Release OpenProject 16.6.3

Author: oliverguenther

app/controllers/account_controller.rb

@@ -90,12 +90,12 @@ def logout
   end
 
   # Enable user to choose a new password
-  def lost_password
-    return redirect_to(home_url) unless allow_lost_password_recovery?
+  def lost_password # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
+    return redirect_to(home_url, status: :see_other) unless allow_lost_password_recovery?
 
     if params[:token]
       @token = ::Token::Recovery.find_by_plaintext_value(params[:token])
-      redirect_to(home_url) && return unless @token and !@token.expired?
+      redirect_to(home_url, status: :see_other) && return unless @token and !@token.expired?
 
       @user = @token.user
       if request.post?
@@ -104,7 +104,7 @@ def lost_password
 
         if call.success?
           @token.destroy
-          redirect_to action: "login"
+          redirect_to action: "login", status: :see_other
           return
         end
       end
@@ -121,13 +121,15 @@ def lost_password
       unless user
         # user not found in db
         Rails.logger.error "Lost password unknown email input: #{mail}"
+        redirect_to action: :lost_password, status: :see_other
         return
       end
 
       unless user.change_password_allowed?
         # user uses an external authentication
         UserMailer.password_change_not_possible(user).deliver_later
         Rails.logger.warn "Password cannot be changed for user: #{mail}"
+        redirect_to action: :lost_password, status: :see_other
         return
       end
 
@@ -136,7 +138,7 @@ def lost_password
       if token.save
         UserMailer.password_lost(token).deliver_later
         flash[:notice] = I18n.t(:notice_account_lost_email_sent)
-        redirect_to action: "login", back_url: home_url
+        redirect_to action: :lost_password, status: :see_other
         nil
       end
     end

app/models/work_packages/scopes/allowed_to.rb

@@ -98,54 +98,34 @@ def logged_in_non_admin_allowed_to_large_instances(user, permissions)
           WHERE entity_id IS NULL
         SQL
 
-        # Remove those entries from before that are
-        # * entity (WorkPackage) specific AND
-        # * have the same project as a non-entity specific entry.
-        # That is the case if a work package is shared with a user
-        # while the user is already a member in the project.
-        # Since the allowed_to filtering is already specific to the permissions, that removal is safe.
-        entity_member_projects_without_duplicates = Arel.sql(<<~SQL.squish)
-          SELECT * FROM entity_member_projects
-          WHERE NOT EXISTS (
-            SELECT 1 FROM project_member_projects
-            WHERE project_member_projects.id = entity_member_projects.id
-          )
-        SQL
-
         # Take all work packages allowed by either project-wide or entity-specific membership.
-        # But now remove all those that are in a project for which an entity-specific membership exists that is not
-        # for that entity (work package).
-        # An alternative way of formulating this would be by comparing
-        # * That the project_id matches AND
-        # * the entity_id matches OR the entity_id is null
-        #  ```
-        #   SELECT * from work_packages
-        # 	WHERE EXISTS (
-        # 	  SELECT 1 FROM allowed_projects projects
-        #     WHERE projects.id = work_packages.project_id
-        #     AND (projects.entity_id = work_packages.id OR projects.entity_id IS NULL)
-        # 	)
-        # ```
-        # Postgresql however sometimes turns to a sequential scan with the query above.
+        # PostgreSQL however sometimes turns to a sequential scan with the query above.
         #
-        # Index scans can still happen in the combination of the CTE with the check outside of the
-        # CTEs for the existence of any record.
-        # This is particularly likely in case AR.exists? is used which adds a LIMIT 1
+        # It is currently unclear if index scans can still happen in the combination of the CTE with the check
+        # outside of the CTEs for the existence of any record.
+        # This happened in the past, before changing this CTE to a UNION, in case AR.exists? is used which adds a LIMIT 1
         # to the query. In this case, there is a known shortcoming that PostgreSQL's query planner
         # will make poor choices
         # (https://www.postgresql.org/message-id/flat/CA%2BU5nMLbXfUT9cWDHJ3tpxjC3bTWqizBKqTwDgzebCB5bAGCgg%40mail.gmail.com).
         #
         # Once AR supports adding materialization hints (https://github.com/rails/rails/pull/54322), the inner
         # `allowed` CTE can be abandoned as it is only used for being able to provide such a hint.
+        # Having the inner materialized CTE has no known negative side effects which is why it is kept.
         allowed_by_projects_and_work_packages = Arel.sql(<<~SQL.squish)
           WITH allowed AS MATERIALIZED (
-            SELECT id from work_packages
-            WHERE project_id in (SELECT id FROM member_projects)
-            AND NOT EXISTS (
-              SELECT 1 FROM entity_member_projects_without_duplicates
-              WHERE entity_member_projects_without_duplicates.id = work_packages.project_id
-              AND entity_member_projects_without_duplicates.entity_id != work_packages.id
-            )
+            SELECT
+              work_packages.id
+            FROM
+              work_packages
+            JOIN project_member_projects ON project_member_projects.id	= work_packages.project_id
+
+            UNION
+
+            SELECT
+              work_packages.id
+            FROM
+              work_packages
+            JOIN entity_member_projects ON entity_member_projects.entity_id = work_packages.id
           )
 
           SELECT * from allowed
@@ -154,7 +134,6 @@ def logged_in_non_admin_allowed_to_large_instances(user, permissions)
         with(member_projects: Arel.sql(allowed_via_project_or_work_package_membership.to_sql),
              entity_member_projects:,
              project_member_projects:,
-             entity_member_projects_without_duplicates:,
              allowed_by_projects_and_work_packages:)
           .where(<<~SQL.squish)
             EXISTS (

docs/release-notes/16-6-2/README.md

@@ -25,6 +25,7 @@ Below you will find a complete list of all changes and bug fixes.
 - Bugfix: OpenID Connect: Claims escaped twice \[[#69079](https://community.openproject.org/wp/69079)\]
 - Bugfix: Disable editing of sendmail attributes through UI \[[#69577](https://community.openproject.org/wp/69577)\]
 
+
 <!-- END AUTOMATED SECTION -->
 <!-- Warning: Anything above this line will be automatically removed by the release script -->
 

docs/release-notes/16-6-3/README.md

@@ -0,0 +1,29 @@
+---
+title: OpenProject 16.6.3
+sidebar_navigation:
+    title: 16.6.3
+release_version: 16.6.3
+release_date: 2025-12-11
+---
+
+# OpenProject 16.6.3
+
+Release date: 2025-12-11
+
+We released OpenProject [OpenProject 16.6.3](https://community.openproject.org/versions/2247).
+The release contains several bug fixes and we recommend updating to the newest version.
+Below you will find a complete list of all changes and bug fixes.
+
+<!--more-->
+
+## Bug fixes and changes
+
+<!-- Warning: Anything within the below lines will be automatically removed by the release script -->
+<!-- BEGIN AUTOMATED SECTION -->
+
+- Bugfix: Shared WP inaccessible to non-project members (Error 404) #68852 \[[#68921](https://community.openproject.org/wp/68921)\]
+- Bugfix: User not fully deleted if that user created a recurring meeting \[[#69517](https://community.openproject.org/wp/69517)\]
+- Bugfix: No message when using &quot;forgot password&quot; with unknown email \[[#69730](https://community.openproject.org/wp/69730)\]
+
+<!-- END AUTOMATED SECTION -->
+<!-- Warning: Anything above this line will be automatically removed by the release script -->

docs/release-notes/README.md

@@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases
 <!--- New release notes are generated below. Do not remove comment. -->
 <!--- RELEASE MARKER -->
 
+## 16.6.3
+
+Release date: 2025-12-11
+
+[Release Notes](16-6-3/)
+
+
 ## 16.6.2
 
 Release date: 2025-12-02

docs/security-and-privacy/statement-on-security/README.md

@@ -62,7 +62,11 @@ You can also [report a vulnerability directly in GitHub](https://github.com/opf/
 
 Please include a description on how to reproduce the issue if possible. Our security team will get your email and will attempt to reproduce and fix the issue as soon as possible.
 
-> **Please note:** OpenProject currently does not offer a bug bounty program. We will do our best to give you the appropriate credits for responsibly disclosing a security vulnerability to us. We will gladly reference your work, name, website on every publication we do related to the security update.
+## Bug bounty program
+
+OpenProject is currently subject of a bug bounty program, kindly sponsored by the European Commission. Please see https://yeswehack.com/programs/openproject for more details.
+
+Please note that OpenProject does not offer its own bug bounty program. For any security vulnerability you responsibly disclose to it, whether it's through another bug bounty porgram or through our website, we will do our best to give you the appropriate credits for responsibly disclosing a security vulnerability to us. We will gladly reference your work, name, website on every publication we do related to the security update.
 
 ## OpenProject security features
 

docs/use-cases/project-management-pm2-pmflex/README.md

@@ -38,7 +38,7 @@ This table provides an overview of the key terms and structures used to **map**
 | Project Roles                                                | Project members with roles                       | [Members](https://pm2.openproject.com/projects/pm2-test/members) | [#31411](https://community.openproject.org/wp/31141) Add PM² roles and permissions to seed data |
 | [5 Initiating Phase](../../project-management-guide/5-initiating-phase) |                                                  |                                                              |                                                              |
 | Project Charter                                              | Project Charter (work package type)              | [Project Charter](https://pm2.openproject.com/projects/pm2-test/work_packages/451) | [#68064](https://community.openproject.org/wp/68064) Beyond documents for project artefacts |
-| Project Initiation Request                                   | Project Initiation Request (work package type)   | [Project Initiation Request](https://pm2.openproject.com/projects/pm2-test/work_packages/449) | [#68854](https://community.openproject.org/wp/68854) Multi-step project creation wizard to create and process PM²/PMflex project initiation requests |
+| Project Initiation Request                                   | Project Initiation Request (work package type)   | [Project Initiation Request](https://pm2.openproject.com/projects/pm2-test/work_packages/449) | [#68854](https://community.openproject.org/wp/68854) Multi-step project creation wizard to create and process PM²/PMflex project initiation requests<br />**Release info**: first version will be shipped in [17.0](https://community.openproject.org/wp/67801) behind a feature flag - general availability starting with [17.1](https://community.openproject.org/wp/69276). |
 | Business Case                                                | Business Case (work package type)                | [Business Case](https://pm2.openproject.com/projects/pm2-test/work_packages/450) | [#68064](https://community.openproject.org/wp/68064) Beyond documents for project artefacts<br />[#67726](https://community.openproject.org/wp/67726) Project business case widget for project overview |
 | Phase Gate RfP (Ready for Planning)                          | Phase Gate                                       |                                                              |                                                              |
 | [6 Planning Phase](../../project-management-guide/6-planning-phase) |                                                  |                                                              |                                                              |

lib/api/decorators/linked_resource.rb

@@ -90,7 +90,6 @@ def resource(name,
                      show_if: ->(*) { true },
                      skip_render: nil,
                      embedded: true)
-
           link(link_attr(name, uncacheable_link, link_cache_if), &link)
 
           property name,
@@ -113,7 +112,6 @@ def resources(name,
                       show_if: ->(*) { true },
                       skip_render: nil,
                       embedded: true)
-
           links(link_attr(name, uncacheable_link, link_cache_if), &link)
 
           property name,
@@ -131,7 +129,6 @@ def resource_link(name,
                           setter:,
                           getter:,
                           show_if: ->(*) { true })
-
           resource(name,
                    getter: ->(*) {},
                    setter:,
@@ -154,16 +151,18 @@ def associated_resource(name,
                                 skip_link: skip_render,
                                 undisclosed: false,
                                 link_title_attribute: :name,
+                                link_getter: :"#{name}_id",
+                                link_property_name: nil,
                                 uncacheable_link: false,
                                 getter: associated_resource_default_getter(name, representer),
                                 setter: associated_resource_default_setter(name, as, v3_path),
-                                link: associated_resource_default_link(name,
+                                link: associated_resource_default_link(link_property_name || name,
                                                                        v3_path:,
                                                                        skip_link:,
                                                                        undisclosed:,
-                                                                       title_attribute: link_title_attribute))
-
-          resource((as || name),
+                                                                       title_attribute: link_title_attribute,
+                                                                       getter: link_getter))
+          resource(as || name,
                    getter:,
                    setter:,
                    link:,
@@ -240,7 +239,6 @@ def associated_resources(name,
                                                                          v3_path:,
                                                                          skip_link:,
                                                                          title_attribute: link_title_attribute))
-
           resources(as,
                     getter:,
                     setter:,
@@ -251,7 +249,6 @@ def associated_resources(name,
 
         def associated_resources_default_getter(name,
                                                 representer)
-
           representer ||= default_representer(name.to_s.singularize)
 
           ->(*) do

lib/open_project/version.rb

@@ -33,7 +33,7 @@ module OpenProject
   module VERSION # :nodoc:
     MAJOR = 16
     MINOR = 6
-    PATCH = 2
+    PATCH = 3
 
     class << self
       # Used by semver to define the special version (if any).

modules/costs/lib/api/v3/cost_entries/cost_entry_representer.rb

@@ -45,7 +45,9 @@ class CostEntryRepresenter < ::API::Decorators::Single
 
         # TODO: DEPRECATED!
         associated_resource :work_package,
-                            skip_render: ->(*) { represented.entity_type != "WorkPackage" }
+                            skip_render: ->(*) { represented.entity_type != "WorkPackage" },
+                            link_property_name: :entity, # to avoid deprecation warnings with cost_entry.work_package
+                            link_getter: :entity_id # to avoid deprecation warnings with cost_entry.work_package_id
 
         property :id, render_nil: true
         property :units, as: :spentUnits