325](https://community.openproject.org/wp/74325)\]
- Bugfix: Сards converting to hash links on copy-paste and DnD \[[#74327](https://community.openproject.org/wp/74327)\]
- Bugfix: Type colors are not applied correctly at the beginning \[[#74330](https://community.openproject.org/wp/74330)\]
- Bugfix: Inconsistent contrast for type colors when switching themes \[[#74332](https://community.openproject.org/wp/74332)\]
- Bugfix: Dropdown option order changes depending on selected item \[[#74333](https://community.openproject.org/wp/74333)\]
- Bugfix: Inconsistent inline-link heights in text flow \[[#74341](https://community.openproject.org/wp/74341)\]
- Bugfix: Inline work package chip has no visual highlight when selected \[[#74385](https://community.openproject.org/wp/74385)\]
- Bugfix: Arrow-down selection for link work package block prevented by tooltip \[[#74393](https://community.openproject.org/wp/74393)\]
- Bugfix: Wrong cursor placement after inserting links to Work Packages in BlockNote \[[#74397](https://community.openproject.org/wp/74397)\]
- Bugfix: Improve size menu and remove L+XL blocks \[[#74651](https://community.openproject.org/wp/74651)\]
- Bugfix: Click position is lost when activating an inline edit field \[[#72837](https://community.openproject.org/wp/72837)\]
- Bugfix: Doubled scrollbar on a Board \[[#73714](https://community.openproject.org/wp/73714)\]
- Bugfix: Quick filters don&#39;t react good to medium screen sizes \[[#74832](https://community.openproject.org/wp/74832)\]
- Bugfix: Hide pagination buttons when they are disabled \[[#75258](https://community.openproject.org/wp/75258)\]
- Bugfix: Horizontal ellipsis button misaligned when text expanded on Permissions Report/Workflows pages \[[#75275](https://community.openproject.org/wp/75275)\]
- Bugfix: Jira Migrator: misalignement between the status badge and the import name \[[#72840](https://community.openproject.org/wp/72840)\]
- Bugfix: Imprecise error for unallowed IP when testing Jira connection \[[#75031](https://community.openproject.org/wp/75031)\]
- Bugfix: Imprecise error for SSL errors when testing Jira connection \[[#75032](https://community.openproject.org/wp/75032)\]
- Bugfix: Jira Migrator cannot import a user with non-alphanumeric characters in their name \[[#75238](https://community.openproject.org/wp/75238)\]
- Bugfix: Jira Migrator stops the import for non-existing user in user mention \[[#75248](https://community.openproject.org/wp/75248)\]
- Bugfix: Remove extra space in Jira Migrator backup warning dialog \[[#75353](https://community.openproject.org/wp/75353)\]
- Bugfix: Jira Migrator does not scope issues between import runs. \[[#75355](https://community.openproject.org/wp/75355)\]
- Bugfix: Jira Migrator shows 0 issues info if server does not include the data in serverInfo endpoint \[[#75380](https://community.openproject.org/wp/75380)\]
- Bugfix: Jira Migrator gives unhelpful error message if user email is blank \[[#75381](https://community.openproject.org/wp/75381)\]
- Bugfix: No way to find jira import run history page \[[#75382](https://community.openproject.org/wp/75382)\]
- Bugfix: Enabled rate limiting on Jira instance breaks projects selector. \[[#75391](https://community.openproject.org/wp/75391)\]
- Bugfix: Wrong wording on import page in admin \[[#75422](https://community.openproject.org/wp/75422)\]
- Bugfix: Jira Migrator: Do not disable the new configuration button if the instance is not switched to semantic identifiers \[[#75674](https://community.openproject.org/wp/75674)\]
- Bugfix: Cancel occurence action item is called &#39;Delete&#39; on My Meetings page and Meeting index page &#39;Past&#39; tab \[[#74303](https://community.openproject.org/wp/74303)\]
- Bugfix: User cannot restore a cancelled occurrence if series has a deleted WP on the agenda \[[#74304](https://community.openproject.org/wp/74304)\]
- Bugfix: Show default section more clearly when using the section selector for a meeting with no sections \[[#74321](https://community.openproject.org/wp/74321)\]
- Bugfix: Meetings endpoint /api/v3/recurring\_meetings/:id/occurrences/:start\_time/init is not properly authorized \[[#75449](https://community.openproject.org/wp/75449)\]
- Bugfix: ActiveRecord::InvalidForeignKey on RecurringMeetingsController#end\_series \[[#75463](https://community.openproject.org/wp/75463)\]
- Bugfix: Work package configuration dialog&#39;s highlighting tab has no space between radio buttons and labels \[[#64359](https://community.openproject.org/wp/64359)\]
- Bugfix: Log time modal dropdown&#39;s bottom border is indistignuishable from the modal&#39;s bottom border \[[#65523](https://community.openproject.org/wp/65523)\]
- Bugfix: Wrong calendar week in My time tracking \[[#68272](https://community.openproject.org/wp/68272)\]
- Bugfix: Asterisks on Project attributes displaced \[[#68633](https://community.openproject.org/wp/68633)\]
- Bugfix: \[Meetings\] Exception raised while trying to update Stale Object \[[#68703](https://community.openproject.org/wp/68703)\]
- Bugfix: Clicking work package tabs triggers page reload and flickering \[[#69210](https://community.openproject.org/wp/69210)\]
- Bugfix: Mobile - Include project on WP list is missing spacing \[[#69451](https://community.openproject.org/wp/69451)\]
- Bugfix: Roles selectable as &quot;Role given to a non-admin user who creates a project&quot; that lack essential permissions \[[#69496](https://community.openproject.org/wp/69496)\]
- Bugfix: Text overflow in Baseline modal banner \[[#69526](https://community.openproject.org/wp/69526)\]
- Bugfix: Fix accessibility errors found by ERB Lint \[[#70166](https://community.openproject.org/wp/70166)\]
- Bugfix: Role not created properly when unselecting all permissions \[[#73494](https://community.openproject.org/wp/73494)\]
- Bugfix: POST/PATCH/DELETE requests to APIv3 return unauthorized \[[#73499](https://community.openproject.org/wp/73499)\]
- Bugfix: &quot;Upgrade&quot; button label should not be underlined \[[#73570](https://community.openproject.org/wp/73570)\]
- Bugfix: Not possible to filter for blocked users in time and cost report \[[#73660](https://community.openproject.org/wp/73660)\]
- Bugfix: Not possible to follow link custom field from work package list view \[[#73673](https://community.openproject.org/wp/73673)\]
- Bugfix: Black font in dark mode on wp description \[[#74697](https://community.openproject.org/wp/74697)\]
- Bugfix: Add upcoming/past filter to meetings index page filters \[[#74743](https://community.openproject.org/wp/74743)\]
- Bugfix: Redirect to /login is missing the URL query params \[[#74778](https://community.openproject.org/wp/74778)\]
- Bugfix: Missing space between user avatar and name \[[#74853](https://community.openproject.org/wp/74853)\]
- Bugfix: LDAP seeding via OPENPROJECT\_SEED\_LDAP\_\* uses a different (and self-contradictory) key convention than the rest of the env-var settings \[[#75361](https://community.openproject.org/wp/75361)\]
- Bugfix: Incorrect confirmation message when deleting a OAuth token \[[#72958](https://community.openproject.org/wp/72958)\]
- Bugfix: Roles select panel button should be &quot;Apply&quot; \[[#74560](https://community.openproject.org/wp/74560)\]
- Bugfix: Nextcloud integration shows &quot;No connection to Nextcloud&quot; for folders that have &quot;&amp;&quot; in the name \[[#73855](https://community.openproject.org/wp/73855)\]
- Bugfix: Shared work package not showing images of comments \[[#69056](https://community.openproject.org/wp/69056)\]
- Bugfix: Lists of work packages should sort correctly by semantic id \[[#74156](https://community.openproject.org/wp/74156)\]
- Bugfix: Automatically converting project identifiers should not lead to usage of reserved keywords \[[#74161](https://community.openproject.org/wp/74161)\]
- Bugfix: Moving work packages after switching to semantic and back should not lead to errors \[[#74192](https://community.openproject.org/wp/74192)\]
- Bugfix: After migration job is complete save button is visible and clicking it triggers a 404 \[[#74623](https://community.openproject.org/wp/74623)\]
- Bugfix: Admin page for semantic IDs: grammatical issue \[[#74681](https://community.openproject.org/wp/74681)\]
- Bugfix: Admin page for semantic IDs: long ids cause overflow \[[#74730](https://community.openproject.org/wp/74730)\]
- Bugfix: Numeric ID still in the URL of the link opened from the email notification \[[#74760](https://community.openproject.org/wp/74760)\]
- Bugfix: Numeric ID in the email notification after adding watchers \[[#74762](https://community.openproject.org/wp/74762)\]
- Bugfix: Numeric ID copied instead of semantic ID in &quot;Copy work package ID&quot; on Backlogs page \[[#74826](https://community.openproject.org/wp/74826)\]
- Bugfix: Numeric ID in URL of the wp link when opened from search results \[[#74834](https://community.openproject.org/wp/74834)\]
- Bugfix: Semantic ID is not shown in search results in different places \[[#74844](https://community.openproject.org/wp/74844)\]
- Bugfix: Numeric ID instead of semantic one in the spent time calendar \[[#74900](https://community.openproject.org/wp/74900)\]
- Bugfix: Numeric ID instead of semantic one on the Activity page \[[#74912](https://community.openproject.org/wp/74912)\]
- Bugfix: Numeric ID instead of semantic one in Roadmap \[[#74913](https://community.openproject.org/wp/74913)\]
- Bugfix: Numeric ID instead of semantic one in bulk edit work packages \[[#74926](https://community.openproject.org/wp/74926)\]
- Bugfix: Unable to change a parent on bulk edit of work packages with semantic ID \[[#74927](https://community.openproject.org/wp/74927)\]
- Bugfix: Numeric ID instead of semantic one on the error message on bulk edit \[[#74928](https://community.openproject.org/wp/74928)\]
- Bugfix: Numeric ID instead of semantic one on the table of related work packages \[[#74942](https://community.openproject.org/wp/74942)\]
- Bugfix: Numeric ID instead of semantic one on the Time and costs report \[[#74943](https://community.openproject.org/wp/74943)\]
- Bugfix: Numeric ID instead of semantic one on the wp delete confirmation dialogue \[[#74944](https://community.openproject.org/wp/74944)\]
- Bugfix: All-numeric project identifiers are not properly handled in classic mode \[[#74993](https://community.openproject.org/wp/74993)\]
- Bugfix: Numeric ID visible in edit mode in links with # \[[#75180](https://community.openproject.org/wp/75180)\]
- Bugfix: Inconsistent naming on admin page \[[#75362](https://community.openproject.org/wp/75362)\]
- Bugfix: Reserved project identifiers: UI fails silently with 404 console error when acting on a deleted project \[[#75483](https://community.openproject.org/wp/75483)\]
- Bugfix: workPackageValue:ID:attribute macros failing with semantic IDs \[[#75574](https://community.openproject.org/wp/75574)\]
- Bugfix: Numeric ID showing in Github tab on work packages without links to PRs \[[#75636](https://community.openproject.org/wp/75636)\]
<!-- END AUTOMATED SECTION -->
<!-- Warning: Anything above this line will be automatically removed by the release script -->
docs/release-notes/README.md
+21
View File
@@ -13,6 +13,27 @@ Stay up to date and get an overview of the new features included in the releases
<!--- New release notes are generated below. Do not remove comment. -->
<!--- RELEASE MARKER -->
## 17.3.4
Release date: 2026-06-08
[Release Notes](17-3-4/)
## 17.4.1
Release date: 2026-06-08
[Release Notes](17-4-1/)
## 17.3.3
Release date: 2026-06-08
[Release Notes](17-3-3/)
## 17.4.0
Release date: 2026-05-13
docs/system-admin-guide/users-permissions/users/README.md
+60 -39
View File
@@ -20,45 +20,64 @@ To manage users click on your avatar (top right corner) and select **Administrat
In the Community edition there is no limit to the number of users. In Enterprise editions (cloud and on-premises) the user limit is based on your subscription. The number of users for your subscription is thus not bound to names. For example, if you block a user you can add a new one without upgrading.
| Topic | Content |
| ----------------------------------------------- | -------------------------------------------------------- |
| [User list](#user-list) | Manage all users in OpenProject. |
| [Filter users](#filter-users) | Filter users in the list. |
| [Lock and unlock users](#lock-and-unlock-users) | Block a user permanently in the system or unlock a user. |
| [Create users](#create-users) | Invite or create new users. Resend or delete user invitations |
| [Manage user settings](#manage-user-settings) | Manage user details. |
| [Authentication](#authentication) | Set and use authentication methods. |
| [Delete users](#delete-users) | Delete a user from the system. |
| Topic | Content |
| ----------------------------------------------- | ------------------------------------------------------------ |
| [User list](#user-list) | Manage all users in OpenProject. |
| [Filter users](#filter-users) | Filter users in the list. |
| [Configure view](#configure-view) | Configure how user information is displayed. |
| [Lock and unlock users](#lock-and-unlock-users) | Block a user permanently in the system or unlock a user. |
| [Create users](#create-users) | Invite or create new users. Resend or delete user invitations |
| [Manage user settings](#manage-user-settings) | Manage user details. |
| [Authentication](#authentication) | Set and use authentication methods. |
| [Delete users](#delete-users) | Delete a user from the system. |
## User list
The User list is where users are managed. They can be added, edited or deleted from this list, which can be filtered if required.
![openproject_system_admin_guide_users_list](openproject_system_admin_guide_users_list.png)
![List of users under OpenProject administration](openproject_system_admin_guide_users_list.png)
Column headers can be clicked to toggle sort direction. Arrows indicate sort order, up for ascending (a-z/0-9) and down for descending (z-a/9-0). Paging controls are shown at the bottom of the list. You will also see whether a user is a system administrator in OpenProject.
## Filter users
At the top of the user list is a filter box. Filter by status. group or name, then click the green **Apply** button to filter the list. Click the **Clear** button to reset the filter fields and refresh the list.
To filter for users, begin by clicking the **Filters** button.
* **Status** - select from Active, All or Locked Temporarily. Each selection shows the number of users.
* **Group** - select from the list of existing groups.
* **Name** - enter any text; this can contain a "%" wild card for 0 or more characters. The filter applies to user name, first name, last name and email address.
!["Filters" button to filter through users list in OpenProject administration](openproject_systemguide_filters_button.png)
![Filter users in OpenProject](openproject_systemguide_filter_users.png)
Clicking on it opens up the **+Add filter** form. Here, you can filter by group, status, name or username, and your list is automatically updated. Each filter button displays additional filtering options to help you narrow down results. The results are then filtered based on the selected criteria. Click the **x** symbol in front of each selected filter to clear the filter and the **x** symbol at the **top-right corner** to close the form.
![Add filter form](openproject_systemguide_add_filters.png)
- **Username** - enter any text or character like @, .com which is unique to the user list.
- **Name** - enter any text; this can contain a "%" wild card for 0 or more characters. For example, if you are filtering for a user named Niklas but are unsure if it's Niklas, Niclas, Nikolas, or Nicholas, you can search for “Ni%las” and all matching users will be listed. The filter applies to first name, last name and email address.
- **Group** - select from the list of existing groups.
- **Status** - select from Active, Registered, Locked, Invited, Deleted. Each selection shows the number of users.
![Filters for user list in OpenProject administration](openproject_systemguide_filter_users.png)
## Configure view
To configure how the table of users is displayed, click on the More menu **(...)**.
![Menu for configure view for the user list in OpenProject administration](openproject_systemguide_configure_view.png)
This opens up a form where you can add columns, or manage and reorder columns via drag and drop. Click **Apply** to save your changes.
![Open form to configure view for the user list in OpenProject administration](openproject_systemguide_configure_view_form.png)
## Lock and unlock users
Handling locking and unlocking of users is also done from the user list. To disable a user's access click the **Lock permanently** link next to a user. Use the **Unlock** link to restore the user's access.
Handling locking and unlocking of users is also done from the user list. To disable a user's access click, the **Lock permanently** link next to a user. Use the **Unlock** link to restore the user's access.
If you are using [Enterprise cloud](../../../enterprise-guide/enterprise-cloud-guide) or [Enterprise on-premises](../../../enterprise-guide/enterprise-on-premises-guide) locking a user will free up a user license and so you could add another user to the system within your booked plan.
> **Note**: The previous activities from a locked user will still be displayed in the system.
> [!NOTE]
> The previous activities from a locked user will still be displayed in the system.
![Lock users in OpenProject](open_project_system_admin_lock_user_permanently.png)
If a user has repeated failed logins the user will be locked temporarily and a **Reset failed logins** link will be shown in the user list. Click the link to unlock it right away, or wait and it will be unlocked automatically. Have a look at the section [Other authentication settings](../../authentication/login-registration-settings/) for failed attempts and time blocked.
If a user has repeated failed logins, the user will be locked temporarily and a **Reset failed logins** link will be shown in the user list. Click the link to unlock it right away, or wait and it will be unlocked automatically. Have a look at the section [Other authentication settings](../../authentication/login-registration-settings/) for failed attempts and time blocked.
## Create users
@@ -75,7 +94,7 @@ Enter the email address, first name, and last name of the new user. Tick the box
Note: the email field must be a valid format and be unique or it will be rejected on clicking the button.
Click the **Create** button to add the user and show that user's details page. Click the **Create and continue** button to add the user and stay on the new user form to add another user. Either way, the new user will be invited via email.
When adding the last of multiple users you can click on **Create** or click the **Users** link in the menu on the left. The **Users list** will be shown. Click on the name of each user to [edit their details](#set-initial-details).
When adding the last of multiple users you can click on **Create** or click the **Users** link in the menu on the left. The **Users list** will be shown. Click on the name of each user to [edit their details](#set-initial-details).
### Create user (via self-registration)
@@ -110,8 +129,10 @@ In the top right, click the **Send invitation** button in order to send the emai
### Delete user invitations
To invalidate or revoke a user's invitation click on the user name and then on **Delete** in the upper right corner. This will prevent the invited user from logging in.
Please note: this only works for users who haven't logged in yet. If the user is already active this will delete his/her whole profile and account. Deleting users can't be revoked.
To invalidate or revoke a user's invitation, click on the user name and then on **Delete** in the upper right corner. This will prevent the invited user from logging in.
> [!NOTE]
> This only works for users who haven't logged in yet. If the user is already active, this will delete his/her whole profile and account. Deleting users can't be revoked.
## Manage user settings
@@ -119,11 +140,11 @@ You can manage individual user details if you click on the user name in the list
### General settings
![administration-user-settings-manage-user](openproject_system_guide_general_tab.png)
![Settings to manage a user under OpenProject administration](openproject_system_guide_general_tab.png)
On the **General** tab the following fields are shown:
1. User's master date
1. User's master data
- **Status** - this is set by the system.
- **Username** - this defaults to the email address for a new user (unless the user used the self registration). It can be changed on this page. Users cannot change their own user name.
- **First name**, **Last name**, **Email** - these fields are filled from the **New user** page. Users can change them under their **Profile** page; they are mandatory.
@@ -139,7 +160,7 @@ On the **General** tab the following fields are shown:
To create a new password for a user (e.g. if he/she lost it) navigate to the **Authentication** section of the **General** tab. You can either **Assign a random password** (check the box on top) or set a new password manually and send it to them (preferably through secured communication). Consider checking the box next to **Enforce password change on next login**.
![reset-user-password](Authentication.png)
![Reset user password under OpenProject administration](Authentication.png)
### Add users to a project
@@ -147,19 +168,20 @@ In order to see and work in a project, a user has to be a member of a project an
On the **Projects** tab, select the new project from the drop-down list, choose the [roles](../roles-permissions) for this project and click the green **Add** button.
![Sysadmin add project](Sys-admin-add-project1.gif)
![Add users to a project under OpenProject system administration](Sys-admin-add-project1.gif)
### Add users to groups
On the **Groups** tab you can see the groups the user belongs to. If a group is shown, click the group name link.
![User groups](system_guide_user_groups.png)
![User groups in OpenProject administration](system_guide_user_groups.png)
If no groups are shown (i.e. the user does not belong to any group, yet), click the **Manage groups** link to [edit groups](../groups).
![Manage Groups](system_guide_manage_groups.png)
![Manage groups in OpenProject administration](system_guide_manage_groups.png)
**Please note**: The **Groups** tab is only shown if at least one user group exists in OpenProject.
> [!NOTE]
> The **Groups** tab is only shown if at least one user group exists in OpenProject.
### Global roles
@@ -167,7 +189,7 @@ In order to add a global role to a user, at least one global role needs to be [c
On the **Global roles** tab, select or de-select the global role(s) for this user. Click the **Add** button.
![Add global roles](openproject_system_guide_add_global_roles.png)
![Add global user roles in OpenProject administration](openproject_system_guide_add_global_roles.png)
### Notification settings
@@ -181,13 +203,13 @@ Under **Email reminders** tab you can edit the [email reminders settings](../../
The rate history tab shows the hourly rates that have been defined for the user. The **Default rate** is applied to projects with no rate defined. All projects that the user is a member of are listed with the user's rates.
The **Valid from** date will effect the rate used when creating a [budget](../../../user-guide/budgets/) and when [logging time](../../../user-guide/time-and-costs/time-tracking/).
The **Valid from** date will affect the rate used when creating a [budget](../../../user-guide/budgets/) and when [logging time](../../../user-guide/time-and-costs/time-tracking/).
If you want to set a different hourly rate for the user on different projects, you can overwrite the default rate with a different rate below in the respective projects.
To enter a new hourly rate, click on the **Update** icon next to the rate history. You can either set a **default hourly rate** or define a rate for a certain project.
![set-hourly-rate-administration](system_guide_rate_history.png)
![Set hourly rates for users in OpenProject administrationin OpenProject administration](system_guide_rate_history.png)
1. Enter a date from which the rate is **Valid from**.
2. Enter the (hourly) **Rate**. The currency can only be changed in the [respective settings](../../time-and-costs).
@@ -199,10 +221,9 @@ To enter a new hourly rate, click on the **Update** icon next to the rate histor
### Avatar
The **Avatar** tab shows the default icon to be shown for this user. A custom image can be uploaded as the avatar. In addition, users can also use their [Gravatar](https://en.wikipedia.org/wiki/Gravatar). User can manage this under their [profile settings](../../../user-guide/account-settings/#set-an-avatar). These features can be disabled in the [avatar settings](../avatars).
The **Avatar** tab shows the default icon to be shown for this user. A custom image can be uploaded as the avatar. In addition, users can also use their [Gravatar](https://en.wikipedia.org/wiki/Gravatar). Users can manage this under their [profile settings](../../../user-guide/account-settings/#set-an-avatar). These features can be disabled in the [avatar settings](../avatars).
> [!TIP]
>
> Hovering over a user's avatar or name, for example on the Members page or the Activity page, will display their information.
### Two-factor authentication (2FA)
@@ -219,9 +240,9 @@ Use the **self-registration** field to give the following controls over a new us
The user details Authentication section has fields **Assign random password**, **Password**, **Confirmation** and **Enforce password change**.
* If you are near the new user, you can enter a password and confirmation then tell the user what it is. They can then sign in. It is recommended that you also tick the enforce password change checkbox, so that the user is prompted to change their password after they sign in.
* You can phone the new user or send them an email, not using OpenProject, to give them the password. In this case it is more important to tick the enforce password change checkbox.
* Tick the Assign random password, and probably the enforce password change checkbox. When the details are saved OpenProject will send an email to the new user with their password.
- If you are near the new user, you can enter a password and confirmation then tell the user what it is. They can then sign in. It is recommended that you also tick the enforce password change checkbox, so that the user is prompted to change their password after they sign in.
- You can phone the new user or send them an email, not using OpenProject, to give them the password. In this case it is more important to tick the enforce password change checkbox.
- Tick the Assign random password, and probably the enforce password change checkbox. When the details are saved OpenProject will send an email to the new user with their password.
### Account activation by email
@@ -231,8 +252,8 @@ Leave all fields blank. When the details are saved OpenProject will send an emai
Two [settings](../settings/#user-deletion) allow users to be deleted from the system:
* **User accounts deletable by admins** - if ticked, a **Delete** button is shown on the user details page.
* **Users allowed to delete their accounts** - if ticked, a **Delete account** menu entry is shown in the **Account settings** page.
- **User accounts deletable by admins** - if ticked, a **Delete** button is shown on the user details page.
- **Users allowed to delete their accounts** - if ticked, a **Delete account** menu entry is shown in the **Account settings** page.
To delete another user's account open the [user list](#user-list). Click on the **user name** of the user which you want to delete. Click the **Delete** button at the top right.
@@ -240,7 +261,7 @@ To delete another user's account open the [user list](#user-list). Click on the
You will then be asked to confirm the deletion of the user permanently from the system. Checking the consent box will activate the **Delete permanently** button.
![delete user](delete-user-confirmation.png)
![Delete user in OpenProject administration](delete-user-confirmation.png)
> [!CAUTION]
> Deleting a user account is a permanent action and cannot be reversed. The previous activities from this user will still be displayed in the system but reassigned to **Deleted user**. This is also true for the Time and cost and the Budget modules. Spent time will be still be visible for **Deleted user** inside a Work package. Time and cost reports will contain the entries with reference to **Deleted user**. Labor budgets that have been setup for the user are displayed under **Deleted user**, too. If you would like to keep track of the user's name in connection with the mentioned activities, the spent time and the budget, you are able to keep the user's name in the historical data by simply [locking the user](#lock-and-unlock-users).
docs/system-admin-guide/users-permissions/users/openproject_system_admin_guide_users_list.png
BIN
View File
Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 54 KiB

docs/system-admin-guide/users-permissions/users/openproject_systemguide_add_filters.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

docs/system-admin-guide/users-permissions/users/openproject_systemguide_configure_view.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

docs/system-admin-guide/users-permissions/users/openproject_systemguide_configure_view_form.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

docs/system-admin-guide/users-permissions/users/openproject_systemguide_filter_users.png
BIN
View File
Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 56 KiB

docs/system-admin-guide/users-permissions/users/openproject_systemguide_filters_button.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB