Commit Graph

432 Commits

Author SHA1 Message Date
Kabiru Mwenja b29cf5a6bb Correct acts_as_event usage note and tighten followItem spec arg type
The header comment claimed search did not rely on acts_as_event; the
server-rendered search results page builds its work package links through
WorkPackage#event_url, so the note now reflects that search and atom feeds
both depend on it while the Activities subsystem uses its own providers.

Type the followItem spec helper from the method signature instead of
unknown, so the test states the argument contract explicitly.
2026-05-29 20:10:34 +03:00
Oliver Günther 274f7c6e3d Merge pull request #23230 from opf/feat/monthly-meeting-option
Meeting series: Add monthly scheduling options
2026-05-20 16:02:36 +02:00
Oliver Günther 6295d90346 Add monthly scheduling options 2026-05-20 15:20:16 +02:00
OpenProject Actions CI 7e1c003ba7 Merge branch 'release/17.4' into dev 2026-05-20 06:43:24 +00:00
OpenProject Actions CI 82c65d6a27 Merge branch 'release/17.3' into release/17.4 2026-05-20 06:42:24 +00:00
Oliver Günther 6ef24e9075 Merge pull request #23246 from opf/fix/journable-visibility
Explicitly call journable.visible? on the diff controller
2026-05-20 08:41:32 +02:00
Oliver Günther ac4794ad8f Use customizable? to check for non-customizable journables 2026-05-19 18:32:28 +02:00
Oliver Günther 96d703d863 Merge remote-tracking branch 'origin/release/17.4' into dev 2026-05-19 11:09:41 +02:00
Oliver Günther 0b08d49f0c Merge remote-tracking branch 'origin/release/17.3' into release/17.4 2026-05-19 11:09:30 +02:00
Oliver Günther ecfe44b22f Add missing msgpack require 2026-05-19 11:08:53 +02:00
Oliver Günther ac46afc084 Merge remote-tracking branch 'origin/release/17.4' into dev 2026-05-19 10:27:31 +02:00
Oliver Günther 3494170fdf Merge remote-tracking branch 'origin/release/17.3' into release/17.4 2026-05-19 10:27:20 +02:00
Oliver Günther 6d0b39b466 Merge pull request #23251 from opf/fix/use-message-pack-cache-serializer
Use MessagePack serializer that treats old marshal cache as miss
2026-05-19 10:26:48 +02:00
Oliver Günther 7c5d5e3e66 Actually add participants to history of meeting and to journal details 2026-05-18 20:10:00 +02:00
Eric Schubert f3f8625434 [chore] removed docs and code insertions for custom header
- X-Requested-With header no longer needed to prevent CSRF for session
  based auth
- removed occurrences and mentions from code and docs
2026-05-12 08:13:14 +02:00
Jan Sandbrink 0383ae171c Consider Sec-Fetch-Site header for session auth
This warden strategy is primarily used to allow APIv3 requests
from the browser, which only authenticates using its session cookie.

Since this is susceptible to cross-site-request-forgery, prevention of
CSRF must take place. This was so far only ensured through the usage of
the X-Requested-With header. When a client sent along this header, the
server could know that a CORS-preflight request must have been made and
thus the browser most certainly has validated that the request is valid
according to CORS rules.

However, the header itself is a non-standard header and while some JavaScript
frameworks add it to requests, not all of them do. For us this was practically
visible on the API docs hosted under `/api/docs`.

The solution is to expect the browser to send the Sec-Fetch-Site header with a value
of same-origin. This header can't be set through JavaScript, but only by the browser
and the value "same-origin" ensures that scheme, host and port are the same for requester
and requested endpoint, thus eliminating CSRF concerns. This feature is widely supported by
all major browsers, the last of which was Safari which added support 3 years ago.

We might want to consider dropping the check for X-Requested-With entirely, since it should be
superfluous. For now it was left in place for greater compatibility.
2026-05-12 08:13:14 +02:00
Alexander Brandon Coles f8e3ea3019 Merge remote-tracking branch 'opf/dev' into HEAD
# Conflicts:
#	frontend/src/assets/sass/backlogs/_master_backlog.sass
#	modules/backlogs/config/locales/crowdin/es.yml
#	modules/backlogs/config/locales/crowdin/uk.yml
#	modules/storages/config/locales/crowdin/zh-CN.yml
#	modules/wikis/config/locales/crowdin/es.yml
#	modules/wikis/config/locales/crowdin/uk.yml
#	modules/wikis/config/locales/crowdin/zh-CN.yml
2026-05-11 17:31:22 +02:00
as-op ed2881f594 [#74746] Avoid additional journal background jobs to be started by Jira import job
https://community.openproject.org/wp/74746
2026-05-07 14:59:44 +02:00
Klaus Zanders c502885230 Add allow_enabling attribute to FeatureDecisions 2026-05-05 11:57:29 +02:00
Klaus Zanders de15253cc2 Fix DynamicFindBy issues in our Codebase 2026-04-27 09:20:11 +02:00
Alexander Brandon Coles 4295e335f9 Move format_date_range to Redmine::I18n
Places the helper next to `format_date` and `format_time` so other
modules can reuse it. Adds YARD docs.
2026-04-20 17:29:58 +01:00
Oliver Günther 98c91275e2 Use scan on raw translate for link_translate building
We changed the way we output translation text in the link_translate
function. By using a SafeBuffer, the original text was already escaped
before it got handled by the link helper.

Instead, we can pass the raw link part of the translation string to the
link helper, allowing it to handle escaping, and output the rest of the
translation manually to the SafeBuffer.

This way, the entire string is subjected to escaping still, but will
allow entities to not be escaped.

https://community.openproject.org/work_packages/73513
2026-03-30 09:05:09 +02:00
Oliver Günther 468fa6de78 Adapt tests now that we use link_translate 2026-03-20 09:49:11 +01:00
Oliver Günther 4d731dcab6 Replace raw and explicit html_safe calls 2026-03-20 09:49:10 +01:00
Oliver Günther 00317e7197 Ensure we use renderer, not AC render method itself 2026-03-20 08:53:15 +01:00
Oliver Günther 50e16740ad Allow link attributes on link_translate 2026-03-20 08:53:15 +01:00
Ivan Kuchin 70c21d1255 Merge pull request #22214 from opf/bug/72823-refactor-projectcustomfields-loadservice
Bug/72823 refactor projectcustomfields loadservice
2026-03-10 15:13:16 +01:00
Ivan Kuchin 7296cdd4cf add missing check to custom_comment_for and custom_comment_changes 2026-03-09 17:05:37 +01:00
Ivan Kuchin fa69a60a44 bring order to custom values both in the relation and project custom fields load service 2026-03-05 15:57:33 +01:00
Markus Kahl a89cfaa2ec allow space separated list for IPs, document list delimiters 2026-03-05 12:15:36 +00:00
Markus Kahl 42d97005e2 add OpenProject::SsrfProtection, use it when sending test email to prevent attack 2026-03-05 12:15:35 +00:00
Ivan Kuchin 807c1bc6d5 Use stringify_keys instead of transform_keys(&:to_s)
Co-authored-by: Dombi Attila <83396+dombesz@users.noreply.github.com>
2026-02-25 20:07:28 +01:00
Ivan Kuchin 6a8975b419 handle delete custom fields in human attribute name 2026-02-25 20:07:26 +01:00
Ivan Kuchin 5bdf9f9874 don't use local variables automatically populated for named capture groups 2026-02-25 20:07:26 +01:00
Ivan Kuchin 73803c59cd add admin_only_allowed setting to acts_as_customizable 2026-02-25 20:07:13 +01:00
Ivan Kuchin 51bab06de3 rework setting custom comments to allow setting them also for inaccessible custom fields
This should be blocked on contract level
2026-02-25 20:07:09 +01:00
Ivan Kuchin 73f941b11e handle custom comment human attribute name 2026-02-25 20:07:08 +01:00
Ivan Kuchin d5c0b9d84e set comments and show changes even if custom field doesn't allow comments
Otherwise contract doesn't know that there was an attempt to set
attribute
2026-02-25 20:07:08 +01:00
Ivan Kuchin c16dcaf52d add accessors for comments also when has_comment is false 2026-02-25 20:07:07 +01:00
Ivan Kuchin ddcbd6adc3 always return comment_attribute_name even when has_comment is false 2026-02-25 20:07:07 +01:00
Ivan Kuchin ca452da4bb add accessors for custom comments
It was needed by project create contract spec
2026-02-25 20:07:07 +01:00
Ivan Kuchin ba4cc09ffe move custom_comment_for to acts as customizable 2026-02-25 20:07:01 +01:00
Ivan Kuchin 875f600ae3 return changes to comments from custom_field_changes and changed_with_custom_fields 2026-02-25 20:06:59 +01:00
Ivan Kuchin 57a4a894bd include acts as customizable methods at start of call 2026-02-25 20:06:59 +01:00
Ivan Kuchin 09d176c107 allow to assign comments in a way similar to values 2026-02-25 20:06:59 +01:00
Ivan Kuchin 574857a6ba move adding custom_comments relation to acts_as_customizable and mark for autosave 2026-02-25 16:00:32 +01:00
Ivan Kuchin a7854fe6f2 move configuration for ability to have custom comments to acts_as_customizable 2026-02-25 16:00:32 +01:00
Ivan Kuchin 26142f1af8 transform keys to strings instead of converting to hash with indifferent access 2026-02-25 16:00:29 +01:00
Ivan Kuchin b188bda6cb move admin_only check of custom field related activity to the query
This should be more efficient and will ensure "The changes were
retracted" message shown when all changes are hidden
2026-02-25 16:00:26 +01:00
Ivan Kuchin c75b885a63 add custom comment changes 2026-02-25 16:00:25 +01:00