We generate those tokens with a prefix, so that we
can decide by looking at a token, whether it's an API Token
or a different kind of token, so that we can decide which
code path to choose for validating the token.
The usage of access tokens as Bearer tokens has the usability advantage
that you can paste them as plaintext into tools that expect you
to specify the token as a header.
Also the Basic auth approach for our old tokens usually rather caused
issues, such as browsers prompting for credentials in surprising situations.
If we were to deprecate basic authentication one day, this change today could've
been the first step towards that.
- **it's** is a contraction of _it is_ or _it has_. It requires an
apostrophe.
- **its** is the possessive form of _it_, denoting ownership. It should
not use an apostrophe.
Found via `codespell -q 3 -S ./.git,./config/locales,./modules/xls_export/config/locales,./modules/job_status/config/locales,./modules/two_factor_authentication/config/locales,./modules/backlogs/config/locales/crowdin,./**/config/locales,./frontend/src/vendor -L ba,inflight,nd,parms,pullrequest,pullrequests,sur,varius`
They are for now still available as separate entities but that is more due to existing references to them both. Under the hood, they now depend on the
same structure `Settings::Definition` which just as well could have been named `Configuration::Definition`, that defines:
* the name
* the default value
* the type (which might be deferred from the default value)
* the array of allowed values
Both Setting and Configuration can now be overwritten using the same mechanisms:
* Default value
* Database value
* configuration.yml (settings.yml is removed)
* ENV vars
Updates the copyright to 2021 for all files that have a copyright. Files in our source code without the copyright header still do not receive one automatically. Additionally, blacklisted files are also excluded.
Previously the copyright of ChiliProject which references Redmine stated a copyright of Redmine up to and including 2017 which is not true for the code we have in here. Because of that I changed that to 2013.
- Remove attachment search from global search as it is currently incompatible
- Add rake task for indexing attachments that have not been indexed yet
- Make the attachments filters an EE feature.
This adds:
1. A configuration option `apiv3_enable_basic_auth` to determine whether v3 may use the basic auth strategies
2. Extensions to the warden strategies to disable them unless configured
This provides a configuration option to add `--trust-server-cert` to the
SVN calls made by OpenProject.
Either add the `trustedssl` key to the Subversion scm configuration or
set the ENV `OPENPROJECT_SCM_SUBVERSION_TRUSTEDSSL=true`.
When passing configuration settings through ENV (e.g., packager), we
can't pass arrays as configuration settings.
This PR allows `Repository.disabled_types` to be set as a String in ENV,
e.g., through
`OPENPROJECT_SCM_SUBVERSION_DISABLED__TYPES='existing,foobar'`.
Repositories were not properly relocated when using a managed remote.
This also changes the request to use an old identifier instead of the
whole path. The managed remote will build the correct old path itself.
Adds an `insecure` option to the `configuration.yml`.
This option only applies when the `manages:` key is set to a URL.
If the given URL uses SSL, certificate checking will be disabled.
This key is set for a packaged installation by default, since it communicates locally and
these installations may often include a snakeoil certificate.
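
The scoping rule for `insecure` described above, as an added Ruby example that is not OpenProject's own code. The helper names `managed_remote_client` and `tls_policy`, the `ca_file` option and the sample URLs are assumptions made for illustration.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical helper, not OpenProject's code. `ca_file` is an assumed extra
# option for trusting one self-signed certificate instead of disabling checks.
def managed_remote_client(manages:, insecure: false, ca_file: nil)
  uri = begin
    URI.parse(manages.to_s)
  rescue URI::InvalidURIError
    nil
  end
  # `insecure` only applies when `manages` is a URL; a local path gets no client.
  return nil unless uri.is_a?(URI::HTTP) && uri.host

  http = Net::HTTP.new(uri.host, uri.port)
  return http unless uri.is_a?(URI::HTTPS) # plain HTTP: no certificate to check

  http.use_ssl = true
  if insecure
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE # accepts any certificate
  else
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER # default: full chain check
    http.ca_file = ca_file if ca_file
  end
  http
end

# Summarise the effective TLS policy of a client, e.g. for a startup log line.
def tls_policy(http)
  return :no_client if http.nil?
  return :no_tls unless http.use_ssl?

  http.verify_mode == OpenSSL::SSL::VERIFY_NONE ? :verify_none : :verify_peer
end

# Constructed sample configurations (no connection is opened).
[
  { manages: '/srv/repositories', insecure: true },
  { manages: 'http://127.0.0.1:8080/repos', insecure: true },
  { manages: 'https://127.0.0.1/repos', insecure: true },
  { manages: 'https://repos.example.test/repos',
    ca_file: '/etc/ssl/certs/example-snakeoil.pem' }
].each do |cfg|
  puts "#{cfg[:manages]} insecure=#{cfg[:insecure].inspect} -> " \
       "#{tls_policy(managed_remote_client(**cfg))}"
end
```

Logging the value of `tls_policy` at startup makes an installation that runs with certificate checking disabled visible during review.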