Merge remote-tracking branch 'origin/dev' into housekeeping/remove-angularjs

.travis.yml

@@ -85,210 +85,138 @@ jobs:
         - bash script/ci/runner.sh npm
 
     - stage: test
-      name: 'spec_legacy (1/1) - mysql'
+      name: 'spec_legacy (1/1) - standard'
       script:
-      - bash script/ci/setup.sh spec_legacy mysql
+      - bash script/ci/setup.sh spec_legacy
       - bash script/ci/runner.sh spec_legacy 1 1
-      if: env(SKIP_MYSQL_TESTING) IS blank
     - stage: test
-      name: 'spec_legacy (1/1) - postgres standard'
+      name: 'spec_legacy (1/1) - bim'
       script:
-      - bash script/ci/setup.sh spec_legacy postgres
+        - bash script/ci/setup.sh spec_legacy bim
-      - bash script/ci/runner.sh spec_legacy 1 1
-    - stage: test
-      name: 'spec_legacy (1/1) - postgres bim'
-      script:
-        - bash script/ci/setup.sh spec_legacy postgres bim
         - bash script/ci/runner.sh spec_legacy 1 1
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'units (1/4) - mysql'
+      name: 'units (1/4) - standard'
       script:
-      - bash script/ci/setup.sh units mysql
+      - bash script/ci/setup.sh units
       - bash script/ci/runner.sh units 4 1
-      if: env(SKIP_MYSQL_TESTING) IS blank
     - stage: test
-      name: 'units (1/4) - postgres standard'
+      name: 'units (1/4) - bim'
       script:
-      - bash script/ci/setup.sh units postgres
+        - bash script/ci/setup.sh units bim
-      - bash script/ci/runner.sh units 4 1
-    - stage: test
-      name: 'units (1/4) - postgres bim'
-      script:
-        - bash script/ci/setup.sh units postgres bim
         - bash script/ci/runner.sh units 4 1
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'units (2/4) - mysql'
+      name: 'units (2/4) - standard'
-      script:
-      - bash script/ci/setup.sh units mysql
-      - bash script/ci/runner.sh units 4 2
-      if: env(SKIP_MYSQL_TESTING) IS blank
-    - stage: test
-      name: 'units (2/4) - postgres standard'
       script:
-      - bash script/ci/setup.sh units postgres
+      - bash script/ci/setup.sh units
       - bash script/ci/runner.sh units 4 2
     - stage: test
-      name: 'units (2/4) - postgres bim'
+      name: 'units (2/4) - bim'
       script:
-        - bash script/ci/setup.sh units postgres bim
+        - bash script/ci/setup.sh units bim
         - bash script/ci/runner.sh units 4 2
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'units (3/4) - mysql'
+      name: 'units (3/4) - standard'
       script:
-      - bash script/ci/setup.sh units mysql
+      - bash script/ci/setup.sh units
       - bash script/ci/runner.sh units 4 3
-      if: env(SKIP_MYSQL_TESTING) IS blank
     - stage: test
-      name: 'units (3/4) - postgres standard'
+      name: 'units (3/4) - bim'
       script:
-      - bash script/ci/setup.sh units postgres
+        - bash script/ci/setup.sh units bim
-      - bash script/ci/runner.sh units 4 3
-    - stage: test
-      name: 'units (3/4) - postgres bim'
-      script:
-        - bash script/ci/setup.sh units postgres bim
         - bash script/ci/runner.sh units 4 3
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'units (4/4) - mysql'
+      name: 'units (4/4) - standard'
       script:
-      - bash script/ci/setup.sh units mysql
+      - bash script/ci/setup.sh units
       - bash script/ci/runner.sh units 4 4
-      if: env(SKIP_MYSQL_TESTING) IS blank
     - stage: test
-      name: 'units (4/4) - postgres standard'
+      name: 'units (4/4) - bim'
       script:
-      - bash script/ci/setup.sh units postgres
+      - bash script/ci/setup.sh units bim
-      - bash script/ci/runner.sh units 4 4
-    - stage: test
-      name: 'units (4/4) - postgres bim'
-      script:
-      - bash script/ci/setup.sh units postgres bim
       - bash script/ci/runner.sh units 4 4
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'features (1/4) - mysql'
+      name: 'features (1/4) - standard'
-      script:
-      - bash script/ci/setup.sh features mysql
-      - bash script/ci/runner.sh features 4 1
-      if: env(SKIP_MYSQL_TESTING) IS blank
-    - stage: test
-      name: 'features (1/4) - postgres standard'
       script:
-      - bash script/ci/setup.sh features postgres
+      - bash script/ci/setup.sh features
       - bash script/ci/runner.sh features 4 1
     - stage: test
-      name: 'features (1/4) - postgres bim'
+      name: 'features (1/4) - bim'
       script:
-      - bash script/ci/setup.sh features postgres bim
+      - bash script/ci/setup.sh features bim
       - bash script/ci/runner.sh features 4 1
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'features (2/4) - mysql'
+      name: 'features (2/4) - standard'
       script:
-      - bash script/ci/setup.sh features mysql
+      - bash script/ci/setup.sh features
       - bash script/ci/runner.sh features 4 2
-      if: env(SKIP_MYSQL_TESTING) IS blank
     - stage: test
-      name: 'features (2/4) - postgres standard'
+      name: 'features (2/4) - bim'
       script:
-      - bash script/ci/setup.sh features postgres
+      - bash script/ci/setup.sh features bim
-      - bash script/ci/runner.sh features 4 2
-    - stage: test
-      name: 'features (2/4) - postgres bim'
-      script:
-      - bash script/ci/setup.sh features postgres bim
       - bash script/ci/runner.sh features 4 2
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'features (3/4) - mysql'
+      name: 'features (3/4) - standard'
       script:
-      - bash script/ci/setup.sh features mysql
+      - bash script/ci/setup.sh features
       - bash script/ci/runner.sh features 4 3
-      if: env(SKIP_MYSQL_TESTING) IS blank
     - stage: test
-      name: 'features (3/4) - postgres standard'
+      name: 'features (3/4) - bim'
       script:
-      - bash script/ci/setup.sh features postgres
+      - bash script/ci/setup.sh features bim
-      - bash script/ci/runner.sh features 4 3
-    - stage: test
-      name: 'features (3/4) - postgres bim'
-      script:
-      - bash script/ci/setup.sh features postgres bim
       - bash script/ci/runner.sh features 4 3
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'features (4/4) - mysql'
+      name: 'features (4/4) - standard'
-      script:
-      - bash script/ci/setup.sh features mysql
-      - bash script/ci/runner.sh features 4 4
-      if: env(SKIP_MYSQL_TESTING) IS blank
-    - stage: test
-      name: 'features (4/4) - postgres standard'
       script:
-      - bash script/ci/setup.sh features postgres
+      - bash script/ci/setup.sh features
       - bash script/ci/runner.sh features 4 4
     - stage: test
-      name: 'features (4/4) - postgres bim'
+      name: 'features (4/4) - bim'
       script:
-      - bash script/ci/setup.sh features postgres bim
+      - bash script/ci/setup.sh features bim
       - bash script/ci/runner.sh features 4 4
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'plugins:units (1/1) - mysql'
+      name: 'plugins:units (1/1) - standard'
       script:
-      - bash script/ci/setup.sh plugins:units mysql
+      - bash script/ci/setup.sh plugins:units
-      - bash script/ci/runner.sh plugins:units 1 1
-      if: env(SKIP_MYSQL_TESTING) IS blank AND head_branch !~ /^core\//
-    - stage: test
-      name: 'plugins:units (1/1) - postgres standard'
-      script:
-      - bash script/ci/setup.sh plugins:units postgres
       - bash script/ci/runner.sh plugins:units 1 1
       if: head_branch !~ /^core\//
     - stage: test
-      name: 'plugins:units (1/1) - postgres bim'
+      name: 'plugins:units (1/1) - bim'
       script:
-      - bash script/ci/setup.sh plugins:units postgres bim
+      - bash script/ci/setup.sh plugins:units bim
       - bash script/ci/runner.sh plugins:units 1 1
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'plugins:features (1/1) - mysql'
+      name: 'plugins:features (1/1) - standard'
       script:
-      - bash script/ci/setup.sh plugins:features mysql
+      - bash script/ci/setup.sh plugins:features
-      - bash script/ci/runner.sh plugins:features 1 1
-      if: env(SKIP_MYSQL_TESTING) IS blank AND head_branch !~ /^core\//
-    - stage: test
-      name: 'plugins:features (1/1) - postgres standard'
-      script:
-      - bash script/ci/setup.sh plugins:features postgres
       - bash script/ci/runner.sh plugins:features 1 1
       if: head_branch !~ /^core\//
     - stage: test
-      name: 'plugins:features (1/1) - postgres bim'
+      name: 'plugins:features (1/1) - bim'
       script:
-      - bash script/ci/setup.sh plugins:features postgres bim
+      - bash script/ci/setup.sh plugins:features bim
       - bash script/ci/runner.sh plugins:features 1 1
       if: head_branch =~ /^(bim\/|dev|release\/)/
     - stage: test
-      name: 'plugins:cucumber (1/1) - mysql'
+      name: 'plugins:cucumber (1/1) - standard'
-      script:
-      - bash script/ci/setup.sh plugins:cucumber mysql
-      - bash script/ci/runner.sh plugins:cucumber 1 1
-      if: env(SKIP_MYSQL_TESTING) IS blank AND head_branch !~ /^core\//
-    - stage: test
-      name: 'plugins:cucumber (1/1) - postgres standard'
       script:
-      - bash script/ci/setup.sh plugins:cucumber postgres
+      - bash script/ci/setup.sh plugins:cucumber
       - bash script/ci/runner.sh plugins:cucumber 1 1
       if: head_branch !~ /^core\//
     - stage: test
-      name: 'plugins:cucumber (1/1) - postgres bim'
+      name: 'plugins:cucumber (1/1) - bim'
       script:
-      - bash script/ci/setup.sh plugins:cucumber postgres bim
+      - bash script/ci/setup.sh plugins:cucumber bim
       - bash script/ci/runner.sh plugins:cucumber 1 1
       if: head_branch =~ /^(bim\/|dev|release\/)/
 

Gemfile

@@ -103,11 +103,6 @@ gem 'bcrypt', '~> 3.1.6'
 
 gem 'multi_json', '~> 1.13.1'
 gem 'oj', '~> 3.7.0'
-# We rely on this specific version, which is the latest as of now (start of 2019),
-# because we have to apply to it a bugfix which could break things in other versions.
-# This can be removed as soon as said bugfix is integrated into rabl itself.
-# See: config/initializers/rabl_hack.rb
-gem 'rabl', '~> 0.14.0'
 
 gem 'daemons'
 gem 'delayed_job_active_record', '~> 4.1.1'
@@ -281,10 +276,6 @@ gem 'reform-rails', '~> 0.1.7'
 gem 'roar', '~> 1.1.0'
 
 platforms :mri, :mingw, :x64_mingw do
-  group :mysql2 do
-    gem 'mysql2', '~> 0.5.0'
-  end
-
   group :postgres do
     gem 'pg', '~> 1.1.0'
   end

Gemfile.lock

@@ -578,7 +578,6 @@ GEM
     mustermann (1.0.3)
     mustermann-grape (1.0.0)
       mustermann (~> 1.0.0)
-    mysql2 (0.5.2)
     net-ldap (0.16.1)
     netrc (0.11.0)
     newrelic_rpm (6.0.0.351)
@@ -650,8 +649,6 @@ GEM
       pry (>= 0.9.11)
     public_suffix (3.0.3)
     puma (3.12.0)
-    rabl (0.14.0)
-      activesupport (>= 2.3.14)
     rack (2.0.6)
     rack-accept (0.4.5)
       rack (>= 0.4)
@@ -954,7 +951,6 @@ DEPENDENCIES
   meta-tags (~> 2.11.0)
   multi_json (~> 1.13.1)
   my_page!
-  mysql2 (~> 0.5.0)
   net-ldap (~> 0.16.0)
   newrelic_rpm
   nokogiri (~> 1.10.3)
@@ -998,7 +994,6 @@ DEPENDENCIES
   pry-rescue (~> 1.5.0)
   pry-stack_explorer (~> 0.4.9.2)
   puma (~> 3.12.0)
-  rabl (~> 0.14.0)
   rack-attack (~> 5.4.2)
   rack-mini-profiler
   rack-protection (~> 2.0.0)

app/assets/javascripts/onboarding/homescreen_tour.js

@@ -5,7 +5,8 @@
                 'next #top-menu': I18n.t('js.onboarding.steps.welcome'),
                 'skipButton': {className: 'enjoyhint_btn-transparent', text: I18n.t('js.onboarding.buttons.skip')},
                 'nextButton': {text: I18n.t('js.onboarding.buttons.next')},
-                'containerClass': '-hidden-arrow'
+                'containerClass': '-hidden-arrow',
+                'bottom': 7
             },
             {
                 'description': I18n.t('js.onboarding.steps.project_selection'),

app/assets/stylesheets/content/_modal.sass

@@ -63,7 +63,7 @@ $modal-footer-height: $modal-header-height
   max-width: 60vw
   overflow-y: auto
 
-  @include styled-scroll-bar-vertical
+  @include styled-scroll-bar
 
   &.-wide
     min-width: 75vw
@@ -81,7 +81,7 @@ $modal-footer-height: $modal-header-height
   padding: 0 1.5rem
   max-height: calc(100vh - #{$modal-header-height} - #{$modal-footer-height})
   overflow: auto
-  @include styled-scroll-bar-vertical
+  @include styled-scroll-bar
 
   &.-formattable
     p:last-of-type

app/assets/stylesheets/content/_table.sass

@@ -50,6 +50,7 @@ $input-elements: input, 'input.form--text-field', select, 'select.form--select',
   overflow:
     x: auto
     y: auto
+  @include styled-scroll-bar
 
 .generic-table--action-buttons
   margin-top: 2rem

app/assets/stylesheets/content/_user.sass

@@ -64,10 +64,12 @@
   user-select: none
 
 h1, h2, h3, h4
-  .avatar, .avatar-mini, .avatar-medium
+  user-avatar
     vertical-align: middle
-    margin-right: 7px
+    margin-right: 5px
-
+    
+tr user-avatar
+  margin-right: 5px
 
 .user-link
   display: inline-block

app/assets/stylesheets/content/_wiki.sass

@@ -72,6 +72,10 @@ div.wiki
     margin-left: 0
     display: table
     font-size: $wiki-toc-ul-font-size
+
+    .section-nav
+      margin-bottom: 0
+      margin-left: 12px
     &.right
       float: right
       margin-left: 12px
@@ -107,8 +111,10 @@ div.wiki
 
 a.wiki-anchor
   display: none
-  margin-left: 6px
   text-decoration: none
+  font-size: 16px
+  vertical-align: middle
+  padding-right: 2px
 
   &:hover
     color: #aaa !important

app/assets/stylesheets/content/menus/_project_autocompletion.sass

@@ -82,7 +82,7 @@
     // Borders to complete the menu look
     border-right: 1px solid $header-drop-down-border-color
     border-left: 1px solid $header-drop-down-border-color
-    @include styled-scroll-bar-vertical
+    @include styled-scroll-bar
 
   // Cut off result element width
   .ui-menu-item-wrapper

app/assets/stylesheets/content/work_packages/_table_content.sass

@@ -55,7 +55,7 @@
 
   // Avoid that the select field gets too small
   .wp-inline-edit--field.ng-select
-    min-width: 110px
+    min-width: 140px
 
 // Styles for inline editable attributes
 .work-package-table--container td.-editable
@@ -148,12 +148,7 @@ html:not(.-browser-mobile)
 .wp-table--cell-span
   padding: 2px
 
-// On edge, pointer-events only work on
-// block or inline-block elements
 body.-browser-edge
-  .wp-table--cell-span
-    display: inline-block !important
-
   // Ensure height is set in table
   .work-package-table .wp-table--cell-span
     height: 22px !important

app/assets/stylesheets/content/work_packages/_table_hierarchy.sass

@@ -9,11 +9,6 @@
   &:hover
     text-decoration: none
 
-  // On edge, pointer-events only work on
-  // block or inline-block elements
-  html.-browser-edge &
-    display: inline-block !important
-
 // Toggle the indicator accessibility texts
 // accordingly
 .wp-table--hierarchy-indicator-collapsed

app/assets/stylesheets/content/work_packages/tabs/_relations.sass

@@ -80,9 +80,6 @@
 .wp-relations-controls-section
   text-align: right
   flex-shrink: 1
-  .force-right
-    position: absolute
-    right: 0
 
   a:hover
     text-decoration: none
@@ -144,10 +141,12 @@
   .icon-button
     cursor: not-allowed
 
-// Disable overflow in grid-content of create form
+.wp-relations-create--form
-// To allow results indicator to overflow it
+  display: flex
-.wp-relations-create--form .grid-content
+
-  overflow-y: visible
+  .wp-relations-input-section
+    margin-right: 10px
+    flex: 1
 
 .detail-panel--relations
   .panel-toggler .icon-small

app/assets/stylesheets/layout/_main_menu.sass

@@ -50,7 +50,7 @@ $menu-item-line-height: 30px
     +allow-vertical-scrolling
     height: calc(100vh - #{$header-height})
     position: relative
-    @include styled-scroll-bar-vertical
+    @include styled-scroll-bar
 
     // Fixed heights to allow inner scrolling
     .menu_root.closed,
@@ -67,7 +67,7 @@ $menu-item-line-height: 30px
     .main-menu--children
       height: calc(100% - (#{$main-menu-item-height} + 10px)) // 10px spacing
       overflow: auto
-      @include styled-scroll-bar-vertical
+      @include styled-scroll-bar
 
   ul
     margin: 0
@@ -318,7 +318,7 @@ a.main-menu--parent-node
   padding-left: 7px
   padding-right: 7px
 
-  @include styled-scroll-bar-vertical
+  @include styled-scroll-bar
 
 .main-menu--segment-header
   @include varprop(color, main-menu-fieldset-header-color)

app/assets/stylesheets/layout/_toolbar_mobile.sass

@@ -38,7 +38,7 @@
         background: #fff
         display: flex
         flex-wrap: wrap
-        justify-content: stretch
+        justify-content: flex-end
         width: calc(100% + 10px)
 
         > li

app/assets/stylesheets/layout/_top_menu.sass

@@ -107,7 +107,7 @@ $search-input-height: 30px
       overflow-y: auto
       overflow-x: hidden
 
-      @include styled-scroll-bar-vertical
+      @include styled-scroll-bar
 
       li
         float: none
@@ -244,7 +244,7 @@ $search-input-height: 30px
         @include varprop(color, header-search-field-font-color)
 
       .scroll-host
-        @include styled-scroll-bar-vertical
+        @include styled-scroll-bar
         max-height: 80vh
         height: auto
 

app/assets/stylesheets/layout/work_packages/_details_view.sass

@@ -79,8 +79,11 @@ body.router--work-packages-split-view-new
   top:        50px
   bottom:     55px
   width:      100%
-  +allow-vertical-scrolling
+  overflow-x: hidden
-  padding:    0 15px 0 20px
+  overflow-y: scroll
+  padding:    0 5px 0 20px
+
+  @include styled-scroll-bar
 
 .work-packages--details
 

app/assets/stylesheets/layout/work_packages/_full_view.sass

@@ -79,9 +79,10 @@
   overflow-x: hidden
   flex: 2
   position: relative
+  @include styled-scroll-bar
 
   .work-packages--panel-inner
-    padding: 5px 15px 20px 0px
+    padding: 0px 5px 20px 0
     width: 100%
 
     // These styles were taken over from the details tab styling.
@@ -97,12 +98,13 @@
 
 .work-packages-full-view--split-right
   min-width: 500px
-  overflow-y: auto
+  overflow-y: scroll
   overflow-x: auto
   position: relative
+  @include styled-scroll-bar
 
   .work-packages--panel-inner
-    padding: 15px 15px 0px 15px
+    padding: 15px 5px 0px 15px
 
   .work-package-details-activities-activity-contents ul.work-package-details-activities-messages
     padding-left: 0

app/assets/stylesheets/layout/work_packages/_query_menu.sass

@@ -15,7 +15,7 @@ $wp-query-menu-search-container-height: 35px
     background: none
     z-index: 0 // Prevent overlapping with project select dropdown (https://community.openproject.com/wp/28175)
 
-    @include styled-scroll-bar-vertical
+    @include styled-scroll-bar
 
 
   .wp-query-menu--results-container

app/assets/stylesheets/layout/work_packages/_table.sass

@@ -121,6 +121,7 @@
   flex: 1 1
   // Show scrollbars for inner content
   overflow: auto
+  @include styled-scroll-bar
   // relative for loading indicator
   position: relative
   // Hint browser that this will inner-scroll
@@ -142,6 +143,7 @@
   overflow-x: scroll
   // Show the vertical scrollbar when necessary
   overflow-y: auto
+  @include styled-scroll-bar
   // Hidden by default
   display: none
   // Hint browser that this will inner-scroll

app/assets/stylesheets/layout/work_packages/_table_embedded.sass

@@ -47,6 +47,7 @@ $table-timeline--compact-row-height: 28px
   // Allow scrolling in narrow views
   .work-packages-split-view--tabletimeline-content
     overflow: auto
+    @include styled-scroll-bar
 
   // Disable css containment since we have no inner elements
   .work-packages-tabletimeline--table-side,

app/assets/stylesheets/openproject/_mixins.sass

@@ -87,16 +87,17 @@
 
 
 $scrollbar-color: #DDDDDD
+$scrollbar-size: 10px
 
-@mixin styled-scroll-bar-vertical
+@mixin styled-scroll-bar
   // Firefox specific styles
   scrollbar-color: transparent transparent
   scrollbar-width: thin
 
   // Other browser styles
   &::-webkit-scrollbar
-    width: 8px
+    height: $scrollbar-size
-    height: 12px
+    width: $scrollbar-size
 
   &::-webkit-scrollbar-track
     background: transparent
@@ -110,24 +111,6 @@ $scrollbar-color: #DDDDDD
     &::-webkit-scrollbar-thumb
       visibility: visible
 
-@mixin styled-scroll-bar-horizontal
-  // Firefox specific styles
-  scrollbar-color: $scrollbar-color transparent
-  scrollbar-width: thin
-
-  // Other browser styles
-  &::-webkit-scrollbar
-    width: 12px
-    height: 8px
-
-  &::-webkit-scrollbar-track
-    background: transparent
-
-  // Should always be visible otherwise it would not be displayed on mobile or tablet
-  &::-webkit-scrollbar-thumb
-    background: $scrollbar-color
-    visibility: visible
-
 @mixin two-column-layout
   column-count: 2
   column-gap: 3rem

app/contracts/delete_contract.rb

@@ -0,0 +1,70 @@
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+class DeleteContract < ModelContract
+  class << self
+    def delete_permission(permission = nil)
+      if permission
+        @delete_permission = permission
+      end
+
+      @delete_permission
+    end
+  end
+
+  def validate
+    user_allowed
+
+    super
+  end
+
+  def user_allowed
+    unless authorized?
+      errors.add :base, :error_unauthorized
+    end
+  end
+
+  protected
+
+  def validate_model?
+    false
+  end
+
+  def authorized?
+    permission = self.class.delete_permission
+
+    case permission
+    when :admin
+      user.admin?
+    when Proc
+      instance_exec(&permission)
+    else
+      !model.project || user.allowed_to?(permission, model.project)
+    end
+  end
+end

app/contracts/members/base_contract.rb

@@ -28,10 +28,6 @@
 
 module Members
   class BaseContract < ::ModelContract
-    def self.model
-      Member
-    end
-
     delegate :principal,
              :project,
              :new_record?,
@@ -42,7 +38,6 @@ module Members
     def validate
       user_allowed_to_manage
       roles_grantable
-      principal_assignable
 
       super
     end
@@ -54,15 +49,10 @@ module Members
     end
 
     def roles_grantable
-      unless roles.all? { |r| r.builtin == Role::NON_BUILTIN && r.class == Role }
+      unmarked_roles = model.member_roles.reject(&:marked_for_destruction?).map(&:role)
-        errors.add(:roles, :ungrantable)
-      end
-    end
 
-    def principal_assignable
+      unless unmarked_roles.all? { |r| r.builtin == Role::NON_BUILTIN && r.class == Role }
-      if principal &&
+        errors.add(:roles, :ungrantable)
-         [Principal::STATUSES[:builtin], Principal::STATUSES[:locked]].include?(principal.status)
-        errors.add(:principal, :unassignable)
       end
     end
   end

app/contracts/members/create_contract.rb

@@ -30,6 +30,17 @@ module Members
   class CreateContract < BaseContract
     attribute :project
     attribute :user_id
-    attribute :principal
+    attribute :principal do
+      principal_assignable
+    end
+
+    private
+
+    def principal_assignable
+      if principal &&
+         [Principal::STATUSES[:builtin], Principal::STATUSES[:locked]].include?(principal.status)
+        errors.add(:principal, :unassignable)
+      end
+    end
   end
 end

app/contracts/members/delete_contract.rb

@@ -26,18 +26,8 @@
 # See docs/COPYRIGHT.rdoc for more details.
 #++
 
-test:
+module Members
-  adapter: mysql2
+  class DeleteContract < ::DeleteContract
-  database: travis_ci_test
+    delete_permission :manage_members
-  username: travis
+  end
-  encoding: utf8
+end
-  pool: 20
-  variables:
-    sql_mode:
-      "no_auto_value_on_zero,\
-      strict_trans_tables,\
-      no_zero_date,\
-      strict_all_tables,\
-      no_zero_in_date,\
-      error_for_division_by_zero,\
-      no_engine_substitution"

app/contracts/members/update_contract.rb

@@ -0,0 +1,32 @@
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2017 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+module Members
+  class UpdateContract < BaseContract
+  end
+end

app/contracts/model_contract.rb

@@ -45,6 +45,10 @@ class ModelContract < Reform::Contract
       @attribute_validations ||= []
     end
 
+    def attribute_permissions
+      @attribute_permissions ||= {}
+    end
+
     def attribute_aliases
       @attribute_aliases ||= {}
     end
@@ -57,12 +61,23 @@ class ModelContract < Reform::Contract
       property attribute
 
       add_writable(attribute, options[:writeable])
+      attribute_permission(attribute, options[:permission])
 
       if block
         attribute_validations << block
       end
     end
 
+    def default_attribute_permission(permission)
+      attribute_permission(:default_permission, permission)
+    end
+
+    def attribute_permission(attribute, permission)
+      return unless permission
+
+      attribute_permissions[attribute] = Array(permission)
+    end
+
     private
 
     def add_writable(attribute, writeable)
@@ -89,7 +104,7 @@ class ModelContract < Reform::Contract
   end
 
   # we want to add a validation error whenever someone sets a property that we don't know.
-  # However AR will cleverly try to resolve the value for errorneous properties. Thus we need
+  # However AR will cleverly try to resolve the value for erroneous properties. Thus we need
   # to hook into this method and return nil for unknown properties to avoid NoMethod errors...
   def read_attribute_for_validation(attribute)
     if respond_to? attribute
@@ -99,13 +114,7 @@ class ModelContract < Reform::Contract
 
   def writable_attributes
     @writable_attributes ||= begin
-      writable = collect_ancestor_attributes(:writable_attributes)
+      reduce_writable_attributes(collect_writable_attributes)
-
-      collect_ancestor_attributes(:writable_conditions).each do |attribute, condition|
-        writable -= [attribute, "#{attribute}_id"] unless instance_exec(&condition)
-      end
-
-      writable
     end
   end
 
@@ -141,7 +150,7 @@ class ModelContract < Reform::Contract
   end
 
   def self.model
-    raise NotImplementedError
+    @model ||= name.deconstantize.singularize.constantize
   end
 
   # use activerecord as the base scope instead of 'activemodel' to be compatible
@@ -166,7 +175,7 @@ class ModelContract < Reform::Contract
   private
 
   def readonly_attributes_unchanged
-    invalid_changes = model.changed - writable_attributes
+    invalid_changes = attributes_changed_by_user - writable_attributes
 
     invalid_changes.each do |attribute|
       outside_attribute = collect_ancestor_attributes(:attribute_aliases)[attribute] || attribute
@@ -175,6 +184,16 @@ class ModelContract < Reform::Contract
     end
   end
 
+  def attributes_changed_by_user
+    changed = model.changed
+
+    if model.respond_to?(:changed_by_system)
+      changed -= model.changed_by_system
+    end
+
+    changed
+  end
+
   def run_attribute_validations
     attribute_validations.each { |validation| instance_exec(&validation) }
   end
@@ -208,4 +227,47 @@ class ModelContract < Reform::Contract
 
     attributes.send(cleanup_method)
   end
+
+  def collect_writable_attributes
+    writable = collect_ancestor_attributes(:writable_attributes)
+
+    if model.respond_to?(:available_custom_fields)
+      writable += model.available_custom_fields.map { |cf| "custom_field_#{cf.id}" }
+    end
+
+    writable
+  end
+
+  def reduce_writable_attributes(attributes)
+    attributes = reduce_by_writable_conditions(attributes)
+    reduce_by_writable_permissions(attributes)
+  end
+
+  def reduce_by_writable_conditions(attributes)
+    collect_ancestor_attributes(:writable_conditions).each do |attribute, condition|
+      attributes -= [attribute, "#{attribute}_id"] unless instance_exec(&condition)
+    end
+
+    attributes
+  end
+
+  def reduce_by_writable_permissions(attributes)
+    attribute_permissions = collect_ancestor_attributes(:attribute_permissions)
+
+    attributes.reject do |attribute|
+      canonical_attribute = attribute.gsub(/_id\z/, '')
+
+      permissions = attribute_permissions[canonical_attribute] ||
+                    attribute_permissions["#{canonical_attribute}_id"] ||
+                    attribute_permissions[:default_permission]
+
+      next unless permissions
+
+      # This will break once a model that does not respond to project is used.
+      # This is intended to be worked on then with the additional knowledge.
+      next if permissions.any? { |p| user.allowed_to?(p, model.project, global: model.project.nil?) }
+
+      true
+    end
+  end
 end

app/contracts/projects/delete_contract.rb

@@ -31,13 +31,7 @@
 require 'model_contract'
 
 module Projects
-  class DeleteContract < BaseContract
+  class DeleteContract < ::DeleteContract
-    def validate
+    delete_permission :admin
-      unless user.admin?
-        errors.add :base, :error_unauthorized
-      end
-
-      super
-    end
   end
 end

app/contracts/roles/base_contract.rb

@@ -0,0 +1,92 @@
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2017 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+module Roles
+  class BaseContract < ::ModelContract
+    attribute :name
+    attribute :assignable
+
+    def validate
+      check_permission_prerequisites
+
+      super
+    end
+
+    def assignable_permissions
+      if model.is_a?(GlobalRole)
+        assignable_global_permissions
+      else
+        assignable_member_permissions
+      end
+    end
+
+    private
+
+    def assignable_member_permissions
+      permissions_to_remove = case model.builtin
+                              when Role::BUILTIN_NON_MEMBER
+                                OpenProject::AccessControl.members_only_permissions
+                              when Role::BUILTIN_ANONYMOUS
+                                OpenProject::AccessControl.loggedin_only_permissions
+                              else
+                                []
+                              end
+
+      OpenProject::AccessControl.permissions -
+        OpenProject::AccessControl.public_permissions -
+        OpenProject::AccessControl.global_permissions -
+        permissions_to_remove
+    end
+
+    def assignable_global_permissions
+      OpenProject::AccessControl.global_permissions
+    end
+
+    def check_permission_prerequisites
+      model.permissions.each do |name|
+        permission = OpenProject::AccessControl.permission(name)
+
+        next unless permission
+
+        unmet_dependencies = permission.dependencies - model.permissions
+
+        unmet_dependencies.each do |unmet_dependency|
+          add_unmet_dependency_error(name, unmet_dependency)
+        end
+      end
+    end
+
+    def add_unmet_dependency_error(selected, unmet)
+      errors.add(:permissions,
+                 I18n.t(:'activerecord.errors.models.role.permissions.dependency_missing',
+                        permission: I18n.t("permission_#{selected}"),
+                        dependency: I18n.t("permission_#{unmet}")),
+                 error_symbol: :dependency_missing)
+    end
+  end
+end

app/contracts/roles/create_contract.rb

@@ -1,12 +1,12 @@
 #-- copyright
 # OpenProject is a project management system.
-# Copyright (C) 2012-2013 the OpenProject Foundation (OPF)
+# Copyright (C) 2012-2017 the OpenProject Foundation (OPF)
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License version 3.
 #
 # OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
-# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2006-2017 Jean-Philippe Lang
 # Copyright (C) 2010-2013 the ChiliProject Team
 #
 # This program is free software; you can redistribute it and/or
@@ -26,32 +26,22 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++
 
-object @entry => "timeEntry"
+module Roles
-attributes :id,
+  class CreateContract < BaseContract
-           :spent_on,
+    attribute :type
-           :comments,
-           :hours
 
-node :user do |e|
+    def validate
-  partial('users/show', object: e.user)
+      type_in_allowed
-end
-
-child :activity => :activity do
-  attributes :name
-end
 
-child :project do
+      super
-  attributes :id, :name
+    end
-end
 
-child :work_package do
+    private
-  attributes :id, :subject
 
-  node :isVisible do |w|
+    def type_in_allowed
-    w.visible?
+      unless [Role.name, GlobalRole.name].include?(model.type)
+        errors.add(:type, :inclusion)
+      end
+    end
   end
 end
-
-node :isEditable do |e|
-  e.editable_by?(User.current)
-end

app/contracts/roles/update_contract.rb

@@ -0,0 +1,32 @@
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2017 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+module Roles
+  class UpdateContract < BaseContract
+  end
+end

app/contracts/time_entries/delete_contract.rb

@@ -29,22 +29,8 @@
 #++
 
 module TimeEntries
-  class DeleteContract < BaseContract
+  class DeleteContract < ::DeleteContract
-    def validate
+    delete_permission -> {
-      unless user_allowed_to_delete?
-        errors.add :base, :error_unauthorized
-      end
-
-      super
-    end
-
-    private
-
-    ##
-    # Users may delete time entries IF
-    # they have the :edit_time_entries or
-    # user == deleting user and :edit_own_time_entries
-    def user_allowed_to_delete?
       edit_all = user.allowed_to?(:edit_time_entries, model.project)
       edit_own = user.allowed_to?(:edit_own_time_entries, model.project)
 
@@ -53,6 +39,6 @@ module TimeEntries
       else
         edit_all
       end
-    end
+    }
   end
 end

app/contracts/versions/delete_contract.rb

@@ -26,11 +26,10 @@
 # See docs/COPYRIGHT.rdoc for more details.
 #++
 
-require 'grids/base_contract'
-
 module Versions
-  class DeleteContract < BaseContract
+  class DeleteContract < ::DeleteContract
-    # super checks that we can manage the version
+    delete_permission :manage_versions
+
     def validate
       validate_no_work_packages_attached
 
@@ -44,9 +43,5 @@ module Versions
 
       errors.add(:base, :undeletable_work_packages_attached)
     end
-
-    def validate_model?
-      false
-    end
   end
 end

app/contracts/work_packages/base_contract.rb

@@ -34,23 +34,19 @@ module WorkPackages
   class BaseContract < ::ModelContract
     include ::Attachments::ValidateReplacements
 
-    def self.model
-      WorkPackage
-    end
-
     attribute :subject
     attribute :description
     attribute :status_id
     attribute :type_id
     attribute :priority_id
     attribute :category_id
-    attribute :fixed_version_id do
+    attribute :fixed_version_id,
+              permission: :assign_versions do
       validate_fixed_version_is_assignable
     end
 
     validate :validate_no_reopen_on_closed_version
 
-    attribute :lock_version
     attribute :project_id
 
     attribute :done_ratio,
@@ -63,9 +59,8 @@ module WorkPackages
                 model.leaf?
               }
 
-    attribute :parent_id do
+    attribute :parent_id,
-      validate_user_allowed_to_set_parent if model.changed.include?('parent_id')
+              permission: :manage_subtasks
-    end
 
     attribute :assigned_to_id do
       next unless model.project
@@ -128,13 +123,15 @@ module WorkPackages
     end
 
     def writable_attributes
+      ret = super
+
       # If we're in a readonly status and did not move into that status right now
       # only allow other status transitions
       if model.readonly_status? && !model.status_id_change
-        return %w[status status_id]
+        ret &= %w(status status_id)
       end
 
-      super + model.available_custom_fields.map { |cf| "custom_field_#{cf.id}" }
+      ret
     end
 
     private
@@ -212,10 +209,6 @@ module WorkPackages
       end
     end
 
-    def validate_user_allowed_to_set_parent
-      errors.add :base, :error_unauthorized unless @can.allowed?(model, :manage_subtasks)
-    end
-
     def validate_no_reopen_on_closed_version
       if model.fixed_version_id && model.reopened? && model.fixed_version.closed?
         errors.add :base, I18n.t(:error_can_not_reopen_work_package_on_closed_version)

app/contracts/work_packages/create_contract.rb

@@ -32,10 +32,15 @@ require 'work_packages/base_contract'
 
 module WorkPackages
   class CreateContract < BaseContract
-    attribute :author_id do
+    # TODO: Think about whether this can be removed
+    # as it is unwriteable. So why bother checking for the correct author
+    attribute :author_id,
+              writeable: false do
       errors.add :author_id, :invalid if model.author != user
     end
 
+    default_attribute_permission :add_work_packages
+
     def validate
       user_allowed_to_add
 
@@ -51,5 +56,10 @@ module WorkPackages
         errors.add :base, :error_unauthorized
       end
     end
+
+    def attributes_changed_by_user
+      # lock version is initialized by AR itself
+      super - ['lock_version']
+    end
   end
 end

app/contracts/work_packages/delete_contract.rb

@@ -29,23 +29,7 @@
 #++
 
 module WorkPackages
-  class DeleteContract < ::ModelContract
+  class DeleteContract < ::DeleteContract
-    def self.model
+    delete_permission :delete_work_packages
-      WorkPackage
-    end
-
-    def validate
-      user_allowed_to_delete
-
-      super
-    end
-
-    private
-
-    def user_allowed_to_delete
-      unless user.allowed_to?(:delete_work_packages, model.project)
-        errors.add(:base, :error_unauthorized)
-      end
-    end
   end
 end

app/contracts/work_packages/skip_authorization_checks.rb

@@ -36,4 +36,8 @@ module WorkPackages::SkipAuthorizationChecks
   def user_allowed_to_edit; end
 
   def user_allowed_to_move; end
+
+  def reduce_by_writable_permissions(attributes)
+    attributes
+  end
 end

app/contracts/work_packages/update_contract.rb

@@ -1,4 +1,5 @@
 #-- encoding: UTF-8
+
 #-- copyright
 # OpenProject is a project management system.
 # Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
@@ -31,7 +32,8 @@ require 'work_packages/base_contract'
 
 module WorkPackages
   class UpdateContract < BaseContract
-    attribute :lock_version do
+    attribute :lock_version,
+              permission: %i[edit_work_packages assign_versions manage_subtasks move] do
       if model.lock_version.nil? || model.lock_version_changed?
         errors.add :base, :error_conflict
       end
@@ -41,45 +43,31 @@ module WorkPackages
 
     validate :user_allowed_to_edit
 
-    validate :user_allowed_to_move
-
     validate :can_move_to_milestone
 
+    default_attribute_permission :edit_work_packages
+    attribute_permission :project_id, :move_work_packages
+
     private
 
     def user_allowed_to_edit
       with_unchanged_project_id do
-        next if @can.allowed?(model, :edit)
+        next if @can.allowed?(model, :edit) ||
-        next user_allowed_to_change_parent if @can.allowed?(model, :manage_subtasks)
+                @can.allowed?(model, :assign_version) ||
+                @can.allowed?(model, :manage_subtasks) ||
+                @can.allowed?(model, :move)
         next if allowed_journal_addition?
 
         errors.add :base, :error_unauthorized
       end
     end
 
-    def user_allowed_to_change_parent
-      allowed_changes = { parent_id: true, lock_version: true }
-
-      model.changed.each do |key|
-        next if allowed_changes[key.to_sym]
-        return errors.add :base, :error_unauthorized
-      end
-    end
-
     def user_allowed_to_access
       unless ::WorkPackage.visible(@user).exists?(model.id)
         errors.add :base, :error_not_found
       end
     end
 
-    def user_allowed_to_move
-      if model.project_id_changed? &&
-        !@can.allowed?(model, :move)
-
-        errors.add :project, :error_unauthorized
-      end
-    end
-
     def with_unchanged_project_id
       if model.project_id_changed?
         current_project_id = model.project_id

app/controllers/projects_controller.rb

@@ -199,7 +199,7 @@ class ProjectsController < ApplicationController
       flash[:error] = I18n.t(:error_can_not_archive_project)
       redirect_back fallback_location: projects_url
     end
-    
+
     update_demo_project_settings @project, false
   end
 
@@ -231,10 +231,10 @@ class ProjectsController < ApplicationController
   end
 
   def level_list
-    @projects = Project.project_level_list(Project.visible)
+    projects = Project.project_level_list(Project.visible)
 
     respond_to do |format|
-      format.api
+      format.json { render json: projects_level_list_json(projects) }
     end
   end
 
@@ -242,6 +242,7 @@ class ProjectsController < ApplicationController
 
   def find_optional_project
     return true unless params[:id]
+
     @project = Project.find(params[:id])
     authorize
   rescue ActiveRecord::RecordNotFound

app/controllers/roles_controller.rb

@@ -29,42 +29,35 @@
 
 class RolesController < ApplicationController
   include PaginationHelper
+  include Roles::NotifyMixin
 
   layout 'admin'
 
   before_action :require_admin, except: [:autocomplete_for_role]
 
   def index
-    @roles = Role
+    @roles = roles_scope
-               .order(Arel.sql('builtin, position'))
+             .page(page_param)
-               .page(page_param)
+             .per_page(per_page_param)
-               .per_page(per_page_param)
 
     render action: 'index', layout: false if request.xhr?
   end
 
   def new
-    # Prefills the form with 'Non member' role permissions
+    @role = Role.new(permitted_params.role? || { permissions: Role.non_member.permissions })
-    @role = Role.new(permitted_params.role? || {permissions: Role.non_member.permissions})
 
-    define_setable_permissions
+    @roles = roles_scope
-
-    @roles = Role.order(Arel.sql('builtin, position'))
   end
 
   def create
-    @role = Role.new(permitted_params.role? || {permissions: Role.non_member.permissions})
+    @call = create_role
-    if @role.save
+    @role = @call.result
-      # workflow copy
+
-      if !params[:copy_workflow_from].blank? && (copy_from = Role.find_by(id: params[:copy_workflow_from]))
+    if @call.success?
-        @role.workflows.copy_from_role(copy_from)
+      flash[:notice] = t(:notice_successful_create)
-      end
-      flash[:notice] = l(:notice_successful_create)
       redirect_to action: 'index'
-      notify_changed_roles(:added, @role)
     else
-      define_setable_permissions
+      @roles = roles_scope
-      @roles = Role.order(Arel.sql('builtin, position'))
 
       render action: 'new'
     end
@@ -72,18 +65,17 @@ class RolesController < ApplicationController
 
   def edit
     @role = Role.find(params[:id])
-    define_setable_permissions
+    @call = set_role_attributes(@role, 'update')
   end
 
   def update
     @role = Role.find(params[:id])
+    @call = update_role(@role, permitted_params.role)
 
-    if @role.update_attributes(permitted_params.role)
+    if @call.success?
       flash[:notice] = l(:notice_successful_update)
       redirect_to action: 'index'
-      notify_changed_roles(:updated, @role)
     else
-      @permissions = @role.setable_permissions
       render action: 'edit'
     end
   end
@@ -101,21 +93,22 @@ class RolesController < ApplicationController
 
   def report
     @roles = Role.order(Arel.sql('builtin, position'))
-    @permissions = Redmine::AccessControl.permissions.select {|p| !p.public?}
+    @permissions = OpenProject::AccessControl.permissions.reject(&:public?)
   end
 
   def bulk_update
-    @roles = Role.order(Arel.sql('builtin, position'))
+    @roles = roles_scope
 
-    @roles.each do |role|
+    calls = bulk_update_roles(@roles)
-      new_permissions = params[:permissions][role.id.to_s].presence || []
-      role.permissions = new_permissions
-      role.save
-    end
 
-    flash[:notice] = l(:notice_successful_update)
+    if calls.all?(&:success?)
-    redirect_to action: 'index'
+      flash[:notice] = l(:notice_successful_update)
-    notify_changed_roles(:bulk_update, @roles)
+      redirect_to action: 'index'
+    else
+      @calls = calls
+      @permissions = OpenProject::AccessControl.permissions.reject(&:public?)
+      render action: 'report'
+    end
   end
 
   def autocomplete_for_role
@@ -134,11 +127,37 @@ class RolesController < ApplicationController
 
   private
 
-  def notify_changed_roles(action, changed_role)
+  def set_role_attributes(role, create_or_update)
-    OpenProject::Notifications.send(:roles_changed, action: action, role: changed_role)
+    contract = "Roles::#{create_or_update.camelize}Contract".constantize
+
+    Roles::SetAttributesService
+      .new(user: current_user, model: role, contract_class: contract)
+      .call(new_params)
   end
 
-  protected
+  def update_role(role, params)
+    Roles::UpdateService
+      .new(user: current_user, model: role)
+      .call(params)
+  end
+
+  def bulk_update_roles(roles)
+    roles.map do |role|
+      new_permissions = { permissions: params[:permissions][role.id.to_s].presence || [] }
+
+      update_role(role, new_permissions)
+    end
+  end
+
+  def create_role
+    Roles::CreateService
+      .new(user: current_user)
+      .call(create_params)
+  end
+
+  def roles_scope
+    Role.order(Arel.sql('builtin, position'))
+  end
 
   def default_breadcrumb
     if action_name == 'index'
@@ -152,17 +171,13 @@ class RolesController < ApplicationController
     true
   end
 
-  def define_setable_permissions
+  def new_params
-    @permissions = group_permissions_by_module(@role.setable_permissions)
+    permitted_params.role? || {}
   end
 
-  def group_permissions_by_module(perms)
+  def create_params
-    perms_by_module = perms.group_by {|p| p.project_module.to_s}
+    new_params
-    ::Redmine::AccessControl
+      .merge(copy_workflow_from: params[:copy_workflow_from],
-      .sorted_modules
+             global_role: params[:global_role])
-      .select {|module_name| perms_by_module[module_name].present?}
-      .map do |module_name|
-      [module_name, perms_by_module[module_name]]
-    end
   end
 end

app/controllers/timelog_controller.rb

@@ -29,8 +29,6 @@
 #++
 
 class TimelogController < ApplicationController
-  menu_item :issues
-
   before_action :disable_api, except: %i[index destroy]
   before_action :find_work_package, only: %i[new create]
   before_action :find_project, only: %i[new create]
@@ -72,49 +70,8 @@ class TimelogController < ApplicationController
 
     respond_to do |format|
       format.html do
-        # Paginate results
-        @entry_count = TimeEntry
-                       .visible
-                       .includes(:project, :work_package)
-                       .references(:projects)
-                       .where(cond.conditions)
-                       .count
-        @total_hours = TimeEntry
-                       .visible
-                       .includes(:project, :work_package)
-                       .references(:projects)
-                       .where(cond.conditions)
-                       .distinct(false)
-                       .sum(:hours).to_f
-
-        set_entries(cond)
-
-        gon.rabl template: 'app/views/timelog/index.rabl'
-        gon.project_id = @project.id if @project
-        gon.work_package_id = @issue.id if @issue
-        gon.sort_column = 'spent_on'
-        gon.sort_direction = 'desc'
-        gon.total_count = total_entry_count(cond)
-        gon.settings = client_preferences
-
         render layout: layout_non_or_no_menu
       end
-      format.json do
-        set_entries(cond)
-
-        gon.rabl template: 'app/views/timelog/index.rabl'
-      end
-      format.atom do
-        entries = TimeEntry
-                  .visible
-                  .includes(:project, :activity, :user, work_package: :type)
-                  .references(:projects)
-                  .where(cond.conditions)
-                  .order("#{TimeEntry.table_name}.created_on DESC")
-                  .limit(Setting.feeds_limit.to_i)
-
-        render_feed(entries, title: l(:label_spent_time))
-      end
       format.csv do
         # Export all entries
         @entries = TimeEntry
@@ -133,15 +90,6 @@ class TimelogController < ApplicationController
     end
   end
 
-  def show
-    respond_to do |format|
-      # TODO: Implement html response
-      format.html do
-        head 406
-      end
-    end
-  end
-
   def new
     @time_entry = new_time_entry(@project, @issue, permitted_params.time_entry.to_h)
 
@@ -206,30 +154,6 @@ class TimelogController < ApplicationController
 
   private
 
-  def total_entry_count(cond)
-    TimeEntry
-      .visible
-      .includes(:project, :activity, :user, work_package: :type)
-      .references(:projects)
-      .where(cond.conditions)
-      .count
-  end
-
-  def set_entries(cond)
-    # .visible introduces a distinct which we don't need here and which interferes
-    # with the order on postgresql.
-    # The distinct is therefore explicitly removed
-    @entries = TimeEntry
-               .visible
-               .includes(:project, :activity, :user, work_package: :type)
-               .references(:projects)
-               .where(cond.conditions)
-               .distinct(false)
-               .order(sort_clause)
-               .page(page_param)
-               .per_page(per_page_param)
-  end
-
   def find_time_entry
     @time_entry = TimeEntry.find(params[:id])
     unless @time_entry.editable_by?(User.current)

app/controllers/versions_controller.rb

@@ -144,10 +144,14 @@ class VersionsController < ApplicationController
   end
 
   def retrieve_selected_type_ids(selectable_types, default_types = nil)
-    @selected_type_ids = if (ids = params[:type_ids])
+    @selected_type_ids = selected_type_ids selectable_types, default_types
-                           ids.is_a?(Array) ? ids : ids.split('/')
+  end
-                         else
+
-                           default_types || selectable_types
+  def selected_type_ids(selectable_types, default_types = nil)
-                         end.map { |t| t.id.to_s }
+    if (ids = params[:type_ids])
+      ids.is_a?(Array) ? ids.map(&:to_s) : ids.split('/')
+    else
+      (default_types || selectable_types).map { |t| t.id.to_s }
+    end
   end
 end

app/helpers/projects_helper.rb

@@ -235,6 +235,22 @@ module ProjectsHelper
     s
   end
 
+  def projects_level_list_json(projects)
+    projects_list = projects.map do |item|
+      project = item[:project]
+
+      {
+        "id": project.id,
+        "name": project.name,
+        "identifier": project.identifier,
+        "has_children": !project.leaf?,
+        "level": item[:level]
+      }
+    end
+
+    { projects: projects_list }
+  end
+
   def projects_with_levels_order_sensitive(projects, &block)
     if sorted_by_lft?
       project_tree(projects, &block)

app/helpers/roles_helper.rb

@@ -28,4 +28,27 @@
 #++
 
 module RolesHelper
+  def setable_permissions(role)
+    # Use the base contract for now as we are only interested in the setable permissions
+    # which do not differentiate.
+    contract = Roles::BaseContract.new(role, current_user)
+
+    contract.assignable_permissions
+  end
+
+  def grouped_setable_permissions(role)
+    group_permissions_by_module(setable_permissions(role))
+  end
+
+  private
+
+  def group_permissions_by_module(perms)
+    perms_by_module = perms.group_by { |p| p.project_module.to_s }
+    ::OpenProject::AccessControl
+      .sorted_modules
+      .select { |module_name| perms_by_module[module_name].present? }
+      .map do |module_name|
+      [module_name, perms_by_module[module_name]]
+    end
+  end
 end

app/helpers/warning_bar_helper.rb

@@ -35,12 +35,6 @@ module WarningBarHelper
       OpenProject::Database.migrations_pending?
   end
 
-  def render_mysql_deprecation_warning?
-    current_user.admin? &&
-      OpenProject::Database.mysql? &&
-      current_layout == 'admin'
-  end
-
   ##
   # By default, never show a warning bar in the
   # test mode due to overshadowing other elements.

app/mailers/project_mailer.rb

@@ -61,7 +61,7 @@ class ProjectMailer < BaseMailer
     open_project_headers 'Source-Project' => source_project.identifier,
                          'Author'         => user.login
 
-    message_id project, user
+    message_id source_project, user
 
     with_locale_for(user) do
       subject = I18n.t('copy_project.failed', source_project_name: source_project.name)

app/models/attachment.rb

@@ -175,6 +175,21 @@ class Attachment < ActiveRecord::Base
     content_type || fallback
   end
 
+  def copy(&block)
+    attachment = dup
+    attachment.file = diskfile
+
+    yield attachment if block_given?
+
+    attachment
+  end
+
+  def copy!(&block)
+    attachment = copy &block
+
+    attachment.save!
+  end
+
   def extract_fulltext
     return unless OpenProject::Database.allows_tsv?
     job = ExtractFulltextJob.new(id)
@@ -183,16 +198,26 @@ class Attachment < ActiveRecord::Base
 
   # Extract the fulltext of any attachments where fulltext is still nil.
   # This runs inline and not in a asynchronous worker.
-  def self.extract_fulltext_where_missing
+  def self.extract_fulltext_where_missing(run_now: true)
     return unless OpenProject::Database.allows_tsv?
-    Attachment.where(fulltext: nil).pluck(:id).each do |id|
+
+    Attachment
+      .where(fulltext: nil)
+      .pluck(:id)
+      .each do |id|
       job = ExtractFulltextJob.new(id)
-      job.perform
+
+      if run_now
+        job.perform
+      else
+        Delayed::Job.enqueue job, priority: ::ApplicationJob.priority_number(:low)
+      end
     end
   end
 
   def self.force_extract_fulltext
     return unless OpenProject::Database.allows_tsv?
+
     Attachment.pluck(:id).each do |id|
       job = ExtractFulltextJob.new(id)
       job.perform

app/models/custom_field/order_statements.rb

@@ -108,15 +108,8 @@ module CustomField::OrderStatements
   end
 
   def select_custom_values_as_group
-    aggr_sql =
-      if OpenProject::Database.mysql?
-        "GROUP_CONCAT(cv_sort.value SEPARATOR '.')"
-      else
-        "string_agg(cv_sort.value, '.')"
-      end
-
     <<-SQL
-      COALESCE((SELECT #{aggr_sql} FROM #{CustomValue.table_name} cv_sort
+      COALESCE((SELECT string_agg(cv_sort.value, '.') FROM #{CustomValue.table_name} cv_sort
         WHERE cv_sort.customized_type='#{self.class.customized_class.name}'
           AND cv_sort.customized_id=#{self.class.customized_class.table_name}.id
           AND cv_sort.custom_field_id=#{id}
@@ -125,15 +118,8 @@ module CustomField::OrderStatements
   end
 
   def select_custom_values_joined_options_as_group
-    aggr_sql =
-      if OpenProject::Database.mysql?
-        "GROUP_CONCAT(co_sort.value SEPARATOR '.')"
-      else
-        "string_agg(co_sort.value, '.' ORDER BY co_sort.position ASC)"
-      end
-
     <<-SQL
-      COALESCE((SELECT #{aggr_sql} FROM #{CustomOption.table_name} co_sort
+      COALESCE((SELECT string_agg(co_sort.value, '.' ORDER BY co_sort.position ASC) FROM #{CustomOption.table_name} co_sort
         LEFT JOIN #{CustomValue.table_name} cv_sort
         ON co_sort.id = CAST(cv_sort.value AS decimal(60,3))
         WHERE cv_sort.customized_type='#{self.class.customized_class.name}'

app/models/journal.rb

@@ -56,17 +56,10 @@ class Journal < ActiveRecord::Base
 
   # Ensure that no INSERT/UPDATE/DELETE statements as well as other code inside :with_write_lock
   # is run concurrently to the code inside this block, by using database locking.
-  # Note for PostgreSQL: If this is called from inside a transaction, the lock will last until the
+  # Note: If this is called from inside a transaction, the lock will last until the
   #   end of that transaction.
-  # Note for MySQL: THis method does not currently change anything (no locking at all)
   def self.with_write_lock(journable)
-    lock_name =
+    lock_name = "journal.#{journable.class}.#{journable.id}"
-    if OpenProject::Database.mysql?
-      # MySQL only supports a single lock
-      "journals.write_lock"
-    else
-      "journal.#{journable.class}.#{journable.id}"
-    end
 
     result = Journal.with_advisory_lock_result(lock_name, timeout_seconds: 60) do
       yield

app/models/journal/aggregated_journal.rb

@@ -100,10 +100,10 @@ class Journal::AggregatedJournal
       # that our own row (master) would not already have been merged by its predecessor. If it is
       # (that means if we can find a valid predecessor), we drop our current row, because it will
       # already be present (in a merged form) in the row of our predecessor.
-      Journal.from("(#{sql_rough_group(1, journable, until_version, journal_id)}) #{table_name}")
+      Journal.from("(#{sql_rough_group(journable, until_version, journal_id)}) #{table_name}")
-      .joins(Arel.sql("LEFT OUTER JOIN (#{sql_rough_group(2, journable, until_version, journal_id)}) addition
+      .joins(Arel.sql("LEFT OUTER JOIN (#{sql_rough_group(journable, until_version, journal_id)}) addition
                               ON #{sql_on_groups_belong_condition(table_name, 'addition')}"))
-      .joins(Arel.sql("LEFT OUTER JOIN (#{sql_rough_group(3, journable, until_version, journal_id)}) predecessor
+      .joins(Arel.sql("LEFT OUTER JOIN (#{sql_rough_group(journable, until_version, journal_id)}) predecessor
                          ON #{sql_on_groups_belong_condition('predecessor', table_name)}"))
       .where(Arel.sql('predecessor.id IS NULL'))
       .order(Arel.sql("COALESCE(addition.created_at, #{table_name}.created_at) ASC"))
@@ -166,7 +166,7 @@ class Journal::AggregatedJournal
     # To be able to self-join results of this statement, we add an additional column called
     # "group_number" to the result. This allows to compare a group resulting from this query with
     # its predecessor and successor.
-    def sql_rough_group(uid, journable, until_version, journal_id)
+    def sql_rough_group(journable, until_version, journal_id)
       if until_version && !journable
         raise 'need to provide a journable, when specifying a version limit'
       elsif journable && journable.id.nil?
@@ -175,8 +175,8 @@ class Journal::AggregatedJournal
 
       conditions = additional_conditions(journable, until_version, journal_id)
 
-      "SELECT predecessor.*, #{sql_group_counter(uid)} AS group_number
+      "SELECT predecessor.*, #{sql_group_counter} AS group_number
-      FROM #{sql_rough_group_from_clause(uid)}
+      FROM journals predecessor
       #{sql_rough_group_join(conditions[:join_conditions])}
       #{sql_rough_group_where(conditions[:where_conditions])}
       #{sql_rough_group_order}"
@@ -229,33 +229,10 @@ class Journal::AggregatedJournal
       "ORDER BY predecessor.created_at"
     end
 
-    # The "group_number" required in :sql_rough_group has to be generated differently depending on
+    # This method returns the appropriate statement to be used inside a SELECT to
-    # the DBMS used. This method returns the appropriate statement to be used inside a SELECT to
     # obtain the current group number.
-    # The :uid parameter allows to define non-conflicting variable names (for MySQL).
+    def sql_group_counter
-    def sql_group_counter(uid)
+      'row_number() OVER (ORDER BY predecessor.version ASC)'
-      if OpenProject::Database.mysql?
-        group_counter = mysql_group_count_variable(uid)
-        "(#{group_counter} := #{group_counter} + 1)"
-      else
-        'row_number() OVER (ORDER BY predecessor.version ASC)'
-      end
-    end
-
-    # MySQL requires some initialization to be performed before being able to count the groups.
-    # This method allows to inject further FROM sources to achieve that in a single SQL statement.
-    # Sadly MySQL requires the whole statement to be wrapped in parenthesis, while PostgreSQL
-    # prohibits that.
-    def sql_rough_group_from_clause(uid)
-      if OpenProject::Database.mysql?
-        "(journals predecessor, (SELECT #{mysql_group_count_variable(uid)}:=0) number_initializer)"
-      else
-        'journals predecessor'
-      end
-    end
-
-    def mysql_group_count_variable(uid)
-      "@aggregated_journal_row_counter_#{uid}"
     end
 
     # Similar to the WHERE statement used in :sql_rough_group. However, this condition will
@@ -281,13 +258,8 @@ class Journal::AggregatedJournal
         return '(true = true)'
       end
 
-      if OpenProject::Database.mysql?
+      difference = "(#{successor}.created_at - #{predecessor}.created_at)"
-        difference = "TIMESTAMPDIFF(second, #{predecessor}.created_at, #{successor}.created_at)"
+      threshold = "interval '#{aggregation_time_seconds} second'"
-        threshold = aggregation_time_seconds
-      else
-        difference = "(#{successor}.created_at - #{predecessor}.created_at)"
-        threshold = "interval '#{aggregation_time_seconds} second'"
-      end
 
       "(#{difference} > #{threshold})"
     end

app/models/mail_handler.rb

@@ -31,10 +31,8 @@ class MailHandler < ActionMailer::Base
   include ActionView::Helpers::SanitizeHelper
   include Redmine::I18n
 
-  class UnauthorizedAction < StandardError;
+  class UnauthorizedAction < StandardError; end
-  end
+  class MissingInformation < StandardError; end
-  class MissingInformation < StandardError;
-  end
 
   attr_reader :email, :user
 

app/models/member_role.rb

@@ -98,7 +98,7 @@ class MemberRole < ActiveRecord::Base
       end
     end
 
-    users = inherited_roles_by_member.keys.map(&:user)
+    users = inherited_roles_by_member.keys.map(&:principal)
 
     Watcher.prune(user: users, project_id: member.project_id) unless users.empty?
   end

app/models/mixins/changed_by_system.rb

@@ -0,0 +1,65 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2019 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+module Mixins
+  module ChangedBySystem
+    extend ActiveSupport::Concern
+
+    def changed_by_system(attributes = nil)
+      @changed_by_system ||= []
+
+      if attributes
+        @changed_by_system += Array(attributes)
+      end
+
+      @changed_by_system
+    end
+
+    def change_by_system
+      prior_changes = non_no_op_changes
+
+      ret = yield
+
+      changed_by_system(changed_compared_to(prior_changes))
+
+      ret
+    end
+
+    private
+
+    def non_no_op_changes
+      changes.reject { |_, (old, new)| old == 0 && new.nil? }
+    end
+
+    def changed_compared_to(prior_changes)
+      changed.select { |c| !prior_changes[c] || prior_changes[c].last != changes[c].last }
+    end
+  end
+end

app/models/principal.rb

@@ -82,12 +82,6 @@ class Principal < ActiveRecord::Base
     firstnamelastname = "((firstname || ' ') || lastname)"
     lastnamefirstname = "((lastname || ' ') || firstname)"
 
-    # special concat for mysql
-    if OpenProject::Database.mysql?
-      firstnamelastname = "CONCAT(CONCAT(firstname, ' '), lastname)"
-      lastnamefirstname = "CONCAT(CONCAT(lastname, ' '), firstname)"
-    end
-
     s = "%#{q.to_s.downcase.strip.tr(',', '')}%"
 
     where(['LOWER(login) LIKE :s OR ' +

app/models/project.rb

@@ -715,13 +715,13 @@ class Project < ActiveRecord::Base
     @allowed_permissions ||= begin
       names = enabled_modules.loaded? ? enabled_module_names : enabled_modules.pluck(:name)
 
-      Redmine::AccessControl.modules_permissions(names).map(&:name)
+      OpenProject::AccessControl.modules_permissions(names).map(&:name)
     end
   end
 
   def allowed_actions
     @actions_allowed ||= allowed_permissions
-                         .map { |permission| Redmine::AccessControl.allowed_actions(permission) }
+                         .map { |permission| OpenProject::AccessControl.allowed_actions(permission) }
                          .flatten
   end
 

app/models/project/copy.rb

@@ -43,6 +43,8 @@ module Project::Copy
     def copy_attributes(project)
       super
       with_model(project) do |project|
+        # Clear enabled modules
+        self.enabled_modules = []
         self.enabled_module_names = project.enabled_module_names
         self.types = project.types
         self.work_package_custom_fields = project.work_package_custom_fields

app/models/queries/filters/strategies/relation.rb

@@ -1,4 +1,5 @@
 #-- encoding: UTF-8
+
 #-- copyright
 # OpenProject is a project management system.
 # Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
@@ -27,32 +28,34 @@
 # See docs/COPYRIGHT.rdoc for more details.
 #++
 
-##
+module Queries::Filters::Strategies
-# Hack against rabl 0.13.0 which applies config.include_child_root to
+  class Relation < BaseStrategy
-# #collection as well as to #child calls as you would expect.
+    delegate :allowed_values_subset,
-#
+             to: :filter
-module Rabl
-  class Engine
-    def to_hash_with_hack(options = {})
-      if is_collection?(@_data_object)
-        options[:building_collection] = true
-      end
-      to_hash_without_hack(options)
-    end
 
-    alias_method :to_hash_without_hack, :to_hash
+    self.supported_operators = ::Relation::TYPES.keys + %w(parent children)
-    alias_method :to_hash, :to_hash_with_hack
+    self.default_operator = ::Relation::TYPE_RELATES
-  end
+
+    def validate
+      unique_values = values.uniq
+      allowed_and_desired_values = allowed_values_subset & unique_values
 
-  class Builder
+      if allowed_and_desired_values.sort != unique_values.sort
-    def to_hash_with_hack(object = nil, settings = nil, options = nil)
+        errors.add(:values, :inclusion)
-      if @options[:building_collection] && !@options[:child_root]
-        @options[:root_name] = false
       end
-      to_hash_without_hack(object, settings, options)
+      if too_many_values
+        errors.add(:values, "only one value allowed")
+      end
+    end
+
+    def valid_values!
+      filter.values &= allowed_values.map(&:last).map(&:to_s)
     end
 
-    alias_method :to_hash_without_hack, :to_hash
+    private
-    alias_method :to_hash, :to_hash_with_hack
+
+    def too_many_values
+      values.reject(&:blank?).length > 1
+    end
   end
 end

app/models/queries/not_existing_filter.rb

@@ -62,6 +62,18 @@ class Queries::NotExistingFilter < Queries::Filters::Base
     }
   end
 
+  def scope
+    # TODO: remove switch once the WP query is a
+    # subclass of Queries::Base
+    model = if context.respond_to?(:model)
+              context.model
+            else
+              WorkPackage
+            end
+
+    model.unscoped
+  end
+
   def attributes_hash
     nil
   end

app/models/queries/operators.rb

@@ -47,7 +47,20 @@ module Queries::Operators
     Queries::Operators::Ago,
     Queries::Operators::OnDate,
     Queries::Operators::BetweenDate,
-    Queries::Operators::Everywhere
+    Queries::Operators::Everywhere,
+    Queries::Operators::Relates,
+    Queries::Operators::Duplicates,
+    Queries::Operators::Duplicated,
+    Queries::Operators::Blocks,
+    Queries::Operators::Blocked,
+    Queries::Operators::Follows,
+    Queries::Operators::Precedes,
+    Queries::Operators::Includes,
+    Queries::Operators::PartOf,
+    Queries::Operators::Requires,
+    Queries::Operators::Required,
+    Queries::Operators::Parent,
+    Queries::Operators::Children
   ]
 
   OPERATORS = Hash[*(operators.map { |o| [o.symbol.to_s, o] }).flatten].freeze

app/models/queries/operators/blocked.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Blocked < Base
+    label ::Relation::TYPE_BLOCKED
+    set_symbol ::Relation::TYPE_BLOCKED
+  end
+end

app/models/queries/operators/blocks.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Blocks < Base
+    label ::Relation::TYPE_BLOCKS
+    set_symbol ::Relation::TYPE_BLOCKS
+  end
+end

app/models/queries/operators/children.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Children < Base
+    label 'children'
+    set_symbol 'children'
+  end
+end

app/models/queries/operators/duplicated.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Duplicated < Base
+    label ::Relation::TYPE_DUPLICATED
+    set_symbol ::Relation::TYPE_DUPLICATED
+  end
+end

app/models/queries/operators/duplicates.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Duplicates < Base
+    label ::Relation::TYPE_DUPLICATES
+    set_symbol ::Relation::TYPE_DUPLICATES
+  end
+end

app/models/queries/operators/follows.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Follows < Base
+    label 'follows'
+    set_symbol ::Relation::TYPE_FOLLOWS
+  end
+end

app/models/queries/operators/includes.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Includes < Base
+    label ::Relation::TYPE_INCLUDES
+    set_symbol ::Relation::TYPE_INCLUDES
+  end
+end

app/models/queries/operators/parent.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Parent < Base
+    label 'parent'
+    set_symbol 'parent'
+  end
+end

app/models/queries/operators/part_of.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class PartOf < Base
+    label ::Relation::TYPE_PARTOF
+    set_symbol ::Relation::TYPE_PARTOF
+  end
+end

app/models/queries/operators/precedes.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Precedes < Base
+    label ::Relation::TYPE_PRECEDES
+    set_symbol ::Relation::TYPE_PRECEDES
+  end
+end

app/models/queries/operators/relates.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Relates < Base
+    label 'relates'
+    set_symbol ::Relation::TYPE_RELATES
+  end
+end

app/models/queries/operators/required.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Required < Base
+    label ::Relation::TYPE_REQUIRED
+    set_symbol ::Relation::TYPE_REQUIRED
+  end
+end

app/models/queries/operators/requires.rb

@@ -0,0 +1,36 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries::Operators
+  class Requires < Base
+    label ::Relation::TYPE_REQUIRES
+    set_symbol ::Relation::TYPE_REQUIRES
+  end
+end

app/models/queries/projects.rb

@@ -35,6 +35,7 @@ module Queries::Projects
   query = ::Queries::Projects::ProjectQuery
 
   register.filter query, filters::AncestorFilter
+  register.filter query, filters::TypeFilter
   register.filter query, filters::ActiveOrArchivedFilter
   register.filter query, filters::NameAndIdentifierFilter
   register.filter query, filters::CustomFieldFilter

app/models/queries/projects/filters/type_filter.rb

@@ -0,0 +1,66 @@
+#-- encoding: UTF-8
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See docs/COPYRIGHT.rdoc for more details.
+#++
+
+module Queries
+  module Projects
+    module Filters
+      class TypeFilter < ::Queries::Projects::Filters::ProjectFilter
+        def allowed_values
+          @allowed_values ||= Type.pluck(:name, :id)
+        end
+
+        def joins
+          :types
+        end
+
+        def where
+          operator_strategy.sql_for_field(values, Type.table_name, :id)
+        end
+
+        def type
+          :list
+        end
+
+        def self.key
+          :type_id
+        end
+
+        private
+
+        def type_strategy
+          # Instead of getting the IDs of all the projects a user is allowed
+          # to see we only check that the value is an integer.  Non valid ids
+          # will then simply create an empty result but will not cause any
+          # harm.
+          @type_strategy ||= ::Queries::Filters::Strategies::IntegerList.new(self)
+        end
+      end
+    end
+  end
+end

app/models/queries/work_packages.rb

@@ -75,6 +75,7 @@ module Queries::WorkPackages
   register.filter Query, filters_module::CommentFilter
   register.filter Query, filters_module::SubjectOrIdFilter
   register.filter Query, filters_module::ManualSortFilter
+  register.filter Query, filters_module::RelatableFilter
 
   columns_module = Queries::WorkPackages::Columns
 

app/models/queries/work_packages/filter/filter_for_wp_mixin.rb

@@ -38,7 +38,7 @@ module Queries::WorkPackages::Filter::FilterForWpMixin
   end
 
   def value_objects
-    objects = scope.find(no_templated_values)
+    objects = visible_scope.find(no_templated_values)
 
     if has_templated_value?
       objects << ::Queries::Filters::TemplatedValue.new(WorkPackage)
@@ -52,7 +52,7 @@ module Queries::WorkPackages::Filter::FilterForWpMixin
   end
 
   def available?
-    scope.exists?
+    visible_scope.exists?
   end
 
   def ar_object_filter?
@@ -60,7 +60,7 @@ module Queries::WorkPackages::Filter::FilterForWpMixin
   end
 
   def allowed_values_subset
-    id_values = scope.where(id: no_templated_values).pluck(:id).map(&:to_s)
+    id_values = visible_scope.where(id: no_templated_values).pluck(:id).map(&:to_s)
 
     if has_templated_value?
       id_values + templated_value_keys
@@ -71,7 +71,7 @@ module Queries::WorkPackages::Filter::FilterForWpMixin
 
   private
 
-  def scope
+  def visible_scope
     if context.project
       WorkPackage
         .visible

app/models/queries/work_packages/filter/project_filter.rb

@@ -1,4 +1,5 @@
 #-- encoding: UTF-8
+
 #-- copyright
 # OpenProject is a project management system.
 # Copyright (C) 2012-2018 the OpenProject Foundation (OPF)

app/models/queries/work_packages/filter/relatable_filter.rb

@@ -1,4 +1,5 @@
 #-- encoding: UTF-8
+
 #-- copyright
 # OpenProject is a project management system.
 # Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
@@ -26,34 +27,56 @@
 #
 # See docs/COPYRIGHT.rdoc for more details.
 #++
-require 'legacy_spec_helper'
 
-describe Redmine::AccessControl do
+class Queries::WorkPackages::Filter::RelatableFilter < Queries::WorkPackages::Filter::WorkPackageFilter
-  before do
+  include Queries::WorkPackages::Filter::FilterForWpMixin
-    @access_module = Redmine::AccessControl
+
+  def available?
+    User.current.allowed_to?(:manage_work_package_relations, nil, global: true)
+  end
+
+  def type
+    :relation
+  end
+
+  def type_strategy
+    @type_strategy ||= Queries::Filters::Strategies::Relation.new(self)
+  end
+
+  def where
+    # all of the filter logic is handled by #scope
+    "(1 = 1)"
+  end
+
+  def scope
+    if operator == Relation::TYPE_RELATES
+      relateable_from_or_to
+    elsif operator != 'parent' && canonical_operator == operator
+      relateable_to
+    else
+      relateable_from
+    end
+  end
+
+  private
+
+  def relateable_from_or_to
+    relateable_to.or(relateable_from)
+  end
+
+  def relateable_from
+    WorkPackage.relateable_from(from)
   end
 
-  it 'should permissions' do
+  def relateable_to
-    perms = @access_module.permissions
+    WorkPackage.relateable_to(from)
-    assert perms.is_a?(Array)
-    assert perms.first.is_a?(Redmine::AccessControl::Permission)
   end
 
-  it 'should module permission' do
+  def from
-    perm = @access_module.permission(:view_work_packages)
+    WorkPackage.find(values.first)
-    assert perm.is_a?(Redmine::AccessControl::Permission)
-    assert_equal :view_work_packages, perm.name
-    assert_equal :work_package_tracking, perm.project_module
-    assert perm.actions.is_a?(Array)
-    assert perm.actions.include?('issues/index')
   end
 
-  it 'should no module permission' do
+  def canonical_operator
-    perm = @access_module.permission(:edit_project)
+    Relation.canonical_type(operator)
-    assert perm.is_a?(Redmine::AccessControl::Permission)
-    assert_equal :edit_project, perm.name
-    assert_nil perm.project_module
-    assert perm.actions.is_a?(Array)
-    assert perm.actions.include?('project_settings/show')
   end
 end

app/models/queries/work_packages/filter/relates_filter.rb

@@ -32,7 +32,6 @@
 
 class Queries::WorkPackages::Filter::RelatesFilter <
   Queries::WorkPackages::Filter::WorkPackageFilter
-
   include ::Queries::WorkPackages::Filter::FilterOnUndirectedRelationsMixin
 
   def relation_type

app/models/queries/work_packages/filter/subject_or_id_filter.rb

@@ -30,7 +30,6 @@
 
 class Queries::WorkPackages::Filter::SubjectOrIdFilter <
   Queries::WorkPackages::Filter::WorkPackageFilter
-
   include Queries::WorkPackages::Filter::OrFilterForWpMixin
 
   CONTAINS_OPERATOR = '~'.freeze

app/models/queries/work_packages/filter/work_package_filter.rb

@@ -44,4 +44,12 @@ class Queries::WorkPackages::Filter::WorkPackageFilter < ::Queries::Filters::Bas
   def includes
     nil
   end
+
+  def scope
+    # We only return the WorkPackage base scope for now as most of the filters
+    # (this one's subclasses) currently do not follow the base filter approach of using the scope.
+    # The intend is to have more and more wp filters use the scope method just like the
+    # rest of the queries (e.g. project)
+    WorkPackage.unscoped
+  end
 end

app/models/query/results.rb

@@ -47,19 +47,18 @@ class ::Query::Results
 
   # Returns the work package count
   def work_package_count
-    WorkPackage.visible
+    work_package_scope
-               .joins(all_filter_joins)
+      .joins(all_filter_joins)
-               .includes(:status, :project)
+      .includes(:status, :project)
-               .where(query.statement)
+      .where(query.statement)
-               .references(:statuses, :projects)
+      .references(:statuses, :projects)
-               .count
+      .count
   rescue ::ActiveRecord::StatementInvalid => e
     raise ::Query::StatementInvalid.new(e.message)
   end
 
   def work_packages
-    WorkPackage
+    work_package_scope
-      .visible
       .where(query.statement)
       .where(options[:conditions])
       .includes(all_includes)
@@ -100,6 +99,12 @@ class ::Query::Results
 
   private
 
+  def work_package_scope
+    WorkPackage
+      .visible
+      .merge(filter_merges)
+  end
+
   def all_includes
     (%i(status project) +
       includes_for_columns(include_columns) +
@@ -210,6 +215,13 @@ class ::Query::Results
     query.filters.map(&:joins).flatten.compact
   end
 
+  def filter_merges
+    query.filters.inject(::WorkPackage.unscoped) do |scope, filter|
+      scope = scope.merge(filter.scope)
+      scope
+    end
+  end
+
   def clean_symbol_list(list)
     list.flatten.compact.uniq.map(&:to_sym)
   end

app/models/role.rb

@@ -63,7 +63,9 @@ class Role < ActiveRecord::Base
   validates_length_of :name, maximum: 30
 
   def self.givable
-    where(builtin: NON_BUILTIN).order(Arel.sql('position'))
+    where(builtin: NON_BUILTIN)
+      .where(type: 'Role')
+      .order(Arel.sql('position'))
   end
 
   def permissions
@@ -132,14 +134,6 @@ class Role < ActiveRecord::Base
     end
   end
 
-  # Return all the permissions that can be given to the role
-  def setable_permissions
-    setable_permissions = Redmine::AccessControl.permissions - Redmine::AccessControl.public_permissions
-    setable_permissions -= Redmine::AccessControl.members_only_permissions if builtin == BUILTIN_NON_MEMBER
-    setable_permissions -= Redmine::AccessControl.loggedin_only_permissions if builtin == BUILTIN_ANONYMOUS
-    setable_permissions
-  end
-
   # Return the builtin 'non member' role.  If the role doesn't exist,
   # it will be created on the fly.
   def self.non_member
@@ -179,12 +173,12 @@ class Role < ActiveRecord::Base
   private
 
   def allowed_permissions
-    @allowed_permissions ||= permissions + Redmine::AccessControl.public_permissions.map(&:name)
+    @allowed_permissions ||= permissions + OpenProject::AccessControl.public_permissions.map(&:name)
   end
 
   def allowed_actions
     @actions_allowed ||= allowed_permissions.map do |permission|
-      Redmine::AccessControl.allowed_actions(permission)
+      OpenProject::AccessControl.allowed_actions(permission)
     end.flatten
   end
 

app/models/user.rb

@@ -238,7 +238,7 @@ class User < Principal
   def self.activate_user!(user, session)
     if session[:invitation_token]
       token = Token::Invitation.find_by_plaintext_value session[:invitation_token]
-      invited_id = token && token.user.id
+      invited_id = token&.user&.id
 
       if user.id == invited_id
         user.activate!
@@ -476,28 +476,28 @@ class User < Principal
   # Find a user account by matching the exact login and then a case-insensitive
   # version.  Exact matches will be given priority.
   def self.find_by_login(login)
-    # force string comparison to be case sensitive on MySQL
-    type_cast = (OpenProject::Database.mysql?) ? 'BINARY' : ''
     # First look for an exact match
-    user = where(["#{type_cast} login = ?", login]).first
+    user = find_by(login: login)
     # Fail over to case-insensitive if none was found
-    user ||= where(["#{type_cast} LOWER(login) = ?", login.to_s.downcase]).first
+    user || where(["LOWER(login) = ?", login.to_s.downcase]).first
   end
 
   def self.find_by_rss_key(key)
     return nil unless Setting.feeds_enabled?
+
     token = Token::Rss.find_by(value: key)
 
-    if token && token.user.active?
+    if token&.user&.active?
       token.user
     end
   end
 
   def self.find_by_api_key(key)
     return nil unless Setting.rest_api_enabled?
+
     token = Token::Api.find_by_plaintext_value(key)
 
-    if token && token.user.active?
+    if token&.user&.active?
       token.user
     end
   end
@@ -513,16 +513,11 @@ class User < Principal
     skip_suffix_check, regexp = mail_regexp(mail)
 
     # If the recipient part already contains a suffix, don't expand
-    return where("LOWER(mail) = ?", mail) if skip_suffix_check
+    if skip_suffix_check
-
+      where("LOWER(mail) = ?", mail)
-    command =
+    else
-      if OpenProject::Database.mysql?
+      where("LOWER(mail) ~* ?", regexp)
-        'REGEXP'
+    end
-      else
-        '~*'
-      end
-
-    where("LOWER(mail) #{command} ?", regexp)
   end
 
   ##
@@ -563,7 +558,7 @@ class User < Principal
     roles = []
 
     # No role on archived projects
-    return roles unless project && project.active?
+    return roles unless project&.active?
 
     # Return all roles if user is admin
     return Role.givable.to_a if admin?

app/models/user/project_authorization_cache.rb

@@ -59,7 +59,7 @@ class User::ProjectAuthorizationCache
   private
 
   def normalized_permission_name(action)
-    Redmine::AccessControl.permission(action)
+    OpenProject::AccessControl.permission(action)
   end
 
   def projects_by_actions

app/models/work_package.rb

@@ -260,7 +260,7 @@ class WorkPackage < ActiveRecord::Base
   def assignable_versions
     @assignable_versions ||= begin
       current_version = fixed_version_id_changed? ? Version.find_by(id: fixed_version_id_was) : fixed_version
-      (project.assignable_versions + [current_version]).compact.uniq.sort
+      ((project&.assignable_versions || []) + [current_version]).compact.uniq.sort
     end
   end
 

app/policies/work_package_policy.rb

@@ -51,7 +51,8 @@ class WorkPackagePolicy < BasePolicy
       duplicate: copy_allowed?(work_package), # duplicating is another form of copying
       delete: delete_allowed?(work_package),
       manage_subtasks: manage_subtasks_allowed?(work_package),
-      comment: comment_allowed?(work_package)
+      comment: comment_allowed?(work_package),
+      assign_version: assign_version_allowed?(work_package)
     }
   end
 
@@ -125,4 +126,12 @@ class WorkPackagePolicy < BasePolicy
 
     @comment_cache[work_package.project]
   end
+
+  def assign_version_allowed?(work_package)
+    @assign_version_cache ||= Hash.new do |hash, project|
+      hash[project] = user.allowed_to?(:assign_versions, work_package.project)
+    end
+
+    @assign_version_cache[work_package.project]
+  end
 end

app/seeders/basic_data/role_seeder.rb

@@ -66,6 +66,7 @@ module BasicData
           add_work_packages
           move_work_packages
           edit_work_packages
+          assign_versions
           add_work_package_notes
           edit_own_work_package_notes
           manage_work_package_relations
@@ -141,7 +142,11 @@ module BasicData
     end
 
     def project_admin
-      { name: I18n.t(:default_role_project_admin), position: 5, permissions: Role.new.setable_permissions.map(&:name) }
+      {
+        name: I18n.t(:default_role_project_admin),
+        position: 5,
+        permissions: Roles::CreateContract.new(Role.new, nil).assignable_permissions.map(&:name)
+      }
     end
 
     def non_member

app/services/api/v3/parse_query_params_service.rb

@@ -127,9 +127,9 @@ module API
       end
 
       def highlighted_attributes_from_params(params)
-        highlighted_attributes = params[:highlightedAttributes]
+        highlighted_attributes = Array(params[:highlightedAttributes].presence)
 
-        return unless highlighted_attributes
+        return unless highlighted_attributes.present?
 
         highlighted_attributes.map do |attr|
           convert_attribute(attr)

app/services/api/v3/update_query_from_v3_params_service.rb

@@ -34,7 +34,7 @@ module API
         self.current_user = user
       end
 
-      def call(params)
+      def call(params, valid_subset: false)
         parsed = ::API::V3::ParseQueryParamsService
                  .new
                  .call(params)
@@ -42,7 +42,7 @@ module API
         if parsed.success?
           ::UpdateQueryFromParamsService
             .new(query, current_user)
-            .call(parsed.result)
+            .call(parsed.result, valid_subset: valid_subset)
         else
           parsed
         end

app/services/api/v3/work_package_collection_from_query_service.rb

@@ -37,10 +37,10 @@ module API
         self.current_user = user
       end
 
-      def call(params = {})
+      def call(params = {}, valid_subset: false)
         update = UpdateQueryFromV3ParamsService
                  .new(query, current_user)
-                 .call(params)
+                 .call(params, valid_subset: valid_subset)
 
         if update.success?
           representer = results_to_representer(params)

app/services/authorization/project_query.rb

@@ -132,9 +132,9 @@ class Authorization::ProjectQuery < Authorization::AbstractQuery
 
   def self.permissions(action)
     if action.is_a?(Hash)
-      Redmine::AccessControl.allow_actions(action)
+      OpenProject::AccessControl.allow_actions(action)
     else
-      [Redmine::AccessControl.permission(action)].compact
+      [OpenProject::AccessControl.permission(action)].compact
     end
   end
 

app/services/authorization/user_allowed_query.rb

@@ -46,7 +46,7 @@ class Authorization::UserAllowedQuery < Authorization::AbstractUserQuery
       has_role = roles_table[:id].not_eq(nil)
       has_permission = role_permissions_table[:id].not_eq(nil)
 
-      has_role_and_permission = if Redmine::AccessControl.permission(action).public?
+      has_role_and_permission = if OpenProject::AccessControl.permission(action).public?
                                   has_role
                                 else
                                   has_role.and(has_permission)
@@ -75,7 +75,7 @@ class Authorization::UserAllowedQuery < Authorization::AbstractUserQuery
   transformations.register :all,
                            :role_permissions_join,
                            after: [:roles_join] do |statement, action|
-    if Redmine::AccessControl.permission(action).public?
+    if OpenProject::AccessControl.permission(action).public?
       statement
     else
       statement.outer_join(role_permissions_table)

app/services/base_services/create.rb

@@ -65,16 +65,16 @@ module BaseServices
     def set_attributes(params)
       attributes_service_class
         .new(user: user,
-             model: new_instance,
+             model: new_instance(params),
              contract_class: contract_class)
         .call(params)
     end
 
-    def after_save(attributes_call)
+    def after_save(_attributes_call)
       # nothing for now but subclasses can override
     end
 
-    def new_instance
+    def new_instance(_params)
       instance_class.new
     end
 

app/services/base_services/set_attributes.rb

@@ -35,6 +35,13 @@ module BaseServices
     def initialize(user:, model:, contract_class:)
       self.user = user
       self.model = model
+
+      # Allow tracking changes caused by a user but done for him by the system.
+      # E.g. fixed_version of a work package might need to be changed as the user changed the project.
+      # This is currently used for permission checks where the changed project is checked but the fixed_version
+      # is not if it is done by the system.
+      model.extend(Mixins::ChangedBySystem)
+
       self.contract_class = contract_class
     end
 

app/services/members/create_service.rb

@@ -28,14 +28,4 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++
 
-class Members::CreateService < ::BaseServices::Create
+class Members::CreateService < ::BaseServices::Create; end
-  private
-
-  def after_save(attributes_call)
-    super
-
-    # Because of the way roles are assigned further down the stack,
-    # the roles association is empty after assign_roles has been called.
-    attributes_call.result.roles.reload
-  end
-end

app/services/members/delete_service.rb

@@ -1,12 +1,12 @@
 #-- copyright
 # OpenProject is a project management system.
-# Copyright (C) 2012-2013 the OpenProject Foundation (OPF)
+# Copyright (C) 2012-2019 the OpenProject Foundation (OPF)
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License version 3.
 #
 # OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
-# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2006-2017 Jean-Philippe Lang
 # Copyright (C) 2010-2013 the ChiliProject Team
 #
 # This program is free software; you can redistribute it and/or
@@ -26,5 +26,4 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++
 
-collection @entries => "timeEntries"
+class Members::DeleteService < ::BaseServices::Delete; end
-extends 'timelog/show'

app/services/members/update_service.rb

@@ -1,12 +1,14 @@
+#-- encoding: UTF-8
+
 #-- copyright
 # OpenProject is a project management system.
-# Copyright (C) 2012-2013 the OpenProject Foundation (OPF)
+# Copyright (C) 2012-2019 the OpenProject Foundation (OPF)
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License version 3.
 #
 # OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
-# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2006-2017 Jean-Philippe Lang
 # Copyright (C) 2010-2013 the ChiliProject Team
 #
 # This program is free software; you can redistribute it and/or
@@ -26,9 +28,4 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++
 
-object @user
+class Members::UpdateService < ::BaseServices::Update; end
-attributes :id,
-           :name,
-           :firstname,
-           :lastname
-

app/services/roles/create_service.rb

@@ -1,12 +1,14 @@
+#-- encoding: UTF-8
+
 #-- copyright
 # OpenProject is a project management system.
-# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+# Copyright (C) 2012-2019 the OpenProject Foundation (OPF)
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License version 3.
 #
 # OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
-# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2006-2017 Jean-Philippe Lang
 # Copyright (C) 2010-2013 the ChiliProject Team
 #
 # This program is free software; you can redistribute it and/or
@@ -26,24 +28,36 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++
 
-collection @projects => "projects"
+class Roles::CreateService < ::BaseServices::Create
+  include Roles::NotifyMixin
 
-# This is a bit verbose as Project.level_list produces an array of hashes with the form:
+  private
-# [
-#  { :project => <Project object>,
-#    :level   => <hierarchy level> }
-# ]
 
-node(:id)           { |p| p[:project].id }
+  def create(params)
-node(:name)         { |p| p[:project].name }
+    copy_workflow_id = params.delete(:copy_workflow_from)
-node(:identifier)   { |p| p[:project].identifier }
-node(:has_children) { |p| !p[:project].leaf? }
-node(:level)        { |p| p[:level] }
 
-node(:created_on, if: lambda { |p| p[:project].created_on }) do |p|
+    super_call = super
-  p[:project].created_on.utc
+
-end
+    if super_call.success?
+      copy_workflows(copy_workflow_id, super_call.result)
+
+      notify_changed_roles(:added, super_call.result)
+    end
+
+    super_call
+  end
+
+  def new_instance(params)
+    if params.delete(:global_role)
+      GlobalRole.new
+    else
+      super
+    end
+  end
 
-node(:updated_on, if: lambda { |p| p[:project].updated_on }) do |p|
+  def copy_workflows(copy_workflow_id, role)
-  p[:project].updated_on.utc
+    if copy_workflow_id.present? && (copy_from = Role.find_by(id: copy_workflow_id))
+      role.workflows.copy_from_role(copy_from)
+    end
+  end
 end

app/services/roles/notify_mixin.rb

@@ -0,0 +1,37 @@
+#-- encoding: UTF-8
+
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2019 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+#++
+
+module Roles::NotifyMixin
+  private
+
+  def notify_changed_roles(action, changed_role)
+    OpenProject::Notifications.send(:roles_changed, action: action, role: changed_role)
+  end
+end