Merge branch 'release/13.1' into dev

.github/workflows/openapi.yaml

@@ -0,0 +1,28 @@
+name: "OpenAPI"
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+on:
+  push:
+    branches:
+      - dev
+      - release/*
+    paths:
+      - 'docs/api/apiv3/**'
+  pull_request:
+    types: [opened, reopened, synchronize]
+    paths:
+      - 'docs/api/apiv3/**'
+
+jobs:
+  api-spec:
+    name: APIv3 specification (OpenAPI 3.0)
+    if: github.repository == 'opf/openproject'
+    runs-on: [ubuntu-latest]
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        bundler-cache: true
+    - uses: actions/setup-node@v2
+      with:
+        node-version: '20'
+    - run: ./script/api/validate_spec

app/controllers/account_controller.rb

@@ -203,17 +203,16 @@ def activate_self_registered(token)
       else
         flash[:error] = I18n.t(:notice_activation_failed)
       end
-
-      redirect_to signin_path
     else
       if user.active?
         flash[:notice] = I18n.t(:notice_account_already_activated)
       else
         flash[:error] = I18n.t(:notice_activation_failed)
       end
 
-      redirect_to home_url
     end
+
+    redirect_to signin_path(back_url: params[:back_url])
   end
 
   def activate_by_invite_token(token)
@@ -224,6 +223,7 @@ def activate_by_invite_token(token)
 
   def activate_invited(token)
     session[:invitation_token] = token.value
+    session[:back_url] = params[:back_url]
     user = token.user
 
     if user.ldap_auth_source
@@ -524,7 +524,7 @@ def disable_api
   def invalid_token_and_redirect
     flash[:error] = I18n.t(:notice_account_invalid_token)
 
-    redirect_to home_url
+    redirect_to signin_path
   end
 
   def apply_csp_appends

app/controllers/concerns/accounts/omniauth_login.rb

@@ -47,8 +47,12 @@ module Accounts::OmniauthLogin
   end
 
   def omniauth_login
-    # Set back url to page the omniauth login link was clicked on
-    params[:back_url] = request.env['omniauth.origin']
+    # Remmember the back_url to redirect to after login
+    # only if we're in a direct login phase, so the user ends up
+    # in the original requested URL after logging in
+    if omniauth_direct_login?
+      params[:back_url] = request.env['omniauth.origin']
+    end
 
     # Extract auth info and perform check / login or activate user
     auth_hash = request.env['omniauth.auth']

app/controllers/concerns/accounts/redirect_after_login.rb

@@ -42,21 +42,19 @@ def redirect_after_login(user)
     end
   end
 
-  #    * * *
-
   def default_redirect
-    if url = OpenProject::Configuration.after_login_default_redirect_url
-      redirect_to url
+    if (url = OpenProject::Configuration.after_login_default_redirect_url)
+      redirect_back_or_default url
     else
       redirect_back_or_default my_page_path
     end
   end
 
   def first_login_redirect
-    if url = OpenProject::Configuration.after_first_login_redirect_url
-      redirect_to url
+    if (url = OpenProject::Configuration.after_first_login_redirect_url)
+      redirect_back_or_default url
     else
-      redirect_to home_url(first_time_user: true)
+      redirect_back_or_default home_url(first_time_user: true)
     end
   end
 end

app/helpers/application_helper.rb

@@ -305,8 +305,8 @@ def labelled_tabular_form_for(record, options = {}, &)
     form_for(record, options, &)
   end
 
-  def back_url_hidden_field_tag
-    back_url = params[:back_url] || request.env['HTTP_REFERER']
+  def back_url_hidden_field_tag(use_referer: true)
+    back_url = params[:back_url] || (use_referer ? request.env['HTTP_REFERER'] : nil)
     back_url = CGI.unescape(back_url.to_s)
     hidden_field_tag('back_url', CGI.escape(back_url), id: nil) if back_url.present?
   end

app/helpers/mail_notification_helper.rb

@@ -39,10 +39,6 @@ def notifications_path(id)
     notifications_center_url(['details', id, 'activity'])
   end
 
-  def shared_work_package_path(id)
-    work_package_url(id)
-  end
-
   def type_color(type, default_fallback)
     color_id = selected_color(type)
     if color_id

app/mailers/sharing_mailer.rb

@@ -1,17 +1,21 @@
 # frozen_string_literal: true
 
 class SharingMailer < ApplicationMailer
+  include MailNotificationHelper
   helper :mail_notification
 
   def shared_work_package(sharer, membership, group = nil)
     @sharer = sharer
     @shared_with_user = membership.principal
+    @invitation_token = @shared_with_user.invited? ? @shared_with_user.invitation_token : nil
     @group = group
     @work_package = membership.entity
 
     role = membership.roles.first
     @role_rights = derive_role_rights(role)
     @allowed_work_package_actions = derive_allowed_work_package_actions(role)
+    @url = optionally_activated_url(work_package_url(@work_package.id), @invitation_token)
+    @notification_url = optionally_activated_url(notifications_path(@work_package.id), @invitation_token)
 
     set_open_project_headers(@work_package)
     message_id(membership, sharer)
@@ -25,6 +29,15 @@ def shared_work_package(sharer, membership, group = nil)
 
   private
 
+  def optionally_activated_url(back_url, invitation_token)
+    return back_url unless invitation_token
+
+    url_for(controller: '/account',
+            action: :activate,
+            token: invitation_token.value,
+            back_url:)
+  end
+
   def derive_role_rights(role)
     case role.builtin
     when Role::BUILTIN_WORK_PACKAGE_EDITOR
@@ -38,16 +51,16 @@ def derive_role_rights(role)
 
   def derive_allowed_work_package_actions(role)
     allowed_actions = case role.builtin
-                      when Role::BUILTIN_WORK_PACKAGE_EDITOR
-                        [I18n.t('work_package.sharing.permissions.view'),
-                         I18n.t('work_package.sharing.permissions.comment'),
-                         I18n.t('work_package.sharing.permissions.edit')]
-                      when Role::BUILTIN_WORK_PACKAGE_COMMENTER
-                        [I18n.t('work_package.sharing.permissions.view'),
-                         I18n.t('work_package.sharing.permissions.comment')]
-                      when Role::BUILTIN_WORK_PACKAGE_VIEWER
-                        [I18n.t('work_package.sharing.permissions.view')]
-                      end
+    when Role::BUILTIN_WORK_PACKAGE_EDITOR
+      [I18n.t('work_package.sharing.permissions.view'),
+       I18n.t('work_package.sharing.permissions.comment'),
+       I18n.t('work_package.sharing.permissions.edit')]
+    when Role::BUILTIN_WORK_PACKAGE_COMMENTER
+      [I18n.t('work_package.sharing.permissions.view'),
+       I18n.t('work_package.sharing.permissions.comment')]
+    when Role::BUILTIN_WORK_PACKAGE_VIEWER
+      [I18n.t('work_package.sharing.permissions.view')]
+    end
 
     allowed_actions.map(&:downcase)
   end

app/models/queries/operators/equals_all.rb

@@ -28,7 +28,7 @@
 
 module Queries::Operators
   class EqualsAll < Base
-    label 'equals_all'
+    label 'operator_equals_all'
     set_symbol '&='
   end
 end

app/models/token/invitation.rb

@@ -31,9 +31,9 @@ class Invitation < Base
     include ExpirableToken
 
     ##
-    # Invitation tokens are valid for one day.
+    # Invitation tokens are valid for a configurable amount of days
     def self.validity_time
-      (Setting.invitation_expiration_days || 1).days
+      Setting.invitation_expiration_days.days
     end
 
     ##

app/models/user.rb

@@ -56,6 +56,9 @@ class User < Principal
   has_one :rss_token, class_name: '::Token::RSS', dependent: :destroy
   has_one :api_token, class_name: '::Token::API', dependent: :destroy
 
+  # The user might have one invitation token
+  has_one :invitation_token, class_name: '::Token::Invitation', dependent: :destroy
+
   # everytime a user subscribes to a calendar, a new ical_token is generated
   # unlike on other token types, all previously generated ical_tokens are kept
   # in order to keep all previously generated ical urls valid and usable

app/views/account/_register.html.erb

@@ -30,7 +30,7 @@ See COPYRIGHT and LICENSE files for more details.
 <div class="modal-delivery-element">
   <%= labelled_tabular_form_for(@user, url: account_register_path, html: { class: 'form -wide-labels spot-modal' }) do |f| %>
 
-    <%= back_url_hidden_field_tag %>
+    <%= back_url_hidden_field_tag use_referer: false %>
     <%= error_messages_for :user %>
 
     <div id="spotModalTitle" class="spot-modal--header">

app/views/mailer/_notification_row.html.erb

@@ -1,5 +1,5 @@
 <a style="text-decoration: none;display: block;"
-   href="<%= notifications_path(work_package.id) %>"
+   href="<%= local_assigns[:notification_url] || notifications_path(work_package.id) %>"
    target="_blank">
   <%= render layout: 'mailer/border_table' do %>
     <tr>

app/views/sharing_mailer/shared_work_package.html.erb

@@ -20,7 +20,7 @@
                  locals: {
                    user: @shared_with_user,
                    summary:,
-                   button_href: shared_work_package_path(@work_package.id),
+                   button_href: @url,
                    button_text: I18n.t(:'mail.sharing.work_packages.open_work_package'),
                  } %>
 
@@ -29,7 +29,8 @@
                    work_package: @work_package,
                    unique_reasons: [:shared],
                    show_count: false,
-                   open_in_browser_path: shared_work_package_path(@work_package.id)
+                   notification_url: @notification_url,
+                   open_in_browser_path: @url
                  } do %>
         <table <%= placeholder_table_styles(width:'100%',style: 'width:100%;') %>>
           <tr>

app/views/sharing_mailer/shared_work_package.text.erb

@@ -21,4 +21,7 @@
 <%= I18n.t('mail.work_packages.reason.shared') %>:
 <%= t('mail.sharing.work_packages.allowed_actions', allowed_actions: @allowed_work_package_actions.to_sentence).html_safe %>
 
+<%= t('mail.sharing.work_packages.open_work_package') %>
+<%= @url %>
+
 <%= "-" * 100 %>

config/locales/en.yml

@@ -2338,7 +2338,7 @@ en:
     sharing:
       work_packages:
         allowed_actions: "You may %{allowed_actions} this work package. This can change depending on your project role and permissions."
-        create_account: "To access this work package you will need to create an %{instance} account. "
+        create_account: "To access this work package you will need to create and activate an %{instance} account. "
         open_work_package: "Open work package"
         subject: "You have been shared work package #%{id}"
         enterprise_text: "Share work packages with users who are not members of the project."

docs/api/apiv3/components/examples/project_collection.yml

@@ -0,0 +1,40 @@
+# Example: Project collection
+---
+value:
+  _type: Collection
+  count: 2
+  total: 2
+  pageSize: 20
+  offset: 1
+  _embedded:
+    elements:
+      - _hint: Project resource shortened for brevity
+        id: 1
+        identifier: initialproject
+        name: DeathStar construction
+        active: true
+        public: true
+      - _hint: Project resource shortened for brevity
+        id: 2
+        identifier: mysecret
+        name: Palpatine's secret plan
+        active: true
+        public: false
+  _links:
+    self:
+      href: '/api/v3/projects?filters=%5B%5D&offset=1&pageSize=20'
+    jumpTo:
+      href: '/api/v3/projects?filters=%5B%5D&offset=%7Boffset%7D&pageSize=20'
+      templated: true
+    changeSize:
+      href: '/api/v3/projects?filters=%5B%5D&offset=1&pageSize=%7Bsize%7D'
+      templated: true
+    representations:
+      - href: '/projects.csv?filters=%5B%5D&offset=1&pageSize=20'
+        identifier: csv
+        type: text/csv
+        title: CSV
+      - href: '/projects.xls?filters=%5B%5D&offset=1&pageSize=20'
+        identifier: xls
+        type: application/vnd.ms-excel
+        title: XLS

docs/api/apiv3/components/schemas/link.yml

@@ -26,6 +26,9 @@ properties:
   identifier:
     type: string
     description: An optional unique identifier to the link object
+  type:
+    type: string
+    description: The MIME-Type of the returned resource.
 
 example:
   href: '/api/v3/work_packages'