Release OpenProject 13.0.6

docs/development/application-architecture/README.md

@@ -73,6 +73,76 @@ OpenProject is continuously tested, developed, and distributed using the followi
 
 
 
+# Patch and change management
+
+OpenProject uses the Community instance [https://community.openproject.org](https://community.openproject.org) for managing the application lifecycle. For a full overview on the process of developing changes to the application, please see our [product development guide](../product-development-handbook/).
+
+This section summarizes all relevant information about the process for providing releases.
+
+## Current release
+
+The [release notes](https://www.openproject.org/docs/release-notes) provide a list of all the releases including the current stable one.
+
+Administrators can identify their currently deployed version of OpenProject in the [Administration information page of their installation](https://www.openproject.org/docs/system-admin-guide/information).
+
+
+
+## Upcoming releases
+
+See the [Roadmap](https://community.openproject.com/projects/openproject/roadmap) for the overview of the upcoming stable releases.
+
+
+
+## Versioning
+
+OpenProject follows [Semantic Versioning](https://semver.org/). Therefore, the version is a composition of three digits in the format of e.g. 0.1.1 and can be summarised as followed:
+
+- MAJOR version when you make incompatible API changes,
+- MINOR version when you add functionality in a backwards-compatible manner, and
+- PATCH version when you make backwards-compatible bug fixes.
+
+Please note that OpenProject considers the following to be non breaking changes which do not lead to a new major version:
+
+- Database schema changes
+- Updates on depended upon libraries packaged with the distributions of OpenProject (e.g. Ruby, Rails, etc.)
+
+Changes to those can thus happen also in minor or patch releases.
+
+On the other hand, changes to the following are considered breaking changes and thus lead to a new major version.
+
+- Changes to the minimum version of supported operating systems.
+- Changes to the minimum version of the supported database system (PostgreSQL).
+
+This list is not conclusive but rather serves to highlight the difference to the previous list of non breaking changes.
+
+
+
+## Support of releases
+
+For the community edition, only the current stable release is maintained. The [Enterprise on-premises](https://www.openproject.org/enterprise-edition) provides extended maintenance.
+
+We recommended to update to a new stable release as soon as possible to have a supported version installed. To that end, OpenProject will show an information banner to administrators in case a new stable release is available.
+
+
+
+## Change history
+
+All changes made to the OpenProject software are documented via work packages bundled by the version. The [Roadmap view](https://community.openproject.com/projects/openproject/roadmap) gives a corresponding overview. A release is also summarized in the [release notes](https://www.openproject.org/docs/release-notes).
+
+
+
+## Distribution
+
+OpenProject is distributed in [various formats](https://www.openproject.org/docs/installation-and-operations/installation). Manual installation based on the code in GitHub is possible but not supported.
+
+
+
+## Versions in the codebase
+
+The version is represented as [tags](https://www.openproject.org/docs/development/git-workflow#tagging) and [branches](https://www.openproject.org/docs/development/git-workflow#branching-model) in the repository. The version is also manifested in the [version.rb](https://github.com/opf/openproject/blob/dev/lib/open_project/version.rb).
+
+
+
 # Components
 
 A typical installation of OpenProject uses a web server such as NGINX or Apache to proxy requests to and from the internal [Puma](https://puma.io/) application server. All web requests are handled internally by it. A background job queue is used to execute longer running data requests or asynchronous communications.

docs/development/concepts/secure-coding/README.md

@@ -182,6 +182,33 @@ https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
 
 
 
+## Virus and Malware protection
+
+As OpenProject may handle and distribute sensitive user data, attack vectors such as malicious user input as specified in the previous section pose a threat to the integrity, confidentiality, and availaibility of data. In the following, we will evaluate different risks and guidelines on the protection against viruses and other malware during operation of an OpenProject instance.
+
+
+
+**Risks and impacts**
+
+- *Viruses and malware uploads*: Whenever users are able to upload files to a system, potentially malicous files could be provided and distributed through OpenProject by users with the appropriate upload permission. 
+- *Malware in software*: OpenProject carefully selects and updates third-party dependencies. Please see the following section on [external dependencies](#external-dependencies) for more information on the best practices of external dependencies.
+
+
+
+**Guidelines**
+
+- Virus and malware uploads
+  - OpenProject provides users with fine-grained access to control which user groups are allowed to upload files
+  - Whitelist for uploads can be provided by MIME type, rejecting any nonmatching files
+  - OpenProject currently does not provide a built-in virus scanner. However, using [webhooks](https://www.openproject.org/docs/system-admin-guide/api-and-webhooks/#webhooks) and the [attachments API](https://www.openproject.org/docs/api/endpoints/attachments/), users can plug existing virus scanning tools and scrub any uploaded files.
+- *Malware in software*:
+  - OpenProject uses statical code analysis on every change provided to the application as well as code scanners on the artefacts generated from the source code (such as Snyk vulnerability scanner for Docker images).
+  - We recommend users to perform their own 
+
+
+
+
+
 ## External dependencies
 
 OpenProject includes a number of external dependencies both in Ruby as well as in the JavaScript ecosystem. Regardless of the selection of these dependencies, maintaining and keeping the dependencies up-to-date is a critical part of the security of the application. We have seen a lot of attacks surface in the past years originating from either outdated or manipulated dependencies.

docs/development/releases/README.md

@@ -1,52 +1,3 @@
 # Releases
 
-This page summarizes all relevant information about releases.
-
-## Current release
-
-The [release notes](../../release-notes/) provide a list of all the releases including the current stable one.
-
-Administrators can identify their currently deployed version of OpenProject in the [Administration information page of their installation](../../system-admin-guide/information).
-
-## Upcoming releases
-
-See the [Roadmap](https://community.openproject.com/projects/openproject/roadmap) for the overview of the upcoming stable releases.
-
-## Versioning
-
-OpenProject follows [Semantic Versioning](https://semver.org/).
-Therefore, the version is a composition of three digits in the format of e.g. 0.1.1 and can be summarised as followed:
-  * MAJOR version when you make incompatible API changes,
-  * MINOR version when you add functionality in a backwards-compatible manner, and
-  * PATCH version when you make backwards-compatible bug fixes.
-
-Please note that OpenProject considers the following to be non breaking changes which do not lead to a new major version:
-* Database schema changes
-* Updates on depended upon libraries packaged with the distributions of OpenProject (e.g. Ruby, Rails, etc.)
-
-Changes to those can thus happen also in minor or patch releases.
-
-On the other hand, changes to the following are considered breaking changes and thus lead to a new major version.
-* Changes to the minimum version of supported operating systems.
-* Changes to the minimum version of the supported database system (PostgreSQL).
-
-This list is not conclusive but rather serves to highlight the difference to the previous list of non breaking changes.
-
-## Support of releases
-
-For the community edition, only the current stable release is maintained. The [Enterprise on-premises](https://www.openproject.org/enterprise-edition) provides extended maintenance.
-
-We recommended to update to a new stable release as soon as possible to have a supported version installed. To that end, OpenProject will show an information banner to administrators in case a new stable release is available.
-
-
-## Change history
-
-All changes made to the OpenProject software are documented via work packages bundled by the version. The [Roadmap view](https://community.openproject.com/projects/openproject/roadmap) gives a corresponding overview. A release is also summarized in the [release notes](../../release-notes/).
-
-## Distribution
-
-OpenProject is distributed in [various formats](../../installation-and-operations/installation/). Manual installation based on the code in GitHub is possible but not supported.
-
-## Versions in the codebase
-
-The version is represented as [tags](../git-workflow#tagging) and [branches](../git-workflow#branching-model) in the repository. The version is also manifested in the [version.rb](https://github.com/opf/openproject/blob/dev/lib/open_project/version.rb).
+This page has been integrated into the [application architecture guide](../application-architecture/#patch-and-change-management).

docs/enterprise-guide/enterprise-cloud-guide/openproject-cloud-status/README.md

@@ -8,66 +8,4 @@ keywords: enterprise cloud, status, incidents
 
 # OpenProject cloud status page
 
-On this page, we will report any outages and reports of degraded services for our Enterprise cloud edition customers.
-
-* * *
-
-## Current issues
-
-–
-
-* * *
-
-## Past incidents
-
-### June 25, 2020
-
-We are currently seeing elevated response times and degraded performance. We are investigating the issue.
-
-* * *
-
-### September 11, 2018
-
-(13:20 - 13:50 UTC) During the latest deployment of OpenProject 8.0. on our cloud infrastructure, a migration was added to rename a specific table used for the new application. This migration turned out to run through significantly longer.
-
-* * *
-
-### May 26 - 27th, 2018
-
-(7:30 UTC) Services operating normally, root cause is being worked at.
-
-(1:00 UTC) One of the Aurora databases in our PostgreSQL cluster failed in an autovacuum operation scheduled to execute at nights (UTC + 2). A failover to the reader database happened, but not all web workers of the OpenProject cloud services reconnected correctly, resulting in consistently dropped connections during that night.
-
-* * *
-
-### April 25th, 2018
-
-(8:15 UTC) OpenProject email notifciation service has been restored.
-
-(7:28 UTC) We are aware of degradede mail notifications on our OpenProject Enterprise cloud edition service due to a technical issue with our mail notification provider and are actively working on resolving it.
-
-* * *
-
-### April 20th, 2018
-
-(3:00 UTC) The OpenProject Enterprise cloud edition is currently not available in Russia since the IP address is being blocked in connection with blocking Telegram ([more information](https://www.bbc.com/news/technology-43797176)).
-
-(3:00 UTC) The OpenProject Enterprise cloud edition service is currently not available in Russia.
-
-* * *
-
-### April 16th, 2018
-
-(7:30 UTC) Services operating normally.
-
-(7:20 UTC) One of the Aurora databases in our PostgreSQL cluster denied new client connections, resulting in timeouts whenever new web workers were restarted (this is scheduled randomly after a few thousand requests). The instance however reported normal operation and in turn did not automatically failover by itself. Once the failing database was took out of the cluster and restarted, access returned to normal.
-
-(6:30 UTC) We're investigating page timeouts and incomplete responses returned to some of our cloud environment instances.
-
-* * *
-
-### March 14th, 2018
-
-(14:25 UTC) Services operating normally.
-
-(14:07 UTC) We're aware of occasional Gateway timeout responses from one of our load balancers.
+The following status page provides information about outages, maintenance announcements, and degraded services for our Enterprise cloud customers: https://status.openproject.com/

docs/getting-started/my-activity/README.md

@@ -14,7 +14,11 @@ You can open your **My Activity** page by clicking on your user avatar in the up
 
 ![OpenProject navigate to My Activity Page](openproject_select_my_actvity.png)
 
-You will see two lists by default. **Projects** will show all projects you are a member of. **Activity** will show all of your activities that are being recorded in OpenProject.
+You will see two lists by default. 
+
+**Projects** will show all projects you are a member of. 
+
+**Activity** will show all of your activities that are being recorded in OpenProject. Note that only activities from projects that have enabled the "Activity" module will be shown.
 
 ![Openproject_my_activity_page](openproject_my_activity_overview.png)
 

docs/release-notes/13-0-6/README.md

@@ -0,0 +1,19 @@
+---
+title: OpenProject 13.0.6
+sidebar_navigation:
+    title: 13.0.6
+release_version: 13.0.6
+release_date: 2023-10-13
+---
+
+# OpenProject 13.0.6
+
+Release date: 2023-10-13
+
+We released [OpenProject 13.0.6](https://community.openproject.com/versions/1937).
+The release contains several bug fixes and we recommend updating to the newest version.
+
+<!--more-->
+#### Bug fixes and changes
+
+- Fixed: Project storage members page can be accessed without a session. \[[#50519](https://community.openproject.com/wp/50519)\]

docs/release-notes/README.md

@@ -14,6 +14,13 @@ Stay up to date and get an overview of the new features included in the releases
 <!--- New release notes are generated below. Do not remove comment. -->
 <!--- RELEASE MARKER -->
 
+## 13.0.6
+
+Release date: 2023-10-13
+
+[Release Notes](13-0-6/)
+
+
 ## 13.0.5
 
 Release date: 2023-10-10

docs/user-guide/work-packages/work-package-relations-hierarchies/README.md

@@ -35,11 +35,18 @@ Work package relations indicate that work packages address a similar topic or cr
 You can select one of the following relations:
 
 - **Related to** - This option adds a link from the work package A to work package B, so that project members can immediately see the connection, even if the work packages are not members of the same hierarchy. 
-- **Duplicates / Duplicated by** - This option indicates that the work package A duplicates a work package B in one way or another, for example both address the same task. This can be useful if you have the same work package that needs to be a part of a closed and public projects at the same time. The connection in this case is only semantic, the changes you make in work package A will need to be adapted in work package B manually. However, this does not affect the status, so if you change the status of work package A the status of work package B will change automatically to the same. 
+
+- **Duplicates / Duplicated by** - This option indicates that the work package B duplicates a work package A in one way or another, for example both address the same task. This can be useful if you have the same work package that needs to be a part of a closed and public projects at the same time. The connection in this case is only semantic, the changes you make in work package A will need to be adapted in work package B manually. 
+
+  **Note**: some changes in statuses will de adjusted automatically for the duplicated work package. Specifically, if the status of a work package A is set to be "closed" (or set to any status that is defined to count as "closed" in the  [system settings](../../../system-admin-guide/manage-work-packages/work-package-status/), for example "rejected" often counts as a "closed" status), the status of the work package B will change to "closed". Note that this is direction dependent. Only if the work package A is closed will the work package B be closed as well, not the other way around. 
+
 - **Blocks / Blocked by** - This option defines status change restrictions between two work packages. If you set a work package A to be blocking work package B, the status of work package B cannot be set to closed or resolved until the work package A is closed.
+
 - **Precedes / Follows** - Defines a chronological relation between two work packages. For example, if you set a work package A to precede a work package B, the start date of B has to be at least a day after the finish date of A.
   Please note: If work package B is in [manual scheduling mode](../../gantt-chart/scheduling/#manual-scheduling-mode), changing the finish date of work package A will have no effect on work package B.
+
 - **Includes / Part of** - Defines if work package A includes or is part of work package B. This relation type can be used for example when you have a roll-out work package and work packages which should be shown as included without using hierarchical relationships. There is no additional effect.
+
 - **Requires / Required by** - Defines if work package A requires or is required by work package B. There is no additional effect.
 
 The selected relation status will be automatically displayed in the work package that you enter. For example if you select "Blocks" in the current work package A and specify work package B, work package B will automatically show that it is "Blocked by" A.

lib/open_project/version.rb

@@ -33,7 +33,7 @@ module OpenProject
   module VERSION # :nodoc:
     MAJOR = 13
     MINOR = 0
-    PATCH = 5
+    PATCH = 6
 
     class << self
       # Used by semver to define the special version (if any).

modules/storages/app/controllers/storages/project_settings/project_storage_members_controller.rb

@@ -29,7 +29,7 @@
 # Purpose: Let OpenProject create folders per project automatically.
 # This is recommended as it ensures that every team member always has the correct access permissions.
 #
-class Storages::ProjectSettings::ProjectStorageMembersController < ApplicationController
+class Storages::ProjectSettings::ProjectStorageMembersController < Projects::SettingsController
   include PaginationHelper
 
   menu_item :settings_project_storages
@@ -61,6 +61,5 @@ def find_model_object(object_id = :project_storage_id)
     super(object_id)
     @project_storage = @object
     @storage = @project_storage.storage
-    @project = @project_storage.project
   end
 end

modules/storages/spec/features/view_project_storage_members_spec.rb

@@ -46,6 +46,13 @@
                                                  connected_no_permissions_user])
   end
 
+  it 'cannot be accessed without being logged in' do
+    visit project_settings_project_storage_members_path(project, project_storage_id: project_storage.id)
+
+    expect(page).to have_title('Sign in | OpenProject')
+    expect(page).not_to have_text('Members connection status')
+  end
+
   it 'lists project members connection statuses' do
     login_as user