diff --git a/app/assets/stylesheets/content/_index.sass b/app/assets/stylesheets/content/_index.sass
index b4b203428d..14d5064fc6 100644
--- a/app/assets/stylesheets/content/_index.sass
+++ b/app/assets/stylesheets/content/_index.sass
@@ -64,6 +64,7 @@
 @import content/hide_until_initialized
 @import content/hidden
 @import content/search
+@import content/security_badge
 @import content/contextual
 @import content/tooltip
 @import content/grid
diff --git a/app/assets/stylesheets/content/_security_badge.sass b/app/assets/stylesheets/content/_security_badge.sass
new file mode 100644
index 0000000000..739cfef871
--- /dev/null
+++ b/app/assets/stylesheets/content/_security_badge.sass
@@ -0,0 +1,6 @@
+.security-badge--container
+ height: 28px
+
+.security-badge--help-icon
+ position: relative
+ top: -8px
diff --git a/app/helpers/security_badge_helper.rb b/app/helpers/security_badge_helper.rb
index d7c6c10c66..79109b2eff 100644
--- a/app/helpers/security_badge_helper.rb
+++ b/app/helpers/security_badge_helper.rb
@@ -41,4 +41,8 @@ module SecurityBadgeHelper
 uri.query = info.to_query
 uri.to_s
 end
+
+ def display_security_badge_graphic?
+ OpenProject::Configuration.security_badge_displayed? && Setting.security_badge_displayed?
+ end
 end
diff --git a/app/models/permitted_params.rb b/app/models/permitted_params.rb
index 76bea5f06f..3964c4dedd 100644
--- a/app/models/permitted_params.rb
+++ b/app/models/permitted_params.rb
@@ -108,7 +108,10 @@ class PermittedParams
 end
 
 def group
- params.require(:group).permit(*self.class.permitted_attributes[:group])
+ permitted_params = params.require(:group).permit(*self.class.permitted_attributes[:group])
+ permitted_params = permitted_params.merge(custom_field_values(:group))
+
+ permitted_params
 end
 
 def group_membership
diff --git a/app/views/admin/info.html.erb b/app/views/admin/info.html.erb
index 708a740ce7..352d0b3057 100644
--- a/app/views/admin/info.html.erb
+++ b/app/views/admin/info.html.erb
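Review bot: `display_security_badge_graphic?` in the security_badge_helper.rb hunk has no comment saying why two switches are combined, and that is the part a future reader needs. A short YARD note above it would do: `# True only when both the deployment configuration and the admin setting allow the badge; the configuration flag is the operator-level kill switch and cannot be overridden from the UI.` Since `security_badge_url` just above this hunk builds a query string from `info.to_query` for an external host, the same comment should state that this predicate is the gate views must check before emitting that URL, so a view that calls `security_badge_url` directly cannot bypass the configuration flag. The enclosing module starts outside the hunk.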
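Review bot: `group` in the permitted_params.rb hunk reassigns `permitted_params` twice where a single expression reads more clearly: `params.require(:group).permit(*self.class.permitted_attributes[:group]).merge(custom_field_values(:group))`. Because the merge widens what is mass-assignable for groups, please confirm that `custom_field_values(:group)` (defined outside this hunk) permits only the custom-field ids that actually exist for groups rather than an open-ended hash, so a request cannot write arbitrary custom values. The enclosing class starts outside the hunk.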
@@ -48,13 +48,18 @@ See docs/COPYRIGHT.rdoc for more details. <%= OpenProject::Info.versioned_name %> (<%= @db_adapter_name %>) - <% if Setting.security_badge_displayed? %> + <% if display_security_badge_graphic? %>
- <%= content_tag :span do %> +
<%= content_tag :object, nil, data: security_badge_url, type: "image/svg+xml" %> - <% end %> + <%= link_to '', + ::OpenProject::Static::Links[:security_badge_documentation][:href], + title: t(:label_what_is_this), + class: 'security-badge--help-icon icon-context icon-help1', + target: '_blank' %> +
<% end %> diff --git a/app/views/customizable/_form.html.erb b/app/views/customizable/_form.html.erb index 4282e0b31a..bffe793b98 100644 --- a/app/views/customizable/_form.html.erb +++ b/app/views/customizable/_form.html.erb @@ -35,7 +35,7 @@ See docs/COPYRIGHT.rdoc for more details.
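Review bot: The new `link_to` in the info.html.erb hunk opens the documentation with `target: '_blank'` but passes no `rel`, so unless this Rails version adds it automatically the opened page receives a `window.opener` reference; add `rel: 'noopener'` to the options. The link text is empty and only `title:` describes it, so an icon-only link like this should also carry an accessible name, for example `'aria-label': t(:label_what_is_this)`. The same `link_to` block appears in the homescreen/_administration.html.erb hunk and needs the same change. Most of the surrounding HTML in this hunk was lost in rendering, so the element the new markup closes cannot be checked from here.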
<%# display all fields OR only display required fields OR only display optional fields #%> <% if all_fields || (only_required && required) || (!only_required && !required) %> - <%= value_form.custom_field(container_class: '-wide') %> + <%= value_form.custom_field(container_class: '-wide', required: required) %> <% end %>
<% end %> diff --git a/app/views/homescreen/blocks/_administration.html.erb b/app/views/homescreen/blocks/_administration.html.erb index 4c050ed3a0..92bb5f8b8e 100644 --- a/app/views/homescreen/blocks/_administration.html.erb +++ b/app/views/homescreen/blocks/_administration.html.erb @@ -47,9 +47,14 @@ <%= link_to t(:label_custom_style), custom_style_path, title: t(:label_custom_style) %> - <%= content_tag :li do %> - <%= content_tag :object, nil, data: security_badge_url, type: "image/svg+xml", style: "vertical-align:top;" %> - <% end if Setting.security_badge_displayed? %> - <%= call_hook(:homescreen_administration_links) %> + +<%= content_tag :div, class: 'security-badge--container' do %> + <%= content_tag :object, nil, data: security_badge_url, type: "image/svg+xml" %> + <%= link_to '', + ::OpenProject::Static::Links[:security_badge_documentation][:href], + title: t(:label_what_is_this), + class: 'security-badge--help-icon icon-context icon-help1', + target: '_blank' %> +<% end if display_security_badge_graphic? %> diff --git a/app/views/settings/_general.html.erb b/app/views/settings/_general.html.erb index 411b0126c4..01b867c4d9 100644 --- a/app/views/settings/_general.html.erb +++ b/app/views/settings/_general.html.erb @@ -57,12 +57,18 @@ See docs/COPYRIGHT.rdoc for more details. <%= setting_text_field :file_max_size_displayed, size: 6, unit: t(:"number.human.storage_units.units.kb"), container_class: '-xslim' %>
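Review bot: The removed `<%= call_hook(:homescreen_administration_links) %>` has no counterpart on the new side of the homescreen/_administration.html.erb hunk, so unless the hook was moved elsewhere in the file, plugins that inject administration links through it lose their extension point; if that is unintended, keep `<%= call_hook(:homescreen_administration_links) %>` after the new badge container. The badge also changes from a `content_tag :li` inside the surrounding list to a `content_tag :div` guarded by `<% end if display_security_badge_graphic? %>`; confirm the new `div` sits outside the list element so the markup stays valid. The enclosing template section starts outside the hunk.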
<%= setting_text_field :diff_max_lines_displayed, size: 6, container_class: '-xslim' %>
+ + <% if OpenProject::Configuration.security_badge_displayed? %>
<%= setting_check_box :security_badge_displayed %> - <%= t(:text_notice_security_badge_displayed_html, information_panel_label: t(:label_information), information_panel_path: info_admin_index_path) %> + <%= t(:text_notice_security_badge_displayed_html, + information_panel_label: t(:label_information), + more_info_url: ::OpenProject::Static::Links[:security_badge_documentation][:href], + information_panel_path: info_admin_index_path) %>
+ <% end %> <%= call_hook(:view_settings_general_form) %>
<%= t(:setting_welcome_text) %> diff --git a/config/locales/en.yml b/config/locales/en.yml index 8ae95b8657..6ed27c7c8d 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -1582,6 +1582,7 @@ en: label_view_diff: "View differences" label_view_revisions: "View revisions" label_watched_work_packages: "Watched work packages" + label_what_is_this: "What is this?" label_week: "Week" label_wiki_content_added: "Wiki page added" label_wiki_content_updated: "Wiki page updated" @@ -2113,6 +2114,7 @@ en: setting_per_page_options: "Objects per page options" setting_plain_text_mail: "Plain text mail (no HTML)" setting_protocol: "Protocol" + setting_security_badge_displayed: "Display security badge" setting_registration_footer: "Registration footer" setting_repositories_automatic_managed_vendor: "Automatic repository vendor type" setting_repositories_encodings: "Repositories encodings" @@ -2258,6 +2260,12 @@ en: text_no_configuration_data: "Roles, types, work package statuses and workflow have not been configured yet.\nIt is highly recommended to load the default configuration. You will be able to modify it once loaded." text_no_notes: "There are no comments available for this work package." text_notice_too_many_values_are_inperformant: "Note: Displaying more than 100 items per page can increase the page load time." + text_notice_security_badge_displayed_html: > + Note: if enabled, this will display a badge with your installation status in the %{information_panel_label} administration panel, + and on the home page. It is displayed to administrators only. +
+ The badge will check your current OpenProject version against the official OpenProject release database to alert you of any updates or known vulnerabilities. + For more information on what the check provides, what data is needed to provide available updates, and how to disable this check, please visit the configuration documentation. text_own_membership_delete_confirmation: "You are about to remove some or all of your permissions and may no longer be able to edit this project after that.\nAre you sure you want to continue?" text_plugin_assets_writable: "Plugin assets directory writable" text_powered_by: "Powered by %{link}" diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md index c52684c393..eefcf62da7 100644 --- a/docs/configuration/configuration.md +++ b/docs/configuration/configuration.md 
@@ -310,6 +310,21 @@ default: password: admin ``` +## Security badge + +OpenProject now provides a release indicator (security badge) that will inform administrators of an OpenProject +installation on whether new releases or security updates are available for your platform. + +If enabled, this option will display a badge with your installation status at Administration > Information right next to the release version, +and on the home screen. It is only displayed to administrators. + +The badge will match your current OpenProject version against the official OpenProject release database to alert you of any updates or known vulnerabilities. +To ensure the newest available update can be returned, the check will include your installation type, current version, database type, enterprise status and an anonymous unique ID of the instance. +To localize the badge, the user's locale is sent. + +To disable rendering the badge, uncheck the setting at Administration > System settings > General or pass +the configuration flag `security_badge_displayed: false` . + ## Email configuration * `email_delivery_method`: The way emails should be delivered. Possible values: `smtp` or `sendmail` diff --git a/lib/open_project/configuration.rb b/lib/open_project/configuration.rb index f6f40b1ff3..8168d0b704 100644 --- a/lib/open_project/configuration.rb +++ b/lib/open_project/configuration.rb @@ -124,8 +124,11 @@ module OpenProject # Allow in-context translations to be loaded with CSP 'crowdin_in_context_translations' => true, + 'registration_footer' => {}, + # Display update / security badge, enabled by default + 'security_badge_displayed' => true, 'installation_type' => "manual", 'security_badge_url' => "https://releases.openproject.com/v1/check.svg" } diff --git a/lib/open_project/static/links.rb b/lib/open_project/static/links.rb index 9fe4cb6ed2..98056005b7 100644 --- a/lib/open_project/static/links.rb +++ b/lib/open_project/static/links.rb 
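Review bot: `'registration_footer' => {}` is added to the defaults in the configuration.rb hunk but nothing else in this change refers to it, so it looks unrelated to the security badge and should either get its own explanatory comment (what keys the empty hash is expected to hold) or move to a separate commit. The new `'security_badge_displayed' => true` default makes the outbound release check opt-out; the adjacent comment could say that explicitly, e.g. `# Display update / security badge; on by default, set to false to disable the outbound release check`, so an operator reading the defaults sees both the behaviour and the way to turn it off. The enclosing hash starts outside the hunk.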
@@ -117,6 +117,9 @@ module OpenProject
 client_credentials_code_flow: {
 href: 'https://oauth.net/2/grant-types/client-credentials/',
 label: 'oauth.flows.client_credentials'
+ },
+ security_badge_documentation: {
+ href: 'https://github.com/opf/openproject/blob/dev/docs/configuration/configuration.md#security-badge'
 }
 }
 end