opf
diff --git a/‎.github/workflows/brakeman-scan-core.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/brakeman-scan-core.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/continuous-delivery.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/continuous-delivery.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/docker.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/docker.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/downstream-ci.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/downstream-ci.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/i18n-tasks.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/i18n-tasks.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/packager.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/packager.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/contracts/work_package_types/update_form_configuration_contract.rb‎
Lines changed: 4 additions & 0 deletions b/‎app/contracts/work_package_types/update_form_configuration_contract.rb‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎app/controllers/concerns/accounts/authorization.rb‎
Lines changed: 23 additions & 13 deletions b/‎app/controllers/concerns/accounts/authorization.rb‎
Lines changed: 23 additions & 13 deletions
diff --git a/‎app/controllers/groups_controller.rb‎
Lines changed: 2 additions & 1 deletion b/‎app/controllers/groups_controller.rb‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/controllers/my/sessions_controller.rb‎
Lines changed: 5 additions & 6 deletions b/‎app/controllers/my/sessions_controller.rb‎
Lines changed: 5 additions & 6 deletions
@@ -18,7 +18,7 @@ jobs:
     permissions:
       contents: read  # for actions/checkout to fetch code
       security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
-    if: github.repository_owner == 'opf'
+    if: github.repository == 'opf/openproject'
     name: Brakeman Scan
     runs-on: ubuntu-latest
     env:
 
@@ -12,7 +12,7 @@ jobs:
   trigger_downstream_workflow:
     permissions:
       contents: none
-    if: github.repository_owner == 'opf'
+    if: github.repository == 'opf/openproject'
     runs-on: ubuntu-latest
     steps:
       - name: Trigger Flavours workflow
 
@@ -116,7 +116,7 @@ jobs:
       docker_tags: ${{ steps.extract_version.outputs.docker_tags }}
       registry_image: ${{ steps.extract_version.outputs.registry_image }}
   build:
-    if: github.repository_owner == 'opf'
+    if: github.repository == 'opf/openproject'
     needs:
       - setup
     runs-on:
 
@@ -25,7 +25,7 @@ jobs:
   trigger_saas_tests:
     permissions:
       contents: none
-    if: github.repository_owner == 'opf'
+    if: github.repository == 'opf/openproject'
     name: SaaS tests
     runs-on: ubuntu-latest
     steps:
 
@@ -23,7 +23,7 @@ jobs:
   i18n-tasks:
     permissions:
       contents: read
-    if: github.repository_owner == 'opf'
+    if: github.repository == 'opf/openproject'
     name: I18n inconsistency check
     runs-on: ubuntu-latest
     steps:
 
@@ -11,7 +11,7 @@ on:
 
 jobs:
   build:
-    if: github.repository_owner == 'opf'
+    if: github.repository == 'opf/openproject'
     name: ${{ matrix.target }}
     runs-on: ubuntu-latest
     services:
 
@@ -30,6 +30,10 @@
 
 module WorkPackageTypes
   class UpdateFormConfigurationContract < BaseContract
+    include RequiresEnterpriseGuard
+
+    self.enterprise_action = :edit_attribute_groups
+
     attribute :attribute_groups
 
     validate :validate_attribute_group_names
 
@@ -33,7 +33,14 @@
 module Accounts::Authorization
   extend ActiveSupport::Concern
 
-  METHODS_ENFORCING_AUTHORIZATION = %i[require_admin authorize authorize_global load_and_authorize_in_optional_project].freeze
+  METHODS_ENFORCING_AUTHORIZATION = %i[
+    require_admin
+    authorize
+    authorize_global
+    authorize_with_global_permission
+    load_and_authorize_in_optional_project
+    load_and_authorize_with_permission_in_project
+  ].freeze
 
   included do
     class_attribute :authorization_ensured,
@@ -86,13 +93,14 @@ def load_and_authorize_in_optional_project
   # * a parameter-like Hash (eg. { controller: '/projects', action: 'edit' })
   # * a permission Symbol (eg. :edit_project)
   def do_authorize(action, global: false) # rubocop:disable Metrics/PerceivedComplexity
-    is_authorized = if global
-                      User.current.allowed_based_on_permission_context?(action)
-                    else
-                      User.current.allowed_based_on_permission_context?(action,
-                                                                        project: @project || @projects,
-                                                                        entity: @work_package || @work_packages)
-                    end
+    is_authorized =
+      if global
+        User.current.allowed_based_on_permission_context?(action)
+      else
+        User.current.allowed_based_on_permission_context?(action,
+                                                          project: @project || @projects,
+                                                          entity: @work_package || @work_packages)
+      end
 
     unless is_authorized
       if @project&.archived?
@@ -206,14 +214,16 @@ def authorize_with_permission(permission, global: false, **args)
       end
     end
 
-    # Find a project based on params[:project_id]
-    # and authorize on a given permission
-    def load_and_authorize_with_permission_in_optional_project(permission, **args)
+    def authorize_with_global_permission(permission, **args)
+      authorize_with_permission(permission, global: true, **args)
+    end
+
+    def load_and_authorize_with_permission_in_project(permission, **args)
       authorization_checked_by_default_action(**args.slice(:only, :except))
 
       before_action(**args) do
-        @project = Project.find(params[:project_id]) if params[:project_id].present?
-        do_authorize(permission, global: params[:project_id].blank?)
+        @project = Project.find(params[:project_id])
+        do_authorize(permission, global: false)
       end
     end
   end
 
@@ -30,6 +30,7 @@
 
 class GroupsController < ApplicationController
   include GroupsHelper
+
   layout "admin"
 
   before_action :require_admin, except: %i[show]
@@ -163,7 +164,7 @@ def group_members
   def visible_group_members?
     current_user.admin? ||
       current_user.allowed_in_any_project?(:manage_members) ||
-      Group.in_project(Project.allowed_to(current_user, :view_members)).exists?
+      @group.projects.exists?(id: Project.allowed_to(current_user, :view_members))
   end
 
   def respond_membership_altered(service_call)
 
@@ -32,12 +32,9 @@ module My
   class SessionsController < ::ApplicationController
     before_action :require_login
     no_authorization_required! :index,
-                               :show,
                                :destroy
 
-    self._model_object = ::Sessions::UserSession
-
-    before_action :find_model_object, only: %i(show destroy)
+    before_action :load_session, only: %i(destroy)
     before_action :prevent_current_session_deletion, only: %i(destroy)
 
     layout "my"
@@ -59,8 +56,6 @@ def index
       end
     end
 
-    def show; end
-
     def destroy
       @session.delete
 
@@ -70,6 +65,10 @@ def destroy
 
     private
 
+    def load_session
+      @session = ::Sessions::UserSession.for_user(current_user).find(params[:id])
+    end
+
     def prevent_current_session_deletion
       if @session.current?(session)
         render_400 message: I18n.t("users.sessions.may_not_delete_current")