Merge branch 'release/8.3' into stable/8

[ci skip]

app/models/user.rb

@@ -136,6 +136,7 @@ class User < Principal
   after_save :update_password
 
   before_create :sanitize_mail_notification_setting
+  before_create :enforce_user_limit
   before_destroy :delete_associated_private_queries
   before_destroy :reassign_associated
 
@@ -751,6 +752,20 @@ class User < Principal
     end
   end
 
+  def enforce_user_limit
+    return if anonymous?
+    return unless active? && OpenProject::Enterprise.user_limit_reached?
+
+    if OpenProject::Enterprise.fail_fast?
+      errors.add :base, :user_limit_reached
+
+      throw :abort # prevent user creation
+    else
+      # allow creation but change status to registered so user cannot login
+      register!
+    end
+  end
+
   private
 
   def self.mail_regexp(mail)

app/uploaders/fog_file_uploader.rb

@@ -58,7 +58,7 @@ class FogFileUploader < CarrierWave::Uploader::Base
   end
 
   def download_url
-    remote_file.url
+    remote_file.url(query: { "response-content-disposition" => model.content_disposition })
   end
 
   ##

config/locales/en.yml

@@ -634,6 +634,8 @@ en:
               group_without_name: "Unnamed groups are not allowed."
         user:
           attributes:
+            base:
+              user_limit_reached: "User limit reached."
             password:
               weak: "Must contain characters of the following classes (at least %{min_count} of %{all_count}): %{rules}."
               lowercase: "lowercase (e.g. 'a')"

spec/controllers/attachments_controller_spec.rb

@@ -158,6 +158,22 @@ describe AttachmentsController, type: :controller do
       it 'redirects to AWS' do
         expect(subject.location).to match(url)
       end
+
+      context 'with an inline image' do
+        let(:file) { FileHelpers.mock_uploaded_file name: 'foobar.jpg', content_type: 'image/jpeg' }
+
+        it 'returns a download disposition' do
+          expect(subject.location).to include 'response-content-disposition=inline'
+        end
+      end
+
+      context 'with an SVG (#28715)' do
+        let(:file) { FileHelpers.mock_uploaded_file name: 'foobar.svg', content_type: 'image/svg+xml' }
+
+        it 'returns a download disposition' do
+          expect(subject.location).to include 'response-content-disposition=attachment'
+        end
+      end
     end
   end
 end

spec/controllers/users_controller_spec.rb

@@ -39,15 +39,15 @@ describe UsersController, type: :controller do
   end
 
   let(:user_password) {'bob!' * 4}
-  let(:user) do
+  let!(:user) do
     FactoryBot.create(:user,
                        login: 'bob',
                        password: user_password,
                        password_confirmation: user_password,
                        )
   end
-  let(:admin) { FactoryBot.create(:admin) }
-  let(:anonymous) { FactoryBot.create(:anonymous) }
+  let!(:admin) { FactoryBot.create(:admin) }
+  let!(:anonymous) { FactoryBot.create(:anonymous) }
 
   describe 'GET new' do
     context "with user limit reached" do

spec/lib/open_project/enterprise_spec.rb

@@ -54,7 +54,13 @@ describe OpenProject::Enterprise do
         let(:num_active_users) { 0 }
 
         before do
-          FactoryBot.create_list :user, num_active_users
+          begin
+            allow(OpenProject::Enterprise).to receive(:user_limit_reached?).and_return(false)
+
+            FactoryBot.create_list :user, num_active_users
+          ensure
+            allow(OpenProject::Enterprise).to receive(:user_limit_reached?).and_call_original
+          end
 
           expect(User.active.count).to eq num_active_users
         end

spec/requests/api/v3/user/create_user_with_user_limits_spec.rb

@@ -0,0 +1,116 @@
+#-- encoding: UTF-8
+#-- copyright
+# OpenProject is a project management system.
+# Copyright (C) 2012-2015 the OpenProject Foundation (OPF)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See doc/COPYRIGHT.rdoc for more details.
+
+require 'spec_helper'
+
+describe "user limits in users API", type: :request do
+  include API::V3::Utilities::PathHelper
+
+  let(:path) { api_v3_paths.users }
+  let(:admin) { FactoryBot.build(:admin) }
+
+  let(:parameters) do
+    {
+      login: "p.putzig",
+      firstName: "Peter",
+      lastName: "Putzig",
+      email: "p.putzig@openproject.com",
+      password: "hallohallo"
+    }
+  end
+
+  let(:user) { User.find_by(login: parameters[:login]) }
+
+  before do
+    login_as admin
+  end
+
+  def send_request
+    header "Content-Type", "application/json"
+
+    post path, parameters.to_json
+  end
+
+  shared_examples "creating the user" do
+    let(:response_status) { 201 }
+    let(:status) { :active }
+
+    def status_name(status)
+      User::STATUSES.find { |k, v| v == status }.first
+    end
+
+    before do
+      send_request
+
+      expect(last_response.status).to eq response_status
+    end
+
+    it "creates the new user" do
+      expect(user).to be_present
+    end
+
+    it "sets the right user status" do
+      expect(status_name(user.status)).to eq status
+    end
+  end
+
+  context "with user limit reached" do
+    before do
+      allow(OpenProject::Enterprise).to receive(:user_limit_reached?).and_return(true)
+    end
+
+    context "with fail fast (hard limit)" do
+      before do
+        allow(OpenProject::Enterprise).to receive(:fail_fast?).and_return(true)
+      end
+
+      it "does not create the user" do
+        send_request
+
+        expect(user).not_to be_present
+
+        expect(last_response.status).to eq 422
+        expect(JSON.parse(last_response.body)["message"]).to eq "User limit reached."
+      end
+    end
+
+    context "without fail fast (soft limit)" do
+      before do
+        allow(OpenProject::Enterprise).to receive(:fail_fast?).and_return(false)
+      end
+
+      it_behaves_like "creating the user" do
+        let(:status) { :registered }
+      end
+    end
+  end
+
+  context "with user limit not reached" do
+    it_behaves_like "creating the user"
+  end
+end