decidim-core 0.11.2 → 0.12.0.pre

data/app/cells/decidim/tags_cell.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module Decidim
+  # This cell renders the category of a resource
+  # shown with the translated name and links to
+  # the resource parent `component` and `participatory space` index.
+  # The context `resource` must be present
+  # example use inside another `cell`:
+  #   <%= cell("decidim/category", model.category, context: {resource: model}) %>
+  #
+  class TagsCell < Decidim::ViewModel
+    def show
+      render if category? || scope?
+    end
+
+    def category
+      render if category?
+    end
+
+    def scope
+      render if scope?
+    end
+
+    private
+
+    def tags_classes
+      (["tags"] + context[:extra_classes].to_a).join(" ")
+    end
+
+    def category?
+      model.category.present?
+    end
+
+    def link_to_category
+      link_to category_name, category_path
+    end
+
+    def category_name
+      model.category.translated_name
+    end
+
+    def category_path
+      resource_locator(model).index(filter: { category_id: model.category.id })
+    end
+
+    def scope?
+      has_visible_scopes?(model)
+    end
+
+    def link_to_scope
+      link_to scope_name, scope_path
+    end
+
+    def scope_name
+      translated_attribute model.scope.name
+    end
+
+    def scope_path
+      resource_locator(model).index(filter: { scope_id: model.scope.id })
+    end
+  end
+end

data/app/cells/decidim/tos_page/announcement.erb

@@ -0,0 +1,2 @@
+<%= cell("decidim/announcement", announcement_args) %>
+<%= content_tag :div, nil, id: "sticky-top-stop" %>

data/app/cells/decidim/tos_page/refuse_btn_modal.erb

@@ -0,0 +1,23 @@
+<button class="clear button secondary button--nomargin small" type="button" data-open="tos-refuse-modal">
+  <%= t("refuse.modal_button", scope: "decidim.pages.terms_and_conditions") %>
+</button>
+
+<div id="tos-refuse-modal" class="reveal" data-reveal aria-labelledby="#{modal_title}" aria-hidden="true" role="dialog">
+  <h2>
+    <%= t("refuse.modal_title", scope: "decidim.pages.terms_and_conditions") %>
+  </h2>
+
+  <p>
+    <%= t("refuse.modal_body", scope: "decidim.pages.terms_and_conditions", data_portability_path: "#", delete_path: decidim.delete_account_path) %>
+  </p>
+
+  <div class="row column flex-center">
+    <%= button_to decidim.destroy_user_session_path, method: :delete, class: "clear button secondary button--nomargin small" do %>
+      <%= t("refuse.modal_btn_exit", scope: "decidim.pages.terms_and_conditions") %>
+    <% end %>
+
+    <%= button_to decidim.accept_tos_path, method: :put, class: "button button--nomargin small" do %>
+      <%= t("refuse.modal_btn_continue", scope: "decidim.pages.terms_and_conditions") %>
+    <% end %>
+  </div>
+</div>

data/app/cells/decidim/tos_page/sticky_form.erb

@@ -0,0 +1,29 @@
+<div data-sticky-container class="cell-sticky">
+  <div class="sticky"
+        data-sticky
+        data-stick-to="bottom"
+        data-margin-bottom="0"
+        data-top-anchor="sticky-top-stop:top"
+        data-btm-anchor="sticky-btm-stop:top"
+        data-sticky-on="small">
+    <article class="card">
+      <div class="card__content">
+        <div class="card__header">
+          <h5 class="card__title text-center">
+            <%= t("form.legend", scope: "decidim.pages.terms_and_conditions") %>
+          </h5>
+        </div>
+
+        <div class="row column flex-center">
+          <%= cell "decidim/tos_page", :refuse_btn_modal %>
+
+          <%= button_to decidim.accept_tos_path, method: :put, class: "button button--nomargin small" do %>
+            <%= t("form.agreement", scope: "decidim.pages.terms_and_conditions") %>
+          <% end %>
+        </div>
+      </div>
+    </article>
+  </div>
+</div>
+
+<div id="sticky-btm-stop"></div>

data/app/cells/decidim/tos_page_cell.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Decidim
+  # This cell renders specific _partials_ for the `terms_and_conditions` StaticPage
+  # the `model` is the partial to render
+  # - :announcement, the TOS updated announcement when redirected to the TOS page.
+  # - :sticky_form, the Accept updated TOS form in the TOS page.
+  # - :refuse_btn_modal, the Modal with info when refusing the updated TOS.
+  class TosPageCell < Decidim::ViewModel
+    include Decidim::SanitizeHelper
+    include Cell::ViewModel::Partial
+
+    delegate :current_user, to: :controller, prefix: false
+
+    def show
+      return if model.nil?
+      return unless current_user
+      return if current_user.tos_accepted?
+      render model
+    end
+
+    private
+
+    def announcement_args
+      args = {
+        callout_class: "warning",
+        announcement: {
+          title: t("required_review.title", scope: "decidim.pages.terms_and_conditions"),
+          body: t("required_review.body", scope: "decidim.pages.terms_and_conditions")
+        }
+      }
+      args
+    end
+
+    def decidim
+      Decidim::Core::Engine.routes.url_helpers
+    end
+  end
+end

data/app/cells/decidim/user_profile/footer.erb

@@ -0,0 +1,5 @@
+<div class="card__footer">
+  <div class="card__support">
+    <%= link_to t("decidim.profile.view"), resource_path, class: "card__button button secondary button--sc small light" %>
+  </div>
+</div>

data/app/cells/decidim/user_profile/header.erb

@@ -0,0 +1,20 @@
+<div class="card__header">
+  <div class="author-data author-data--big">
+    <div class="author-data__main">
+      <div class="author author--flex">
+        <%= link_to resource_path, class: "author__avatar" do %>
+          <%= image_tag avatar %>
+        <% end %>
+        <div>
+          <div class="author__name--container">
+            <%= link_to name, resource_path, class: "author__name" %>
+            <%= icon "verified-badge", class: "author__verified" if officialized? %>
+          </div>
+          <%= link_to nickname, resource_path, class: "author__nickname" %>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <%= render :author if has_author? %>
+</div>

data/app/cells/decidim/user_profile_cell.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Decidim
+  # This cell renders the profile of the given user.
+  class UserProfileCell < Decidim::CardMCell
+    property :name
+    property :nickname
+    property :officialized?
+
+    def resource_path
+      decidim.profile_path(model.nickname)
+    end
+
+    def nickname
+      "@" + model.nickname
+    end
+
+    def description
+      html_truncate(model.about.to_s, length: 100)
+    end
+
+    def avatar
+      model.avatar_url(:big)
+    end
+  end
+end

data/app/commands/decidim/create_omniauth_registration.rb

@@ -51,7 +51,7 @@ module Decidim
         @user.email = (verified_email || form.email)
         @user.name = form.name
         @user.nickname = form.normalized_nickname
-        @user.newsletter_notifications = true
+        @user.newsletter_notifications = false
         @user.email_on_notification = true
         @user.password = generated_password
         @user.password_confirmation = generated_password

data/app/commands/decidim/create_registration.rb

@@ -41,7 +41,8 @@ module Decidim
                            organization: form.current_organization,
                            tos_agreement: form.tos_agreement,
                            newsletter_notifications: form.newsletter,
-                           email_on_notification: true)
+                           email_on_notification: true,
+                           accepted_tos_version: form.current_organization.tos_version)
     end
 
     def create_user_group

data/app/commands/decidim/search.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Decidim
+  # A command that will act as a search service, with all the business logic for performing searches.
+  class Search < Rectify::Command
+    ACCEPTED_FILTERS = [:resource_type, :decidim_scope_id].freeze
+
+    attr_reader :term, :results
+
+    # Public: Initializes the command.
+    #
+    # @param term: The term to search for.
+    def initialize(term, organization, filters = {})
+      @term = term
+      @organization = organization
+      @filters = filters
+    end
+
+    # Executes the command. Broadcasts these events:
+    #
+    # - :ok when everything is valid, together with the search results.
+    # - :invalid if something failed and couldn't proceed.
+    #
+    # Returns nothing.
+    def call
+      query = SearchableResource.where(organization: @organization, locale: I18n.locale)
+      @filters.each_pair do |attribute_name, value|
+        query = query.where(attribute_name => value) if permit_filter?(attribute_name, value)
+      end
+      @results = if term.present?
+                   query.global_search(I18n.transliterate(term))
+                 else
+                   query.all
+                 end
+
+      broadcast(:ok, @results.order("datetime DESC"))
+    end
+
+    private
+
+    def permit_filter?(attribute_name, value)
+      ACCEPTED_FILTERS.include?(attribute_name.to_sym) && value.present?
+    end
+  end
+end

data/app/controllers/concerns/decidim/devise_controllers.rb

@@ -11,9 +11,7 @@ module Decidim
       include Decidim::NeedsOrganization
       include Decidim::LocaleSwitcher
       include ImpersonateUsers
-      include NeedsAuthorization
-
-      skip_authorization_check
+      include NeedsPermission
 
       helper Decidim::TranslationsHelper
       helper Decidim::MetaTagsHelper
@@ -30,18 +28,23 @@ module Decidim
       # Saves the location before loading each page so we can return to the
       # right page.
       before_action :store_current_location
-    end
 
-    # Overwrites `cancancan`'s method to point to the correct ability class,
-    # since the gem expects the ability class to be in the root namespace.
-    def current_ability_klass
-      Decidim::Abilities::BaseAbility
-    end
+      def permission_class_chain
+        [
+          Decidim::Admin::Permissions,
+          Decidim::Permissions
+        ]
+      end
+
+      def permission_scope
+        :public
+      end
 
-    def store_current_location
-      return if params[:redirect_url].blank? || !request.format.html?
+      def store_current_location
+        return if params[:redirect_url].blank? || !request.format.html?
 
-      store_location_for(:user, params[:redirect_url])
+        store_location_for(:user, params[:redirect_url])
+      end
     end
   end
 end

data/app/controllers/concerns/decidim/http_caching_disabler.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  # This module will disable http caching from the controller in
+  # order to prevent proxies from storing sensible information.
+  module HttpCachingDisabler
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :disable_http_caching
+    end
+
+    def disable_http_caching
+      response.headers["Cache-Control"] = "no-cache, no-store"
+      response.headers["Pragma"] = "no-cache"
+      response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
+    end
+  end
+end

data/app/controllers/concerns/decidim/impersonate_users.rb

@@ -49,13 +49,8 @@ module Decidim
         redirect_to decidim_admin.impersonatable_users_path
       end
 
-      # Gets the ability instance for the real user logged in.
-      def real_ability
-        @real_ability ||= current_ability_klass.new(real_user, ability_context)
-      end
-
       def can_impersonate_users?
-        real_user && real_ability.can?(:impersonate, :managed_users)
+        real_user && allowed_to?(:impersonate, :managed_user, {}, [Decidim::Admin::Permissions], real_user)
       end
 
       def expired_log

data/app/controllers/concerns/decidim/locale_switcher.rb

@@ -46,7 +46,7 @@ module Decidim
       #
       # Returns an Array of Strings.
       def available_locales
-        @available_locales ||= current_organization.available_locales
+        @available_locales ||= (current_organization || Decidim).public_send(:available_locales)
       end
 
       # The default locale of this organization.

data/app/controllers/concerns/decidim/needs_permission.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  # Common logic to work with the permissions system
+  module NeedsPermission
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :allowed_to?
+
+      class ::Decidim::ActionForbidden < StandardError
+      end
+
+      rescue_from Decidim::ActionForbidden, with: :user_has_no_permission
+
+      # Handles the case when a user visits a path that is not allowed to them.
+      # Redirects the user to the root path and shows a flash message telling
+      # them they are not authorized.
+      def user_has_no_permission
+        flash[:alert] = t("actions.unauthorized", scope: "decidim.core")
+        redirect_to(request.referer || user_has_no_permission_path)
+      end
+
+      def user_has_no_permission_path
+        raise NotImplementedError
+      end
+
+      def permissions_context
+        {
+          current_settings: try(:current_settings),
+          component_settings: try(:component_settings),
+          current_organization: try(:current_organization),
+          current_component: try(:current_component)
+        }
+      end
+
+      def enforce_permission_to(action, subject, extra_context = {})
+        Rails.logger.debug "==========="
+        Rails.logger.debug [permission_scope, action, subject, permission_class_chain].map(&:inspect).join("\n")
+        Rails.logger.debug "==========="
+
+        raise Decidim::ActionForbidden unless allowed_to?(action, subject, extra_context)
+      end
+
+      def allowed_to?(action, subject, extra_context = {}, chain = permission_class_chain, user = current_user)
+        permission_action = Decidim::PermissionAction.new(scope: permission_scope, action: action, subject: subject)
+
+        chain.inject(permission_action) do |current_permission_action, permission_class|
+          permission_class.new(
+            user,
+            current_permission_action,
+            permissions_context.merge(extra_context)
+          ).permissions
+        end.allowed?
+      rescue Decidim::PermissionAction::PermissionNotSetError
+        false
+      end
+
+      def permission_class_chain
+        raise "Please, make this method return an array of permission classes"
+      end
+
+      def permission_scope
+        raise "Please, make this method return a symbol"
+      end
+    end
+  end
+end