opf
diff --git a/‎Gemfile.lock‎
Lines changed: 4 additions & 4 deletions b/‎Gemfile.lock‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎Gemfile.modules‎
Lines changed: 1 addition & 1 deletion b/‎Gemfile.modules‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/controllers/account_controller.rb‎
Lines changed: 3 additions & 3 deletions b/‎app/controllers/account_controller.rb‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎app/controllers/concerns/accounts/user_password_change.rb‎
Lines changed: 10 additions & 0 deletions b/‎app/controllers/concerns/accounts/user_password_change.rb‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎app/models/principals/scopes/visible.rb‎
Lines changed: 2 additions & 2 deletions b/‎app/models/principals/scopes/visible.rb‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/models/setting.rb‎
Lines changed: 3 additions & 1 deletion b/‎app/models/setting.rb‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎app/services/settings/update_service.rb‎
Lines changed: 7 additions & 0 deletions b/‎app/services/settings/update_service.rb‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎app/views/admin/settings/mail_notifications_settings/show.html.erb‎
Lines changed: 1 addition & 0 deletions b/‎app/views/admin/settings/mail_notifications_settings/show.html.erb‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎app/views/my/password.html.erb‎
Lines changed: 1 addition & 1 deletion b/‎app/views/my/password.html.erb‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎config/constants/settings/definition.rb‎
Lines changed: 2 additions & 0 deletions b/‎config/constants/settings/definition.rb‎
Lines changed: 2 additions & 0 deletions
@@ -36,10 +36,10 @@ GIT
 
 GIT
   remote: https://github.com/opf/omniauth-openid-connect.git
-  revision: e923d9dd14fa4ca04b98720ac2185807b263f5ed
-  ref: e923d9dd14fa4ca04b98720ac2185807b263f5ed
+  revision: f0c1ecdb26e39017a9e929af75a166c772d960bb
+  ref: f0c1ecdb26e39017a9e929af75a166c772d960bb
   specs:
-    omniauth-openid-connect (0.4.1)
+    omniauth-openid-connect (0.4.2)
       addressable (~> 2.5)
       omniauth (~> 1.6)
       openid_connect (~> 2.2.0)
@@ -2003,7 +2003,7 @@ CHECKSUMS
   oj (3.16.11) sha256=2aab609d2bc896529bd3c70d737f591c13932a640ba6164a0f7e414efdb052b1
   okcomputer (1.19.0) sha256=8548935a82f725bdd8f2c329925a9f1a1bb2ce19ce26b47d7515665ee363b458
   omniauth (1.9.2)
-  omniauth-openid-connect (0.4.1)
+  omniauth-openid-connect (0.4.2)
   omniauth-openid_connect-providers (0.2.0)
   omniauth-saml (1.10.6) sha256=13dde22f4fd1beff0ef2d6dae576f7b68594f159990e8e886d8a02b32397afbd
   op-clamav-client (3.4.2) sha256=f28d697d11758a2ba3dc530cfdf4871a00ecd517631e8bac30dee30cd6012964
 
@@ -8,7 +8,7 @@ gem 'omniauth-openid_connect-providers',
 
 gem 'omniauth-openid-connect',
     git: 'https://github.com/opf/omniauth-openid-connect.git',
-    ref: 'e923d9dd14fa4ca04b98720ac2185807b263f5ed'
+    ref: 'f0c1ecdb26e39017a9e929af75a166c772d960bb'
 
 group :opf_plugins do
     # included so that engines can reference OpenProject::Version
 
@@ -182,14 +182,14 @@ def activate
   # to change the password.
   # When making changes here, also check MyController.change_password
   def change_password
-    # Retrieve user_id from session
-    @user = User.find(params[:password_change_user_id])
+    # Retrieve user login name from session
+    @user = User.find_by!(login: params[:password_change_user])
 
     change_password_flow(user: @user, params:, show_user_name: true) do
       password_authentication(@user.login, params[:new_password])
     end
   rescue ActiveRecord::RecordNotFound
-    Rails.logger.error "Failed to find user for change_password request: #{flash[:_password_change_user_id]}"
+    Rails.logger.error "Failed to find user for change_password request: #{flash[:_password_change_user]}"
     render_404
   end
 
 
@@ -42,8 +42,15 @@ def change_password_flow(user:, params:, update_legacy: true, show_user_name: fa
     # auth sources in the admin UI, so this shouldn't normally happen.
     return if redirect_if_password_change_not_allowed(user)
 
+    # Check if user is locked due to too many failed attempts
+    if user.failed_too_many_recent_login_attempts?
+      flash_and_log_invalid_credentials(is_logged_in: !show_user_name)
+      return render_password_change(user, nil, show_user_name:)
+    end
+
     # Ensure the current password is validated
     unless user.check_password?(params[:password], update_legacy:)
+      user.log_failed_login
       flash_and_log_invalid_credentials(is_logged_in: !show_user_name)
       return render_password_change(user, nil, show_user_name:)
     end
@@ -53,6 +60,9 @@ def change_password_flow(user:, params:, update_legacy: true, show_user_name: fa
 
     # Yield the success to the caller
     if call.success?
+      # Reset failed login count on successful password change
+      User.reset_failed_login_count_for(user)
+
       response = yield call
 
       call.apply_flash_message!(flash)
 
@@ -39,8 +39,8 @@ module Visible
     class_methods do
       def visible(user = ::User.current)
         if user.allowed_in_any_project?(:manage_members) ||
-          user.allowed_globally?(:manage_user) ||
-          user.allowed_in_any_project?(:share_work_packages)
+           user.allowed_globally?(:manage_user) ||
+           user.allowed_in_any_project?(:share_work_packages)
           all
         else
           in_visible_project_or_me(user)
 
@@ -29,6 +29,8 @@
 #++
 
 class Setting < ApplicationRecord
+  class NotWritableError < StandardError; end
+
   extend Aliases
   extend MailSettings
 
@@ -174,7 +176,7 @@ def value=(val)
 
   def set_value!(val, force: false)
     unless force || definition.writable?
-      raise NoMethodError, "#{name} is not writable but can be set through env vars or configuration.yml file."
+      raise NotWritableError, "#{name} is not writable but can be set through env vars or configuration.yml file."
     end
 
     self[:value] = formatted_value(val)
 
@@ -37,7 +37,14 @@ def initialize(user:)
   def persist(call)
     params.each do |name, value|
       set_setting_value(name, value)
+    rescue Setting::NotWritableError
+      i18n_name = I18n.t("setting_#{name}", default: name)
+      call.success = false
+      call.errors.add(:base, I18n.t("settings.errors.failed_to_update",
+                                    message: I18n.t("settings.errors.not_writable"),
+                                    name: i18n_name))
     end
+
     call
   end
 
 
@@ -87,6 +87,7 @@ See COPYRIGHT and LICENSE files for more details.
     </div>
     <div id="email_delivery_method_sendmail" class="email_delivery_method_settings">
       <div class="form--field"><%= setting_text_field :sendmail_location %></div>
+      <div class="form--field"><%= setting_text_field :sendmail_arguments %></div>
     </div>
     <div id="email_delivery_method_letter_opener" class="email_delivery_method_settings">
       <p>Letter opener is used to render emails as a file in your Rails tmp folder. Mails will automatically open in
 
@@ -44,7 +44,7 @@ See COPYRIGHT and LICENSE files for more details.
       { autocomplete: "off", class: "form -wide-labels" }
     ) do %>
   <%= back_url_hidden_field_tag %>
-  <%= hidden_field_tag :password_change_user_id, @user.id %>
+  <%= hidden_field_tag :password_change_user, @user.login %>
   <section class="form--section">
     <%= render partial: "my/password_form_fields",
                locals: { show_user_name: !!(defined? show_user_name) ? show_user_name : nil,
 
@@ -1010,11 +1010,13 @@ class Definition
       sendmail_arguments: {
         description: "Arguments to call sendmail with in case it is configured as outgoing email setup",
         format: :string,
+        writable: false,
         default: "-i"
       },
       sendmail_location: {
         description: "Location of sendmail to call if it is configured as outgoing email setup",
         format: :string,
+        writable: false,
         default: "/usr/sbin/sendmail"
       },
       # Allow separate error reporting for frontend errors