Merged opf/openproject/v7.4.4 into opf/openproject-ce/stable/7

Gemfile.lock

@@ -113,73 +113,73 @@ GIT
 PATH
   remote: vendored-plugins/openproject-auth_plugins
   specs:
-    openproject-auth_plugins (7.4.3)
+    openproject-auth_plugins (7.4.4)
       omniauth (~> 1.0)
       rails (~> 5.0)
 
 PATH
   remote: vendored-plugins/openproject-avatars
   specs:
-    openproject-avatars (7.4.3)
+    openproject-avatars (7.4.4)
       fastimage (~> 2.1.0)
       gravatar_image_tag (~> 1.2.0)
       rails (~> 5.0)
 
 PATH
   remote: vendored-plugins/openproject-backlogs
   specs:
-    openproject-backlogs (7.4.3)
+    openproject-backlogs (7.4.4)
       acts_as_silent_list (~> 3.0.0)
-      openproject-pdf_export (= 7.4.3)
+      openproject-pdf_export (= 7.4.4)
       rails (~> 5.0.0)
 
 PATH
   remote: vendored-plugins/openproject-costs
   specs:
-    openproject-costs (7.4.3)
+    openproject-costs (7.4.4)
       rails (~> 5.0.0)
 
 PATH
   remote: vendored-plugins/openproject-documents
   specs:
-    openproject-documents (7.4.3)
+    openproject-documents (7.4.4)
       rails (~> 5.0.0)
 
 PATH
   remote: vendored-plugins/openproject-github_integration
   specs:
-    openproject-github_integration (7.4.3)
-      openproject-webhooks (~> 7.4.3)
+    openproject-github_integration (7.4.4)
+      openproject-webhooks (~> 7.4.4)
       rails (~> 5.0)
 
 PATH
   remote: vendored-plugins/openproject-global_roles
   specs:
-    openproject-global_roles (7.4.3)
+    openproject-global_roles (7.4.4)
       rails (~> 5.0.0)
 
 PATH
   remote: vendored-plugins/openproject-ldap_groups
   specs:
-    openproject-ldap_groups (7.4.3)
+    openproject-ldap_groups (7.4.4)
 
 PATH
   remote: vendored-plugins/openproject-meeting
   specs:
-    openproject-meeting (7.4.3)
+    openproject-meeting (7.4.4)
       icalendar (~> 2.3.0)
       rails (~> 5.0.0)
 
 PATH
   remote: vendored-plugins/openproject-my_project_page
   specs:
-    openproject-my_project_page (7.4.3)
+    openproject-my_project_page (7.4.4)
       rails (~> 5.0.0)
 
 PATH
   remote: vendored-plugins/openproject-openid_connect
   specs:
-    openproject-openid_connect (7.4.3)
+    openproject-openid_connect (7.4.4)
       lobby_boy (~> 0.1)
       omniauth-openid_connect-providers (~> 0.1)
       openproject-auth_plugins (~> 7.0)
@@ -188,44 +188,44 @@ PATH
 PATH
   remote: vendored-plugins/openproject-pdf_export
   specs:
-    openproject-pdf_export (7.4.3)
+    openproject-pdf_export (7.4.4)
       pdf-inspector (~> 1.3.0)
       prawn (~> 2.2)
 
 PATH
   remote: vendored-plugins/openproject-reporting
   specs:
-    openproject-reporting (7.4.3)
+    openproject-reporting (7.4.4)
       jquery-tablesorter (~> 1.22.3)
-      openproject-costs (= 7.4.3)
+      openproject-costs (= 7.4.4)
       rails (~> 5.0.0)
       reporting_engine (>= 1.1.0)
 
 PATH
   remote: vendored-plugins/openproject-two_factor_authentication
   specs:
-    openproject-two_factor_authentication (7.4.3)
+    openproject-two_factor_authentication (7.4.4)
       messagebird-rest (~> 1.3.2)
       rails (~> 5)
       rotp (~> 3.3)
 
 PATH
   remote: vendored-plugins/openproject-webhooks
   specs:
-    openproject-webhooks (7.4.3)
+    openproject-webhooks (7.4.4)
       rails (~> 5.0)
 
 PATH
   remote: vendored-plugins/openproject-xls_export
   specs:
-    openproject-xls_export (7.4.3)
+    openproject-xls_export (7.4.4)
       rails (~> 5.0.0)
       spreadsheet (~> 0.8.9)
 
 PATH
   remote: vendored-plugins/reporting_engine
   specs:
-    reporting_engine (7.4.3)
+    reporting_engine (7.4.4)
       json
       rails (~> 5.0.0)
 
@@ -432,7 +432,7 @@ GEM
       railties (>= 3.0.0)
     faker (1.8.4)
       i18n (~> 0.5)
-    fastimage (2.1.1)
+    fastimage (2.1.3)
     ffi (1.9.18)
     fog-aws (0.11.0)
       fog-core (~> 1.38)

app/controllers/wiki_controller.rb

@@ -135,7 +135,7 @@ def show
     if @page.new_record?
       if User.current.allowed_to?(:edit_wiki_pages, @project) && editable?
         edit
-        render action: 'edit'
+        render action: 'new'
       else
         render_404
       end
@@ -256,7 +256,7 @@ def project_menu_items
 
   def wiki_root_menu_items
     MenuItems::WikiMenuItem
-      .where(parent_id: nil)
+      .main_items(@wiki.id)
       .map { |it| OpenStruct.new name: it.name, caption: it.title, item: it }
   end
 
@@ -403,7 +403,7 @@ def parse_preview_data
   private
 
   def wiki_page_title
-    params[:id]
+    params[:title] || params[:id]
   end
 
   def find_wiki

app/controllers/work_packages/bulk_controller.rb

@@ -99,7 +99,9 @@ def destroy
   def destroy_work_packages(work_packages)
     work_packages.each do |work_package|
       begin
-        work_package.reload.destroy
+        WorkPackages::DestroyService
+          .new(user: current_user, work_package: work_package.reload)
+          .call
       rescue ::ActiveRecord::RecordNotFound
         # raised by #reload if work package no longer exists
         # nothing to do, work package was already deleted (eg. by a parent)

app/models/mail_handler.rb

@@ -141,7 +141,7 @@ def dispatch
     # TODO: send a email to the user
     logger.error e.message if logger
     false
-  rescue MissingInformation
+  rescue MissingInformation => e
     log "missing information from #{user}: #{e.message}", :error
     false
   rescue UnauthorizedAction

app/models/queries/relations/filters/from_filter.rb

@@ -31,13 +31,21 @@ module Queries
   module Relations
     module Filters
       class FromFilter < ::Queries::Relations::Filters::RelationFilter
+        include ::Queries::Relations::Filters::VisibilityChecking
+
         def type
           :integer
         end
 
         def self.key
           :from_id
         end
+
+        private
+
+        def visibility_checked_sql(operator, values, visible_sql)
+          ["from_id #{operator} (?) AND to_id IN (#{visible_sql})", values]
+        end
       end
     end
   end

app/models/queries/relations/filters/involved_filter.rb

@@ -36,6 +36,8 @@ module Filters
       #   Given relations [{ from_id: 3, to_id: 7 }, { from_id: 8, to_id: 3}]
       #   filtering by involved=3 would yield both these relations.
       class InvolvedFilter < ::Queries::Relations::Filters::RelationFilter
+        include ::Queries::Relations::Filters::VisibilityChecking
+
         def type
           :integer
         end
@@ -44,15 +46,21 @@ def self.key
           :involved
         end
 
-        def where
-          integer_values = values.map(&:to_i)
+        private
+
+        def visibility_checked_sql(operator_string, values, visible_sql)
+          concatenation = if operator == '='
+                            "OR"
+                          else
+                            "AND"
+                          end
+
+          sql = <<-SQL.strip_heredoc
+            (from_id #{operator_string} (?) AND to_id IN (#{visible_sql}))
+             #{concatenation} (to_id #{operator_string} (?) AND from_id IN (#{visible_sql}))
+          SQL
 
-          case operator
-          when "="
-            ["from_id IN (?) OR to_id IN (?)", integer_values, integer_values]
-          when "!"
-            ["from_id NOT IN (?) AND to_id NOT IN (?)", integer_values, integer_values]
-          end
+          [sql, values, values]
         end
       end
     end

app/models/queries/relations/filters/relation_filter.rb

@@ -36,6 +36,10 @@ class RelationFilter < ::Queries::Filters::Base
         def human_name
           Relation.human_attribute_name(name)
         end
+
+        def visibility_checked?
+          false
+        end
       end
     end
   end

app/models/queries/relations/filters/to_filter.rb

@@ -31,13 +31,25 @@ module Queries
   module Relations
     module Filters
       class ToFilter < ::Queries::Relations::Filters::RelationFilter
+        include ::Queries::Relations::Filters::VisibilityChecking
+
         def type
           :integer
         end
 
         def self.key
           :to_id
         end
+
+        def visibility_checked?
+          true
+        end
+
+        private
+
+        def visibility_checked_sql(operator, values, visible_sql)
+          ["to_id #{operator} (?) AND from_id IN (#{visible_sql})", values]
+        end
       end
     end
   end

app/models/queries/relations/filters/visibility_checking.rb

@@ -0,0 +1,62 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries
+  module Relations
+    module Filters
+      module VisibilityChecking
+        def visibility_checked?
+          true
+        end
+
+        def where
+          integer_values = values.map(&:to_i)
+
+          visible_sql = WorkPackage.visible(User.current).select(:id).to_sql
+
+          operator_string = case operator
+                            when "="
+                              "IN"
+                            when "!"
+                              "NOT IN"
+                            end
+
+          visibility_checked_sql(operator_string, values, visible_sql)
+        end
+
+        private
+
+        def visibility_checked_sql(_operator, _values, _visible_sql)
+          raise NotImplementedError
+        end
+      end
+    end
+  end
+end

app/models/queries/relations/relation_query.rb

@@ -35,9 +35,19 @@ def self.model
 
       def default_scope
         Relation
-          .visible
           .direct
       end
+
+      def results
+        # Filters marked to already check visibility free us from the need
+        # to check it here.
+
+        if filters.any?(&:visibility_checked?)
+          super
+        else
+          super.visible
+        end
+      end
     end
   end
 end

app/models/time_entry.rb

@@ -126,7 +126,7 @@ def authoritativ_activity
   private
 
   def validate_hours_are_in_range
-    errors.add :hours, :invalid if hours && (hours < 0 || hours >= 1000)
+    errors.add :hours, :invalid if hours && hours < 0
   end
 
   def validate_project_is_set