Release OpenProject 12.5.4

app/services/authentication/omniauth_service.rb

@@ -162,7 +162,7 @@ def find_existing_user
     def remap_existing_user
       return unless Setting.oauth_allow_remapping_of_existing_users?
 
-      User.find_by_login(user_attributes[:login])
+      User.not_builtin.find_by(login: user_attributes[:login])
     end
 
     ##

app/services/sessions/drop_all_sessions_service.rb

@@ -0,0 +1,46 @@
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2012-2023 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+require_relative './base_service'
+
+module Sessions
+  class DropAllSessionsService < BaseService
+    class << self
+      ##
+      # Drop all sessions for the given user
+      def call(user)
+        return false unless active_record_sessions?
+
+        ::Sessions::UserSession
+          .for_user(user)
+          .delete_all
+
+        true
+      end
+    end
+  end
+end

app/services/users/change_password_service.rb

@@ -42,6 +42,8 @@ def call(params)
         current_user.force_password_change = false
 
         if current_user.save
+          invalidate_recovery_tokens
+
           log_success
           ::ServiceResult.new success: true,
                               result: current_user,
@@ -58,6 +60,10 @@ def call(params)
 
     private
 
+    def invalidate_recovery_tokens
+      Token::Recovery.where(user: current_user).delete_all
+    end
+
     def invalidate_session_result
       update_message = I18n.t(:notice_account_password_updated)
 

app/views/activities/index.html.erb

@@ -42,13 +42,21 @@ See COPYRIGHT and LICENSE files for more details.
 
 <div style="float:left;">
   <%= link_to_content_update(t(:label_previous),
-                             { from: (@date_to - @days - 1), with_subprojects: @with_subprojects ? '1' : '0' },
+                             {
+                               from: (@date_to - @days - 1),
+                               with_subprojects: @with_subprojects ? '1' : '0',
+                               user_id: params[:user_id]
+                             }.compact,
                              {title: t(:label_date_from_to, start: format_date(@date_to - 2*@days), end: format_date(@date_to - @days - 1)),
                              class: 'navigate-left'}) %>
 </div>
 <div style="float:right;">
   <%= link_to_content_update(t(:label_next),
-                             { from: (@date_to + @days - 1), with_subprojects: @with_subprojects ? '1' : '0' },
+                             {
+                               from: (@date_to + @days - 1),
+                               with_subprojects: @with_subprojects ? '1' : '0',
+                               user_id: params[:user_id]
+                             }.compact,
                              {title: t(:label_date_from_to, start: format_date(@date_to), end: format_date(@date_to + @days - 1)),
                              class: 'navigate-right'}) unless @date_to >= Date.today %>
 </div>

config/locales/crowdin/de.yml

@@ -229,7 +229,7 @@ de:
       failed_text: "Die Anfrage zum Löschen des Projekts %{name} ist fehlgeschlagen. Das Projekt wurde archiviert."
       completed: "Löschen des Projekts %{name} abgeschlossen"
       completed_text: "Die Anfrage zum Löschen des Projekts '%{name}' wurde abgeschlossen."
-      completed_text_children: "Additionally, the following subprojects have been deleted:"
+      completed_text_children: "Zusätzlich wurden folgende Unterprojekte gelöscht:"
     index:
       open_as_gantt: 'Als Gantt-Ansicht öffnen'
       open_as_gantt_title: "Eine Gantt-Ansicht für Arbeitspakete aus den auf dieser Seite sichtbaren Projekten erzeugen."

docs/release-notes/12-5-4/README.md

@@ -0,0 +1,55 @@
+---
+title: OpenProject 12.5.4
+sidebar_navigation:
+    title: 12.5.4
+release_version: 12.5.4
+release_date: 2023-05-02
+---
+
+# OpenProject 12.5.4
+
+Release date: 2023-05-02
+
+We released [OpenProject 12.5.4](https://community.openproject.com/versions/1728).
+The release contains two security related bug fixes and we recommend updating to the newest version.
+
+
+
+### Invalidation of existing sessions when 2FA activated \[[#48035](https://community.openproject.com/wp/48035)\]
+
+When a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device.
+
+This security related issue was responsibly disclosed by [Vaishnavi Pardeshi](mailto:[email protected]). Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our [statement on security](https://www.openproject.org/docs/development/security/).
+
+**A CVE for this issue is currently being requested**
+
+**Workarounds**
+
+As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled [through a configuration option](https://www.openproject.org/docs/installation-and-operations/configuration/#setting-session-options). Double check that this option is not overridden if you plan to employ the workaround.
+
+### Invalidation of password reset link when user changes password in the meantime \[[#48036](https://community.openproject.com/wp/48036)\]
+
+When a user requests a password reset, an email is sent with a link to confirm and reset the password. If the user changes the password in an active session in the meantime, the password reset link was not invalidated and continued to be usable for the duration of its validity period.
+
+The issue has been resolved in OpenProject version 12.5.4 by actively revoking any active password reset tokens for user accounts having changed their passwords successfully within the application.
+
+This security related issue was responsibly disclosed by [Vaishnavi Pardeshi](mailto:[email protected]). Thank you for reaching out to us and your help in identifying this issue. If you have a security vulnerability you would like to disclose, please see our [statement on security](https://www.openproject.org/docs/development/security/).
+
+<!--more-->
+
+#### Bug fixes and changes
+
+- Fixed: Google reCAPTCHA v2 and V3 changed implementation \[[#44115](https://community.openproject.com/wp/44115)\]
+- Fixed: User activity: Previous link removes user parameter from URL \[[#47855](https://community.openproject.com/wp/47855)\]
+- Fixed: Work package HTML titles needlessly truncated \[[#47876](https://community.openproject.com/wp/47876)\]
+- Fixed: Wrong spacing in Firefox when using line breaks in user content tables \[[#48027](https://community.openproject.com/wp/48027)\]
+- Fixed: Previously Created Session Continue Being Valid After 2FA Activation \[[#48035](https://community.openproject.com/wp/48035)\]
+- Fixed: Forgotten password link does not expire when user changes password in the meantime \[[#48036](https://community.openproject.com/wp/48036)\]
+
+#### Contributions
+A big thanks to community members for reporting bugs and helping us identifying and providing fixes.
+
+Special thanks for reporting and finding bugs go to
+
+Björn Schümann
+

docs/release-notes/README.md

@@ -14,6 +14,13 @@ Stay up to date and get an overview of the new features included in the releases
 <!--- New release notes are generated below. Do not remove comment. -->
 <!--- RELEASE MARKER -->
 
+## 12.5.4
+
+Release date: 2023-05-02
+
+[Release Notes](12-5-4/)
+
+
 ## 12.5.3
 
 Release date: 2023-04-24

docs/user-guide/time-and-costs/time-tracking/time-tracker-integration/README.md

@@ -10,11 +10,13 @@ keywords: time tracking, time tracker integration
 
 Please note that the Time Tracker integration is not developed, nor officially supported by OpenProject.
 
-[Time Tracker for OpenProject](https://open-time-tracker.com/) is a mobile app that records time spent on tasks and logs it to your Open  Project instance. 
+<img src="./time_tracker_app.png" alt="Screenshot of the Time Tracker app" width="300" />
+
+[Time Tracker for OpenProject](https://open-time-tracker.com/) is a mobile app that records time spent on tasks and logs it to your Open Project instance. 
 
 ## Installation
 
-Time Tracker app is available in the Apple AppStore and on GitHub.
+Time Tracker app is available in the Apple [AppStore](https://apps.apple.com/us/app/time-tracker-for-open-project/id1669753978), Google [PlayStore](https://play.google.com/store/apps/details?id=vonrehberg.timetracker) and on [GitHub](https://github.com/VonRehbergConsulting/open-time-tracker).
 
 ## Configuration
 

frontend/src/app/features/work-packages/routing/wp-view-base/work-package-single-view.base.ts

@@ -178,7 +178,7 @@ export class WorkPackageSingleViewBase extends UntilDestroyedMixin {
     this.authorisationService.initModelAuth('work_package', this.workPackage.$links);
 
     // Push the current title
-    this.titleService.setFirstPart(this.workPackage.subjectWithType(20));
+    this.titleService.setFirstPart(this.workPackage.subjectWithType(-1));
 
     // Preselect this work package for future list operations
     this.showStaticPagePath = this.PathHelper.workPackagePath(this.workPackageId);

frontend/src/global_styles/content/user-content/_mixins.sass

@@ -1,7 +1,10 @@
 @mixin user-content-children 
   > * + *
     margin-top: 0.8rem
-
+
+  > br
+    margin-top: 0
+
   > .op-uc-h1 + *,
   > .op-uc-h2 + *,
   > .op-uc-h3 + *,

lib/open_project/version.rb

@@ -33,7 +33,7 @@ module OpenProject
   module VERSION # :nodoc:
     MAJOR = 12
     MINOR = 5
-    PATCH = 3
+    PATCH = 4
 
     class << self
       # Used by semver to define the special version (if any).

modules/backlogs/config/locales/crowdin/hi.yml

@@ -25,60 +25,60 @@ hi:
       work_package:
         position: "स्थिति"
         remaining_hours: "बाकी बचे घंटे"
-        remaining_time: "Remaining hours"
-        story_points: "Story Points"
-        backlogs_work_package_type: "Backlog type"
+        remaining_time: "बाकी बचे घंटे"
+        story_points: "कहानी अंक"
+        backlogs_work_package_type: "बैकलॉग प्रकार"
     errors:
       models:
         work_package:
           attributes:
             blocks_ids:
-              can_only_contain_work_packages_of_current_sprint: "can only contain IDs of work packages in the current sprint."
-              must_block_at_least_one_work_package: "must contain the ID of at least one ticket."
+              can_only_contain_work_packages_of_current_sprint: "वर्तमान स्प्रिंट में केवल कार्य पैकेजों की आईडी हो सकती है।"
+              must_block_at_least_one_work_package: "कम से कम एक टिकट की आईडी होनी चाहिए।"
             parent_id:
-              parent_child_relationship_across_projects: "is invalid because the work package '%{work_package_name}' is a backlog task and therefore cannot have a parent outside of the current project."
-              type_must_be_one_of_the_following: "Type must be one of the following: %{type_names}."
+              parent_child_relationship_across_projects: "अमान्य है क्योंकि वर्क पैकेज '%{work_package_name}' एक बैकलॉग टास्क है और इसलिए मौजूदा प्रोजेक्ट के बाहर पैरेंट नहीं हो सकता है |"
+              type_must_be_one_of_the_following: "प्रकार निम्न में से एक होना चाहिए:"
             version_id:
-              task_version_must_be_the_same_as_story_version: "must be the same as the parent story's version."
+              task_version_must_be_the_same_as_story_version: "मूल कहानी के संस्करण के समान होना चाहिए।"
         sprint:
-          cannot_end_before_it_starts: "Sprint cannot end before it starts."
+          cannot_end_before_it_starts: "स्प्रिंट शुरू होने से पहले खत्म नहीं हो सकता।"
   backlogs:
-    add_new_story: "New Story"
-    any: "any"
-    backlog_settings: "Backlogs settings"
-    burndown_graph: "Burndown Graph"
-    card_paper_size: "Paper size for card printing"
-    chart_options: "Chart options"
+    add_new_story: "नई कहानी"
+    any: "कोई"
+    backlog_settings: "बैकलॉग सेटिंग्स"
+    burndown_graph: "बर्नडाउन ग्राफ"
+    card_paper_size: "कार्ड छपाई के लिए कागज का आकार"
+    chart_options: "चार्ट विकल्प"
     close: "बंद करें"
-    column_width: "Column width:"
-    date: "Day"
-    definition_of_done: "Definition of Done"
-    generating_chart: "Generating Graph..."
+    column_width: "स्तंभ की चौड़ाई:"
+    date: "दिन"
+    definition_of_done: "पूर्ण की परिभाषा"
+    generating_chart: "ग्राफ़ जनरेट कर रहा है..."
     hours: "घंटे"
-    impediment: "Impediment"
-    label_versions_default_fold_state: "Show versions folded"
-    work_package_is_closed: "Work package is done, when"
-    label_is_done_status: "Status %{status_name} means done"
-    no_burndown_data: "No burndown data available. It is necessary to have the sprint start- and end dates set."
-    points: "Points"
-    positions_could_not_be_rebuilt: "Positions could not be rebuilt."
-    positions_rebuilt_successfully: "Positions rebuilt successfully."
-    properties: "Properties"
-    rebuild: "Rebuild"
-    rebuild_positions: "Rebuild positions"
-    remaining_hours: "Remaining hours"
-    remaining_hours_ideal: "Remaining hours (ideal)"
-    show_burndown_chart: "Burndown Chart"
-    story: "Story"
-    story_points: "Story Points"
-    story_points_ideal: "Story Points (ideal)"
-    task: "Task"
-    task_color: "Task color"
-    unassigned: "Unassigned"
-    x_more: "%{count} more..."
-  backlogs_active: "active"
-  backlogs_any: "any"
-  backlogs_card_specification: "Label types for card printing"
+    impediment: "बाधा"
+    label_versions_default_fold_state: "मुड़े हुए संस्करण दिखाएं"
+    work_package_is_closed: "काम का पैकेज हो गया, जब"
+    label_is_done_status: "स्थिति %{status_name} का अर्थ हो गया"
+    no_burndown_data: "जलने का कोई डेटा उपलब्ध नहीं है। स्प्रिंट की शुरुआत और समाप्ति तिथि निर्धारित करना आवश्यक है।"
+    points: "अंक"
+    positions_could_not_be_rebuilt: "पदों का पुनर्निर्माण नहीं किया जा सका।"
+    positions_rebuilt_successfully: "पदों का सफलतापूर्वक पुनर्निर्माण किया गया।"
+    properties: "गुण"
+    rebuild: "फिर से बनाना"
+    rebuild_positions: "पदों का पुनर्निर्माण करें"
+    remaining_hours: "बाकी बचे घंटे"
+    remaining_hours_ideal: "शेष घंटे (आदर्श)"
+    show_burndown_chart: "कार्य समय चार्ट"
+    story: "कहानी"
+    story_points: "कहानी अंक"
+    story_points_ideal: "कहानी अंक (आदर्श)"
+    task: "कार्य"
+    task_color: "कार्य का रंग"
+    unassigned: "सौंपे नहीं गए"
+    x_more: "%{count}और..."
+  backlogs_active: "सक्रिय"
+  backlogs_any: "कोई"
+  backlogs_card_specification: "कार्ड छपाई के लिए लेबल प्रकार"
   backlogs_inactive: "Project shows no activity"
   backlogs_points_burn_direction: "Points burn up/down"
   backlogs_product_backlog: "Product backlog"

modules/budgets/config/locales/crowdin/sv.yml

@@ -41,7 +41,7 @@ sv:
       material_budget_item: "Enhet"
   activity:
     filter:
-      budget: "Budgets"
+      budget: "Budget"
   attributes:
     budget: "Budget"
   button_add_budget_item: "Lägg till planerade kostnader"

modules/openid_connect/config/locales/crowdin/de.yml

@@ -9,7 +9,7 @@ de:
         identifier: Kennung
         secret: Secret
         scope: Geltungsbereich
-        limit_self_registration: Limit self registration
+        limit_self_registration: Selbstregistrierung begrenzen
   openid_connect:
     menu_title: OpenID-Anbieter
     providers:
@@ -20,4 +20,4 @@ de:
       singular: OpenID-Anbieter
     setting_instructions:
       limit_self_registration: >
-        If enabled users can only register using this provider if the self registration setting allows for it.
+        Wenn aktiviert, können sich Benutzer nur dann mit diesem Anbieter registrieren, wenn die Einstellung zur Selbstregistrierung dies zulässt.

modules/openid_connect/config/locales/crowdin/ru.yml

@@ -9,7 +9,7 @@ ru:
         identifier: Идентификатор
         secret: Секретный ключ
         scope: Область
-        limit_self_registration: Limit self registration
+        limit_self_registration: Ограничить саморегистрацию
   openid_connect:
     menu_title: Провайдеры OpenID
     providers:
@@ -20,4 +20,4 @@ ru:
       singular: Провайдер OpenID
     setting_instructions:
       limit_self_registration: >
-        If enabled users can only register using this provider if the self registration setting allows for it.
+        Если включено, пользователи могут зарегистрироваться только с помощью данного провайдера, если это позволяет сама регистрация.

modules/recaptcha/lib/open_project/recaptcha/engine.rb

@@ -35,7 +35,7 @@ class Engine < ::Rails::Engine
           keys.index_with value
         else
           {
-            frame_src: %w(https://www.google.com/recaptcha/)
+            frame_src: %w[https://www.recaptcha.net/recaptcha/ https://www.gstatic.com/recaptcha/]
           }
         end
       end

modules/storages/config/locales/crowdin/js-de.yml

@@ -57,7 +57,7 @@ de:
           other: "%{count} Dateiverknüpfungen erfolgreich erstellt."
         upload_error:
           default: >
-            Your file (%{fileName}) could not be uploaded. Please check that the latest version of the Nextcloud App "OpenProject Integration" is installed and contact your administrator for more information.
+            Ihre Datei (%{fileName}) konnte nicht hochgeladen werden. Bitte überprüfen Sie, ob die neueste Version der Nextcloud-App „OpenProject Integration“ installiert ist und kontaktieren Sie Ihren Administrator für weitere Informationen.
           403: >
             Ihre Datei (%{fileName}) konnte aufgrund von Systembeschränkungen nicht hochgeladen werden. Bitte kontaktieren Sie Ihren Administrator für weitere Informationen.
           413: >