diff --git a/.rubocop.yml b/.rubocop.yml
index 151ba2e17e9..5ae61c918bb 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -125,7 +125,7 @@ LineEndConcatenation:
   Enabled: false
 
 LineLength:
-  Max: 99
+  Max: 100
 
 MethodLength:
   Enabled: false
diff --git a/Gemfile b/Gemfile
index a31e8e23106..45961b4ae2c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -41,6 +41,9 @@ gem 'omniauth'
 gem 'request_store', "~> 1.1.0"
 gem 'gravatar_image_tag', '~> 1.2.0'
 
+gem 'warden', '~> 1.2'
+gem 'warden-basic_auth', '~> 0.2.0'
+
 # TODO: adds #auto_link which was deprecated in rails 3.1
 gem 'rails_autolink', '~> 1.1.6'
 gem "will_paginate", '~> 3.0'
diff --git a/README.md b/README.md
index a662c0f4b58..2df84acfe06 100644
--- a/README.md
+++ b/README.md
@@ -45,10 +45,10 @@ The [OpenProject Foundation (OPF)](https://community.openproject.org/projects/op
 
 ## Repository
 
-This repository contains two main branches:
+This repository contains several main branches:
 
 * `dev`: The main development branch. We try to keep it stable in the sense of all tests are passing, but we don't recommend it for production systems.
-* `stable`: Contains the latest stable release that we recommend for production use. Use this if you always want the latest version of OpenProject.
+* `stable/<version>`: Contains the latest stable release for a specific version. We recommend to use this for production use. Example: `stable/4.1`.
 
 ## License
 
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 875db46fec4..0c3ea217784 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -33,7 +33,7 @@ class SearchController < ApplicationController
   def index
     @question = params[:q] || ''
     @question.strip!
-    @all_words = params[:all_words] || (params[:submit] ? false : true)
+    @all_words = params[:all_words] || !params[:submit]
     @titles_only = !params[:titles_only].nil?
 
     projects_to_search =
diff --git a/app/controllers/work_packages_controller.rb b/app/controllers/work_packages_controller.rb
index 5e620a5617f..22186c72c3d 100644
--- a/app/controllers/work_packages_controller.rb
+++ b/app/controllers/work_packages_controller.rb
@@ -425,7 +425,7 @@ class WorkPackagesController < ApplicationController
   end
 
   def send_notifications?
-    params[:send_notification] == '0' ? false : true
+    params[:send_notification] != '0'
   end
 
   def per_page_param
diff --git a/app/controllers/workflows_controller.rb b/app/controllers/workflows_controller.rb
index 82d666e11ab..0e2ec7dd7d3 100644
--- a/app/controllers/workflows_controller.rb
+++ b/app/controllers/workflows_controller.rb
@@ -58,7 +58,7 @@ class WorkflowsController < ApplicationController
       end
     end
 
-    @used_statuses_only = (params[:used_statuses_only] == '0' ? false : true)
+    @used_statuses_only = params[:used_statuses_only] != '0'
     if @type && @used_statuses_only && @type.statuses.any?
       @statuses = @type.statuses
     end
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index c6f3e236656..df61a35ade8 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -502,7 +502,10 @@ module ApplicationHelper
         when 6
           '6' # Saturday
         else
-          '' # use language
+          # use language (pass a blank string into the JSON object,
+          # as the datepicker implementation checks for numbers in
+          # /frontend/app/misc/datepicker-defaults.js:34)
+          '""'
         end
         # FIXME: Get rid of this abomination
         js = "var CS = { lang: '#{current_language.to_s.downcase}', firstDay: #{start_of_week} };"
diff --git a/app/helpers/sort_helper.rb b/app/helpers/sort_helper.rb
index 5d896bf14b2..031e638212f 100644
--- a/app/helpers/sort_helper.rb
+++ b/app/helpers/sort_helper.rb
@@ -143,8 +143,15 @@ module SortHelper
 
     def normalize!
       @criteria ||= []
-      @criteria = @criteria.map { |s| s = s.to_a; [s.first, (s.last == false || s.last == 'desc') ? false : true] }
-      @criteria = @criteria.select { |k, _o| @available_criteria.has_key?(k) } if @available_criteria
+      @criteria = @criteria.map { |s|
+        s = s.to_a
+        [s.first, !(s.last == false || s.last == 'desc')]
+      }
+
+      if @available_criteria
+        @criteria = @criteria.select { |k, _o| @available_criteria.has_key?(k) }
+      end
+
       @criteria.slice!(3)
       self
     end
diff --git a/app/models/enumeration.rb b/app/models/enumeration.rb
index c1913131626..9c64a6b2676 100644
--- a/app/models/enumeration.rb
+++ b/app/models/enumeration.rb
@@ -149,7 +149,7 @@ class Enumeration < ActiveRecord::Base
 
   # Are the new and previous fields equal?
   def self.same_active_state?(new, previous)
-    new = (new == '1' ? true : false)
+    new = new == '1'
     new == previous
   end
 
diff --git a/app/models/mail_handler.rb b/app/models/mail_handler.rb
index e1b657a121e..e8cf8f3ddfa 100644
--- a/app/models/mail_handler.rb
+++ b/app/models/mail_handler.rb
@@ -48,7 +48,7 @@ class MailHandler < ActionMailer::Base
     # Status overridable by default
     @@handler_options[:allow_override] << 'status' unless @@handler_options[:issue].has_key?(:status)
 
-    @@handler_options[:no_permission_check] = (@@handler_options[:no_permission_check].to_s == '1' ? true : false)
+    @@handler_options[:no_permission_check] = @@handler_options[:no_permission_check].to_s == '1'
 
     email.force_encoding('ASCII-8BIT') if email.respond_to?(:force_encoding)
     super email
diff --git a/app/models/system_user.rb b/app/models/system_user.rb
index b2388eb6274..ef540739866 100644
--- a/app/models/system_user.rb
+++ b/app/models/system_user.rb
@@ -62,7 +62,7 @@ class SystemUser < User
 
   # There should be only one SystemUser in the database
   def validate_unique_system_user
-    errors.add :base, 'A SystemUser already exists.' if SystemUser.find(:first)
+    errors.add :base, 'A SystemUser already exists.' if SystemUser.any?
   end
 
   # Overrides a few properties
diff --git a/app/models/user.rb b/app/models/user.rb
index 55becf50d47..f6aabe994aa 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -740,7 +740,7 @@ class User < Principal
   end
 
   def self.system
-    system_user = SystemUser.find(:first)
+    system_user = SystemUser.first
     if system_user.nil?
       (system_user = SystemUser.new.tap do |u|
         u.lastname = 'System'
diff --git a/app/views/boards/index.html.erb b/app/views/boards/index.html.erb
index 7b63e3435e6..61b6555b64d 100644
--- a/app/views/boards/index.html.erb
+++ b/app/views/boards/index.html.erb
@@ -47,12 +47,10 @@ See doc/COPYRIGHT.rdoc for more details.
         <td align="center"><%= board.topics_count %></td>
         <td align="center"><%= board.messages_count %></td>
         <td>
-          <small>
-            <% if board.last_message %>
-              <%= authoring board.last_message.created_on, board.last_message.author %><br />
-              <%= link_to_message board.last_message %>
-            <% end %>
-          </small>
+          <% if board.last_message %>
+            <%= authoring board.last_message.created_on, board.last_message.author %><br />
+            <%= link_to_message board.last_message %>
+          <% end %>
         </td>
       </tr>
     <% end %>
diff --git a/app/views/help/wiki_syntax_detailed.html.erb b/app/views/help/wiki_syntax_detailed.html.erb
index d2ea097c5b8..78d789643ce 100644
--- a/app/views/help/wiki_syntax_detailed.html.erb
+++ b/app/views/help/wiki_syntax_detailed.html.erb
@@ -236,6 +236,16 @@ To go live, all you need to add is a database and a web server.
 {{toc}} => left aligned toc
 {{>toc}} => right aligned toc
 </pre>
+<h3><a name="11" class="wiki-page"></a>Acronyms</h3>
+<p>Display tooltip for acronym by entering tooltip in parantheses after upper case
+acronym.</p>
+<pre>
+WHO(World Health Organisation) => Displays "World Health Organisation" as
+tooltip of "WHO"
+</pre>
+<p>
+  <acronym title="World Health Organisation">WHO</acronym>
+</p>
 <h2><a name="12" class="wiki-page"></a>Macros</h2>
 <p>OpenProject has the following builtin macros:</p>
 <p>
diff --git a/app/views/my/_sidebar.html.erb b/app/views/my/_sidebar.html.erb
index dd08b56ebb7..d27a9953c77 100644
--- a/app/views/my/_sidebar.html.erb
+++ b/app/views/my/_sidebar.html.erb
@@ -44,19 +44,18 @@ See doc/COPYRIGHT.rdoc for more details.
     (<%= link_to l(:button_reset), {:action => 'reset_rss_key'}, :method => :post %>)
   </p>
 <% end %>
-<% if Setting.rest_api_enabled? %>
-  <h3><%= l(:label_api_access_key) %></h3>
-  <div>
-    <%= link_to_function(l(:button_show), "$('api-access-key').toggle();")%>
-    <pre id='api-access-key' class='autoscroll'><%= h(@user.api_key) %></pre>
-  </div>
-  <%= javascript_tag("$('api-access-key').hide();") %>
-  <p>
-    <% if @user.api_token %>
-      <%= l(:label_api_access_key_created_on, distance_of_time_in_words(Time.now, @user.api_token.created_on)) %>
-    <% else %>
-      <%= l(:label_missing_api_access_key) %>
-    <% end %>
-    (<%= link_to l(:button_reset), {:action => 'reset_api_key'}, :method => :post %>)
-  </p>
-<% end %>
+
+<h3><%= l(:label_api_access_key) %></h3>
+<div>
+  <%= link_to_function(l(:button_show), "$('api-access-key').toggle();")%>
+  <pre id='api-access-key' class='autoscroll'><%= h(@user.api_key) %></pre>
+</div>
+<%= javascript_tag("$('api-access-key').hide();") %>
+<p>
+  <% if @user.api_token %>
+    <%= l(:label_api_access_key_created_on, distance_of_time_in_words(Time.now, @user.api_token.created_on)) %>
+  <% else %>
+    <%= l(:label_missing_api_access_key) %>
+  <% end %>
+  (<%= link_to l(:button_reset), {:action => 'reset_api_key'}, :method => :post %>)
+</p>
diff --git a/config/configuration.yml.example b/config/configuration.yml.example
index 0ceeede6cd0..05a7c361d41 100644
--- a/config/configuration.yml.example
+++ b/config/configuration.yml.example
@@ -277,6 +277,14 @@ default:
   # generated and sent to the user who then has to change their password upon login.
   disable_password_choice: false
 
+  # You can configure a global set of credentials to authenticate towards
+  # API v3 via basic auth. Note that this will grant admin access. Use with care
+  # and make sure the password does not leak.
+  # authentication:
+  #   global_basic_auth:
+  #     user: admin
+  #     password: admin
+
 # specific configuration options for production environment
 # that overrides the default ones
 # production:
diff --git a/config/initializers/warden.rb b/config/initializers/warden.rb
new file mode 100644
index 00000000000..85dc7990b8e
--- /dev/null
+++ b/config/initializers/warden.rb
@@ -0,0 +1,24 @@
+require 'open_project/authentication'
+
+# Strategies provided by OpenProject:
+require 'open_project/authentication/strategies/warden/basic_auth_failure'
+require 'open_project/authentication/strategies/warden/global_basic_auth'
+require 'open_project/authentication/strategies/warden/user_basic_auth'
+require 'open_project/authentication/strategies/warden/session'
+
+strategies = {
+  basic_auth_failure: OpenProject::Authentication::Strategies::Warden::BasicAuthFailure,
+  global_basic_auth:  OpenProject::Authentication::Strategies::Warden::GlobalBasicAuth,
+  user_basic_auth:    OpenProject::Authentication::Strategies::Warden::UserBasicAuth,
+  session:            OpenProject::Authentication::Strategies::Warden::Session
+}
+
+strategies.each do |name, clazz|
+  Warden::Strategies.add name, clazz
+end
+
+include OpenProject::Authentication::Scope
+
+OpenProject::Authentication.update_strategies(API_V3) do |_strategies|
+  [:global_basic_auth, :user_basic_auth, :basic_auth_failure, :session]
+end
diff --git a/config/locales/de.yml b/config/locales/de.yml
index f5e1faee630..2a2749165d9 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -1685,6 +1685,7 @@ de:
         lock_version: "Sperrversion"
     errors:
       code_401: "Sie müssen sich authentifizieren, um auf die Ressource zugreifen zu können."
+      code_401_wrong_credentials: "Die von Ihnen benutzten Zugangsdaten sind nicht korrekt."
       code_403: "Sie sind nicht berechtigt auf diese Ressource zuzugreifen."
       code_404: "Die angeforderte Ressource konnte nicht gefunden werden."
       code_409: "Die Ressource konnte wegen parallelen Zugriffs nicht aktualisiert werden."
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 73be5f7dc95..b1ffe2cd13d 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1677,6 +1677,7 @@ en:
       lock_version: "Lock Version"
     errors:
       code_401: "You need to be authenticated to access this resource."
+      code_401_wrong_credentials: "You did not provide the correct credentials."
       code_403: "You are not authorized to access this resource."
       code_404: "The requested resource could not be found."
       code_409: "Couldn\'t update the resource because of conflicting modifications."
diff --git a/doc/CONFIGURATION.md b/doc/CONFIGURATION.md
index 4bff000debf..f395cf32ae3 100644
--- a/doc/CONFIGURATION.md
+++ b/doc/CONFIGURATION.md
@@ -86,6 +86,7 @@ storage config above like this:
 * [`hidden_menu_items`](#hidden-menu-items) (default: {})
 * [`disabled_modules`](#disabled-modules) (default: [])
 * [`blacklisted_routes`](#blacklisted-routes) (default: [])
+* [`global_basic_auth`](#global-basic-auth)
 
 ### disable password login
 
@@ -186,7 +187,7 @@ OPENPROJECT_HIDDEN__MENU__ITEMS_ADMIN__MENU='roles types'
 
 *default: []*
 
-You can blacklist specific routes 
+You can blacklist specific routes
 The following example forbid all routes for above disabled menu:
 
 ```
@@ -237,6 +238,21 @@ The option to use a string is mostly relevant for when you want to override the
 OPENPROJECT_DISABLED__MODULES='backlogs meetings'
 ```
 
+### global basic auth
+
+*default: none*
+
+You can define a global set of credentials used to authenticate towards API v3.
+Example section for `configuration.yml`:
+
+```
+default:
+  authentication:
+    global_basic_auth:
+      user: admin
+      password: admin
+```
+
 ## Email configuration
 
 * `email_delivery_method`: The way emails should be delivered. Possible values: `smtp` or `sendmail`
diff --git a/doc/QUICK_START.md b/doc/QUICK_START.md
index 5c853b1f17e..29137daabc2 100644
--- a/doc/QUICK_START.md
+++ b/doc/QUICK_START.md
@@ -43,8 +43,8 @@ These are generic (and condensed) installation instructions for the **current de
 * Git
 * Database (MySQL 5.x/PostgreSQL 8.x)
 * Ruby 2.1.x
-* [Node.js] (version v0.10.x)
-* [Bundler] (version 1.5.1 or higher required)
+* Node.js (version v0.10.x)
+* Bundler (version 1.5.1 or higher required)
 
 ### Install Dependencies
 
diff --git a/doc/apiv3-documentation.apib b/doc/apiv3-documentation.apib
index 1c216357cfe..f99a468a5bf 100644
--- a/doc/apiv3-documentation.apib
+++ b/doc/apiv3-documentation.apib
@@ -93,7 +93,7 @@ For the future we plan to add authentication modes based on OAuth2 and OpenID Co
 
 Links to other resources in the API are represented uniformly by so called link objects.
 
-## Properties
+## Local Properties
 
 | Property  | Description                                                              | Type    | Required | Nullable | Default |
 |:---------:| ------------------------------------------------------------------------ | ------- |:--------:|:--------:| ------- |
@@ -207,8 +207,9 @@ embedded errors or simply state that multiple errors occured.
 
 * `urn:openproject-org:api:v3:errors:InvalidRequestBody` (**HTTP 400**) - The format of the request body did not match the servers expectation
 * `urn:openproject-org:api:v3:errors:InvalidRenderContext` (**HTTP 400**) - The client specified a rendering context that does not exist
-* `urn:openproject-org:api:v3:errors:InvalidUserStatusTransition` (**HTTP 400**) The client used an invalid transition in the attempt to change the status of a user account.
-* `urn:openproject-org:api:v3:errors:MissingPermission` (**HTTP 401** / **HTTP 403**) - The client does not have the needed permissions to perform the requested action
+* `urn:openproject-org:api:v3:errors:InvalidUserStatusTransition` (**HTTP 400**) - The client used an invalid transition in the attempt to change the status of a user account.
+* `urn:openproject-org:api:v3:errors:Unauthenticated` (**HTTP 401**) - The client has to authenticate to access the requested resource.
+* `urn:openproject-org:api:v3:errors:MissingPermission` (**HTTP 403**) - The client does not have the needed permissions to perform the requested action
 * `urn:openproject-org:api:v3:errors:NotFound` (**HTTP 404**) - Default for HTTP 404 when no further information is available
 * `urn:openproject-org:api:v3:errors:UpdateConflict` (**HTTP 409**) - The resource changed between GET-ing it and performing an update on it
 * `urn:openproject-org:api:v3:errors:TypeNotSupported` (**HTTP 415**) - The request contained data in an unsupported media type (Content-Type)
@@ -295,7 +296,7 @@ pagination can be found below the links table.
 A collection also carries meta information like the total count of elements in the collection or - in case of a paginated collection -
 the amount of elements returned in this response and action links to retrieve the remaining elements.
 
-## Properties
+## Local Properties
 
 | Property | Description                                                     | Type    | Availability                |
 |:--------:| --------------------------------------------------------------- | ------- | --------------------------- |
@@ -435,7 +436,7 @@ Cursor based pagination is therefore less suited for use cases where you want to
 
 # Group Activities
 
-## Properties:
+## Local Properties:
 | Property    | Description      | Type                 | Constraints | Supported operations |
 | :---------: | -------------    | ----                 | ----------- | -------------------- |
 | id          | Activity id      | Integer              | x > 0       | READ                 |
@@ -551,7 +552,7 @@ Updates an activity's comment and, on success, returns the updated activity.
 
 # Group Attachments
 
-## Properties:
+## Local Properties:
 | Property     | Description      | Type     | Constraints | Supported operations |
 | :---------:  | -------------    | ----     | ----------- | -------------------- |
 | id           | Attachment's id  | Integer  | x > 0       | READ                 |
@@ -613,7 +614,7 @@ Updates an activity's comment and, on success, returns the updated activity.
 | project         | The project of this category                        | Project       | not null    | READ                 |
 | defaultAssignee | Default assignee for work packages of this category | User          |             | READ                 |
 
-## Properties
+## Local Properties
 | Property   | Description   | Type    | Constraints | Supported operations |
 | :--------: | ------------- | ------- | ----------- | -------------------- |
 | id         | Category id   | Integer | x > 0       | READ                 |
@@ -1075,7 +1076,7 @@ The request body is the actual string that shall be rendered as HTML string.
 |:---------:|-------------------------------------------- | ------------- | --------------------- | -------------------- |
 | self      | This priority                               | Priority      | not null              | READ                 |
 
-## Properties
+## Local Properties
 | Property    | Description                                 | Type       | Constraints | Supported operations |
 | :---------: | ------------------------------------------- | ---------- | ----------- | -------------------- |
 | id          | Priority id                                 | Integer    | x > 0       | READ                 |
@@ -1238,7 +1239,7 @@ The request body is the actual string that shall be rendered as HTML string.
 | types      | Types available in this project      | Types      | not null    | READ                 |
 | versions   | Versions available in this project   | Versions   | not null    | READ                 |
 
-## Properties:
+## Local Properties:
 | Property    | Description                                   | Type     | Constraints | Supported operations |
 | :---------: | -------------                                 | ----     | ----------- | -------------------- |
 | id          | Projects's id                                 | Integer  | x > 0       | READ                 |
@@ -1485,7 +1486,7 @@ For more details and all possible responses see the general specification of [Fo
 
 # Group Queries
 
-## Properties:
+## Local Properties:
 | Property     | Description   | Type    | Constraints | Supported operations |
 | :---------:  | ------------- | ----    | ----------- | -------------------- |
 | id           | Query id      | Integer | x > 0       | READ                 |
@@ -1749,7 +1750,7 @@ The `allowedValues` can either contain a list of canonical links or just a singl
 This is an optimization to allow efficient handling of both small resource lists (that can be enumerated inline) and large
 resource lists (requiring one or more separate requests).
 
-## Properties:
+## Local Properties:
 
 | Property          | Description                                                                        | Type     | Default |
 |:-----------------:| ---------------------------------------------------------------------------------- | -------- | ------- |
@@ -1845,7 +1846,7 @@ This is an example of how a schema might look like. Note that this endpoint does
 |:-------------:|-------------------------- | ------------- | ----------- | -------------------- |
 | self          | This status               | Status        | not null    | READ                 |
 
-## Properties
+## Local Properties
 | Property         | Description                                                   | Type    | Constraints   | Supported operations |
 | :--------:       | -------------                                                 | ------- | -----------   | -------------------- |
 | id               | Status id                                                     | Integer | x > 0         | READ                 |
@@ -2046,7 +2047,7 @@ This is an example of how a schema might look like. Note that this endpoint does
 |:-------------:|-------------------------- | ------------- | ----------- | -------------------- |
 | self          | This string object        | StringObject  | not null    | READ                 |
 
-## Properties
+## Local Properties
 | Property         | Description                                    | Type     | Constraints | Supported operations |
 |:----------------:| ---------------------------------------------- | -------- | ----------- | -------------------- |
 | value            | The value of the string                        | String   |             | READ                 |
@@ -2083,7 +2084,7 @@ e.g. to be able to provide `allowedValues` for a string typed property.
 |:-------------:|-------------------------- | ------------- | ----------- | -------------------- |
 | self          | This type                 | Type          | not null    | READ                 |
 
-## Properties
+## Local Properties
 | Property         | Description                                    | Type     | Constraints | Supported operations |
 |:----------------:| ---------------------------------------------- | -------- | ----------- | -------------------- |
 | id               | Type id                                        | Integer  | x > 0       | READ                 |
@@ -2319,7 +2320,7 @@ This endpoint lists the types that are *available* in a given project.
 |:---------:|-------------------------------------------- | ------------- | --------------------- | -------------------- |
 | self      | This user                                   | User          | not null              | READ                 |
 
-## Properties:
+## Local Properties:
 | Property    | Description                                               | Type     | Constraints | Supported operations | Condition                 |
 | :---------: | -------------                                             | ----     | ----------- | -------------------- | ------------------------- |
 | id          | User's id                                                 | Integer  | x > 0       | READ                 |                           |
@@ -2546,7 +2547,7 @@ Permanently deletes the specified user account.
 | definingProject     | The project to which the version belongs | Project       | only present if the project is visible for the current user    | READ                 |
 | availableInProjects | Projects where this version can be used  | Projects      | not null                                                       | READ                 |
 
-## Properties
+## Local Properties
 | Property    | Description                                   | Type        | Constraints | Supported operations |
 | :---------: | --------------------------------------------- | ----------- | ----------- | -------------------- |
 | id          | Version id                                    | Integer     | x > 0       | READ                 |
@@ -2742,7 +2743,7 @@ Note that due to sharing this might be more than the versions *defined* by that
 | type               | The type of the work package                                                                                                                          | Type         | not null     | READ / WRITE          |                                           |
 | version            | The version associated to the work package                                                                                                            | Version      |              | READ / WRITE          |                                           |
 
-## Properties:
+## Local Properties:
 
 | Property         | Description                                            | Type        | Constraints                                                                                            | Supported operations | Condition                        |
 | :--------------: | ------------------------------------------------------ | ----------- | ------------------------------------------------------------------------------------------------------ | -------------------- | -------------------------------- |
diff --git a/extra/svn/reposman.rb b/extra/svn/reposman.rb
index 88b1b6d087d..ae8241ae149 100755
--- a/extra/svn/reposman.rb
+++ b/extra/svn/reposman.rb
@@ -205,7 +205,7 @@ def set_owner_and_rights(project, repos_path, &block)
 end
 
 def other_read_right?(file)
-  (File.stat(file).mode & 0007).zero? ? false : true
+  !(File.stat(file).mode & 0007).zero?
 end
 
 def owner_name(file)
diff --git a/features/step_definitions/custom_web_steps.rb b/features/step_definitions/custom_web_steps.rb
index 3a9561e96d5..984e820a039 100644
--- a/features/step_definitions/custom_web_steps.rb
+++ b/features/step_definitions/custom_web_steps.rb
@@ -60,7 +60,7 @@ end
 Then /^"([^"]*)" should (not )?be selectable from "([^"]*)"$/ do |value, negative, select_id|
   # more page.evaluate ugliness
   find(:xpath, '//body')
-  bool = negative ? false : true
+  bool = !negative
   (page.evaluate_script("$('#{select_id}').select('option[value=#{value}]').first.disabled") =~ /^#{bool}$/).should be_present
 end
 
diff --git a/features/step_definitions/general_steps.rb b/features/step_definitions/general_steps.rb
index daf21e61885..1e5b7a9101b 100644
--- a/features/step_definitions/general_steps.rb
+++ b/features/step_definitions/general_steps.rb
@@ -214,8 +214,8 @@ Given /^there are the following issue status:$/ do |table|
   table.hashes.each_with_index do |t, i|
     status = Status.find_by(name: t['name'])
     status = Status.new name: t['name'] if status.nil?
-    status.is_closed = t['is_closed'] == 'true' ? true : false
-    status.is_default = t['is_default'] == 'true' ? true : false
+    status.is_closed = t['is_closed'] == 'true'
+    status.is_default = t['is_default'] == 'true'
     status.position = t['position'] ? t['position'] : i
     status.default_done_ratio = t['default_done_ratio']
     status.save!
diff --git a/features/step_definitions/password_steps.rb b/features/step_definitions/password_steps.rb
index 7932360f158..728f4fb602b 100644
--- a/features/step_definitions/password_steps.rb
+++ b/features/step_definitions/password_steps.rb
@@ -143,7 +143,7 @@ def set_user_attribute(login, attribute, value)
 end
 
 Given /^the user "(.+)" is(not |) forced to change his password$/ do |login, disable|
-  set_user_attribute(login, :force_password_change, (disable == 'not ') ? false : true)
+  set_user_attribute(login, :force_password_change, disable != 'not ')
 end
 
 Given /^I use the first existing token to request a password reset$/ do
diff --git a/features/step_definitions/web_steps.rb b/features/step_definitions/web_steps.rb
index 90a9f7dbbad..742dfb5cec7 100644
--- a/features/step_definitions/web_steps.rb
+++ b/features/step_definitions/web_steps.rb
@@ -319,7 +319,7 @@ end
 Then /^there should be a( disabled)? "(.+)" field( visible| invisible)?$/ do |disabled, fieldname, visible|
   # Checking for a disabled field will only work for field with labels where the label
   # has a correctly filled "for" attribute
-  visibility = visible && visible.include?('invisible') ? false : true
+  visibility = visible && !visible.include?('invisible')
 
   if disabled
     # disabled fields can not be found via find_field
diff --git a/frontend/app/ui_components/wiki-toolbar-directive.js b/frontend/app/ui_components/wiki-toolbar-directive.js
index e2081522937..f504ec80cf5 100644
--- a/frontend/app/ui_components/wiki-toolbar-directive.js
+++ b/frontend/app/ui_components/wiki-toolbar-directive.js
@@ -32,6 +32,7 @@ module.exports = function() {
                           'menubar=no, status=no, scrollbars=yes&quot;); return false;',
       HELP_LINK_HTML = jQuery('<button title="' + I18n.t('js.inplace.link_formatting_help') + '"' +
                               ' class="jstb_help icon icon-help" ' +
+                              ' type="button" ' +
                               'onclick="' + HELP_LINK_ONCLICK + '">' +
                               '<span class="hidden-for-sighted">' +
                               I18n.t('js.inplace.link_formatting_help') +
diff --git a/lib/api/errors/unauthenticated.rb b/lib/api/errors/unauthenticated.rb
index 9742a289329..e098f577d62 100644
--- a/lib/api/errors/unauthenticated.rb
+++ b/lib/api/errors/unauthenticated.rb
@@ -30,8 +30,8 @@
 module API
   module Errors
     class Unauthenticated < ErrorBase
-      def initialize
-        super 401, I18n.t('api_v3.errors.code_401')
+      def initialize(message = I18n.t('api_v3.errors.code_401'))
+        super 401, message
       end
     end
   end
diff --git a/lib/api/root.rb b/lib/api/root.rb
index 1d49796106a..ea12449f095 100644
--- a/lib/api/root.rb
+++ b/lib/api/root.rb
@@ -31,8 +31,13 @@
 # This is the place for all API wide configuration, helper methods, exceptions
 # rescuing, mounting of differnet API versions etc.
 
+require 'open_project/authentication'
+
 module API
   class Root < Grape::API
+    include OpenProject::Authentication::Scope
+    extend API::Utilities::GrapeHelper
+
     prefix :api
 
     class Formatter
@@ -59,19 +64,32 @@ module API
 
     parser :json, Parser.new
 
+    use OpenProject::Authentication::Manager
+
     helpers do
       def current_user
-        return User.current if running_in_test_env?
-        user_id = env['rack.session']['user_id']
-        User.current = user_id ? User.find(user_id) : User.anonymous
+        User.current
+      end
+
+      def warden
+        env['warden']
       end
 
       def authenticate
-        if Setting.login_required? && (current_user.nil? || current_user.anonymous?)
-          raise API::Errors::Unauthenticated
+        warden.authenticate! scope: API_V3
+
+        User.current = warden.user scope: API_V3
+
+        if Setting.login_required? and not logged_in?
+          raise ::API::Errors::Unauthenticated
         end
       end
 
+      def logged_in?
+        # An admin SystemUser is anonymous but still a valid user to be logged in.
+        current_user && (current_user.admin? || !current_user.anonymous?)
+      end
+
       def authorize(permission, context: nil, global: false, user: current_user)
         is_authorized = AuthorizationService.new(permission,
                                                  context: context,
@@ -124,34 +142,29 @@ module API
       end
     end
 
-    rescue_from ActiveRecord::RecordNotFound do
-      api_error = ::API::Errors::NotFound.new
-      representer = ::API::V3::Errors::ErrorRepresenter.new(api_error)
-      env['api.format'] = 'hal+json'
-      error_response(status: api_error.code, message: representer.to_json)
+    def self.auth_headers
+      { 'WWW-Authenticate' => %(Basic realm="#{OpenProject::Authentication::Realm.realm}") }
     end
 
-    rescue_from ActiveRecord::StaleObjectError do
-      api_error = ::API::Errors::Conflict.new
-      representer = ::API::V3::Errors::ErrorRepresenter.new(api_error)
-      env['api.format'] = 'hal+json'
-      error_response(status: api_error.code, message: representer.to_json)
+    ##
+    # Return JSON error response on authentication failure.
+    OpenProject::Authentication.handle_failure(scope: API_V3) do |warden, _opts|
+      e = grape_error_for warden.env, self
+      error_message = I18n.t('api_v3.errors.code_401_wrong_credentials')
+      api_error = ::API::Errors::Unauthenticated.new error_message
+      representer = ::API::V3::Errors::ErrorRepresenter.new api_error
+
+      e.error_response status: 401, message: representer.to_json, headers: warden.headers
     end
 
-    rescue_from ::API::Errors::ErrorBase, rescue_subclasses: true do |e|
-      representer = ::API::V3::Errors::ErrorRepresenter.new(e)
-      env['api.format'] = 'hal+json'
-      error_response(status: e.code, message: representer.to_json)
-    end
+    error_response ActiveRecord::RecordNotFound, ::API::Errors::NotFound.new
+    error_response ActiveRecord::StaleObjectError, ::API::Errors::Conflict.new
+
+    error_response ::API::Errors::Unauthenticated, headers: auth_headers
+    error_response ::API::Errors::ErrorBase, rescue_subclasses: true
 
     # run authentication before each request
     before do
-      # Call current_user as it sets User.current.
-      # Not doing this might cause devs to use User.current without that value
-      # being set to the actually current user. That might result in standard
-      # users becoming admins and otherwise based on who called the ruby
-      # process last.
-      current_user
       authenticate
     end
 
diff --git a/lib/api/utilities/grape_helper.rb b/lib/api/utilities/grape_helper.rb
new file mode 100644
index 00000000000..bb887d0fd03
--- /dev/null
+++ b/lib/api/utilities/grape_helper.rb
@@ -0,0 +1,72 @@
+#-- encoding: UTF-8
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+module API
+  module Utilities
+    module GrapeHelper
+      ##
+      # We need this to be able to use `Grape::Middleware::Error#error_response`
+      # outside of the Grape context. We use it outside of the Grape context because
+      # OpenProject authentication happens in a middleware upstream of Grape.
+      class GrapeError < Grape::Middleware::Error
+        def initialize(env)
+          @env = env
+          @options = {}
+        end
+      end
+
+      def grape_error_for(env, api)
+        GrapeError.new(env).tap do |e|
+          e.options[:content_types] = api.content_types
+          e.options[:format] = 'hal+json'
+        end
+      end
+
+      def error_response(rescued_error, error = nil, rescue_subclasses: nil, headers: {})
+        default_response = lambda do |e|
+          representer = ::API::V3::Errors::ErrorRepresenter.new e
+          env['api.format'] = 'hal+json'
+
+          error_response status: e.code, message: representer.to_json, headers: headers
+        end
+
+        response =
+          if error.nil?
+            default_response
+          else
+            lambda { instance_exec error, &default_response }
+          end
+
+        # We do this lambda business because #rescue_from behaves differently
+        # depending on the number of parameters the passed block accepts.
+        rescue_from rescued_error, rescue_subclasses: rescue_subclasses, &response
+      end
+    end
+  end
+end
diff --git a/lib/api/v3/errors/error_representer.rb b/lib/api/v3/errors/error_representer.rb
index f87f117d63a..08d6a451fe6 100644
--- a/lib/api/v3/errors/error_representer.rb
+++ b/lib/api/v3/errors/error_representer.rb
@@ -62,7 +62,9 @@ module API
             'urn:openproject-org:api:v3:errors:UpdateConflict'
           when ::API::Errors::NotFound
             'urn:openproject-org:api:v3:errors:NotFound'
-          when ::API::Errors::Unauthenticated, ::API::Errors::Unauthorized
+          when ::API::Errors::Unauthenticated
+            'urn:openproject-org:api:v3:errors:Unauthenticated'
+          when ::API::Errors::Unauthorized
             'urn:openproject-org:api:v3:errors:MissingPermission'
           when ::API::Errors::UnwritableProperty
             'urn:openproject-org:api:v3:errors:PropertyIsReadOnly'
diff --git a/lib/open_project/authentication.rb b/lib/open_project/authentication.rb
new file mode 100644
index 00000000000..c0666454774
--- /dev/null
+++ b/lib/open_project/authentication.rb
@@ -0,0 +1,74 @@
+require 'open_project/authentication/manager'
+
+module OpenProject
+  ##
+  # OpenProject uses Warden strategies for request authentication.
+  module Authentication
+    class << self
+      ##
+      # Updates the used warden strategies for a given scope. The strategies will be tried
+      # in the order they are set here. Plugins can call this to add or remove strategies.
+      # For available scopes please refer to `OpenProject::Authentication::Scope`.
+      #
+      # @param [Symbol] scope The scope for which to update the used warden strategies.
+      # @param [Boolean] store Indicates whether the user should be stored in the session
+      #                        for this scope. Optional. If not given, the current store flag
+      #                        for this strategy will remain unchanged what ever it is.
+      #
+      # @yield [strategies] A block returning the strategies to be used for this scope.
+      # @yieldparam [Array] strategies The strategies currently used by this scope. May be empty.
+      # @yieldreturn [Array] The strategies to be used by this scope.
+      def update_strategies(scope, store: nil, &block)
+        raise ArgumentError, "invalid scope: #{scope}" unless Scope.values.include? scope
+
+        current_strategies = Array(Manager.scope_strategies[scope])
+
+        Manager.store_defaults[scope] = store unless store.nil?
+        Manager.scope_strategies[scope] = block.call current_strategies if block_given?
+      end
+
+      ##
+      # Allows to handle an authentication failure with a custom response.
+      #
+      # @param [Symbol] scope The scope for which to set the custom failure handler. Optional.
+      #                       If omitted the default failure handler is set.
+      #
+      # @yield [failure_handler] A block returning a custom failure response.
+      # @yieldparam [Warden::Proxy] warden Warden instance giving access to the would-be
+      #                             result message and headers.
+      # @yieldparam [Hash] warden_options Warden options including the scope of the failed
+      #                                   strategy and the attempted request path.
+      # @yieldreturn [Array] A rack standard response such as `[401, {}, ['unauthenticated']]`.
+      def handle_failure(scope: nil, &block)
+        Manager.failure_handlers[scope] = block
+      end
+    end
+
+    ##
+    # This module is only there to declare all used scopes. Technically a scope can be an
+    # arbitrary symbol. But we declare them here not to lose sight of them.
+    #
+    # Plugins can declare new scopes by declaring new constants in this module.
+    module Scope
+      API_V3 = :api_v3
+
+      class << self
+        def values
+          constants.map do |name|
+            const_get name
+          end
+        end
+      end
+    end
+
+    module Realm
+      module_function
+
+      def realm
+        'OpenProject'
+      end
+    end
+  end
+end
+
+Warden::Strategies::BasicAuth.prepend OpenProject::Authentication::Realm
diff --git a/lib/open_project/authentication/failure_app.rb b/lib/open_project/authentication/failure_app.rb
new file mode 100644
index 00000000000..8d7e71daff2
--- /dev/null
+++ b/lib/open_project/authentication/failure_app.rb
@@ -0,0 +1,52 @@
+module OpenProject
+  module Authentication
+    class FailureApp
+      attr_reader :failure_handlers
+
+      def initialize(failure_handlers)
+        @failure_handlers = failure_handlers
+      end
+
+      def call(env)
+        warden = self.warden env
+        scope = self.scope env
+
+        if warden && warden.result == :failure
+          handler = failure_handlers[scope] || default_failure_handler
+
+          if handler
+            handler.call warden, warden_options(env)
+          else
+            handle_failure warden
+          end
+        else
+          unauthorized
+        end
+      end
+
+      def default_failure_handler
+        failure_handlers[nil]
+      end
+
+      def handle_failure(warden)
+        [warden.status || 401, warden.headers, [warden.message]]
+      end
+
+      def unauthorized
+        [401, {}, ['unauthorized']]
+      end
+
+      def warden(env)
+        env['warden']
+      end
+
+      def warden_options(env)
+        Hash(env['warden.options'])
+      end
+
+      def scope(env)
+        warden_options(env)[:scope]
+      end
+    end
+  end
+end
diff --git a/lib/open_project/authentication/manager.rb b/lib/open_project/authentication/manager.rb
new file mode 100644
index 00000000000..57520cf7d5b
--- /dev/null
+++ b/lib/open_project/authentication/manager.rb
@@ -0,0 +1,46 @@
+module OpenProject
+  module Authentication
+    class Manager < Warden::Manager
+      serialize_into_session do |user|
+        user.id
+      end
+
+      serialize_from_session do |id|
+        User.find id
+      end
+
+      def initialize(app, options = {}, &configure)
+        block = lambda do |config|
+          self.class.configure config
+
+          configure.call config if configure
+        end
+
+        super app, options, &block
+      end
+
+      class << self
+        def scope_strategies
+          @scope_strategies ||= {}
+        end
+
+        def store_defaults
+          @store_defaults ||= Hash.new false
+        end
+
+        def failure_handlers
+          @failure_handlers ||= {}
+        end
+
+        def configure(config)
+          config.default_strategies :session
+          config.failure_app = OpenProject::Authentication::FailureApp.new failure_handlers
+
+          scope_strategies.each do |scope, strategies|
+            config.scope_defaults scope, strategies: strategies, store: store_defaults[scope]
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/open_project/authentication/strategies/warden/basic_auth_failure.rb b/lib/open_project/authentication/strategies/warden/basic_auth_failure.rb
new file mode 100644
index 00000000000..05bc8053360
--- /dev/null
+++ b/lib/open_project/authentication/strategies/warden/basic_auth_failure.rb
@@ -0,0 +1,16 @@
+module OpenProject
+  module Authentication
+    module Strategies
+      module Warden
+        ##
+        # This strategy is inserted after optional basic auth strategies to
+        # indicate that invalid basic auth credentials were provided.
+        class BasicAuthFailure < ::Warden::Strategies::BasicAuth
+          def authenticate_user(_username, _password)
+            nil # always fails
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/open_project/authentication/strategies/warden/global_basic_auth.rb b/lib/open_project/authentication/strategies/warden/global_basic_auth.rb
new file mode 100644
index 00000000000..97b9a93f0ec
--- /dev/null
+++ b/lib/open_project/authentication/strategies/warden/global_basic_auth.rb
@@ -0,0 +1,87 @@
+require 'warden/basic_auth'
+
+module OpenProject
+  module Authentication
+    module Strategies
+      module Warden
+        ##
+        # Allows authentication via a singular set of basic auth credentials for admin access.
+        #
+        # The credentials must be configured in `config/configuration.yml` like this:
+        #
+        #     production:
+        #       authentication:
+        #         global_basic_auth:
+        #           user: admin
+        #           password: 123456
+        #
+        # The strategy will only be triggered when the configured user name is sent.
+        # Meaning that this strategy is skipped if a basic auth attempt involving any
+        # other user name is made.
+        class GlobalBasicAuth < ::Warden::Strategies::BasicAuth
+          def self.configuration
+            @configuration ||= configure!
+          end
+
+          ##
+          # Updates the configuration for this strategy. It's usually called only once, at startup.
+          #
+          # @param [Hash] config The configuration to be used. Must contain :user and :password.
+          # @raise [ArgumentError] Raises an error if the configured user name collides with the
+          #                        user name used for UserBasicAuth (apikey) or if the
+          #                        provided password is empty.
+          # @return [Hash] The new hash set for the configuration or an empty hash if
+          #                no configuration was provided.
+          def self.configure!(config = openproject_config)
+            return {} if config.empty?
+
+            if config[:user] == UserBasicAuth.user
+              raise ArgumentError, "global user must not be '#{UserBasicAuth.user}'"
+            end
+
+            if config[:password].blank?
+              raise ArgumentError, "password must not be empty"
+            end
+
+            @configuration = config
+          end
+
+          ##
+          # Reads the configuration for this strategy from OpenProject's `configuration.yml`.
+          def self.openproject_config
+            config = OpenProject::Configuration
+            %w(authentication global_basic_auth).inject(config) do |acc, key|
+              HashWithIndifferentAccess.new acc[key]
+            end
+          end
+
+          def self.configuration?
+            user && password
+          end
+
+          def self.user
+            configuration[:user]
+          end
+
+          def self.password
+            configuration[:password].to_s
+          end
+
+          ##
+          # Only valid if global basic auth is configured and tried.
+          def valid?
+            self.class.configuration? && super && username == self.class.user
+          end
+
+          def authenticate_user(username, password)
+            if username == self.class.user && password == self.class.password
+              User.system.tap do |user|
+                user.admin = true
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/open_project/authentication/strategies/warden/session.rb b/lib/open_project/authentication/strategies/warden/session.rb
new file mode 100644
index 00000000000..9cb47db1bac
--- /dev/null
+++ b/lib/open_project/authentication/strategies/warden/session.rb
@@ -0,0 +1,31 @@
+module OpenProject
+  module Authentication
+    module Strategies
+      module Warden
+        ##
+        # Temporary strategy necessary as long as the OpenProject authentication has
+        # not been unified in terms of Warden strategies and is only locally
+        # applied to the API v3.
+        class Session < ::Warden::Strategies::Base
+          def valid?
+            session
+          end
+
+          def authenticate!
+            user = user_id ? User.find(user_id) : User.anonymous
+
+            success! user
+          end
+
+          def user_id
+            Hash(session)['user_id']
+          end
+
+          def session
+            env['rack.session']
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/open_project/authentication/strategies/warden/user_basic_auth.rb b/lib/open_project/authentication/strategies/warden/user_basic_auth.rb
new file mode 100644
index 00000000000..c6cb39e9a9b
--- /dev/null
+++ b/lib/open_project/authentication/strategies/warden/user_basic_auth.rb
@@ -0,0 +1,30 @@
+require 'warden/basic_auth'
+
+module OpenProject
+  module Authentication
+    module Strategies
+      module Warden
+        ##
+        # Allows users to authenticate using their API key via basic auth.
+        # Note that in order for a user to be able to generate one
+        # `Setting.rest_api_enabled` has to be `1`.
+        #
+        # The basic auth credentials are expected to contain the literal 'apikey'
+        # as the user name and the API key as the password.
+        class UserBasicAuth < ::Warden::Strategies::BasicAuth
+          def self.user
+            'apikey'
+          end
+
+          def valid?
+            super && username == self.class.user
+          end
+
+          def authenticate_user(_, api_key)
+            User.find_by_api_key api_key
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/open_project/text_formatting.rb b/lib/open_project/text_formatting.rb
index 4e59ee5bda1..8bfd880c96b 100644
--- a/lib/open_project/text_formatting.rb
+++ b/lib/open_project/text_formatting.rb
@@ -80,7 +80,7 @@ module OpenProject
       # don't return html in edit mode when textile or text formatting is enabled
       return text if edit
       project = options[:project] || @project || (obj && obj.respond_to?(:project) ? obj.project : nil)
-      only_path = options.delete(:only_path) == false ? false : true
+      only_path = options.delete(:only_path) != false
 
       # offer 'plain' as readable version for 'no formatting' to callers
       options_format = options[:format] == 'plain' ? '' : options[:format]
diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb
index afe177aabbf..d57d77e06f9 100644
--- a/lib/open_project/version.rb
+++ b/lib/open_project/version.rb
@@ -32,7 +32,7 @@ require 'rexml/document'
 module OpenProject
   module VERSION #:nodoc:
     MAJOR = 4
-    MINOR = 2
+    MINOR = 3
     PATCH = 0
     TINY  = PATCH # Redmine compat
 
diff --git a/lib/redmine/default_data/loader.rb b/lib/redmine/default_data/loader.rb
index bdbda3fe62e..c80ef4d2331 100644
--- a/lib/redmine/default_data/loader.rb
+++ b/lib/redmine/default_data/loader.rb
@@ -201,32 +201,63 @@ module Redmine
             none = ::Type.standard_type
 
             # Issue statuses
-            new      = Status.create!(name: l(:default_status_new), is_closed: false, is_default: true, position: 1)
-            specified  = Status.create!(name: l(:default_status_specified), is_closed: false, is_default: false, position: 2)
-            confirmed  = Status.create!(name: l(:default_status_confirmed), is_closed: false, is_default: false, position: 3)
-            to_be_scheduled  = Status.create!(name: l(:default_status_to_be_scheduled), is_closed: false, is_default: false, position: 4)
-            scheduled  = Status.create!(name: l(:default_status_scheduled), is_closed: false, is_default: false, position: 5)
-            in_progress  = Status.create!(name: l(:default_status_in_progress), is_closed: false, is_default: false, position: 6)
-            tested  = Status.create!(name: l(:default_status_tested), is_closed: false, is_default: false, position: 7)
-            on_hold  = Status.create!(name: l(:default_status_on_hold), is_closed: false, is_default: false, position: 8)
-            rejected  = Status.create!(name: l(:default_status_rejected), is_closed: true, is_default: false, position: 9)
-            closed    = Status.create!(name: l(:default_status_closed), is_closed: true, is_default: false, position: 10)
+            new      = Status.create!(name: l(:default_status_new),
+                                      is_closed: false,
+                                      is_default: true,
+                                      position: 1)
+            specified  = Status.create!(name: l(:default_status_specified),
+                                        is_closed: false,
+                                        is_default: false,
+                                        position: 2)
+            confirmed  = Status.create!(name: l(:default_status_confirmed),
+                                        is_closed: false,
+                                        is_default: false,
+                                        position: 3)
+            to_be_scheduled  = Status.create!(name: l(:default_status_to_be_scheduled),
+                                              is_closed: false,
+                                              is_default: false,
+                                              position: 4)
+            scheduled  = Status.create!(name: l(:default_status_scheduled),
+                                        is_closed: false,
+                                        is_default: false,
+                                        position: 5)
+            in_progress  = Status.create!(name: l(:default_status_in_progress),
+                                          is_closed: false,
+                                          is_default: false,
+                                          position: 6)
+            tested  = Status.create!(name: l(:default_status_tested),
+                                     is_closed: false,
+                                     is_default: false,
+                                     position: 7)
+            on_hold  = Status.create!(name: l(:default_status_on_hold),
+                                      is_closed: false,
+                                      is_default: false,
+                                      position: 8)
+            rejected  = Status.create!(name: l(:default_status_rejected),
+                                       is_closed: true,
+                                       is_default: false,
+                                       position: 9)
+            closed    = Status.create!(name: l(:default_status_closed),
+                                       is_closed: true,
+                                       is_default: false,
+                                       position: 10)
 
-            # Workflow
-            statuses_for_task = [new, in_progress, on_hold, rejected, closed]
-            statuses_for_deliverable = [new, specified, in_progress, on_hold, rejected, closed]
-            statuses_for_none = [new, in_progress, rejected, closed]
-            statuses_for_milestone = [new, to_be_scheduled, scheduled, in_progress, on_hold, rejected, closed]
-            statuses_for_phase = statuses_for_milestone
-            statuses_for_bug = [new, confirmed, in_progress, tested, on_hold, rejected, closed]
-            statuses_for_feature = [new, specified, confirmed, in_progress, tested, on_hold, rejected, closed]
-            # Give each type its own workflow. Possible statuses are stored in one of the arrays above.
-            # Every status from the array gets a workflow to every other status from the array.
-            ['task', 'deliverable', 'none', 'milestone', 'phase', 'bug', 'feature'].each { |t|
-              (eval 'statuses_for_'.concat(t)).each { |os|
-                (eval 'statuses_for_'.concat(t)).each { |ns|
+            # Workflow - Each type has its own workflow
+            workflows = { task.id =>        [new, in_progress, on_hold, rejected, closed],
+                          deliverable.id => [new, specified, in_progress, on_hold, rejected, closed],
+                          none.id =>        [new, in_progress, rejected, closed],
+                          milestone.id =>   [new, to_be_scheduled, scheduled, in_progress, on_hold, rejected, closed],
+                          phase.id =>       [new, to_be_scheduled, scheduled, in_progress, on_hold, rejected, closed],
+                          bug.id =>         [new, confirmed, in_progress, tested, on_hold, rejected, closed],
+                          feature.id =>     [new, specified, confirmed, in_progress, tested, on_hold, rejected, closed] }
+            workflows.each { |type_id, statuses_for_type|
+              statuses_for_type.each { |old_status|
+                statuses_for_type.each { |new_status|
                   [manager.id, member.id].each { |role_id|
-                    Workflow.create!(type_id: (eval t).id, role_id: role_id, old_status_id: os.id, new_status_id: ns.id) unless os == ns
+                    Workflow.create!(type_id: type_id,
+                                     role_id: role_id,
+                                     old_status_id: old_status.id,
+                                     new_status_id: new_status.id)
                   }
                 }
               }
diff --git a/lib/redmine/wiki_formatting/textile/helper.rb b/lib/redmine/wiki_formatting/textile/helper.rb
index 06f2e891e0a..a7f382411e0 100644
--- a/lib/redmine/wiki_formatting/textile/helper.rb
+++ b/lib/redmine/wiki_formatting/textile/helper.rb
@@ -38,6 +38,7 @@ module Redmine
                       "height=640, menubar=no, status=no, scrollbars=yes\"); return false;"
           help_button = content_tag :button,
                                     '',
+                                    type: 'button',
                                     class: 'jstb_help icon icon-help',
                                     onclick: open_help,
                                     title: l(:setting_text_formatting) do
diff --git a/spec/factories/token_factory.rb b/spec/factories/token_factory.rb
index 0a4fb136916..0981cc26f70 100644
--- a/spec/factories/token_factory.rb
+++ b/spec/factories/token_factory.rb
@@ -26,8 +26,19 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++
 
+require 'securerandom'
+
 FactoryGirl.define do
   factory :token do
-    # doesn't need anything
+    user
+    value { SecureRandom.hex(16) }
+
+    factory :api_key do
+      action 'api'
+    end
+
+    factory :rss_key do
+      action 'rss'
+    end
   end
 end
diff --git a/spec/lib/open_project/authentication/strategies/warden/global_basic_auth_spec.rb b/spec/lib/open_project/authentication/strategies/warden/global_basic_auth_spec.rb
new file mode 100644
index 00000000000..925ff4f2f7d
--- /dev/null
+++ b/spec/lib/open_project/authentication/strategies/warden/global_basic_auth_spec.rb
@@ -0,0 +1,75 @@
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+require 'spec_helper'
+
+Strategies = OpenProject::Authentication::Strategies::Warden
+
+describe Strategies::GlobalBasicAuth do
+  let(:user) { 'someuser' }
+  let(:password) { 'somepassword' }
+
+  let(:config) do
+    lambda do
+      Strategies::GlobalBasicAuth.configure! user: user, password: password
+    end
+  end
+
+  context "with UserBasicAuth's reserved username" do
+    let(:user) { Strategies::UserBasicAuth.user }
+
+    before do
+      allow(Strategies::UserBasicAuth).to receive(:user).and_return('schluessel')
+    end
+
+    it "raises an error" do
+      expect(config).to raise_error("global user must not be 'schluessel'")
+    end
+  end
+
+  context 'with an empty pasword' do
+    let(:password) { '' }
+
+    it 'raises an error' do
+      expect(config).to raise_error('password must not be empty')
+    end
+  end
+
+  context 'with digits-only password' do
+    let(:password) { 1234 }
+    let(:strategy) { Strategies::GlobalBasicAuth.new nil }
+
+    before do
+      config.call
+    end
+
+    it 'must authenticate successfully' do
+      expect(strategy.authenticate_user(user, '1234')).to be_truthy
+    end
+  end
+end
diff --git a/spec/requests/api/v3/authentication_spec.rb b/spec/requests/api/v3/authentication_spec.rb
new file mode 100644
index 00000000000..15e98740a74
--- /dev/null
+++ b/spec/requests/api/v3/authentication_spec.rb
@@ -0,0 +1,217 @@
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+require 'spec_helper'
+
+describe API::V3, type: :request do
+  describe 'basic auth' do
+    let(:user)     { FactoryGirl.create :user }
+    let(:resource) { "/api/v3/users/#{user.id}" }
+
+    let(:response_401) do
+      {
+        '_embedded'       => {},
+        '_type'           => 'Error',
+        'errorIdentifier' => 'urn:openproject-org:api:v3:errors:Unauthenticated',
+        'message'         => expected_message
+      }
+    end
+
+    let(:expected_message) { 'You need to be authenticated to access this resource.' }
+
+    Strategies = OpenProject::Authentication::Strategies::Warden
+
+    def basic_auth(user, password)
+      credentials = ActionController::HttpAuthentication::Basic.encode_credentials user, password
+      { 'HTTP_AUTHORIZATION' => credentials }
+    end
+
+    shared_examples 'it is basic auth protected' do
+      context 'without credentials' do
+        before do
+          get resource
+        end
+
+        it 'should return 401 unauthorized' do
+          expect(response.status).to eq 401
+        end
+
+        it 'should return the correct JSON response' do
+          expect(JSON.parse(response.body)).to eq response_401
+        end
+
+        it 'should return the WWW-Authenticate header' do
+          expect(response.header['WWW-Authenticate']).to include 'Basic realm="OpenProject"'
+        end
+      end
+
+      context 'with invalid credentials' do
+        let(:expected_message) { 'You did not provide the correct credentials.' }
+
+        before do
+          get resource, {}, basic_auth(username, password.reverse)
+        end
+
+        it 'should return 401 unauthorized' do
+          expect(response.status).to eq 401
+        end
+
+        it 'should return the correct JSON response' do
+          expect(JSON.parse(response.body)).to eq response_401
+        end
+
+        it 'should return the correct content type header' do
+          expect(response.headers['Content-Type']).to eq 'application/hal+json; charset=utf-8'
+        end
+
+        it 'should return the WWW-Authenticate header' do
+          expect(response.header['WWW-Authenticate']).to include 'Basic realm="OpenProject"'
+        end
+      end
+
+      context 'with valid credentials' do
+        before do
+          get resource, {}, basic_auth(username, password)
+        end
+
+        it 'should return 200 OK' do
+          expect(response.status).to eq 200
+        end
+      end
+    end
+
+    context 'with login required' do
+      before do
+        Setting.login_required = 1
+      end
+
+      context 'with global basic auth configured' do
+        let(:username) { 'root' }
+        let(:password) { 'toor' }
+
+        before do
+          Strategies::GlobalBasicAuth.configure! user: 'root', password: 'toor'
+        end
+
+        it_behaves_like 'it is basic auth protected'
+
+        describe 'user basic auth' do
+          let(:api_key) { FactoryGirl.create :api_key }
+
+          let(:username) { 'apikey' }
+          let(:password) { api_key.value }
+
+          # check that user basic auth is tried when global basic auth fails
+          it_behaves_like 'it is basic auth protected'
+        end
+      end
+
+      describe 'user basic auth' do
+        let(:api_key) { FactoryGirl.create :api_key }
+
+        let(:username) { 'apikey' }
+        let(:password) { api_key.value }
+
+        # check that user basic auth works on its own too
+        it_behaves_like 'it is basic auth protected'
+      end
+    end
+
+    context 'without login required' do
+      before do
+        Setting.login_required = 0
+      end
+
+      context 'with global and user basic auth enabled' do
+        let(:username) { 'hancholo' }
+        let(:password) { 'olooleol' }
+
+        let(:api_user) { FactoryGirl.create :user, login: 'user_account' }
+        let(:api_key)  { FactoryGirl.create :api_key, user: api_user }
+
+        before do
+          config = { user: 'global_account', password: 'global_password' }
+          Strategies::GlobalBasicAuth.configure! config
+        end
+
+        context 'without credentials' do
+          before do
+            get resource
+          end
+
+          it 'should return 200 OK' do
+            expect(response.status).to eq 200
+          end
+
+          it 'should "login" the anonymous user' do
+            expect(User.current).to be_anonymous
+          end
+        end
+
+        context 'with invalid credentials' do
+          before do
+            get resource, {}, basic_auth(username, password)
+          end
+
+          it 'should return 401 unauthorized' do
+            expect(response.status).to eq 401
+          end
+        end
+
+        context 'with valid global credentials' do
+          before do
+            get resource, {}, basic_auth('global_account', 'global_password')
+          end
+
+          it 'should return 200 OK' do
+            expect(response.status).to eq 200
+          end
+
+          it 'should login an admin system user' do
+            expect(User.current.is_a?(SystemUser)).to eq true
+            expect(User.current).to be_admin
+          end
+        end
+
+        context 'with valid user credentials' do
+          before do
+            get resource, {}, basic_auth('apikey', api_key.value)
+          end
+
+          it 'should return 200 OK' do
+            expect(response.status).to eq 200
+          end
+
+          it 'should login user' do
+            expect(User.current).to eq api_user
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/spec/requests/api/v3/support/response_examples.rb b/spec/requests/api/v3/support/response_examples.rb
index 30cb6ca221f..6a2c652513e 100644
--- a/spec/requests/api/v3/support/response_examples.rb
+++ b/spec/requests/api/v3/support/response_examples.rb
@@ -92,7 +92,7 @@ end
 shared_examples_for 'unauthenticated access' do
   it_behaves_like 'error response',
                   401,
-                  'MissingPermission',
+                  'Unauthenticated',
                   I18n.t('api_v3.errors.code_401')
 end