decidim-core 0.11.2 → 0.12.0.pre

data/app/controllers/concerns/decidim/needs_tos_accepted.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Decidim
+  # Shared behaviour for signed_in users that require the latest TOS accepted
+  module NeedsTosAccepted
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :tos_accepted_by_user
+      helper_method :terms_and_conditions_page
+    end
+
+    private
+
+    def tos_accepted_by_user
+      return true unless current_user
+      return if current_user.tos_accepted?
+      return if permitted_paths?
+
+      redirect_to_tos
+    end
+
+    def terms_and_conditions_page
+      @terms_and_conditions_page ||= Decidim::StaticPage.find_by(slug: "terms-and-conditions", organization: current_organization)
+    end
+
+    def permitted_paths?
+      permitted_paths = [tos_path, decidim.delete_account_path, decidim.accept_tos_path]
+      permitted_paths.include?(request.path)
+    end
+
+    def tos_path
+      decidim.page_path terms_and_conditions_page
+    end
+
+    def redirect_to_tos
+      flash[:notice] = flash[:notice] if flash[:notice]
+      flash[:secondary] = t("required_review.alert", scope: "decidim.pages.terms_and_conditions")
+      redirect_to tos_path
+    end
+  end
+end

data/app/controllers/concerns/decidim/participatory_space_context.rb

@@ -44,13 +44,7 @@ module Decidim
     end
 
     def authorize_participatory_space
-      authorize! :read, current_participatory_space
-    end
-
-    def ability_context
-      super.merge(
-        current_participatory_space: current_participatory_space
-      )
+      enforce_permission_to :read, :participatory_space, current_participatory_space: current_participatory_space
     end
 
     def layout

data/app/controllers/concerns/decidim/user_profile.rb

@@ -21,7 +21,9 @@ module Decidim
                     :user_groups
 
       before_action :current_user
-      authorize_resource :current_user
+      before_action do
+        enforce_permission_to :update_profile, :user, current_user: current_user
+      end
     end
 
     # Public: Available authorization handlers in order to conditionally

data/app/controllers/decidim/account_controller.rb

@@ -6,12 +6,12 @@ module Decidim
     include Decidim::UserProfile
 
     def show
-      authorize! :show, current_user
+      enforce_permission_to :show, :user, current_user: current_user
       @account = form(AccountForm).from_model(current_user)
     end
 
     def update
-      authorize! :update, current_user
+      enforce_permission_to :update, :user, current_user: current_user
       @account = form(AccountForm).from_params(account_params)
 
       UpdateAccount.call(current_user, @account) do
@@ -34,12 +34,12 @@ module Decidim
     end
 
     def delete
-      authorize! :delete, current_user
+      enforce_permission_to :delete, :user, current_user: current_user
       @form = form(DeleteAccountForm).from_model(current_user)
     end
 
     def destroy
-      authorize! :delete, current_user
+      enforce_permission_to :delete, :user, current_user: current_user
       @form = form(DeleteAccountForm).from_params(params)
 
       DestroyAccount.call(current_user, @form) do

data/app/controllers/decidim/application_controller.rb

@@ -5,9 +5,11 @@ module Decidim
   class ApplicationController < ::DecidimController
     include NeedsOrganization
     include LocaleSwitcher
-    include NeedsAuthorization
+    include NeedsPermission
     include PayloadInfo
     include ImpersonateUsers
+    include NeedsTosAccepted
+    include HttpCachingDisabler
 
     helper Decidim::MetaTagsHelper
     helper Decidim::DecidimFormHelper
@@ -30,6 +32,8 @@ module Decidim
 
     layout "layouts/decidim/application"
 
+    skip_before_action :disable_http_caching, unless: :user_signed_in?
+
     private
 
     # Stores the url where the user will be redirected after login.
@@ -44,21 +48,26 @@ module Decidim
       store_location_for(:user, value)
     end
 
-    def user_not_authorized_path
+    def user_has_no_permission_path
       decidim.root_path
     end
 
+    def permission_class_chain
+      [
+        Decidim::Admin::Permissions,
+        Decidim::Permissions
+      ]
+    end
+
+    def permission_scope
+      :public
+    end
+
     # Make sure Chrome doesn't use the cache from a different format. This
     # prevents a bug where clicking the back button of the browser
     # displays the JS response instead of the HTML one.
     def add_vary_header
       response.headers["Vary"] = "Accept"
     end
-
-    # Overwrites `cancancan`'s method to point to the correct ability class,
-    # since the gem expects the ability class to be in the root namespace.
-    def current_ability_klass
-      Decidim::Abilities::BaseAbility
-    end
   end
 end

data/app/controllers/decidim/components/base_controller.rb

@@ -8,6 +8,7 @@ module Decidim
     class BaseController < Decidim::ApplicationController
       include Settings
       include ActionAuthorization
+      include Decidim::NeedsPermission
 
       include ParticipatorySpaceContext
       participatory_space_layout
@@ -27,11 +28,10 @@ module Decidim
                     :current_participatory_space,
                     :current_manifest
 
-      skip_authorize_resource
-
       before_action do
-        authorize! :read, current_component
+        enforce_permission_to :read, :component, component: current_component
       end
+
       before_action :redirect_unless_feature_private
 
       def current_participatory_space
@@ -49,12 +49,17 @@ module Decidim
         @current_manifest ||= current_component.manifest
       end
 
-      def ability_context
-        super.merge(
-          current_manifest: current_manifest,
-          current_settings: current_settings,
-          component_settings: component_settings
-        )
+      def permission_scope
+        :public
+      end
+
+      def permission_class_chain
+        [
+          current_component.manifest.permissions_class,
+          current_participatory_space.manifest.permissions_class,
+          Decidim::Admin::Permissions,
+          Decidim::Permissions
+        ]
       end
 
       def redirect_unless_feature_private

data/app/controllers/decidim/cookie_policy_controller.rb

@@ -3,8 +3,6 @@
 module Decidim
   # This controller allows the user to accept the cookie policy.
   class CookiePolicyController < Decidim::ApplicationController
-    skip_authorization_check
-
     skip_before_action :store_current_location
 
     def accept

data/app/controllers/decidim/devise/confirmations_controller.rb

@@ -5,6 +5,19 @@ module Decidim
     # Custom Devise ConfirmationsController to avoid namespace problems.
     class ConfirmationsController < ::Devise::ConfirmationsController
       include Decidim::DeviseControllers
+
+      # Since we're using a single Devise installation for multiple
+      # organizations, and user emails can be repeated across organizations,
+      # we need to identify the user by both the email and the organization.
+      # Setting the organization ID here will be used by Devise internally to
+      # find the correct user.
+      #
+      # Note that in order for this to work we need to define the `confirmation_keys`
+      # Devise attribute in the `Decidim::User` model to include the
+      # `decidim_organization_id` attribute.
+      def resource_params
+        super.merge(decidim_organization_id: current_organization.id)
+      end
     end
   end
 end

data/app/controllers/decidim/devise/invitations_controller.rb

@@ -5,6 +5,7 @@ module Decidim
     # This controller customizes the behaviour of Devise::Invitiable.
     class InvitationsController < ::Devise::InvitationsController
       include Decidim::DeviseControllers
+      include NeedsTosAccepted
 
       before_action :configure_permitted_parameters
 
@@ -25,13 +26,14 @@ module Decidim
       def accept_resource
         resource = resource_class.accept_invitation!(update_resource_params)
         resource.update!(managed: false) if resource.managed?
+        resource.update!(accepted_tos_version: resource.organization.tos_version)
         resource
       end
 
       protected
 
       def configure_permitted_parameters
-        devise_parameter_sanitizer.permit(:accept_invitation, keys: [:nickname])
+        devise_parameter_sanitizer.permit(:accept_invitation, keys: [:nickname, :tos_agreement, :newsletter_notifications])
       end
     end
   end

data/app/controllers/decidim/devise/omniauth_registrations_controller.rb

@@ -72,14 +72,13 @@ module Decidim
       private
 
       def oauth_data
-        return {} unless request.env["omniauth.auth"]
-        @oauth_data ||= request.env["omniauth.auth"].slice(:provider, :uid, :info)
+        @oauth_data ||= oauth_hash.slice(:provider, :uid, :info)
       end
 
       # Private: Create form params from omniauth hash
       # Since we are using trusted omniauth data we are generating a valid signature.
       def user_params_from_oauth_hash
-        return nil unless request.env["omniauth.auth"]
+        return nil if oauth_data.empty?
         {
           provider: oauth_data[:provider],
           uid: oauth_data[:uid],
@@ -93,6 +92,13 @@ module Decidim
       def verified_email
         @verified_email ||= oauth_data.dig(:info, :email)
       end
+
+      def oauth_hash
+        raw_hash = request.env["omniauth.auth"]
+        return {} unless raw_hash
+
+        raw_hash.deep_symbolize_keys
+      end
     end
   end
 end

data/app/controllers/decidim/devise/passwords_controller.rb

@@ -14,7 +14,7 @@ module Decidim
       # Setting the organization ID here will be used by Devise internally to
       # find the correct user.
       #
-      # Note that in orther for this to work we need to define the `reset_password_keys`
+      # Note that in order for this to work we need to define the `reset_password_keys`
       # Devise attribute in the `Decidim::User` model to include the
       # `decidim_organization_id` attribute.
       def resource_params

data/app/controllers/decidim/devise/registrations_controller.rb

@@ -7,9 +7,9 @@ module Decidim
     class RegistrationsController < ::Devise::RegistrationsController
       include FormFactory
       include Decidim::DeviseControllers
+      include NeedsTosAccepted
 
       before_action :configure_permitted_parameters
-      helper_method :terms_and_conditions_page
 
       invisible_captcha
 
@@ -43,12 +43,6 @@ module Decidim
         end
       end
 
-      private
-
-      def terms_and_conditions_page
-        @terms_and_conditions_page ||= Decidim::StaticPage.find_by(slug: "terms-and-conditions", organization: current_organization)
-      end
-
       protected
 
       def configure_permitted_parameters

data/app/controllers/decidim/doorkeeper/authorizations_controller.rb

@@ -4,8 +4,6 @@ module Decidim
   module Doorkeeper
     # Custom Doorkeeper AuthorizationsController to avoid namespace problems.
     class AuthorizationsController < ::Doorkeeper::AuthorizationsController
-      skip_authorization_check
-
       helper_method :oauth_application
 
       def oauth_application

data/app/controllers/decidim/doorkeeper/credentials_controller.rb

@@ -4,7 +4,6 @@ module Decidim
   module Doorkeeper
     # A controller to expose a simple JSON API so OAuth clients can get the user's information.
     class CredentialsController < ApplicationController
-      skip_authorization_check
       before_action :doorkeeper_authorize!
       respond_to :json
 

data/app/controllers/decidim/errors_controller.rb

@@ -2,8 +2,6 @@
 
 module Decidim
   class ErrorsController < Decidim::ApplicationController
-    skip_authorization_check
-
     def not_found
       render status: :not_found
     end

data/app/controllers/decidim/follows_controller.rb

@@ -8,7 +8,8 @@ module Decidim
 
     def destroy
       @form = form(Decidim::FollowForm).from_params(params)
-      authorize! :delete, @form.follow
+      @inline = params[:follow][:inline] == "true"
+      enforce_permission_to :delete, :follow, follow: @form.follow
 
       DeleteFollow.call(@form, current_user) do
         on(:ok) do
@@ -23,7 +24,8 @@ module Decidim
 
     def create
       @form = form(Decidim::FollowForm).from_params(params)
-      authorize! :create, Follow
+      @inline = params[:follow][:inline] == "true"
+      enforce_permission_to :create, :follow
 
       CreateFollow.call(@form, current_user) do
         on(:ok) do

data/app/controllers/decidim/locales_controller.rb

@@ -4,9 +4,9 @@ module Decidim
   # A controller to allow users switching their locale.
   class LocalesController < Decidim::ApplicationController
     skip_before_action :store_current_location
-    authorize_resource :locales, class: false
 
     def create
+      enforce_permission_to :create, :locales
       current_user.update!(locale: params["locale"]) if current_user && params["locale"] && available_locales.include?(params["locale"])
 
       redirect_to referer_with_new_locale

data/app/controllers/decidim/messaging/conversations_controller.rb

@@ -14,7 +14,7 @@ module Decidim
       helper_method :username_list, :conversation
 
       def new
-        authorize! :create, Conversation
+        enforce_permission_to :create, :conversation
         @form = form(ConversationForm).from_params(params)
 
         redirect_back(fallback_location: profile_path(current_user.nickname)) && return unless @form.recipient
@@ -24,7 +24,7 @@ module Decidim
       end
 
       def create
-        authorize! :create, Conversation
+        enforce_permission_to :create, :conversation
 
         @form = form(ConversationForm).from_params(params)
 
@@ -43,13 +43,13 @@ module Decidim
       end
 
       def index
-        authorize! :index, Conversation
+        enforce_permission_to :list, :conversation
 
         @conversations = UserConversations.for(current_user)
       end
 
       def show
-        authorize! :show, conversation
+        enforce_permission_to :read, :conversation, conversation: conversation
 
         @conversation.mark_as_read(current_user)
 
@@ -57,7 +57,7 @@ module Decidim
       end
 
       def update
-        authorize! :update, conversation
+        enforce_permission_to :update, :conversation, conversation: conversation
 
         @form = form(MessageForm).from_params(params)
 

data/app/controllers/decidim/newsletters_controller.rb

@@ -3,8 +3,6 @@
 module Decidim
   # The controller to show the newsletter on the website.
   class NewslettersController < Decidim::ApplicationController
-    skip_authorization_check
-
     layout "decidim/mailer", only: [:show]
     helper Decidim::SanitizeHelper
     include Decidim::NewslettersHelper

data/app/controllers/decidim/notifications_controller.rb

@@ -1,27 +1,16 @@
 # frozen_string_literal: true
 
 module Decidim
-  # The controller to handle the user's notifications dashboard.
+  # The controller to handle the user's notifications deletion.
   class NotificationsController < Decidim::ApplicationController
-    helper Decidim::IconHelper
-    helper Decidim::PaginateHelper
-    include Paginable
-
-    helper_method :notifications
-
-    def index
-      authorize! :read, Notification
-      @notifications = paginate(notifications)
-    end
-
     def destroy
       notification = notifications.find(params[:id])
-      authorize! :destroy, notification
+      enforce_permission_to :destroy, :notification, notification: notification
       notification.destroy
     end
 
     def read_all
-      authorize! :destroy, notifications.first
+      enforce_permission_to :destroy, :notification, notification: notifications.first
       notifications.destroy_all
     end
 
@@ -30,10 +19,5 @@ module Decidim
     def notifications
       @notifications ||= current_user.notifications.order(created_at: :desc)
     end
-
-    # Private: overwrites the amount of elements per page.
-    def per_page
-      50
-    end
   end
 end