From becd3b4f11d3ec90eac10a86abf5e1450444362d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Tue, 10 Oct 2023 12:58:32 +0200 Subject: [PATCH 1/8] Bumped version to 13.0.6 [ci skip] --- lib/open_project/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb index 964a56310fbc..1c5645415d88 100644 --- a/lib/open_project/version.rb +++ b/lib/open_project/version.rb @@ -33,7 +33,7 @@ module OpenProject module VERSION # :nodoc: MAJOR = 13 MINOR = 0 - PATCH = 5 + PATCH = 6 class << self # Used by semver to define the special version (if any). From f3c8e0f43e4c8da82bd22cbfec0f4615a027da3c Mon Sep 17 00:00:00 2001 From: Maya Berdygylyjova Date: Wed, 11 Oct 2023 11:10:59 +0200 Subject: [PATCH 2/8] [#50444] Clarify the work package "duplicates/duplicated by" relation in documentations https://community.openproject.org/work_packages/50444 [#50444] Clarify the work package "duplicates/duplicated by" relation in documentations https://community.openproject.org/work_packages/50444 --- .../work-package-relations-hierarchies/README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docs/user-guide/work-packages/work-package-relations-hierarchies/README.md b/docs/user-guide/work-packages/work-package-relations-hierarchies/README.md index fe6b70894c8f..cdb4568f18ca 100644 --- a/docs/user-guide/work-packages/work-package-relations-hierarchies/README.md +++ b/docs/user-guide/work-packages/work-package-relations-hierarchies/README.md 
@@ -35,11 +35,18 @@ Work package relations indicate that work packages address a similar topic or cr You can select one of the following relations: - **Related to** - This option adds a link from the work package A to work package B, so that project members can immediately see the connection, even if the work packages are not members of the same hierarchy. -- **Duplicates / Duplicated by** - This option indicates that the work package A duplicates a work package B in one way or another, for example both address the same task. This can be useful if you have the same work package that needs to be a part of a closed and public projects at the same time. The connection in this case is only semantic, the changes you make in work package A will need to be adapted in work package B manually. However, this does not affect the status, so if you change the status of work package A the status of work package B will change automatically to the same. + +- **Duplicates / Duplicated by** - This option indicates that the work package B duplicates a work package A in one way or another, for example both address the same task. This can be useful if you have the same work package that needs to be a part of a closed and public projects at the same time. The connection in this case is only semantic, the changes you make in work package A will need to be adapted in work package B manually. + + **Note**: some changes in statuses will de adjusted automatically for the duplicated work package. Specifically, if the status of a work package A is set to be "closed" (or set to any status that is defined to count as "closed" in the [system settings](../../../system-admin-guide/manage-work-packages/work-package-status/), for example "rejected" often counts as a "closed" status), the status of the work package B will change to "closed". Note that this is direction dependent. Only if the work package A is closed will the work package B be closed as well, not the other way around. 
+ - **Blocks / Blocked by** - This option defines status change restrictions between two work packages. If you set a work package A to be blocking work package B, the status of work package B cannot be set to closed or resolved until the work package A is closed. + - **Precedes / Follows** - Defines a chronological relation between two work packages. For example, if you set a work package A to precede a work package B, the start date of B has to be at least a day after the finish date of A. Please note: If work package B is in [manual scheduling mode](../../gantt-chart/scheduling/#manual-scheduling-mode), changing the finish date of work package A will have no effect on work package B. + - **Includes / Part of** - Defines if work package A includes or is part of work package B. This relation type can be used for example when you have a roll-out work package and work packages which should be shown as included without using hierarchical relationships. There is no additional effect. + - **Requires / Required by** - Defines if work package A requires or is required by work package B. There is no additional effect. The selected relation status will be automatically displayed in the work package that you enter. For example if you select "Blocks" in the current work package A and specify work package B, work package B will automatically show that it is "Blocked by" A. From 674dc3adee4a8ec0ed9afe726219b1f294d7445d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 11 Oct 2023 20:15:44 +0200 Subject: [PATCH 3/8] Add section on virus and malware protection --- .../concepts/secure-coding/README.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/docs/development/concepts/secure-coding/README.md b/docs/development/concepts/secure-coding/README.md index fb7dd33d4a24..238bb4dc3d8e 100644 --- a/docs/development/concepts/secure-coding/README.md +++ b/docs/development/concepts/secure-coding/README.md 
@@ -182,6 +182,32 @@ https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html +## Virus and Malware protection + +As OpenProject may handle and distribute sensitive user data, attack vectors such as malicious user input as specified in the previous section pose a threat to the integrity, confidentiality, and availaibility of data. In the following, we will evaluate different risks and guidelines on the protection against viruses and other malware during operation of an OpenProject instance. + + + +**Risks and impacts** + +- *Viruses and malware uploads*: Whenever users are able to upload files to a system, potentially malicous files could be provided and distributed through OpenProject by users with the appropriate upload permission. +- *Malware in software*: OpenProject carefully selects and updates third-party dependencies. Please see the following section on [external dependencies](#external-dependencies) for more information on the best practices of external dependencies. + + + +**Guidelines** + +- Virus and malware uploads + - OpenProject provides users with fine-grained access to control which user groups are allowed to upload files + - Whitelist for uploads can be provided by MIME type, rejecting any nonmatching files + - OpenProject currently does not provide a built-in virus scanner. However, using [webhooks](https://www.openproject.org/docs/system-admin-guide/api-and-webhooks/#webhooks) and the [attachments API](https://www.openproject.org/docs/api/endpoints/attachments/), users can plug existing virus scanning tools and scrub any uploaded files. +- *Malware in software*: + - OpenProject uses statical code analysis on every change provided to the application as well as code scanners on the artefacts generated from the source code (such as Snyk vulnerability scanner for Docker images). + + + + + ## External dependencies OpenProject includes a number of external dependencies both in Ruby as well as in the JavaScript ecosystem. 
Regardless of the selection of these dependencies, maintaining and keeping the dependencies up-to-date is a critical part of the security of the application. We have seen a lot of attacks surface in the past years originating from either outdated or manipulated dependencies. From 4abd7b257ba56dd4e068710e85338aee3709478a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Wed, 11 Oct 2023 20:49:25 +0200 Subject: [PATCH 4/8] Add section on patch and change management to application architecture --- .../application-architecture/README.md | 70 +++++++++++++++++++ .../concepts/secure-coding/README.md | 1 + docs/development/releases/README.md | 51 +------------- 3 files changed, 72 insertions(+), 50 deletions(-) diff --git a/docs/development/application-architecture/README.md b/docs/development/application-architecture/README.md index d2c4c6ca5e0d..e510edbfd8bf 100644 --- a/docs/development/application-architecture/README.md +++ b/docs/development/application-architecture/README.md 
@@ -73,6 +73,76 @@ OpenProject is continuously tested, developed, and distributed using the followi +# Patch and change management + +OpenProject uses the Community instance [https://community.openproject.org](https://community.openproject.org) for managing the application lifecycle. For a full overview on the process of developing changes to the application, please see our [product development guide](../product-development-handbook/). + +This section summarizes all relevant information about the process for providing releases. + +## Current release + +The [release notes](https://www.openproject.org/docs/release-notes) provide a list of all the releases including the current stable one. + +Administrators can identify their currently deployed version of OpenProject in the [Administration information page of their installation](https://www.openproject.org/docs/system-admin-guide/information). + + + +## Upcoming releases + +See the [Roadmap](https://community.openproject.com/projects/openproject/roadmap) for the overview of the upcoming stable releases. + + + +## Versioning + +OpenProject follows [Semantic Versioning](https://semver.org/). Therefore, the version is a composition of three digits in the format of e.g. 0.1.1 and can be summarised as followed: + +- MAJOR version when you make incompatible API changes, +- MINOR version when you add functionality in a backwards-compatible manner, and +- PATCH version when you make backwards-compatible bug fixes. + +Please note that OpenProject considers the following to be non breaking changes which do not lead to a new major version: + +- Database schema changes +- Updates on depended upon libraries packaged with the distributions of OpenProject (e.g. Ruby, Rails, etc.) + +Changes to those can thus happen also in minor or patch releases. + +On the other hand, changes to the following are considered breaking changes and thus lead to a new major version. + +- Changes to the minimum version of supported operating systems. 
+- Changes to the minimum version of the supported database system (PostgreSQL). + +This list is not conclusive but rather serves to highlight the difference to the previous list of non breaking changes. + + + +## Support of releases + +For the community edition, only the current stable release is maintained. The [Enterprise on-premises](https://www.openproject.org/enterprise-edition) provides extended maintenance. + +We recommended to update to a new stable release as soon as possible to have a supported version installed. To that end, OpenProject will show an information banner to administrators in case a new stable release is available. + + + +## Change history + +All changes made to the OpenProject software are documented via work packages bundled by the version. The [Roadmap view](https://community.openproject.com/projects/openproject/roadmap) gives a corresponding overview. A release is also summarized in the [release notes](https://www.openproject.org/docs/release-notes). + + + +## Distribution + +OpenProject is distributed in [various formats](https://www.openproject.org/docs/installation-and-operations/installation). Manual installation based on the code in GitHub is possible but not supported. + + + +## Versions in the codebase + +The version is represented as [tags](https://www.openproject.org/docs/development/git-workflow#tagging) and [branches](https://www.openproject.org/docs/development/git-workflow#branching-model) in the repository. The version is also manifested in the [version.rb](https://github.com/opf/openproject/blob/dev/lib/open_project/version.rb). + + + # Components A typical installation of OpenProject uses a web server such as NGINX or Apache to proxy requests to and from the internal [Puma](https://puma.io/) application server. All web requests are handled internally by it. A background job queue is used to execute longer running data requests or asynchronous communications. 
diff --git a/docs/development/concepts/secure-coding/README.md b/docs/development/concepts/secure-coding/README.md index 238bb4dc3d8e..d6fa6d85c10c 100644 --- a/docs/development/concepts/secure-coding/README.md +++ b/docs/development/concepts/secure-coding/README.md @@ -203,6 +203,7 @@ As OpenProject may handle and distribute sensitive user data, attack vectors suc - OpenProject currently does not provide a built-in virus scanner. However, using [webhooks](https://www.openproject.org/docs/system-admin-guide/api-and-webhooks/#webhooks) and the [attachments API](https://www.openproject.org/docs/api/endpoints/attachments/), users can plug existing virus scanning tools and scrub any uploaded files. - *Malware in software*: - OpenProject uses statical code analysis on every change provided to the application as well as code scanners on the artefacts generated from the source code (such as Snyk vulnerability scanner for Docker images). + - We recommend users to perform their own diff --git a/docs/development/releases/README.md b/docs/development/releases/README.md index 4fc19fd290aa..d21561c7da86 100644 --- a/docs/development/releases/README.md +++ b/docs/development/releases/README.md 
@@ -1,52 +1,3 @@ # Releases -This page summarizes all relevant information about releases. - -## Current release - -The [release notes](../../release-notes/) provide a list of all the releases including the current stable one. - -Administrators can identify their currently deployed version of OpenProject in the [Administration information page of their installation](../../system-admin-guide/information). - -## Upcoming releases - -See the [Roadmap](https://community.openproject.com/projects/openproject/roadmap) for the overview of the upcoming stable releases. - -## Versioning - -OpenProject follows [Semantic Versioning](https://semver.org/). -Therefore, the version is a composition of three digits in the format of e.g. 0.1.1 and can be summarised as followed: - * MAJOR version when you make incompatible API changes, - * MINOR version when you add functionality in a backwards-compatible manner, and - * PATCH version when you make backwards-compatible bug fixes. - -Please note that OpenProject considers the following to be non breaking changes which do not lead to a new major version: -* Database schema changes -* Updates on depended upon libraries packaged with the distributions of OpenProject (e.g. Ruby, Rails, etc.) - -Changes to those can thus happen also in minor or patch releases. - -On the other hand, changes to the following are considered breaking changes and thus lead to a new major version. -* Changes to the minimum version of supported operating systems. -* Changes to the minimum version of the supported database system (PostgreSQL). - -This list is not conclusive but rather serves to highlight the difference to the previous list of non breaking changes. - -## Support of releases - -For the community edition, only the current stable release is maintained. The [Enterprise on-premises](https://www.openproject.org/enterprise-edition) provides extended maintenance. 
- -We recommended to update to a new stable release as soon as possible to have a supported version installed. To that end, OpenProject will show an information banner to administrators in case a new stable release is available. - - -## Change history - -All changes made to the OpenProject software are documented via work packages bundled by the version. The [Roadmap view](https://community.openproject.com/projects/openproject/roadmap) gives a corresponding overview. A release is also summarized in the [release notes](../../release-notes/). - -## Distribution - -OpenProject is distributed in [various formats](../../installation-and-operations/installation/). Manual installation based on the code in GitHub is possible but not supported. - -## Versions in the codebase - -The version is represented as [tags](../git-workflow#tagging) and [branches](../git-workflow#branching-model) in the repository. The version is also manifested in the [version.rb](https://github.com/opf/openproject/blob/dev/lib/open_project/version.rb). +This page has been integrated into the [application architecture guide](../application-architecture/#patch-and-change-management). From d6545634729f90fc9b84cd89e2fdb38cd966958a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Thu, 12 Oct 2023 11:11:58 +0200 Subject: [PATCH 5/8] Update README.md --- docs/getting-started/my-activity/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/getting-started/my-activity/README.md b/docs/getting-started/my-activity/README.md index c4f999ad7817..1c2d87061324 100644 --- a/docs/getting-started/my-activity/README.md +++ b/docs/getting-started/my-activity/README.md 
@@ -14,7 +14,11 @@ You can open your **My Activity** page by clicking on your user avatar in the up ![OpenProject navigate to My Activity Page](openproject_select_my_actvity.png) -You will see two lists by default. **Projects** will show all projects you are a member of. **Activity** will show all of your activities that are being recorded in OpenProject. +You will see two lists by default. + +**Projects** will show all projects you are a member of. + +**Activity** will show all of your activities that are being recorded in OpenProject. Note that only activities from projects that have enabled the "Activity" module will be shown. ![Openproject_my_activity_page](openproject_my_activity_overview.png) From 127046002557c098131dbed43a2cff6378c7f431 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= Date: Fri, 13 Oct 2023 11:02:15 +0200 Subject: [PATCH 6/8] Remove status page in favor of uptimerobot one --- .../openproject-cloud-status/README.md | 64 +------------------ 1 file changed, 1 insertion(+), 63 deletions(-) diff --git a/docs/enterprise-guide/enterprise-cloud-guide/openproject-cloud-status/README.md b/docs/enterprise-guide/enterprise-cloud-guide/openproject-cloud-status/README.md index 23b745e8809e..90c36c7b6af0 100644 --- a/docs/enterprise-guide/enterprise-cloud-guide/openproject-cloud-status/README.md +++ b/docs/enterprise-guide/enterprise-cloud-guide/openproject-cloud-status/README.md 
@@ -8,66 +8,4 @@ keywords: enterprise cloud, status, incidents # OpenProject cloud status page -On this page, we will report any outages and reports of degraded services for our Enterprise cloud edition customers. - -* * * - -## Current issues - -– - -* * * - -## Past incidents - -### June 25, 2020 - -We are currently seeing elevated response times and degraded performance. We are investigating the issue. - -* * * - -### September 11, 2018 - -(13:20 - 13:50 UTC) During the latest deployment of OpenProject 8.0. on our cloud infrastructure, a migration was added to rename a specific table used for the new application. This migration turned out to run through significantly longer. - -* * * - -### May 26 - 27th, 2018 - -(7:30 UTC) Services operating normally, root cause is being worked at. - -(1:00 UTC) One of the Aurora databases in our PostgreSQL cluster failed in an autovacuum operation scheduled to execute at nights (UTC + 2). A failover to the reader database happened, but not all web workers of the OpenProject cloud services reconnected correctly, resulting in consistently dropped connections during that night. - -* * * - -### April 25th, 2018 - -(8:15 UTC) OpenProject email notifciation service has been restored. - -(7:28 UTC) We are aware of degradede mail notifications on our OpenProject Enterprise cloud edition service due to a technical issue with our mail notification provider and are actively working on resolving it. - -* * * - -### April 20th, 2018 - -(3:00 UTC) The OpenProject Enterprise cloud edition is currently not available in Russia since the IP address is being blocked in connection with blocking Telegram ([more information](https://www.bbc.com/news/technology-43797176)). - -(3:00 UTC) The OpenProject Enterprise cloud edition service is currently not available in Russia. - -* * * - -### April 16th, 2018 - -(7:30 UTC) Services operating normally. 
- -(7:20 UTC) One of the Aurora databases in our PostgreSQL cluster denied new client connections, resulting in timeouts whenever new web workers were restarted (this is scheduled randomly after a few thousand requests). The instance however reported normal operation and in turn did not automatically failover by itself. Once the failing database was took out of the cluster and restarted, access returned to normal. - -(6:30 UTC) We're investigating page timeouts and incomplete responses returned to some of our cloud environment instances. - -* * * - -### March 14th, 2018 - -(14:25 UTC) Services operating normally. - -(14:07 UTC) We're aware of occasional Gateway timeout responses from one of our load balancers. +The following status page provides information about outages, maintenance announcements, and degraded services for our Enterprise cloud customers: https://status.openproject.com/ From 7df4f7a26c0852fa647e1ab8a4a753135903ae95 Mon Sep 17 00:00:00 2001 From: Pavel Balashou Date: Fri, 13 Oct 2023 16:18:44 +0200 Subject: [PATCH 7/8] [#50519] Project storage members page can be accessed without a session. https://community.openproject.org/work_packages/50519 --- .../project_settings/project_storage_members_controller.rb | 3 +-- .../spec/features/view_project_storage_members_spec.rb | 7 +++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/modules/storages/app/controllers/storages/project_settings/project_storage_members_controller.rb b/modules/storages/app/controllers/storages/project_settings/project_storage_members_controller.rb index 802d044d9d98..5ff4679e99c1 100644 --- a/modules/storages/app/controllers/storages/project_settings/project_storage_members_controller.rb +++ b/modules/storages/app/controllers/storages/project_settings/project_storage_members_controller.rb 
@@ -29,7 +29,7 @@ # Purpose: Let OpenProject create folders per project automatically. # This is recommended as it ensures that every team member always has the correct access permissions. # -class Storages::ProjectSettings::ProjectStorageMembersController < ApplicationController +class Storages::ProjectSettings::ProjectStorageMembersController < Projects::SettingsController include PaginationHelper menu_item :settings_project_storages @@ -61,6 +61,5 @@ def find_model_object(object_id = :project_storage_id) super(object_id) @project_storage = @object @storage = @project_storage.storage - @project = @project_storage.project end end diff --git a/modules/storages/spec/features/view_project_storage_members_spec.rb b/modules/storages/spec/features/view_project_storage_members_spec.rb index 679a278d91e4..c57897f60da0 100644 --- a/modules/storages/spec/features/view_project_storage_members_spec.rb +++ b/modules/storages/spec/features/view_project_storage_members_spec.rb @@ -46,6 +46,13 @@ connected_no_permissions_user]) end + it 'cannot be accessed without being logged in' do + visit project_settings_project_storage_members_path(project, project_storage_id: project_storage.id) + + expect(page).to have_title('Sign in | OpenProject') + expect(page).not_to have_text('Members connection status') + end + it 'lists project members connection statuses' do login_as user From eb73bf60a84fdf0b26b56253f27bff01bf339761 Mon Sep 17 00:00:00 2001 From: ulferts Date: Fri, 13 Oct 2023 17:10:13 +0200 Subject: [PATCH 8/8] Add release-notes file --- docs/release-notes/13-0-6/README.md | 19 +++++++++++++++++++ docs/release-notes/README.md | 7 +++++++ 2 files changed, 26 insertions(+) create mode 100644 docs/release-notes/13-0-6/README.md diff --git a/docs/release-notes/13-0-6/README.md b/docs/release-notes/13-0-6/README.md new file mode 100644 index 000000000000..a85b9c9bcd6b --- /dev/null +++ b/docs/release-notes/13-0-6/README.md 
@@ -0,0 +1,19 @@ +--- +title: OpenProject 13.0.6 +sidebar_navigation: + title: 13.0.6 +release_version: 13.0.6 +release_date: 2023-10-13 +--- + +# OpenProject 13.0.6 + +Release date: 2023-10-13 + +We released [OpenProject 13.0.6](https://community.openproject.com/versions/1937). +The release contains several bug fixes and we recommend updating to the newest version. + + +#### Bug fixes and changes + +- Fixed: Project storage members page can be accessed without a session. \[[#50519](https://community.openproject.com/wp/50519)\] diff --git a/docs/release-notes/README.md b/docs/release-notes/README.md index 9187cc302564..78523647d263 100644 --- a/docs/release-notes/README.md +++ b/docs/release-notes/README.md @@ -14,6 +14,13 @@ Stay up to date and get an overview of the new features included in the releases +## 13.0.6 + +Release date: 2023-10-13 + +[Release Notes](13-0-6/) + + ## 13.0.5 Release date: 2023-10-10
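Review bot: In PATCH 2/8, the added **Note** paragraph has a typo, "will de adjusted" should read "will be adjusted", and the rewritten bullet above it keeps "a part of a closed and public projects", which should be "part of a closed and a public project". The same paragraph is also the right place to state plainly that, because closing work package A automatically closes B, a status change made in the closed project becomes visible in the public one; that is the one piece of information that flows across the pair, and readers picking this relation for the closed/public use case the bullet describes should be told so.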
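Review bot: In PATCH 3/8, the guideline "Whitelist for uploads can be provided by MIME type, rejecting any nonmatching files" should say where that MIME type comes from; if it is the content type sent by the uploading client rather than one detected from the file content, the list is a usability control and not a malware control, and the section should not present it as the latter. The webhook bullet should likewise note that scanning via [webhooks] and the [attachments API] runs after the file has already been stored, so operators need to decide how an attachment is treated until the scan result is back. Spelling in the added lines: "availaibility", "malicous", "nonmatching" (non-matching) and "statical code analysis" (static code analysis).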
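Review bot: In PATCH 4/8, the new "Patch and change management" section of docs/development/application-architecture/README.md moves text over with wording worth fixing on the way: "can be summarised as followed" should be "as follows", "We recommended to update" should be "We recommend updating", and "non breaking" should be hyphenated in both places. Since the section now states that updates of the packaged dependencies (Ruby, Rails, etc.) ship in minor and patch releases, and the secure-coding page calls keeping those dependencies current "a critical part of the security of the application", one sentence connecting the two would make it clear that the advice to update promptly applies to patch releases, not only to major ones.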
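Review bot: In PATCH 4/8, the line added to docs/development/concepts/secure-coding/README.md, "- We recommend users to perform their own", is cut off mid-sentence and would be published as is. Either finish it (the preceding bullet is about Snyk scanning of the Docker images, so the intended ending is presumably the users' own scans of the artefacts they deploy) or drop the line before merging.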
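Review bot: In PATCH 7/8, the controller hunk fixes the session check by inheriting from Projects::SettingsController, whose authentication and authorization before_actions are not visible in this diff, so the fix depends on filters this file never names; a short comment above the class saying which inherited filters are relied on would keep that from being undone by a later refactor. More importantly, with `@project = @project_storage.project` removed from find_model_object, @project (from the route) and @project_storage (from project_storage_id) are now loaded from two independent request parameters and nothing in the hunk checks that the storage belongs to the project the permission check ran against. Scope the lookup to @project, or add an explicit check such as `raise ActiveRecord::RecordNotFound unless @project_storage.project == @project` after `@project_storage = @object`, so the members list rendered is always the one of the authorized project.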
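Review bot: In PATCH 7/8, the new spec example only covers the anonymous case (landing on the sign-in page). The underlying bug is missing access control, so add a second example in the same block for a logged-in user who is not a member of the project, or who lacks the project-settings permission, asserting that 'Members connection status' is not shown; otherwise a future change that keeps authentication but loses the permission check would still pass this suite. Asserting on the current path being the sign-in path, in addition to `have_title('Sign in | OpenProject')`, would also make the example less brittle to title changes.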
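Review bot: In PATCH 8/8, the new release-notes file jumps from the h1 `# OpenProject 13.0.6` straight to an h4 `#### Bug fixes and changes`, skipping h2 and h3; use `## Bug fixes and changes` so the document outline stays consistent. The work package link uses `https://community.openproject.com/wp/50519` while the commit message of PATCH 7/8 references `https://community.openproject.org/work_packages/50519`; check that the `.com` host and the `/wp/` path are the canonical form used elsewhere in docs/release-notes before merging.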