Release OpenProject 17.0.4

Author: oliverguenther

app/contracts/messages/update_contract.rb

@@ -31,5 +31,20 @@
 # TODO: This is but a stub
 module Messages
   class UpdateContract < BaseContract
+    validate :moving_message_to_another_forum
+
+    private
+
+    def moving_message_to_another_forum
+      return if !model.forum_id_changed?
+      return if model.forum_id_was.nil?
+
+      old_forum = Forum.find_by(id: model.forum_id_was)
+      return if old_forum.nil?
+
+      return if old_forum.project_id == model.forum.project_id
+
+      errors.add(:forum_id, :cannot_move_message_to_forum_of_different_project)
+    end
   end
 end

app/contracts/queries/base_contract.rb

@@ -92,6 +92,14 @@ def user_allowed_to_make_public
       end
     end
 
+    def user_allowed_to_save_queries?
+      if model.project
+        user.allowed_in_project?(:save_queries, model.project)
+      else
+        user.allowed_in_any_project?(:save_queries)
+      end
+    end
+
     def timestamps_are_parsable
       invalid_timestamps = model.timestamps.reject(&:valid?)
 

app/contracts/queries/create_contract.rb

@@ -30,5 +30,10 @@
 
 module Queries
   class CreateContract < BaseContract
+    validate :user_allowed_to_save
+
+    def user_allowed_to_save
+      errors.add :base, :error_unauthorized unless user_allowed_to_save_queries?
+    end
   end
 end

app/contracts/queries/update_contract.rb

@@ -64,14 +64,6 @@ def user_allowed_to_edit_work_packages?
       user.allowed_in_any_work_package?(:edit_work_packages, in_project: model.project)
     end
 
-    def user_allowed_to_save_queries?
-      if model.project
-        user.allowed_in_project?(:save_queries, model.project)
-      else
-        user.allowed_in_any_project?(:save_queries)
-      end
-    end
-
     def user_allowed_to_change_query_to_private
       if model.user.is_a? DeletedUser
         errors.add :base, :error_unauthorized

app/models/capabilities/scopes/default.rb

@@ -72,7 +72,7 @@ def default_sql_by_member
             ON members.id = member_roles.member_id
             AND members.entity_type IS NULL
             AND members.entity_id IS NULL
-          JOIN (#{principal_sql}) users
+          JOIN users
             ON "users".id = members.user_id
           LEFT OUTER JOIN "projects"
             ON "projects".id = members.project_id
@@ -91,7 +91,7 @@ def default_sql_by_admin
             users.id principal_id,
             projects.id context_id
           FROM (#{Action.default.to_sql}) actions
-          JOIN (#{principal_sql}) users
+          JOIN users
             ON "users".admin = true AND actions.grant_to_admin = true
           LEFT OUTER JOIN "projects"
             ON "projects".active = true
@@ -115,7 +115,7 @@ def default_sql_by_non_member
           JOIN "roles"
             ON ("roles".id = "role_permissions".role_id OR "actions"."public")
             AND roles.builtin = #{Role::BUILTIN_NON_MEMBER}
-          JOIN (#{principal_sql}) users
+          JOIN users
             ON 1 = 1
           JOIN "projects"
             ON "projects".active = true
@@ -157,12 +157,6 @@ def default_sql_by_non_member_with_anonymous
           WHERE enabled_modules.project_id IS NOT NULL OR "actions".module IS NULL
         SQL_PART
       end
-
-      def principal_sql
-        RequestStore.fetch(:capabilities_principal_sql) do
-          Principal.visible.not_builtin.not_locked.to_sql
-        end
-      end
     end
   end
 end

app/models/capabilities/scopes/visible.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module Capabilities::Scopes
+  module Visible
+    extend ActiveSupport::Concern
+
+    class_methods do
+      def visible(user = User.current)
+        scope = if user.admin?
+                  all
+                else
+                  where(context_id: nil)
+                    .or(where(context_id: Project.visible(user).select(:id)))
+                end
+
+        scope.where(principal_id: Principal.visible(user).not_builtin.not_locked)
+      end
+    end
+  end
+end

app/models/capability.rb

@@ -32,7 +32,8 @@ class Capability < ApplicationRecord
   include Tableless
   include Scopes::Scoped
 
-  scopes :default
+  scopes :default,
+         :visible
 
   default_scope { default }
 

app/models/queries/capabilities/capability_query.rb

@@ -43,7 +43,7 @@ def results
 
   def default_scope
     Capability
-      .default
+      .visible
       .distinct
   end
 

app/views/user_mailer/activation_limit_reached.html.erb

@@ -28,9 +28,8 @@ See COPYRIGHT and LICENSE files for more details.
 ++# %>
 
 <p>
-    <% mail_link = "<a href=\"mailto:#{@email}\">#{@email}</a>" %>
-    <% host = Rails.application.root_url %>
-    <% host_link = "<a href=\"#{host}\">#{Setting.app_title}</a>" %>
+    <% mail_link = content_tag(:a, @email, href: "mailto:#{@email}") %>
+    <% host_link = content_tag(:a, Setting.app_title, href: Rails.application.root_url) %>
     <%= t("mail_user_activation_limit_reached.message", email: mail_link, host: host_link).html_safe %>
 </p>
 

app/views/user_mailer/wiki_page_added.html.erb

@@ -31,7 +31,7 @@ See COPYRIGHT and LICENSE files for more details.
   <%= raw t(
         :mail_body_wiki_page_added,
         id: link_to(@wiki_page.title, project_wiki_url(@wiki_page.project, @wiki_page)),
-        author: @wiki_page.author
+        author: h(@wiki_page.author)
       ) %><br>
   <em><%= @wiki_page.journals.last.notes %></em>
 </p>