RubyGems - decidim-core - Versions diffs - 0.18.1 → 0.19.0 - Mend

decidim-core 0.18.1 → 0.19.0

Potentially problematic release.

This version of decidim-core might be problematic. Click here for more details.

Files changed (275) hide show

checksums.yaml +4 -4
data/app/assets/config/decidim_core_manifest.js +3 -0
data/app/assets/javascripts/decidim/social_share.js +2 -0
data/app/assets/stylesheets/decidim/extras/_social_share.css.scss +36 -0
data/app/assets/stylesheets/decidim/modules/_input-gallery.scss +24 -0
data/app/assets/stylesheets/decidim/modules/_navbar.scss +1 -1
data/app/cells/decidim/activities_cell.rb +13 -8
data/app/cells/decidim/activity_cell.rb +19 -5
data/app/cells/decidim/address/details.erb +2 -2
data/app/cells/decidim/amendable/amenders_list/show.erb +1 -1
data/app/cells/decidim/amendable/amenders_list_cell.rb +5 -1
data/app/cells/decidim/amendable/announcement_cell.rb +22 -9
data/app/cells/decidim/amendable/wizard_step_form_cell.rb +121 -0
data/app/cells/decidim/announcement_cell.rb +1 -0
data/app/cells/decidim/author_cell.rb +7 -0
data/app/cells/decidim/card_m_cell.rb +3 -1
data/app/cells/decidim/coauthorships_cell.rb +3 -1
data/app/cells/decidim/collapsible_authors_cell.rb +1 -0
data/app/cells/decidim/collapsible_list_cell.rb +1 -0
data/app/cells/decidim/content_blocks/highlighted_content_banner_cell.rb +1 -0
data/app/cells/decidim/content_blocks/last_activity_cell.rb +3 -2
data/app/cells/decidim/content_blocks/metrics_cell.rb +1 -0
data/app/cells/decidim/content_blocks/stats_cell.rb +1 -0
data/app/cells/decidim/content_blocks/sub_hero_cell.rb +1 -0
data/app/cells/decidim/diff_cell.rb +1 -1
data/app/cells/decidim/fingerprint/show.erb +1 -1
data/app/cells/decidim/follow_button_cell.rb +3 -0
data/app/cells/decidim/members_cell.rb +1 -0
data/app/cells/decidim/notifications/show.erb +1 -1
data/app/cells/decidim/profile_cell.rb +1 -0
data/app/cells/decidim/profile_sidebar_cell.rb +4 -0
data/app/cells/decidim/search_results_cell.rb +1 -0
data/app/cells/decidim/search_results_section/show.erb +1 -1
data/app/cells/decidim/tos_page_cell.rb +1 -0
data/app/cells/decidim/user_group_pending_invitations_list_cell.rb +1 -0
data/app/cells/decidim/user_group_pending_requests_list_cell.rb +1 -0
data/app/cells/decidim/wizard_step_form/wizard_aside.erb +14 -0
data/app/cells/decidim/wizard_step_form/wizard_header.erb +18 -0
data/app/cells/decidim/wizard_step_form_cell.rb +112 -0
data/app/commands/decidim/amendable/accept.rb +1 -1
data/app/commands/decidim/amendable/create_draft.rb +70 -0
data/app/commands/decidim/amendable/destroy_draft.rb +40 -0
data/app/commands/decidim/amendable/promote.rb +13 -11
data/app/commands/decidim/amendable/publish_draft.rb +76 -0
data/app/commands/decidim/amendable/update_draft.rb +54 -0
data/app/commands/decidim/amendable/withdraw.rb +31 -15
data/app/commands/decidim/create_follow.rb +1 -0
data/app/commands/decidim/create_omniauth_registration.rb +22 -4
data/app/commands/decidim/create_registration.rb +5 -0
data/app/commands/decidim/delete_follow.rb +1 -0
data/app/commands/decidim/search.rb +1 -0
data/app/controllers/concerns/decidim/action_authorization.rb +2 -0
data/app/controllers/concerns/decidim/amendments_controller.rb +148 -28
data/app/controllers/concerns/decidim/devise_controllers.rb +3 -2
data/app/controllers/concerns/decidim/force_authentication.rb +38 -0
data/app/controllers/concerns/decidim/impersonate_users.rb +1 -0
data/app/controllers/concerns/decidim/locale_switcher.rb +44 -17
data/app/controllers/concerns/decidim/needs_tos_accepted.rb +8 -0
data/app/controllers/concerns/decidim/orderable.rb +36 -0
data/app/controllers/concerns/decidim/participatory_space_context.rb +2 -0
data/app/controllers/concerns/decidim/safe_redirect.rb +24 -0
data/app/controllers/decidim/application_controller.rb +19 -2
data/app/controllers/decidim/devise/confirmations_controller.rb +6 -0
data/app/controllers/decidim/devise/invitations_controller.rb +8 -4
data/app/controllers/decidim/devise/omniauth_registrations_controller.rb +4 -1
data/app/controllers/decidim/errors_controller.rb +3 -0
data/app/controllers/decidim/follows_controller.rb +2 -2
data/app/controllers/decidim/messaging/conversations_controller.rb +2 -2
data/app/controllers/decidim/profiles_controller.rb +4 -1
data/app/controllers/decidim/scopes_controller.rb +16 -4
data/app/events/decidim/amendable/amendment_base_event.rb +4 -0
data/app/forms/decidim/account_form.rb +1 -1
data/app/forms/decidim/amendable/create_form.rb +3 -19
data/app/forms/decidim/amendable/edit_form.rb +22 -0
data/app/forms/decidim/amendable/form.rb +42 -20
data/app/forms/decidim/amendable/promote_form.rb +4 -7
data/app/forms/decidim/amendable/publish_form.rb +21 -0
data/app/forms/decidim/amendable/reject_form.rb +1 -1
data/app/forms/decidim/amendable/review_form.rb +9 -4
data/app/forms/decidim/invite_user_form.rb +1 -0
data/app/forms/decidim/notifications_settings_form.rb +1 -0
data/app/forms/decidim/registration_form.rb +4 -3
data/app/forms/decidim/user_group_form.rb +1 -0
data/app/forms/decidim/user_interests_form.rb +1 -0
data/app/helpers/decidim/amendments_helper.rb +33 -19
data/app/helpers/decidim/cells_helper.rb +2 -0
data/app/helpers/decidim/layout_helper.rb +1 -0
data/app/helpers/decidim/map_helper.rb +1 -1
data/app/helpers/decidim/meta_tags_helper.rb +1 -0
data/app/helpers/decidim/resource_reference_helper.rb +1 -0
data/app/jobs/decidim/event_publisher_job.rb +60 -0
data/app/jobs/decidim/metric_job.rb +1 -0
data/app/models/decidim/action_log.rb +12 -0
data/app/models/decidim/amendment.rb +31 -2
data/app/models/decidim/attachment.rb +2 -0
data/app/models/decidim/authorization.rb +1 -0
data/app/models/decidim/category.rb +1 -0
data/app/models/decidim/component.rb +7 -0
data/app/models/decidim/content_block.rb +1 -0
data/app/models/decidim/follow.rb +3 -0
data/app/models/decidim/identity.rb +1 -0
data/app/models/decidim/impersonation_log.rb +2 -0
data/app/models/decidim/newsletter.rb +1 -0
data/app/models/decidim/participatory_process_user_role.rb +1 -0
data/app/models/decidim/participatory_space_private_user.rb +1 -0
data/app/models/decidim/permission_action.rb +2 -0
data/app/models/decidim/report.rb +1 -0
data/app/models/decidim/scope.rb +1 -0
data/app/models/decidim/searchable_resource.rb +1 -1
data/app/models/decidim/static_page.rb +1 -0
data/app/models/decidim/user.rb +2 -0
data/app/permissions/decidim/permissions.rb +18 -14
data/app/permissions/decidim/user_manager_permissions.rb +9 -2
data/app/presenters/decidim/admin_log/organization_presenter.rb +1 -0
data/app/presenters/decidim/admin_log/participatory_space_private_user_presenter.rb +1 -1
data/app/presenters/decidim/admin_log/user_presenter.rb +1 -1
data/app/presenters/decidim/hashtag_presenter.rb +1 -1
data/app/presenters/decidim/log/base_presenter.rb +1 -0
data/app/presenters/decidim/log/diff_presenter.rb +1 -1
data/app/presenters/decidim/log/value_types/area_presenter.rb +1 -0
data/app/presenters/decidim/log/value_types/area_type_presenter.rb +1 -0
data/app/presenters/decidim/log/value_types/currency_presenter.rb +1 -0
data/app/presenters/decidim/log/value_types/date_presenter.rb +1 -0
data/app/presenters/decidim/log/value_types/locale_presenter.rb +1 -0
data/app/presenters/decidim/log/value_types/percentage_presenter.rb +1 -0
data/app/presenters/decidim/log/value_types/scope_presenter.rb +1 -0
data/app/presenters/decidim/log/value_types/scope_type_presenter.rb +1 -0
data/app/presenters/decidim/metric_charts_presenter.rb +1 -0
data/app/presenters/decidim/metric_object_presenter.rb +4 -0
data/app/queries/decidim/metric_manage.rb +3 -0
data/app/queries/decidim/metric_measure.rb +1 -0
data/app/queries/decidim/metrics/followers_metric_manage.rb +3 -0
data/app/queries/decidim/metrics/participants_metric_manage.rb +4 -0
data/app/queries/decidim/similar_emendations.rb +56 -0
data/app/resolvers/decidim/core/metric_resolver.rb +1 -0
data/app/services/decidim/action_authorizer.rb +1 -0
data/app/services/decidim/action_logger.rb +1 -0
data/app/services/decidim/activity_search.rb +1 -0
data/app/services/decidim/email_notification_generator.rb +4 -0
data/app/services/decidim/notification_generator.rb +2 -0
data/app/services/decidim/notification_generator_for_recipient.rb +0 -1
data/app/services/decidim/resource_search.rb +1 -1
data/app/services/decidim/traceability.rb +1 -0
data/app/uploaders/decidim/application_uploader.rb +1 -0
data/app/uploaders/decidim/attachment_uploader.rb +16 -0
data/app/uploaders/decidim/avatar_uploader.rb +0 -2
data/app/uploaders/decidim/data_portability_uploader.rb +1 -0
data/app/uploaders/decidim/homepage_image_uploader.rb +0 -2
data/app/uploaders/decidim/image_uploader.rb +15 -1
data/app/uploaders/decidim/oauth_application_logo_uploader.rb +0 -1
data/app/uploaders/decidim/official_image_footer_uploader.rb +0 -1
data/app/uploaders/decidim/official_image_header_uploader.rb +0 -1
data/app/uploaders/decidim/open_data_uploader.rb +1 -0
data/app/validators/etiquette_validator.rb +5 -0
data/app/views/decidim/account/delete.html.erb +2 -2
data/app/views/decidim/account/show.html.erb +1 -1
data/app/views/decidim/amendments/_edit_form_fields.html.erb +16 -13
data/app/views/decidim/amendments/_similar_emendation.html.erb +24 -0
data/app/views/decidim/amendments/compare_draft.html.erb +21 -0
data/app/views/decidim/amendments/edit_draft.html.erb +31 -0
data/app/views/decidim/amendments/new.html.erb +5 -17
data/app/views/decidim/amendments/preview_draft.html.erb +32 -0
data/app/views/decidim/amendments/review.html.erb +5 -3
data/app/views/decidim/application/_document.html.erb +1 -1
data/app/views/decidim/application/_photos.html.erb +1 -1
data/app/views/decidim/data_portability/show.html.erb +1 -1
data/app/views/decidim/devise/invitations/edit.html.erb +2 -2
data/app/views/decidim/devise/sessions/new.html.erb +1 -1
data/app/views/decidim/doorkeeper/authorizations/new.html.erb +3 -3
data/app/views/decidim/export_mailer/data_portability_export.html.erb +1 -1
data/app/views/decidim/searches/index.js.erb +6 -0
data/app/views/decidim/shared/_address_details.html.erb +2 -2
data/app/views/decidim/shared/_embed_modal.html.erb +1 -1
data/app/views/decidim/shared/_share_modal.html.erb +7 -4
data/app/views/layouts/decidim/_application.html.erb +0 -1
data/app/views/layouts/decidim/_head.html.erb +13 -12
data/app/views/layouts/decidim/_logo.html.erb +1 -1
data/app/views/layouts/decidim/_social_media_links.html.erb +5 -5
data/app/views/layouts/decidim/_user_menu.html.erb +1 -1
data/app/views/layouts/decidim/_wrapper.html.erb +2 -2
data/app/views/layouts/decidim/mailer.html.erb +2 -2
data/config/locales/ar.yml +27 -17
data/config/locales/ca.yml +79 -15
data/config/locales/cs.yml +73 -14
data/config/locales/de.yml +62 -12
data/config/locales/en.yml +80 -16
data/config/locales/eo-UY.yml +16 -0
data/config/locales/es-MX.yml +73 -11
data/config/locales/es-PY.yml +73 -11
data/config/locales/es.yml +79 -15
data/config/locales/eu.yml +6 -13
data/config/locales/fi-plain.yml +75 -11
data/config/locales/fi.yml +80 -16
data/config/locales/fr.yml +70 -16
data/config/locales/gl.yml +6 -13
data/config/locales/hu.yml +80 -17
data/config/locales/id-ID.yml +6 -12
data/config/locales/it.yml +56 -14
data/config/locales/nl.yml +76 -12
data/config/locales/no.yml +11 -2
data/config/locales/pl.yml +6 -15
data/config/locales/pt-BR.yml +6 -13
data/config/locales/pt.yml +6 -13
data/config/locales/ru.yml +7 -2
data/config/locales/sv.yml +34 -18
data/config/locales/tr-TR.yml +15 -12
data/config/locales/uk.yml +7 -2
data/config/routes.rb +7 -0
data/db/migrate/20180226140756_add_version_to_action_logs.rb +1 -0
data/db/migrate/20180305132906_rename_features_to_components.rb +1 -0
data/db/migrate/20190412131728_fix_user_names.rb +1 -1
data/db/migrate/20190610093742_add_force_users_to_authenticate_before_access_organization.rb +10 -0
data/db/migrate/20190618075906_add_confidential_to_doorkeeper_application.rb +13 -0
data/db/migrate/{20190925091507_add_uniq_index_to_decidim_metrics.rb → 20190829092826_add_uniq_index_to_decidim_metrics.rb} +0 -0
data/lib/decidim/amendable.rb +87 -13
data/lib/decidim/attributes/localized_date.rb +5 -0
data/lib/decidim/attributes/time_with_zone.rb +5 -0
data/lib/decidim/authorable.rb +3 -0
data/lib/decidim/authorization_form_builder.rb +2 -2
data/lib/decidim/component_manifest.rb +2 -0
data/lib/decidim/content_parsers.rb +2 -0
data/lib/decidim/content_parsers/hashtag_parser.rb +1 -1
data/lib/decidim/content_parsers/link_parser.rb +10 -0
data/lib/decidim/content_parsers/newline_parser.rb +20 -0
data/lib/decidim/content_parsers/user_parser.rb +1 -1
data/lib/decidim/content_processor.rb +2 -0
data/lib/decidim/content_renderers.rb +1 -0
data/lib/decidim/content_renderers/hashtag_renderer.rb +1 -1
data/lib/decidim/content_renderers/link_renderer.rb +24 -0
data/lib/decidim/content_renderers/user_renderer.rb +2 -2
data/lib/decidim/core.rb +11 -0
data/lib/decidim/core/engine.rb +2 -28
data/lib/decidim/core/test.rb +4 -1
data/lib/decidim/core/test/factories.rb +35 -8
data/lib/decidim/core/test/shared_examples/amendable/create_amendment_draft_examples.rb +50 -0
data/lib/decidim/core/test/shared_examples/amendable/destroy_amendment_draft_examples.rb +39 -0
data/lib/decidim/core/test/shared_examples/amendable/promote_amendment_examples.rb +27 -3
data/lib/decidim/core/test/shared_examples/amendable/{create_amendment_examples.rb → publish_amendment_draft_examples.rb} +26 -17
data/lib/decidim/core/test/shared_examples/amendable/update_amendment_draft_examples.rb +42 -0
data/lib/decidim/core/test/shared_examples/amendable/withdraw_amendment_examples.rb +19 -11
data/lib/decidim/core/test/shared_examples/has_attachment_collections.rb +1 -1
data/lib/decidim/core/test/shared_examples/has_attachments.rb +1 -1
data/lib/decidim/core/test/shared_examples/simple_event.rb +4 -0
data/lib/decidim/core/version.rb +1 -1
data/lib/decidim/data_portability_file_zipper.rb +3 -0
data/lib/decidim/events/author_event.rb +1 -0
data/lib/decidim/events/base_event.rb +12 -22
data/lib/decidim/events/coauthor_event.rb +1 -0
data/lib/decidim/events/simple_event.rb +3 -0
data/lib/decidim/exporters/csv.rb +1 -0
data/lib/decidim/fingerprintable.rb +1 -0
data/lib/decidim/followable.rb +8 -0
data/lib/decidim/form_builder.rb +24 -3
data/lib/decidim/gamification.rb +4 -0
data/lib/decidim/gamification/badge_status.rb +1 -0
data/lib/decidim/has_category.rb +2 -0
data/lib/decidim/has_component.rb +2 -7
data/lib/decidim/has_private_users.rb +8 -1
data/lib/decidim/has_settings.rb +12 -8
data/lib/decidim/hashtaggable.rb +4 -0
data/lib/decidim/metric_operation_manifest.rb +1 -0
data/lib/decidim/nicknamizable.rb +1 -0
data/lib/decidim/participable.rb +1 -0
data/lib/decidim/participatory_space_resourceable.rb +1 -0
data/lib/decidim/randomable.rb +20 -0
data/lib/decidim/search_resource_fields_mapper.rb +2 -0
data/lib/decidim/searchable.rb +2 -0
data/lib/decidim/settings_manifest.rb +10 -1
data/lib/decidim/stats_registry.rb +1 -0
data/lib/decidim/view_model.rb +1 -1
data/lib/tasks/decidim_data_portability_tasks.rake +1 -0
data/lib/tasks/decidim_metrics_tasks.rake +2 -0
data/vendor/assets/javascripts/datepicker-locales/foundation-datepicker.no.js +12 -12
metadata +140 -82
data/app/commands/decidim/amendable/create.rb +0 -80

data/app/controllers/concerns/decidim/devise_controllers.rb CHANGED

@@ -17,6 +17,7 @@ module Decidim
       include Decidim::LocaleSwitcher
       include ImpersonateUsers
       include NeedsPermission
+      include Decidim::SafeRedirect
       helper Decidim::TranslationsHelper
       helper Decidim::MetaTagsHelper
@@ -43,9 +44,9 @@ module Decidim
       end
       def store_current_location
-        return if params[:redirect_url].blank? || !request.format.html?
+        return if redirect_url.blank? || !request.format.html?
-        store_location_for(:user, params[:redirect_url])
+        store_location_for(:user, redirect_url)
       end
     end
   end

data/app/controllers/concerns/decidim/force_authentication.rb ADDED

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+module Decidim
+  # Shared behaviour for force_users_to_authenticate_before_access_organization
+  module ForceAuthentication
+    extend ActiveSupport::Concern
+    included do
+      before_action :ensure_authenticated!, unless: :allow_unauthorized_path?
+    end
+    private
+    # For Devise helper functions, see:
+    # https://github.com/plataformatec/devise#getting-started
+    #
+    # Breaks the request lifecycle, if user is not authenticated.
+    # Otherwise returns.
+    def ensure_authenticated!
+      return true unless current_organization.force_users_to_authenticate_before_access_organization
+      # Next stop: Let's check whether auth is ok
+      unless user_signed_in?
+        flash[:warning] = t("actions.login_before_access", scope: "decidim.core")
+        return redirect_to decidim.new_user_session_path
+      end
+    end
+    # Check for all paths that should be allowed even if the user is not yet
+    # authorized
+    def allow_unauthorized_path?
+      # Changing the locale
+      return true if %r{^\/locale}.match?(request.path) || %r{^\/cookies}.match?(request.path)
+      false
+    end
+  end
+end

data/app/controllers/concerns/decidim/impersonate_users.rb CHANGED

@@ -36,6 +36,7 @@ module Decidim
       # Returns the managed user impersonated by an admin if exists
       def managed_user
         return unless can_impersonate_users?
         impersonation_log&.user
       end

data/app/controllers/concerns/decidim/locale_switcher.rb CHANGED

@@ -10,19 +10,18 @@ module Decidim
     included do
       around_action :switch_locale
       helper_method :current_locale, :available_locales, :default_locale
-      before_action :set_locale
       # Sets the locale for the current session.
-      #
+      # Saves current locale in a session variable in case some links are locale-orphaned
       # Returns nothing.
       def switch_locale(&action)
-        locale = if params["locale"]
-                   params["locale"]
-                 elsif current_user && current_user.locale.present?
-                   current_user.locale
-                 end
-        I18n.with_locale(available_locales.include?(locale) ? locale : default_locale, &action)
+        locale = detect_locale
+        if available_locales.include?(locale)
+          session[:user_locale] = locale
+        else
+          locale = default_locale
+        end
+        I18n.with_locale(locale, &action)
       end
       # Adds the current locale to all the URLs generated by url_for so users
@@ -57,17 +56,45 @@ module Decidim
         @default_locale ||= (current_organization || Decidim).public_send(:default_locale)
       end
-      # Save current locale in session variable
-      # to prevent unnecessary redirects
-      def set_locale
-        session[:user_locale] = params[:locale] if params[:locale].present?
-        locale = session[:user_locale] || extract_locale_from_accept_language_header
-        I18n.locale = available_locales.include?(locale) ? locale : I18n.default_locale
+      # Detects the locale priority: query string, user saved, session, browser
+      def detect_locale
+        if params[:locale].present?
+          params[:locale]
+        elsif current_user && current_user.locale.present?
+          current_user.locale
+        elsif session[:user_locale].present?
+          session[:user_locale]
+        else
+          extract_locale_from_accept_language_header
+        end
       end
+      # Finds a suitable language or returns nil
+      # Follows the RFC 2616 rules with this particularities:
+      # if no language matches, goes for the 2 chars prefixes
+      # i.e.: pt-BR is available locale but user requests pt, then pt-BR will be served
+      #     pt is available locale but user requests pt-BR, then pt will be served
       def extract_locale_from_accept_language_header
-        lang = request.env["HTTP_ACCEPT_LANGUAGE"] || I18n.locale.to_s
-        lang.scan(/\A^[a-z]{2}\z/).first
+        return nil unless request.env["HTTP_ACCEPT_LANGUAGE"]
+        accept_langs = request.env["HTTP_ACCEPT_LANGUAGE"].gsub(/[^a-z0-9\-;,=.]/i, "")
+        langs_and_qs = accept_langs.split(",").each_with_index.map do |l, i|
+          l += ";q=1.0" unless l =~ /;q=\d+(?:\.\d+)?$/
+          parts = l.split(";q=")
+          [parts[0], parts[1].to_f - (i.to_f / 1000)]
+        end
+        langs_and_qs = langs_and_qs.sort_by { |(_l, q)| q }.reverse
+        lang = langs_and_qs.detect do |(locale, _q)|
+          locale == "*" || available_locales.map(&:to_s).include?(locale.to_s)
+        end
+        lang &&= lang.first
+        # if no language detected go for RFC 2616 non-compliant (check prefixes)
+        lang ||= available_locales.detect do |available|
+          langs_and_qs.any? { |locale, _q| locale.to_s[0..1] == available.to_s[0..1] }
+        end
+        lang == "*" ? nil : lang
       end
     end
   end

data/app/controllers/concerns/decidim/needs_tos_accepted.rb CHANGED

@@ -13,6 +13,7 @@ module Decidim
     private
     def tos_accepted_by_user
+      return true unless request.format.html?
       return true unless current_user
       return if current_user.tos_accepted?
       return if permitted_paths?
@@ -40,6 +41,13 @@ module Decidim
     end
     def redirect_to_tos
+      # Store the location where the user needs to be redirected to after the
+      # TOS is agreed.
+      store_location_for(
+        current_user,
+        stored_location_for(current_user) || request.path
+      )
       flash[:notice] = flash[:notice] if flash[:notice]
       flash[:secondary] = t("required_review.alert", scope: "decidim.pages.terms_and_conditions")
       redirect_to tos_path

data/app/controllers/concerns/decidim/orderable.rb ADDED

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+require "active_support/concern"
+module Decidim
+  # Common logic to ordering resources
+  module Orderable
+    extend ActiveSupport::Concern
+    included do
+      helper_method :order, :available_orders, :random_seed
+      private
+      # Gets how the proposals should be ordered based on the choice
+      # made by the user.
+      def order
+        @order ||= detect_order(params[:order]) || default_order
+      end
+      def detect_order(candidate)
+        available_orders.detect { |order| order == candidate }
+      end
+      def default_order
+        "random"
+      end
+      # Returns: A random float number between -1 and 1 to be used as a
+      # random seed at the database.
+      def random_seed
+        @random_seed ||= session.fetch(:random_seed, (rand * 2 - 1)).to_f
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/participatory_space_context.rb CHANGED

@@ -50,6 +50,7 @@ module Decidim
       )
       raise NotImplementedError unless manifest
       manifest
     end
@@ -72,6 +73,7 @@ module Decidim
     def check_current_user_can_visit_space
       return if current_user_can_visit_space?
       flash[:alert] = I18n.t("participatory_space_private_users.not_allowed", scope: "decidim")
       redirect_to action: "index"
     end

data/app/controllers/concerns/decidim/safe_redirect.rb ADDED

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+require "active_support/concern"
+module Decidim
+  # This concern groups methods and helpers related to redirecting the user from URL params.
+  module SafeRedirect
+    extend ActiveSupport::Concern
+    included do
+      helper_method :redirect_url
+      # Sanitizes the redirect url only allowing relative paths or absolute URLs
+      # that match the current organization.
+      def redirect_url
+        return if params[:redirect_url].blank?
+        return params[:redirect_url] unless params[:redirect_url].start_with?("http")
+        return if URI.parse(params[:redirect_url]).host != current_organization.host
+        params[:redirect_url]
+      end
+    end
+  end
+end

data/app/controllers/decidim/application_controller.rb CHANGED

@@ -11,6 +11,8 @@ module Decidim
     include NeedsTosAccepted
     include HttpCachingDisabler
     include ActionAuthorization
+    include ForceAuthentication
+    include SafeRedirect
     helper Decidim::MetaTagsHelper
     helper Decidim::DecidimFormHelper
@@ -50,12 +52,26 @@ module Decidim
     # In Devise controllers we only store the URL if it's from the params, we don't
     # want to overwrite the stored URL for a Devise one.
     def store_current_location
-      return if (devise_controller? && params[:redirect_url].blank?) || !request.format.html?
+      return if skip_store_location?
-      value = params[:redirect_url] || request.url
+      value = redirect_url || request.url
       store_location_for(:user, value)
     end
+    def skip_store_location?
+      # Skip if Devise already handles the redirection
+      return true if devise_controller? && redirect_url.blank?
+      # Skip for all non-HTML requests"
+      return true unless request.format.html?
+      # Skip if a signed in user requests the TOS page without having agreed to
+      # the TOS. Most of the times this is because of a redirect to the TOS
+      # page (in which case the desired location is somewhere else after the
+      # TOS is agreed).
+      return true if current_user && !current_user.tos_accepted? && request.path == tos_path
+      false
+    end
     def user_has_no_permission_path
       decidim.root_path
     end
@@ -77,6 +93,7 @@ module Decidim
     def track_continuity_badge
       return unless current_user
       Decidim::ContinuityBadgeTracker.new(current_user).track!(Time.zone.today)
     end
   end

data/app/controllers/decidim/devise/confirmations_controller.rb CHANGED

@@ -8,6 +8,12 @@ module Decidim
       helper_method :new_user_group_session_path
+      def create
+        super do |resource|
+          resource.errors.delete(:decidim_organization_id) if resource.errors.any?
+        end
+      end
       # Since we're using a single Devise installation for multiple
       # organizations, and user emails can be repeated across organizations,
       # we need to identify the user by both the email and the organization.

data/app/controllers/decidim/devise/invitations_controller.rb CHANGED

@@ -25,10 +25,14 @@ module Decidim
       # When a managed user accepts the invitation is promoted to non-managed user.
       def accept_resource
         resource = resource_class.accept_invitation!(update_resource_params)
-        resource.update!(newsletter_notifications_at: Time.current) if update_resource_params[:newsletter_notifications]
-        resource.update!(managed: false) if resource.managed?
-        resource.update!(accepted_tos_version: resource.organization.tos_version)
-        Decidim::Gamification.increment_score(resource.invited_by, :invitations) if resource.invited_by
+        if resource.valid? && resource.invitation_accepted?
+          resource.update!(newsletter_notifications_at: Time.current) if update_resource_params[:newsletter_notifications]
+          resource.update!(managed: false) if resource.managed?
+          resource.update!(accepted_tos_version: resource.organization.tos_version)
+          Decidim::Gamification.increment_score(resource.invited_by, :invitations) if resource.invited_by
+        end
         resource
       end

data/app/controllers/decidim/devise/omniauth_registrations_controller.rb CHANGED

@@ -24,7 +24,8 @@ module Decidim
               set_flash_message :notice, :success, kind: @form.provider.capitalize
             else
               expire_data_after_sign_in!
-              redirect_to root_path
+              user.resend_confirmation_instructions unless user.confirmed?
+              redirect_to decidim.root_path
               flash[:notice] = t("devise.registrations.signed_up_but_unconfirmed")
             end
           end
@@ -66,6 +67,7 @@ module Decidim
       def action_missing(action_name)
         return send(:create) if devise_mapping.omniauthable? && User.omniauth_providers.include?(action_name.to_sym)
         raise AbstractController::ActionNotFound, "The action '#{action_name}' could not be found for Decidim::Devise::OmniauthCallbacksController"
       end
@@ -79,6 +81,7 @@ module Decidim
       # Since we are using trusted omniauth data we are generating a valid signature.
       def user_params_from_oauth_hash
         return nil if oauth_data.empty?
         {
           provider: oauth_data[:provider],
           uid: oauth_data[:uid],

data/app/controllers/decidim/errors_controller.rb CHANGED

@@ -2,6 +2,9 @@
 module Decidim
   class ErrorsController < Decidim::ApplicationController
+    skip_before_action :verify_authenticity_token
+    skip_after_action :verify_same_origin_request
     def not_found
       render status: :not_found
     end

data/app/controllers/decidim/follows_controller.rb CHANGED

@@ -17,7 +17,7 @@ module Decidim
         end
         on(:invalid) do
-          render json: { error: I18n.t("follows.destroy.error", scope: "decidim") }, status: 422
+          render json: { error: I18n.t("follows.destroy.error", scope: "decidim") }, status: :unprocessable_entity
         end
       end
     end
@@ -33,7 +33,7 @@ module Decidim
         end
         on(:invalid) do
-          render json: { error: I18n.t("follows.create.error", scope: "decidim") }, status: 422
+          render json: { error: I18n.t("follows.create.error", scope: "decidim") }, status: :unprocessable_entity
         end
       end
     end

data/app/controllers/decidim/messaging/conversations_controller.rb CHANGED

@@ -37,7 +37,7 @@ module Decidim
           end
           on(:invalid) do
-            render json: { error: I18n.t("messaging.conversations.create.error", scope: "decidim") }, status: 422
+            render json: { error: I18n.t("messaging.conversations.create.error", scope: "decidim") }, status: :unprocessable_entity
           end
         end
       end
@@ -67,7 +67,7 @@ module Decidim
           end
           on(:invalid) do
-            render json: { error: I18n.t("messaging.conversations.update.error", scope: "decidim") }, status: 422
+            render json: { error: I18n.t("messaging.conversations.update.error", scope: "decidim") }, status: :unprocessable_entity
           end
         end
       end

data/app/controllers/decidim/profiles_controller.rb CHANGED

@@ -16,6 +16,7 @@ module Decidim
     def show
       return redirect_to profile_timeline_path(nickname: params[:nickname]) if profile_holder == current_user
       return redirect_to profile_members_path if profile_holder.is_a?(Decidim::UserGroup)
       redirect_to profile_activity_path(nickname: params[:nickname])
     end
@@ -64,10 +65,12 @@ module Decidim
     end
     def ensure_profile_holder
-      raise ActionController::RoutingError, "No user or user group with the given nickname" unless profile_holder
+      raise ActionController::RoutingError, "No user or user group with the given nickname" if !profile_holder || profile_holder.nickname.blank?
     end
     def profile_holder
+      return if params[:nickname].blank?
       @profile_holder ||= Decidim::User.find_by(
         nickname: params[:nickname],
         organization: current_organization

data/app/controllers/decidim/scopes_controller.rb CHANGED

@@ -8,12 +8,11 @@ module Decidim
     def picker
       enforce_permission_to :pick, :scope
-      title = params[:title] || t("decidim.scopes.picker.title", field: params[:field]&.downcase)
-      root = current_organization.scopes.find(params[:root]) if params[:root]
       context = root ? { root: root.id, title: title } : { title: title }
       required = params[:required] && params[:required] != "false"
-      if params[:current]
-        current = (root&.descendants || current_organization.scopes).find_by(id: params[:current]) || root
+      current = (root&.descendants || current_organization.scopes).find_by(id: params[:current]) if params[:current].present?
+      if current
         scopes = current.children
         parent_scopes = current.part_of_scopes(root)
       else
@@ -21,8 +20,21 @@ module Decidim
         scopes = root&.children || current_organization.scopes.top_level
         parent_scopes = [root].compact
       end
       render :picker, layout: nil, locals: { required: required, title: title, root: root, current: current, scopes: scopes.order(name: :asc),
                                              parent_scopes: parent_scopes, global_value: params[:global_value], context: context }
     end
+    private
+    def title
+      @title ||= params[:title] || t("decidim.scopes.picker.title", field: params[:field]&.downcase)
+    end
+    def root
+      return if params[:root].blank?
+      @root ||= current_organization.scopes.find(params[:root])
+    end
   end
 end