Release OpenProject 17.1.1

Author: oliverguenther

app/components/users/edit_page_header_component.html.erb

@@ -80,7 +80,7 @@ See COPYRIGHT and LICENSE files for more details.
         end
       end
 
-      if Setting.users_deletable_by_admins?
+      if Users::DeleteContract.deletion_allowed?(@user, User.current)
         header.with_action_button(
           tag: :a,
           scheme: :danger,

app/contracts/users/delete_contract.rb

@@ -40,6 +40,8 @@ class DeleteContract < ::DeleteContract
     # @param user [User] User to be deleted.
     # @param actor [User] User who wants to delete the given user.
     def self.deletion_allowed?(user, actor)
+      return false if user.admin? && User.admin.active.where.not(id: user.id).empty?
+
       if actor == user
         Setting.users_deletable_by_self?
       else

app/controllers/external_link_warning_controller.rb

@@ -63,11 +63,11 @@ def parse_external_url
   def parse_url(url)
     return nil if url.blank?
 
-    uri = URI.parse(url)
-    return url if uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
+    uri = Addressable::URI.parse(url)
+    return url if %w[http https].include?(uri.scheme&.downcase)
 
     nil
-  rescue URI::InvalidURIError
+  rescue Addressable::URI::InvalidURIError
     nil
   end
 end

app/controllers/users_controller.rb

@@ -226,9 +226,13 @@ def destroy
     # true if the user deletes him/herself
     self_delete = (@user == User.current)
 
-    Users::DeleteService.new(model: @user, user: User.current).call
+    result = Users::DeleteService.new(model: @user, user: User.current).call
 
-    flash[:notice] = I18n.t("account.deletion_pending")
+    if result.success?
+      flash[:notice] = I18n.t("account.deletion_pending")
+    else
+      flash[:error] = result.errors.full_messages.join(", ")
+    end
 
     respond_to do |format|
       format.html do
@@ -283,7 +287,12 @@ def authorize_for_user
   end
 
   def check_if_deletion_allowed
-    render_404 unless Users::DeleteContract.deletion_allowed? @user, User.current
+    return if Users::DeleteContract.deletion_allowed?(@user, User.current)
+
+    render_error_flash_message_via_turbo_stream(message: I18n.t("user.error_cannot_delete_user"))
+    respond_with_turbo_streams(status: :not_found) do |format|
+      format.html { render_404 }
+    end
   end
 
   def my_or_admin_layout

app/forms/concerns/browser_aware.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+module BrowserAware
+  extend ActiveSupport::Concern
+
+  included do
+    include BrowserHelper
+  end
+
+  # N.B. This is an inelegant, and very likely brittle solution.
+  #
+  # The Browser gem uses `helper_method(:browser)` to declare a
+  # controller method as a helper. This helper is available in classic
+  # Rails views, but since upgrading to ViewComponent 4.0, no longer
+  # works with Primer Forms.
+  def browser
+    @view_context.controller.send(:browser)
+  end
+end

app/forms/projects/life_cycle/form.rb

@@ -29,6 +29,8 @@
 #++
 module Projects::LifeCycle
   class Form < ApplicationForm
+    include BrowserAware
+
     form do |f|
       f.group(layout: :horizontal) do |horizontal_form|
         start_date_input(horizontal_form)
@@ -152,15 +154,5 @@ def field_type
     def placeholder
       browser.device.mobile? ? "yyyy-mm-dd" : nil
     end
-
-    # N.B. This is an inelegant, and very likely brittle solution.
-    #
-    # The Browser gem uses `helper_method(:browser)` to declare a
-    # controller method as a helper. This helper is available in classic
-    # Rails views, but since upgrading to ViewComponent 4.0, no longer
-    # works with Primer Forms.
-    def browser
-      @view_context.controller.send(:browser)
-    end
   end
 end

app/forms/projects/settings/creation_wizard/submission_form.rb

@@ -100,9 +100,6 @@ class SubmissionForm < ApplicationForm
             label: I18n.t("settings.project_initiation_request.submission.work_package_comment"),
             caption: I18n.t("settings.project_initiation_request.submission.work_package_comment_caption"),
             required: false,
-            value: model.project_creation_wizard_work_package_comment.presence || I18n.t(
-              "settings.project_initiation_request.submission.work_package_comment_default", project_name: model.name
-            ),
             rich_text_options: {
               showAttachments: false,
               editorType: "constrained"

app/models/exports/pdf/components/cover.rb

@@ -185,15 +185,24 @@ def cover_background_image
     [image_obj, image_info, image_opts, height]
   end
 
-  def custom_cover_image
+  def custom_cover_image_file
     return unless CustomStyle.current.present? &&
-      CustomStyle.current.export_cover.present? && CustomStyle.current.export_cover.local_file.present?
+                  CustomStyle.current.export_cover.present? && CustomStyle.current.export_cover.local_file.present?
+
+    CustomStyle.current.export_cover.local_file.path
+  end
+
+  def custom_cover_image
+    image_file = custom_cover_image_file
+    return unless image_file
 
-    image_file = CustomStyle.current.export_cover.local_file.path
     content_type = OpenProject::ContentTypeDetector.new(image_file).detect
     return unless pdf_embeddable?(content_type)
 
     image_file
+  rescue StandardError => e
+    Rails.logger.error "Failed to access custom PDF cover file: #{e}"
+    nil # Fallback to default cover
   end
 
   def write_background_image

app/models/projects/creation_wizard.rb

@@ -66,6 +66,14 @@ def project_creation_wizard_status_when_submitted_id
       super.presence || project_creation_wizard_default_status_when_submitted&.id
     end
 
+    def project_creation_wizard_work_package_comment
+      super.presence ||
+        I18n.t(
+          "settings.project_initiation_request.submission.work_package_comment_default",
+          project_name: name
+        )
+    end
+
     def project_creation_wizard_default_work_package_type
       types.first
     end

app/services/mcp_tools.rb

@@ -35,8 +35,11 @@ def all
         McpTools::CurrentUser,
         McpTools::ListStatuses,
         McpTools::ListTypes,
+        McpTools::SearchPortfolios,
+        McpTools::SearchPrograms,
         McpTools::SearchProjects,
         McpTools::SearchUsers,
+        McpTools::SearchVersions,
         McpTools::SearchWorkPackages
       ]
     end