Redmine

that patch did not apply to my 5.1-stable branch. However, I finagled the changes into config/routes.rb and acts_as_attachable.rb and that works.

also I am fine with myplugin/init.rb having

Redmine::Plugin.register :myplugin do
  ... 
  Redmine::Acts::Attachable::ObjectTypeConstraint.register_object_type(Expense.name.underscore.pluralize) 
  ...
end

thanks!

Hi,

this change breaks all redmineup plugins with Redmine 5.1-stable branch (I suppose same with 5.0-stable branch). They use redmine_crm gem in all plugins with this compatibility issue.

bundle exec rake db:migrate
rake aborted!
NoMethodError: undefined method `[]' for Redmine::Acts::Attachable::ObjectTypeConstraint:Class

          options[:object_type] = /.+/ if options[:object_type] && options[:object_type].is_a?(Regexp)
                                                 ^^^^^^^^^^^^^^
/srv/redmine/.local/share/gem/ruby/3.1.0/gems/redmine_crm-0.0.62/lib/redmine_crm/compatibility/routing_mapper_patch.rb:15:in `constraints_with_redmine_crm'
/srv/redmine/redmine/config/routes.rb:322:in `block in <top (required)>'
/srv/redmine/.local/share/gem/ruby/3.1.0/gems/actionpack-6.1.7.6/lib/action_dispatch/routing/route_set.rb:427:in `instance_exec'
/srv/redmine/.local/share/gem/ruby/3.1.0/gems/actionpack-6.1.7.6/lib/action_dispatch/routing/route_set.rb:427:in `eval_block'
/srv/redmine/.local/share/gem/ruby/3.1.0/gems/actionpack-6.1.7.6/lib/action_dispatch/routing/route_set.rb:409:in `draw'
/srv/redmine/redmine/config/routes.rb:20:in `<top (required)>'

I am not sure this change should go to stable branch, if it breaks existing plugins.

Alexander Meindl wrote in #note-5:

Hi,

this change breaks all redmineup plugins with Redmine 5.1-stable branch (I suppose same with 5.0-stable branch). They use redmine_crm gem in all plugins with this compatibility issue.

[...]

I am not sure this change should go to stable branch, if it breaks existing plugins.

In this case, yes, I think we cannot deliver the change in maintenance releases. Jens, Mischa, what do you think?

All redmineup plugins broken after update

Well, the patch in the redmine_crm gem (here in version 0.0.62 licensed under GPL 2) is as follows:

# lib/redmine_crm/compatibility/routing_mapper_patch.rb

module RedmineCrm
  module Patches
    module RoutingMapperPatch
      def self.included(base)
        base.send(:include, InstanceMethods)

        base.class_eval do
          alias_method :constraints_without_redmine_crm, :constraints
          alias_method :constraints, :constraints_with_redmine_crm
        end
      end

      module InstanceMethods
        def constraints_with_redmine_crm(options = {}, &block)
          options[:object_type] = /.+/ if options[:object_type] && options[:object_type].is_a?(Regexp)
          constraints_without_redmine_crm(options, &block)
        end
      end
    end
  end
end

unless ActionDispatch::Routing::Mapper.included_modules.include?(RedmineCrm::Patches::RoutingMapperPatch)
  ActionDispatch::Routing::Mapper.send(:include, RedmineCrm::Patches::RoutingMapperPatch)
end

This patch thus circumvents/removes one of the security fixes we have introduced in #37772 for CVE-2022-44030. The patch in the plugin gem thus reduces the security of the entire Redmine the plugins are installed to.

As they do not use a supported Redmine extension API but effectively change code on assumptions they made at the time they created the patch, this was always prone to breakage in any release.

Accordingly, rather than postpone the patch in this issue here, we should roll it out in order to give the plugin authors a supported extension API so that they can fix their plugin in a way which does not impact Redmine's security and is not prone to arbitrary breakage anymore. The underlying issue must be fixed by the plugin authors in any case.

Thank you Holger.

We just updated our gem redmine_crm v0.0.63 with routes fix

Holger Just wrote in #note-9:

Well, the patch in the redmine_crm gem (here in version 0.0.62 licensed under GPL 2) is as follows:

Alexander Meindl wrote in #note-5:

Hi,

this change breaks all redmineup plugins with Redmine 5.1-stable branch (I suppose same with 5.0-stable branch). They use redmine_crm gem in all plugins with this compatibility issue.

[...]

I am not sure this change should go to stable branch, if it breaks existing plugins.

Marius BĂLTEANU wrote in #note-14:

Committed and merged to stable branches, thanks!

It was in Redmine 5.0.8

But I got the same error in the 5.1.2 ( #40409 )