Merge pull request #21968 from opf/rename-rest-api-enabled

Rename rest_api_enabled to api_tokens_enabled
2026-06-14 03:30:14 +00:00 · 2026-02-13 09:52:58 +01:00
parent 136ed3ee23 d61bb47b2b
commit eb73e27e23
14 changed files with 70 additions and 19 deletions
@@ -56,7 +56,7 @@ module My

      def token_available?
        case token_type.to_s
-        when "Token::API" then Setting.rest_api_enabled?
+        when "Token::API" then Setting.api_tokens_enabled?
        when "Token::ICalMeeting" then Setting.ical_enabled?
        when "Token::RSS" then Setting.feeds_enabled?
        else raise ArgumentError, "Unknown token type: #{token_type}"
@@ -101,7 +101,7 @@ module Accounts::CurrentUser
  end

  def current_api_key_user
-    return unless Setting.rest_api_enabled? && api_request?
+    return unless Setting.api_tokens_enabled? && api_request?

    key = api_key_from_request

@@ -172,7 +172,7 @@ module My
    helper_method :has_tokens?

    def has_tokens?
-      Setting.feeds_enabled? || Setting.rest_api_enabled? || current_user.ical_tokens.any?
+      Setting.feeds_enabled? || Setting.api_tokens_enabled? || current_user.ical_tokens.any?
    end

    def set_api_token
@@ -48,7 +48,7 @@ module Admin
      end

      settings_form do |sf|
-        sf.check_box(name: :rest_api_enabled)
+        sf.check_box(name: :api_tokens_enabled, caption: I18n.t(:setting_api_tokens_enabled_caption))

        sf.text_field(
          name: :apiv3_max_page_size,
@@ -448,7 +448,7 @@ class User < Principal
  end

  def self.find_by_api_key(key)
-    return nil unless Setting.rest_api_enabled?
+    return nil unless Setting.api_tokens_enabled?

    token = Token::API.find_by_plaintext_value(key)

@@ -126,6 +126,13 @@ module Settings
        default: :quarantine,
        allowed: %i[quarantine delete]
      },
+      api_tokens_enabled: {
+        default: true,
+        description: "Decide whether users can create personal API tokens in their account settings",
+        # Keeping old name only for backwards-compatibility, can be removed in OpenProject 18.0
+        env_alias: "OPENPROJECT_REST__API__ENABLED",
+        format: :boolean
+      },
      auth_source_sso: {
        description: "Configuration for Header-based Single Sign-On",
        format: :hash,
@@ -969,9 +976,6 @@ module Settings
      repository_truncate_at: {
        default: 500
      },
-      rest_api_enabled: {
-        default: true
-      },
      scm: {
        format: :hash,
        default: {},
@@ -4571,6 +4571,10 @@ en:
  setting_smtp_password: "SMTP password"
  setting_smtp_domain: "SMTP HELO domain"
  setting_activity_days_default: "Days displayed on project activity"
+  setting_api_tokens_enabled: "Enable API tokens"
+  setting_api_tokens_enabled_caption: >
+    Decide whether users can create personal API tokens in their account settings. These tokens can be used to access the different
+    APIs of OpenProject, such as APIv3 and MCP.
  setting_app_subtitle: "Application subtitle"
  setting_app_title: "Application title"
  setting_attachment_max_size: "Attachment max. size"
@@ -4685,7 +4689,6 @@ en:
  setting_repository_checkout_text: "Checkout instruction text"
  setting_repository_log_display_limit: "Maximum number of revisions displayed on file log"
  setting_repository_truncate_at: "Maximum number of files displayed in the repository browser"
-  setting_rest_api_enabled: "Enable REST web service"
  setting_self_registration: "Self-registration"
  setting_self_registration_caption: >
    Choose the self-registration mechanism for users. Be careful with the setting you choose, as some
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+require_relative "migration_utils/setting_renamer"
+
+class RenameSettingRestAPIEnabled < ActiveRecord::Migration[8.0]
+  def up
+    ::Migration::MigrationUtils::SettingRenamer.rename(:rest_api_enabled, :api_tokens_enabled)
+  end
+
+  def down
+    ::Migration::MigrationUtils::SettingRenamer.rename(:api_tokens_enabled, :rest_api_enabled)
+  end
+end
@@ -13,9 +13,12 @@ Navigate to **Administration → API and webhooks**.

 ## API

+<!-- TODO: Replace screenshot with new version -->
 ![API settings in OpenProject administration](openproject_system_admin_guide_api.png)

-Here, you can manage the **REST web service** to selectively control whether foreign applications may access your OpenProject API endpoints from within the browser. This setting allows users to access the OpenProject API using an API token created from the users "Account settings" page. You can set the **maximum page size** the API will respond with. It will not be possible to perform API requests that return more values on a single page. You can also enable **write access to read-only attributes**, which will allow administrators to write static read-only attributes during creation, such as *createdAt* and *author*. 
+Here, you can manage whether users can create personal API tokens, this setting allows users to access the OpenProject APIs using an API token created from the user's "Account settings" page.
+You can set the **maximum page size** the API will respond with. It will not be possible to perform API requests that return more values on a single page.
+You can also enable **write access to read-only attributes**, which will allow administrators to write static read-only attributes during creation, such as *createdAt* and *author*. This can be useful during data imports.

 ### Documentation

@@ -35,12 +35,12 @@ module OpenProject
        ##
        # Allows users to authenticate using their API key as a Bearer token.
        # Note that in order for a user to be able to generate one
-        # `Setting.rest_api_enabled` has to be `1`.
+        # `Setting.api_tokens_enabled` has to be `1`.
        class UserAPIToken < ::Warden::Strategies::Base
          include FailWithHeader

          def valid?
-            return false unless Setting.rest_api_enabled?
+            return false unless Setting.api_tokens_enabled?

            @access_token = ::Doorkeeper::OAuth::Token.from_bearer_authorization(
              ::Doorkeeper::Grape::AuthorizationDecorator.new(request)
@@ -37,7 +37,7 @@ module OpenProject
        ##
        # Allows users to authenticate using their API key via basic auth.
        # Note that in order for a user to be able to generate one
-        # `Setting.rest_api_enabled` has to be `1`.
+        # `Setting.api_tokens_enabled` has to be `true`.
        #
        # The basic auth credentials are expected to contain the literal 'apikey'
        # as the user name and the API key as the password.
@@ -165,8 +165,8 @@ RSpec.describe Settings::Definition, :settings_reset do

      it "overriding boolean configuration from ENV will cast the value",
         with_env: { "OPENPROJECT_REST__API__ENABLED" => "0" } do
-        reset(:rest_api_enabled)
-        expect(all[:rest_api_enabled].value).to be false
+        reset(:api_tokens_enabled)
+        expect(all[:api_tokens_enabled].value).to be false
      end

      it "overriding symbol configuration having allowed values from ENV will cast the value before validation check",
@@ -46,7 +46,7 @@ RSpec.describe "my access tokens", :js do
  end

  describe "API tokens" do
-    context "when API access is disabled via global settings", with_settings: { rest_api_enabled: false } do
+    context "when API tokens are disabled via global setting", with_settings: { api_tokens_enabled: false } do
      it "shows notice about disabled token" do
        visit my_access_tokens_path

@@ -57,7 +57,7 @@ RSpec.describe "my access tokens", :js do
      end
    end

-    context "when API access is enabled via global settings", with_settings: { rest_api_enabled: true } do
+    context "when API tokens are enabled via global setting", with_settings: { api_tokens_enabled: true } do
      it "API tokens can be generated and revoked" do
        visit my_access_tokens_path

@@ -41,8 +41,8 @@ RSpec.describe Admin::Settings::APISettingsForm, type: :forms do
  end

  it "renders", :aggregate_failures do
-    expect(rendered_form).to have_field "Enable REST web service", type: :checkbox do |field|
-      expect(field["name"]).to eq "settings[rest_api_enabled]"
+    expect(rendered_form).to have_field "Enable API tokens", type: :checkbox do |field|
+      expect(field["name"]).to eq "settings[api_tokens_enabled]"
    end

    expect(rendered_form).to have_field "Maximum API page size", type: :number do |field|