Merge branch 'release/16.0' into dev

Author: openprojectci

app/services/work_packages/delete_service.rb

@@ -50,7 +50,7 @@ def persist(service_result)
 
   def destroy_descendants(descendants, result)
     descendants.each do |descendant|
-      success = destroy(descendant)
+      success = destroy(descendant.reload)
       result.add_dependent!(ServiceResult.new(success:, result: descendant))
     end
   end
@@ -63,6 +63,7 @@ def destroy(work_package)
 
   def find_successors_of_self_and_descendants(work_package)
     WorkPackage.where(id: Relation.follows.of_predecessor(work_package.self_and_descendants).select(:from_id))
+               .where.not(id: work_package.self_and_descendants)
   end
 
   def update_ancestors_and_successors(successors, result)
@@ -94,8 +95,8 @@ def reschedule_related(deleted_work_package, successors)
       .new(user:, work_package: work_packages_to_reschedule)
       .call
 
-    result.dependent_results.map(&:result).each do |dependent_result|
-      dependent_result.save(validate: false)
+    result.dependent_results.map(&:result).each do |rescheduled_work_package|
+      rescheduled_work_package.save(validate: false)
     end
 
     result

docs/installation-and-operations/configuration/README.md

@@ -320,7 +320,7 @@ OPENPROJECT_SEED_DESIGN_EXPORT__COVER="..."
 
 ### Allowing public access
 
-By default, any request to the OpenProject application needs to be authenticated. If you want to enable public unauthenticated access like we do for https://community.openproject.org, you can set the `login_required` to `false`. If not provided through environment variables, this setting is also accessible in the administrative UI. Please see the [authentication settings guide](../../system-admin-guide/authentication/authentication-settings/#general-authentication-settings) for more details.
+By default, any request to the OpenProject application needs to be authenticated. If you want to enable public unauthenticated access like we do for https://community.openproject.org, you can set the `login_required` to `false`. If not provided through environment variables, this setting is also accessible in the administrative UI. Please see the [authentication settings guide](../../system-admin-guide/authentication/login-registration-settings/) for more details.
 
 *default: true*
 

docs/system-admin-guide/authentication/README.md

@@ -13,12 +13,12 @@ Configure **authentication** settings and authentication providers in OpenProjec
 
 ## Overview
 
-| Topic                                                                        | Content                                                                               |
-|------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------|
-| [Authentication settings](authentication-settings)                           | Configure general authentication settings, such as registration, passwords, and more. |
-| [OAuth applications](oauth-applications)                                     | How to configure OAuth applications in OpenProject.                                   |
-| [OpenID providers](openid-providers)                                         | How to configure OpenID providers in OpenProject.                                     |
-| [Two-factor authentication](two-factor-authentication)                       | Set up and manage two-factor authentication (2FA) in OpenProject.                     |
-| [reCAPTCHA](recaptcha)                                                       | How to activate reCAPTCHA in OpenProject.                                             |
-| [LDAP authentication](ldap-connections)                                      | How to set up LDAP authentication in OpenProject.                                     |
-| [LDAP group synchronization](ldap-connections/ldap-group-synchronization) | How to configure LDAP group synchronization in OpenProject. (Enterprise add-on)         |
+| Topic                                                        | Content                                                      |
+| ------------------------------------------------------------ | :----------------------------------------------------------- |
+| [Login and registration settings](login-registration-settings) | Configure general authentication settings, such as registration, SSO, passwords, and more. |
+| [OAuth applications](oauth-applications)                     | How to configure OAuth applications in OpenProject.          |
+| [OpenID providers](openid-providers)                         | How to configure OpenID providers in OpenProject.            |
+| [Two-factor authentication](two-factor-authentication)       | Set up and manage two-factor authentication (2FA) in OpenProject. |
+| [reCAPTCHA](recaptcha)                                       | How to activate reCAPTCHA in OpenProject.                    |
+| [LDAP authentication](ldap-connections)                      | How to set up LDAP authentication in OpenProject.            |
+| [LDAP group synchronization](ldap-connections/ldap-group-synchronization) | How to configure LDAP group synchronization in OpenProject. (Enterprise add-on) |

docs/system-admin-guide/authentication/authentication-faq/README.md

@@ -22,7 +22,7 @@ For on premises installations the functionality can be deactivated the same way
 
 ## Can we ensure that passwords are secure / have a high strength?
 
-Password parameters for OpenProject can be configured on each OpenProject environment. Typically passwords require 10+ characters, as well as special characters. Please find the respective instruction [here](../authentication-settings/#configure-password-settings).
+Password parameters for OpenProject can be configured on each OpenProject environment. Typically passwords require 10+ characters, as well as special characters. Please find the respective instruction [here](../login-registration-settings/#password-settings).
 
 ## How can a user change his/her authentication method?
 

docs/system-admin-guide/authentication/authentication-settings/README.md

@@ -0,0 +1,97 @@
+---
+sidebar_navigation:
+  title: Settings
+  priority: 990
+description: Login and registration settings in OpenProject.
+keywords: authentication settings, login settings, registration settings, OpenProject login, login, registration
+---
+# Login and registration
+
+To adapt general system **login and registration settings** in OpenProject, navigate to *Administration -> Authentication* and choose -> *Login and registration*.
+
+Here you can adapt various settings related to login and registration in OpenProject, grouped under three tabs: 
+
+- Login and SSO
+
+- Registration 
+
+- Passwords
+
+![Login and registration settings in OpenProject administration](openproject_system_admin_guide_authentication_settings_login_and_registration.png)
+
+## Login and SSO settings
+
+Under the *Login and SSO* tab you can adjust following settings: 
+
+1. Select a **direct login SSO provider**. If this option is active, login requests will be redirected to the configured Omniauth provider. This will disable the login dropdown and sign-in page. 
+
+   > [!NOTE]
+   >
+   > Unless you also disable password logins, with this option enabled, users can still log in internally by visiting internal login page, for example `https://yourinstancename.openproject.com/login/internal` login page.
+
+2. Enable or disable the **autologin option**. This allows a user to remain logged in, even if they leave the site. If this option is activated, the “Stay signed in” option will appear on the login screen to be selected.
+
+3. Activate the **session expiration option**. 
+
+4. Set the **duration for inactivity time**, after which a session will expire. Note that any value below 5 will be treated as disabling the session expiry setting.
+
+5. Define whether **user login, name, and mail address** should be logged for all requests.
+
+6. Define a path to **redirect users to after their first login**. If left empty, users are redirected to the homepage to see the onboarding tour.
+
+7. Set a **default path to redirect users to after login** (only if the login link is not a back link, i.e. `www.example.openproject.com/login`). If left empty, users are redirected to the homepage.
+
+   Do not forget to **save** your changes.
+
+![Login and SSO tab under login and registration settings in OpenProject system administration](openproject_system_admin_guide_authentication_settings_login_sso_tab.png)
+
+## Registration settings
+
+Under the *Registration* tab you can adjust following settings: 
+
+1. Select if the **authentication is required** to access OpenProject. For versions 13.1 and higher of OpenProject, this setting will be checked by default
+
+> [!IMPORTANT]
+> If you uncheck this box, your OpenProject instance will be visible to the general public without logging in. The visibility of individual projects depends on [this setting](../../../user-guide/projects/#set-a-project-to-public).
+
+2. Select an option for **self-registration**. Self-registration can either be **disabled**, or it can be allowed with the following criteria:
+
+   a) **Account activation by email** - users can register on their own. They will receive an activation email and will need to activate their account after confirming  their email address. 
+
+   > [!WARNING]
+   >
+   > Administrators have no moderation control over this  activation process if this method is selected.
+   
+   b) **Manual account activation** - users can register on their own. However, an administrator (or a user with the global permission to create or manage  users) needs to activate them.
+   
+   c) **Automatic account activation** - users can register on their own. Their accounts are immediately active  without further action. 
+   
+   >  [!WARNING]
+   >
+   > Administrators have no moderation control over this  activation process if this method is selected.
+
+> [!NOTE]
+> By default, self-registration is only applied to internal users (logging in with username and password). If you have an identity provider such as LDAP, SAML or OpenID Connect, use the respective settings in their configuration to control which users are applicable for automatic user creation.
+
+3. Define after how many days the **activation email sent to new users will expire**. Afterwards, you will have the possibility to [re-send the activation email](../../users-permissions/users/#resend-user-invitation-via-email) via the user settings.
+
+3. Choose for which **language** you want to define **the footer displayed at the bottom of the registration page** and formulate that footer text.
+
+
+![Registration tab under Login and Registration section of authentication settings in OpenProject administration](openproject_system_admin_guide_authentication_settings_registration_tab.png)
+
+## Password settings
+
+Under the *Password* tab you can adjust following settings: 
+
+1. Define the **minimum password length**.
+2. Select what **character classes are a mandatory part of the password**.
+3. Define the **minimum number of required character classes**.
+4. Define the number of days, after which a **password change should be enforced**. Value of 0 disables this option, i.e. no password change will be enforced.
+5. Define the **number of the most recently used passwords that a user should not be allowed to reuse**.
+6. Activate the **password reset** (Forgot your password option). This way users will be able to reset their own passwords via email.
+7. Define the number of failed **login attempts, after which a user will be temporarily blocked**. Value of 0 disables this option, i.e. users will not be blocked after any amount of failed login attempts.
+8. Define the **duration of the time, for which the user will be blocked after failed login attempts**. Value of 0 disables this option.
+
+![Password settings tab under Login and Registration section of authentication settings in OpenProject administration](openproject_system_admin_guide_authentication_settings_password_tab.png)
+

docs/system-admin-guide/authentication/authentication-settings/openproject_system_admin_guide_authentication_settings.png

@@ -250,7 +250,7 @@ OPENPROJECT_SAML_SAML_SECURITY_DIGEST__METHOD="http://www.w3.org/2000/09/xmldsig
 
 #### Optional: Restrict who can automatically self-register
 
-You can configure OpenProject to restrict which users can register on the system with the [authentication self-registration setting](../authentication-settings)
+You can configure OpenProject to restrict which users can register on the system with the [authentication self-registration setting](../login-registration-settings/)
 
  By default, users returning from a SAML idP will be automatically created. If you'd like for the SAML integration to respect the configured self-registration option, please use this setting:
 
@@ -304,7 +304,7 @@ When you return from the authentication provider, you might be shown one of thes
 
 Once created, you can assign this SAML provider to become the direct login provider. Users will be directed to the login page of the provider without seeing a login form in OpenProject. [Read more](../../../installation-and-operations/configuration/#omniauth-direct-login-provider).
 
-In the user interface, you can assign this through [Administration > Authentication > Settings](../authentication-settings/).
+In the user interface, you can assign this through [Administration > Authentication > Settings](../login-registration-settings/).
 
 Using environment variables, you could also set this in the following way