Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/application_controller.rb8
-rw-r--r--app/controllers/messages_controller.rb2
-rw-r--r--app/controllers/news_controller.rb4
-rw-r--r--app/controllers/oauth2_applications_controller.rb38
-rw-r--r--app/controllers/projects_controller.rb2
-rw-r--r--app/controllers/reactions_controller.rb65
-rw-r--r--app/controllers/versions_controller.rb4
-rw-r--r--app/controllers/wiki_controller.rb1
8 files changed, 120 insertions, 4 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 074392709..a01d5c75f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -131,6 +131,14 @@ class ApplicationController < ActionController::Base
if (key = api_key_from_request)
# Use API key
user = User.find_by_api_key(key)
+ elsif access_token = Doorkeeper.authenticate(request)
+ # Oauth
+ if access_token.accessible?
+ user = User.active.find_by_id(access_token.resource_owner_id)
+ user.oauth_scope = access_token.scopes.all.map(&:to_sym)
+ else
+ doorkeeper_render_error
+ end
elsif /\ABasic /i.match?(request.authorization.to_s)
# HTTP Basic, either username/password or API key/random
authenticate_with_http_basic do |username, password|
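Review bot: In the new OAuth branch, `user.oauth_scope = ...` is called on the result of `User.active.find_by_id(access_token.resource_owner_id)` with no nil check. A token that is still accessible but whose resource owner is locked or deleted, or that carries no resource owner id, would raise NoMethodError and return a 500 instead of being treated as unauthenticated. Guard the assignment, e.g. `user.oauth_scope = access_token.scopes.all.map(&:to_sym) if user`. The `else` branch calls `doorkeeper_render_error`, but the enclosing method starts and ends outside this hunk, so it is not visible whether the remaining lookup logic is skipped after that render; a comment there stating the expected control flow would help.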
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 22daf9f90..8b26bee73 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -51,6 +51,8 @@ class MessagesController < ApplicationController
offset(@reply_pages.offset).
to_a
+ Message.preload_reaction_details(@replies)
+
@reply = Message.new(:subject => "RE: #{@message.subject}")
render :action => "show", :layout => false if request.xhr?
end
diff --git a/app/controllers/news_controller.rb b/app/controllers/news_controller.rb
index 06240e359..dd6bade24 100644
--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
@@ -67,8 +67,10 @@ class NewsController < ApplicationController
end
def show
- @comments = @news.comments.to_a
+ @comments = @news.comments.preload(:commented).to_a
@comments.reverse! if User.current.wants_comments_in_reverse_order?
+
+ Comment.preload_reaction_details(@comments)
end
def new
diff --git a/app/controllers/oauth2_applications_controller.rb b/app/controllers/oauth2_applications_controller.rb
new file mode 100644
index 000000000..107af2ec0
--- /dev/null
+++ b/app/controllers/oauth2_applications_controller.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+#
+# Redmine - project management software
+# Copyright (C) 2006- Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+class Oauth2ApplicationsController < Doorkeeper::ApplicationsController
+ private
+
+ def application_params
+ params[:doorkeeper_application] ||= {}
+ params[:doorkeeper_application][:scopes] ||= []
+
+ scopes = Redmine::AccessControl.public_permissions.map{|p| p.name.to_s}
+
+ if params[:doorkeeper_application][:scopes].is_a?(Array)
+ scopes |= params[:doorkeeper_application][:scopes]
+ else
+ scopes |= params[:doorkeeper_application][:scopes].split(/\s+/)
+ end
+ params[:doorkeeper_application][:scopes] = scopes.join(' ')
+ super
+ end
+end
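Review bot: The `else` branch of `application_params` assumes `params[:doorkeeper_application][:scopes]` is a String whenever it is not an Array. A request that submits it as a nested hash would fail on `.split` with NoMethodError rather than a validation error, so make the branch explicit with `elsif params[:doorkeeper_application][:scopes].is_a?(String)` and ignore other shapes. The method also unconditionally merges every public permission into the requested scopes and rewrites `params` in place. A short comment above `scopes = ...` explaining why public permissions are always included would make that intent reviewable. Whether the submitted scope names are checked against the configured set happens in `super` or the model, which is not visible here.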
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index f9a390c58..2a42c99ed 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -176,7 +176,7 @@ class ProjectsController < ApplicationController
respond_to do |format|
format.html do
@principals_by_role = @project.principals_by_role
- @subprojects = @project.children.visible.to_a
+ @subprojects = @project.leaf? ? [] : @project.children.visible.to_a
@news = @project.news.limit(5).includes(:author, :project).reorder("#{News.table_name}.created_on DESC").to_a
with_subprojects = Setting.display_subprojects_issues?
@trackers = @project.rolled_up_trackers(with_subprojects).visible
diff --git a/app/controllers/reactions_controller.rb b/app/controllers/reactions_controller.rb
new file mode 100644
index 000000000..71b37e5f8
--- /dev/null
+++ b/app/controllers/reactions_controller.rb
@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+# Redmine - project management software
+# Copyright (C) 2006- Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+class ReactionsController < ApplicationController
+ before_action :require_login
+
+ before_action :check_enabled
+ before_action :set_object, :authorize_reactable
+
+ def create
+ respond_to do |format|
+ format.js do
+ @object.reactions.find_or_create_by!(user: User.current)
+ end
+ format.any { head :not_found }
+ end
+ end
+
+ def destroy
+ respond_to do |format|
+ format.js do
+ reaction = @object.reactions.by(User.current).find_by(id: params[:id])
+ reaction&.destroy
+ end
+ format.any { head :not_found }
+ end
+ end
+
+ private
+
+ def check_enabled
+ render_403 unless Setting.reactions_enabled?
+ end
+
+ def set_object
+ object_type = params[:object_type]
+
+ unless Redmine::Reaction::REACTABLE_TYPES.include?(object_type)
+ render_403
+ return
+ end
+
+ @object = object_type.constantize.find(params[:object_id])
+ end
+
+ def authorize_reactable
+ render_403 unless Redmine::Reaction.editable?(@object, User.current)
+ end
+end
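Review bot: `set_object` loads the record with an unscoped `object_type.constantize.find(params[:object_id])`, so whether the current user may even see the object rests entirely on `authorize_reactable` and `Redmine::Reaction.editable?`, neither of which is visible in this diff. Add a comment on `set_object` such as `# Lookup is intentionally unscoped; visibility is enforced by authorize_reactable, which must run after this filter`, and confirm that `editable?` checks visibility of the target and not only the reaction permission. The `REACTABLE_TYPES.include?` check is what makes `constantize` on a request parameter safe, so it is worth a comment saying it must stay ahead of that call. Separately, `find_or_create_by!` in `create` can raise under two concurrent requests if the reactions table has a uniqueness constraint (not shown here); rescuing that case would keep a double click from surfacing as an error.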
diff --git a/app/controllers/versions_controller.rb b/app/controllers/versions_controller.rb
index d52b43ba3..328d3e56e 100644
--- a/app/controllers/versions_controller.rb
+++ b/app/controllers/versions_controller.rb
@@ -51,7 +51,7 @@ class VersionsController < ApplicationController
if @selected_tracker_ids.any? && @versions.any?
issues = Issue.visible.
includes(:project, :tracker).
- preload(:status, :priority, :fixed_version).
+ preload(:status, :priority, :fixed_version, {:assigned_to => :email_address}).
where(:tracker_id => @selected_tracker_ids, :project_id => project_ids, :fixed_version_id => @versions.map(&:id)).
order("#{Project.table_name}.lft, #{Tracker.table_name}.position, #{Issue.table_name}.id")
@issues_by_version = issues.group_by(&:fixed_version)
@@ -69,7 +69,7 @@ class VersionsController < ApplicationController
format.html do
@issues = @version.fixed_issues.visible.
includes(:status, :tracker, :priority).
- preload(:project).
+ preload(:project, {:assigned_to => :email_address}).
reorder("#{Tracker.table_name}.position, #{Issue.table_name}.id").
to_a
end
diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb
index 36b90da77..bcb3b0891 100644
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@@ -240,6 +240,7 @@ class WikiController < ApplicationController
# don't load text
@versions = @page.content.versions.
select("id, author_id, comments, updated_on, version").
+ preload(:author).
reorder('version DESC').
limit(@version_pages.per_page + 1).
offset(@version_pages.offset).