decidim-consultations 0.11.2 → 0.12.0.pre

data/app/controllers/decidim/consultations/admin/responses_controller.rb

@@ -4,22 +4,22 @@ module Decidim
   module Consultations
     module Admin
       # Controller that manages responses for a question
-      class ResponsesController < Decidim::Admin::ApplicationController
+      class ResponsesController < Decidim::Consultations::Admin::ApplicationController
         include QuestionAdmin
 
         helper_method :current_response
 
         def index
-          authorize! :index, Decidim::Consultations::Response
+          enforce_permission_to :read, :response
         end
 
         def new
-          authorize! :create, Decidim::Consultations::Response
+          enforce_permission_to :create, :response
           @form = response_form.instance
         end
 
         def create
-          authorize! :create, Decidim::Consultations::Response
+          enforce_permission_to :create, :response
           @form = response_form.from_params(params, current_question: current_question)
 
           CreateResponse.call(@form) do
@@ -36,12 +36,12 @@ module Decidim
         end
 
         def edit
-          authorize! :update, current_response
+          enforce_permission_to :update, :response, response: current_response
           @form = response_form.from_model(current_response, current_question: current_question)
         end
 
         def update
-          authorize! :update, current_response
+          enforce_permission_to :update, :response, response: current_response
 
           @form = response_form.from_params(params, current_question: current_question)
           UpdateResponse.call(current_response, @form) do
@@ -58,7 +58,7 @@ module Decidim
         end
 
         def destroy
-          authorize! :destroy, current_response
+          enforce_permission_to :destroy, :response, response: current_response
 
           current_response.destroy
           if current_response.valid?

data/app/controllers/decidim/consultations/application_controller.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Consultations
+    # A controller that holds the logic to show consultations in a
+    # public layout.
+    class ApplicationController < Decidim::ApplicationController
+      include NeedsPermission
+
+      private
+
+      def permission_class_chain
+        [
+          Decidim::Consultations::Permissions,
+          Decidim::Admin::Permissions,
+          Decidim::Permissions
+        ]
+      end
+
+      def permission_scope
+        :public
+      end
+    end
+  end
+end

data/app/controllers/decidim/consultations/consultations_controller.rb

@@ -4,7 +4,7 @@ module Decidim
   module Consultations
     # A controller that holds the logic to show consultations in a
     # public layout.
-    class ConsultationsController < Decidim::ApplicationController
+    class ConsultationsController < Decidim::Consultations::ApplicationController
       layout "layouts/decidim/consultation", only: :show
 
       include NeedsConsultation
@@ -22,29 +22,15 @@ module Decidim
       helper Decidim::WidgetUrlsHelper
 
       def index
-        authorize! :read, Consultation
-        redirect_to consultation_path(active_consultations.first) if active_consultations.count == 1
+        enforce_permission_to :read, :consultation_list
       end
 
       def show
-        authorize! :read, current_consultation
-      end
-
-      def finished
-        authorize! :read, Consultation
-        render layout: "layouts/decidim/consultation_choose"
+        enforce_permission_to :read, :consultation, consultation: current_consultation
       end
 
       private
 
-      def finished_consultations
-        @finished_consultations ||= OrganizationConsultations.for(current_organization).finished.published
-      end
-
-      def active_consultations
-        @active_consultations ||= OrganizationConsultations.for(current_organization).active.published
-      end
-
       def consultations
         @consultations = search.results
         @consultations = reorder(@consultations)

data/app/controllers/decidim/consultations/question_votes_controller.rb

@@ -2,14 +2,14 @@
 
 module Decidim
   module Consultations
-    class QuestionVotesController < Decidim::ApplicationController
+    class QuestionVotesController < Decidim::Consultations::ApplicationController
       include NeedsQuestion
       include Decidim::FormFactory
 
       before_action :authenticate_user!
 
       def create
-        authorize! :vote, current_question
+        enforce_permission_to :vote, :question, question: current_question
 
         vote_form = form(VoteForm).from_params(params, current_question: current_question)
         VoteQuestion.call(vote_form) do
@@ -27,7 +27,7 @@ module Decidim
       end
 
       def destroy
-        authorize! :unvote, current_question
+        enforce_permission_to :unvote, :question, question: current_question
         UnvoteQuestion.call(current_question, current_user) do
           on(:ok) do
             current_question.reload

data/app/controllers/decidim/consultations/questions_controller.rb

@@ -4,7 +4,7 @@ module Decidim
   module Consultations
     # A controller that holds the logic to show questions in a
     # public layout.
-    class QuestionsController < Decidim::ApplicationController
+    class QuestionsController < Decidim::Consultations::ApplicationController
       layout "layouts/decidim/question"
 
       include NeedsQuestion
@@ -16,7 +16,7 @@ module Decidim
       helper Decidim::ResourceReferenceHelper
 
       def show
-        authorize! :read, current_question
+        enforce_permission_to :read, :question, question: current_question
       end
     end
   end

data/app/forms/decidim/consultations/admin/consultation_form.rb

@@ -17,6 +17,7 @@ module Decidim
         attribute :remove_banner_image
         attribute :introductory_video_url, String
         attribute :introductory_image, String
+        attribute :remove_introductory_image
         attribute :decidim_highlighted_scope_id, Integer
         attribute :start_voting_date, Date
         attribute :end_voting_date, Date

data/app/models/decidim/consultation.rb

@@ -5,6 +5,7 @@ module Decidim
   class Consultation < ApplicationRecord
     include Decidim::Participable
     include Decidim::Publicable
+    include Decidim::Resourceable
     include Decidim::Consultations::PublicableResults
 
     belongs_to :organization,
@@ -56,8 +57,8 @@ module Decidim
       questions.published.where(decidim_scope_id: decidim_highlighted_scope_id)
     end
 
-    def regular_questions
-      questions.published.where.not(decidim_scope_id: decidim_highlighted_scope_id).group_by(&:scope)
+    def questions_by_scope
+      questions.published.group_by(&:scope)
     end
 
     # This method exists with the only purpose of getting rid of whats seems to be an issue in
@@ -72,7 +73,7 @@ module Decidim
     def self.order_randomly(seed)
       transaction do
         connection.execute("SELECT setseed(#{connection.quote(seed)})")
-        select('"decidim_consultations".*, RANDOM()').order("RANDOM()").load
+        select('"decidim_consultations".*, RANDOM()').order(Arel.sql("RANDOM()")).load
       end
     end
   end

data/app/models/decidim/consultations/question.rb

@@ -87,6 +87,27 @@ module Decidim
         votes.where(author: user).any?
       end
 
+      # Public: Checks whether the given user can unvote the question or note.
+      #
+      # Returns a Boolean.
+      def can_be_unvoted_by?(user)
+        consultation.active? &&
+          consultation.published? &&
+          published? &&
+          voted_by?(user)
+      end
+
+      # Public: Checks whether the given user can vote the question or note.
+      #
+      # Returns a Boolean.
+      def can_be_voted_by?(user)
+        organization.id == user.organization.id &&
+          consultation.active? &&
+          consultation.published? &&
+          published? &&
+          !voted_by?(user)
+      end
+
       def scopes_enabled?
         false
       end
@@ -119,7 +140,7 @@ module Decidim
       def self.order_randomly(seed)
         transaction do
           connection.execute("SELECT setseed(#{connection.quote(seed)})")
-          select('"decidim_consultations_questions".*, RANDOM()').order("RANDOM()").load
+          select('"decidim_consultations_questions".*, RANDOM()').order(Arel.sql("RANDOM()")).load
         end
       end
     end

data/app/permissions/decidim/consultations/admin/permissions.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Consultations
+    module Admin
+      class Permissions < Decidim::DefaultPermissions
+        def permissions
+          return permission_action unless user
+          return permission_action unless permission_action.scope == :admin
+          return permission_action if consultation && !consultation.is_a?(Decidim::Consultation)
+
+          unless user.admin?
+            disallow!
+            return permission_action
+          end
+
+          user_can_enter_space_area?
+
+          if read_admin_dashboard_action?
+            allow!
+            return permission_action
+          end
+
+          allowed_read_participatory_space?
+          allowed_consultation_action?
+          allowed_question_action?
+          allowed_response_action?
+
+          permission_action
+        end
+
+        private
+
+        def question
+          @question ||= context.fetch(:question, nil)
+        end
+
+        def consultation
+          @consultation ||= context.fetch(:consultation, nil) || context.fetch(:participatory_space, nil)
+        end
+
+        def response
+          @response ||= context.fetch(:response, nil)
+        end
+
+        def allowed_consultation_action?
+          return unless permission_action.subject == :consultation
+
+          case permission_action.action
+          when :create, :read, :publish
+            allow!
+          when :update, :destroy, :preview
+            toggle_allow(consultation.present?)
+          when :publish_results
+            toggle_allow(consultation.finished? && !consultation.results_published?)
+          when :unpublish_results
+            toggle_allow(consultation.results_published?)
+          end
+        end
+
+        def allowed_question_action?
+          return unless permission_action.subject == :question
+
+          case permission_action.action
+          when :create, :read
+            allow!
+          when :update, :destroy, :preview
+            toggle_allow(question.present?)
+          when :publish
+            toggle_allow(question.external_voting || question.responses_count.positive?)
+          end
+        end
+
+        def allowed_response_action?
+          return unless permission_action.subject == :response
+
+          case permission_action.action
+          when :create, :read
+            allow!
+          when :update, :destroy
+            toggle_allow(response.present?)
+          end
+        end
+
+        # Only admin users can enter the consultations area.
+        def user_can_enter_space_area?
+          return unless permission_action.action == :enter &&
+                        permission_action.subject == :space_area &&
+                        context.fetch(:space_name, nil) == :consultations
+
+          allow!
+        end
+
+        def read_admin_dashboard_action?
+          permission_action.action == :read &&
+            permission_action.subject == :admin_dashboard
+        end
+
+        def allowed_read_participatory_space?
+          return unless permission_action.action == :read &&
+                        permission_action.subject == :participatory_space
+
+          allow!
+        end
+      end
+    end
+  end
+end

data/app/permissions/decidim/consultations/permissions.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Consultations
+    class Permissions < Decidim::DefaultPermissions
+      def permissions
+        allowed_public_anonymous_action?
+
+        permission_action unless user
+        allowed_public_action?
+
+        permission_action unless permission_action.scope == :admin
+        return Decidim::Consultations::Admin::Permissions.new(user, permission_action, context).permissions if permission_action.scope == :admin
+
+        permission_action
+      end
+
+      private
+
+      def question
+        @question ||= context.fetch(:question, nil)
+      end
+
+      def consultation
+        @consultation ||= context.fetch(:consultation, nil)
+      end
+
+      def allowed_public_anonymous_action?
+        return unless permission_action.action == :read
+        return unless permission_action.scope == :public
+
+        case permission_action.subject
+        when :consultation_list
+          allow!
+        when :consultation
+          toggle_allow(consultation.published? || user&.admin?)
+        when :question
+          toggle_allow(question.published? || user&.admin?)
+        end
+      end
+
+      def allowed_public_action?
+        return unless permission_action.scope == :public
+        return unless permission_action.subject == :question
+
+        case permission_action.action
+        when :vote
+          toggle_allow(question.can_be_voted_by?(user))
+        when :unvote
+          toggle_allow(question.can_be_unvoted_by?(user))
+        end
+      end
+    end
+  end
+end

data/app/views/decidim/consultations/admin/consultations/edit.html.erb

@@ -3,7 +3,7 @@
   <div class="button--double form-general-submit">
     <%= f.submit t("consultations.edit.update", scope: "decidim.admin"), class: "button" %>
 
-    <% if can? :publish, current_consultation %>
+    <% if allowed_to? :publish, :consultation, consultation: current_consultation %>
       <% if current_consultation.published? %>
         <%= link_to t("actions.unpublish", scope: "decidim.admin"),
                     consultation_publish_path(current_consultation),
@@ -17,21 +17,21 @@
       <% end %>
     <% end %>
 
-    <% if can? :publish_results, current_consultation %>
+    <% if allowed_to? :publish_results, :consultation, consultation: current_consultation %>
       <%= link_to t("actions.publish_results", scope: "decidim.admin"),
                   consultation_publish_results_path(current_consultation),
                   method: :post,
                   class: "button hollow" %>
     <% end %>
 
-    <% if can? :unpublish_results, current_consultation %>
+    <% if allowed_to? :unpublish_results, :consultation, consultation: current_consultation %>
       <%= link_to t("actions.unpublish_results", scope: "decidim.admin"),
                   consultation_publish_results_path(current_consultation),
                   method: :delete,
                   class: "button muted" %>
     <% end %>
 
-    <% if can? :destroy, current_consultation %>
+    <% if allowed_to? :destroy, :consultation, consultation: current_consultation %>
       <%= link_to t("decidim.admin.actions.destroy"),
                   current_consultation,
                   method: :delete,

data/app/views/decidim/consultations/admin/consultations/index.html.erb

@@ -3,7 +3,7 @@
     <h2 class="card-title">
       <%= t "decidim.admin.titles.consultations" %>
       <%= link_to t("actions.new", scope: "decidim.admin", name: t("models.consultation.name", scope: "decidim.admin")),
-                  ["new", "consultation"], class: "button tiny button--title" if can? :create, Decidim::Consultation %>
+                  ["new", "consultation"], class: "button tiny button--title" if allowed_to? :create, :consultation %>
     </h2>
   </div>
   <div class="card-section">
@@ -23,10 +23,10 @@
           <% @consultations.each do |consultation| %>
             <tr>
               <td>
-                <% if can? :update, consultation %>
+                <% if allowed_to? :update, :consultation, consultation: consultation %>
                   <%= link_to translated_attribute(consultation.title), edit_consultation_path(consultation) %>
                   <br />
-                <% elsif can? :preview, consultation %>
+                <% elsif allowed_to? :preview, :consultation, consultation: consultation %>
                   <%= link_to translated_attribute(consultation.title),
                               decidim_consultations.consultation_path(consultation),
                               target: "_blank" %>
@@ -50,14 +50,14 @@
                 <% end %>
               </td>
               <td class="table-list__actions">
-                <% if can? :update, consultation %>
+                <% if allowed_to? :update, :consultation, consultation: consultation %>
                   <%= icon_link_to "pencil",
                                    edit_consultation_path(consultation),
                                    t("actions.configure", scope: "decidim.admin"),
                                    class: "action-icon--edit" %>
                 <% end %>
 
-                <% if can? :preview, consultation %>
+                <% if allowed_to? :preview, :consultation, consultation: consultation %>
                   <%= icon_link_to "eye",
                                    decidim_consultations.consultation_path(consultation),
                                    t("actions.preview", scope: "decidim.admin"),