decidim-core 0.25.0 → 0.26.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 42e511f59400c64469c3f38cc07211386f55536c8e8d1b83403a45cf3257feea
-  data.tar.gz: 1dc8707d02a1971035ff9ef3b809b4f0bcc7af556c6972959d44a17f137cfc39
+  metadata.gz: '008fc01a452a6ce6800305e9cd20ebaf12adade8db7b13aa2f62d5d11bf07eb0'
+  data.tar.gz: 9acc5acf5b9e95057be4731b089fb383e45f2ac90065d978e7f23f8a97dac4e6
 SHA512:
-  metadata.gz: e3c25eaf439667b98da4de8e71676f41a0cbf1e53181c0275e97080ea3a8342605931683a7a6c324296ce4a5f98d9d165a920878957104db179d4c1d61eca4e4
-  data.tar.gz: fdb4bfcbeab070cd3ad4a8f1b0eb212112f31901422d7ea60cbfbad2f457ed7f802b2a9bd98d83c87e38261b1e4b9d4dc604f12cc11a88f594a4b1a93c42eec8
+  metadata.gz: 5edc8e0a59cf89167962340fe5fca99b5ddd5257f1dd936b0e8a9c8e3f620f8cdd8596b1d831c2886750d94764dd009453fa117c347ba00020ceb6eefa8f911f
+  data.tar.gz: 7538bffa5a162c3e4777fc9317f529854e664540dcf77da130c6a08362afa37bff8a84d78b29ae78b04cf2f370b6c582da21a8fdeebdbf447cf360cf82419f63

data/app/cells/decidim/activity_cell.rb

@@ -92,10 +92,11 @@ module Decidim
 
     def cache_hash
       hash = []
+      hash << I18n.locale.to_s
       hash << model.class.name.underscore
       hash << model.cache_key_with_version
 
-      hash.join("/")
+      hash.join(Decidim.cache_key_separator)
     end
 
     private

data/app/cells/decidim/author/flag_user.erb

@@ -1,5 +1,5 @@
 <% if user_flaggable? && model.try(:id) != current_user.try(:id) %>
-  <button type="button" class="link-alt" data-open="<%= current_user.present? ? "flagUserModal" : "loginModal" %>" title="<%= t("report", scope: "decidim.proposals.proposals.show") %>" aria-controls="<%= current_user.present? ? "flagUserModal" : "loginModal" %>" aria-haspopup="true" tabindex="0">
+  <button type="button" class="link-alt" data-open="<%= current_user.present? ? "flagUserModal" : "loginModal" %>" title="<%= t("report", scope: "decidim.proposals.proposals.show") %>" aria-controls="<%= current_user.present? ? "flagUserModal" : "loginModal" %>" aria-haspopup="dialog" tabindex="0">
     <%= icon "flag", aria_hidden: true, class: "icon--small", role: "img", "aria-hidden": true %>
     <span class="show-for-sr">
         <%= t("report", scope: "decidim.proposals.proposals.show") %>

data/app/cells/decidim/author/profile_inline.erb

@@ -1,5 +1,5 @@
 <span class="author__avatar">
-  <%= image_tag model.avatar_url, alt: t("decidim.author.avatar", name: decidim_sanitize(author_name)) %>
+  <%= image_tag model.avatar_url(:thumb), alt: t("decidim.author.avatar", name: decidim_sanitize(author_name)) %>
 </span>
 
 <% if model.deleted? %>

data/app/cells/decidim/author/withdraw.erb

@@ -1,6 +1,6 @@
 <% if withdrawable? %>
-  <%= action_authorized_link_to :withdraw, withdraw_path, method: :put, class: "title-action__action button small hollow", title: t("withdraw_btn_hint", scope: "decidim.proposals.proposals.show"), data: { confirm: t("withdraw_confirmation_html", scope: "decidim.proposals.proposals.show") } do %>
-    <%= t("withdraw_proposal", scope: "decidim.proposals.proposals.show") %>
+  <%= action_authorized_link_to :withdraw, withdraw_path, method: :put, class: "title-action__action button small hollow", title: t("withdraw_btn_hint", scope: resource_i18n_scope ), data: { confirm: t("withdraw_confirmation_html", scope: resource_i18n_scope ) } do %>
+    <%= t("withdraw_#{resource_name}", scope: resource_i18n_scope) %>
     <%= icon "x", role: "img", "aria-hidden": true %>
   <% end %>
 <% end %>

data/app/cells/decidim/author_cell.rb

@@ -55,8 +55,28 @@ module Decidim
       render
     end
 
+    def perform_caching?
+      true
+    end
+
     private
 
+    def cache_hash
+      hash = []
+
+      hash.push(I18n.locale)
+      hash.push(model.cache_key_with_version) if model.respond_to?(:cache_key_with_version)
+      hash.push(current_user.try(:id))
+      hash.push(current_user.present?)
+      hash.push(commentable?)
+      hash.push(endorsable?)
+      hash.push(actionable?)
+      hash.push(withdrawable?)
+      hash.push(flaggable?)
+      hash.push(profile_path?)
+      hash.join(Decidim.cache_key_separator)
+    end
+
     def from_context_path
       resource_locator(from_context).path
     end
@@ -111,5 +131,17 @@ module Decidim
     def raw_model
       model.try(:__getobj__) || model
     end
+
+    def resource_i18n_scope
+      @resource_i18n_scope ||= [
+        from_context.class.name.deconstantize.underscore.gsub("/", "."),
+        resource_name.pluralize,
+        :show
+      ].join(".")
+    end
+
+    def resource_name
+      @resource_name ||= from_context.class.name.demodulize.underscore
+    end
   end
 end

data/app/cells/decidim/card_m_cell.rb

@@ -64,7 +64,7 @@ module Decidim
       attribute = model.try(:short_description) || model.try(:body) || model.description
       text = translated_attribute(attribute)
 
-      decidim_sanitize(html_truncate(text, length: 100))
+      decidim_sanitize_editor(html_truncate(text, length: 100))
     end
 
     def has_authors?

data/app/cells/decidim/content_blocks/cta_cell.rb

@@ -16,7 +16,7 @@ module Decidim
       end
 
       def translated_description
-        @translated_description ||= decidim_sanitize(translated_attribute(model.settings.description))
+        @translated_description ||= decidim_sanitize_editor(translated_attribute(model.settings.description))
       end
 
       def button_url

data/app/cells/decidim/content_blocks/hero_cell.rb

@@ -30,7 +30,7 @@ module Decidim
         hash << current_organization.cache_key_with_version
         hash << I18n.locale.to_s
 
-        hash.join("/")
+        hash.join(Decidim.cache_key_separator)
       end
     end
   end

data/app/cells/decidim/content_blocks/highlighted_content_banner/show.erb

@@ -7,7 +7,7 @@
           <%= translated_attribute current_organization.highlighted_content_banner_title %>
         </h1>
         <span class="text-highlight">
-          <%= decidim_sanitize translated_attribute current_organization.highlighted_content_banner_short_description %>
+          <%= decidim_sanitize_editor translated_attribute current_organization.highlighted_content_banner_short_description %>
         </span>
       </div>
       <div class="columns large-2">

data/app/cells/decidim/content_blocks/how_to_participate/show.erb

@@ -41,7 +41,7 @@
     <div class="row">
       <div class="columns small-centered small-10
                 smallmedium-8 medium-6 large-4">
-        <%= link_to t("decidim.pages.home.extended.more_info", resource_name: translated_attribute(current_organization.name, current_organization)), decidim.page_path("faq"), class: "button expanded hollow button--sc" %>
+        <%= link_to t("decidim.pages.home.extended.more_info", resource_name: translated_attribute(current_organization.name, current_organization)), decidim.pages_path, class: "button expanded hollow button--sc" %>
       </div>
     </div>
   </div>

data/app/cells/decidim/content_blocks/last_activity_cell.rb

@@ -52,7 +52,7 @@ module Decidim
         hash << Digest::MD5.hexdigest(valid_activities.map(&:cache_key_with_version).to_s)
         hash << I18n.locale.to_s
 
-        hash.join("/")
+        hash.join(Decidim.cache_key_separator)
       end
 
       def activities

data/app/cells/decidim/content_blocks/stats_cell.rb

@@ -3,9 +3,21 @@
 module Decidim
   module ContentBlocks
     class StatsCell < Decidim::ViewModel
+      cache :show, expires_in: 10.minutes, if: :perform_caching? do
+        cache_hash
+      end
+
       def stats
         @stats ||= HomeStatsPresenter.new(organization: current_organization)
       end
+
+      private
+
+      def cache_hash
+        hash = []
+        hash.push(I18n.locale)
+        hash.join(Decidim.cache_key_separator)
+      end
     end
   end
 end

data/app/cells/decidim/endorsers_list_cell.rb

@@ -23,7 +23,9 @@ module Decidim
     #
     # Returns an Array of presented Users/UserGroups
     def endorsers
-      @endorsers ||= model.endorsements.for_listing.map { |identity| present(identity.normalized_author) }
+      @endorsers ||= model.endorsements.for_listing
+                          .includes(:author, :user_group)
+                          .map { |identity| present(identity.normalized_author) }
     end
   end
 end

data/app/cells/decidim/flag_modal/flag_user.erb

@@ -1,6 +1,6 @@
-<div class="reveal flag-modal" id="flagUserModal" data-reveal>
+<div class="reveal flag-modal" id="flagUserModal" data-reveal role="dialog" aria-modal="true" aria-labelledby="flagUserModal-label">
   <div class="reveal__header">
-    <h3 class="reveal__title"><%= t("decidim.shared.flag_user_modal.title") %></h3>
+    <h3 id="flagUserModal-label" class="reveal__title"><%= t("decidim.shared.flag_user_modal.title") %></h3>
     <button class="close-button" data-close aria-label="<%= t("decidim.shared.flag_user_modal.close") %>" type="button">
       <span aria-hidden="true">&times;</span>
     </button>

data/app/cells/decidim/flag_modal/show.erb

@@ -1,6 +1,6 @@
-<div class="reveal flag-modal" id="<%= modal_id %>" data-reveal>
+<div class="reveal flag-modal" id="<%= modal_id %>" data-reveal role="dialog" aria-modal="true" aria-labelledby="<%= modal_id %>-label">
   <div class="reveal__header">
-    <h3 class="reveal__title"><%= t("decidim.shared.flag_modal.title") %></h3>
+    <h3 id="<%= modal_id %>-label" class="reveal__title"><%= t("decidim.shared.flag_modal.title") %></h3>
     <button class="close-button" data-close aria-label="<%= t("decidim.shared.flag_modal.close") %>" type="button">
       <span aria-hidden="true">&times;</span>
     </button>

data/app/cells/decidim/flag_modal_cell.rb

@@ -8,6 +8,16 @@ module Decidim
       render
     end
 
+    def cache_hash
+      hash = []
+      hash.push(I18n.locale)
+      hash.push(current_user.try(:id))
+      hash.push(model.reported_by?(current_user) ? 1 : 0)
+      hash.push(model.class.name.gsub("::", ":"))
+      hash.push(model.id)
+      hash.join(Decidim.cache_key_separator)
+    end
+
     private
 
     def user_report_form

data/app/cells/decidim/following/show.erb

@@ -1,9 +1,18 @@
-<div class="empty-notifications callout secondary <%= "hide" if followings.any? %>">
-  <p><%= t("decidim.following.no_followings") %></p>
-</div>
-<div class="row small-up-1 medium-up-2 card-grid">
-  <% followings.each do |following| %>
-    <%= card_for following, context: { label: true, show_space: true } %>
+<% if public_followings.any? %>
+  <% if non_public_followings? %>
+    <div class="empty-notifications callout secondary">
+      <p><%= t("decidim.following.non_public_followings") %></p>
+    </div>
   <% end %>
-</div>
-<%= decidim_paginate followings %>
+
+  <div class="row small-up-1 medium-up-2 card-grid">
+    <% public_followings.each do |followable| %>
+      <%= card_for followable, context: { label: true, show_space: true } %>
+    <% end %>
+  </div>
+  <%= decidim_paginate public_followings %>
+<% else %>
+  <div class="empty-notifications callout secondary">
+    <p><%= t("decidim.following.no_followings") %></p>
+  </div>
+<% end %>

data/app/cells/decidim/following_cell.rb

@@ -11,8 +11,12 @@ module Decidim
       render :show
     end
 
-    def followings
-      @followings ||= Kaminari.paginate_array(model.following).page(params[:page]).per(20)
+    def public_followings
+      @public_followings ||= Kaminari.paginate_array(model.public_followings).page(params[:page]).per(20)
+    end
+
+    def non_public_followings?
+      public_followings.count < model.following_count
     end
   end
 end

data/app/cells/decidim/notification/show.erb

@@ -0,0 +1,31 @@
+<div class="card card--widget">
+  <ul class="card-data">
+    <li class="card-data__item">
+      <div class="card__link text-center">
+        <%= resource_icon notification.resource, class: "icon--large" %>
+        <span class="text-medium mt-xs" title="<%= l(notification.created_at) %>" data-tooltip="true" data-disable-hover="false">
+          <%= notification.created_at_in_words %>
+        </span>
+      </div>
+    </li>
+    <li class="card-data__item card-data__item--expand absolutes">
+      <div class="mr-s">
+        <span class="text-small"><%= notification.event_class.constantize.model_name.human %></span>
+        <br>
+        <span>
+          <%= notification.event_class_instance.notification_title %>
+        </span>
+        <% if notification.display_resource_text? %>
+          <p>
+            <em><%= notification.resource_text %></em>
+          </p>
+        <% end %>
+      </div>
+      <div class="right center mr-s">
+        <%= link_to model, remote: true, method: :delete, class: "mark-as-read-button" do %>
+          <%= icon "circle-x", class: "card__link", aria_label: t("mark_as_read", scope: "layouts.decidim.notifications_dashboard"), role: "img" %>
+        <% end %>
+      </div>
+    </li>
+  </ul>
+</div>

data/app/cells/decidim/notification_cell.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Decidim
+  # This cell renders a notification from a notifications collection
+
+  class NotificationCell < Decidim::ViewModel
+    include Decidim::IconHelper
+    include Decidim::Core::Engine.routes.url_helpers
+
+    def show
+      render :show
+    end
+
+    private
+
+    def notification
+      @notification ||= Decidim::NotificationPresenter.new(model)
+    end
+  end
+end

data/app/cells/decidim/notifications/show.erb

@@ -17,30 +17,7 @@
   </div>
 
   <% notifications.select(&:resource).each do |notification| %>
-    <div class="card card--widget">
-      <ul class="card-data">
-        <li class="card-data__item">
-          <div class="card__link text-center">
-            <%= resource_icon notification.resource, class: "icon--large" %>
-            <span class="text-medium mt-xs"><%= l notification.created_at, format: :day_of_week_long %></span>
-          </div>
-        </li>
-        <li class="card-data__item card-data__item--expand absolutes">
-          <div class="mr-s">
-            <span class="text-small"><%= notification.event_class.constantize.model_name.human %></span>
-            <br>
-            <span>
-              <%= notification.event_class_instance.notification_title %>
-            </span>
-          </div>
-          <div class="right center mr-s">
-            <%= link_to notification, remote: true, method: :delete, class: "mark-as-read-button" do %>
-              <%= icon "circle-x", class: "card__link", aria_label: t("mark_as_read", scope: "layouts.decidim.notifications_dashboard"), role: "img" %>
-            <% end %>
-          </div>
-        </li>
-      </ul>
-    </div>
+    <%= cell("decidim/notification", notification) %>
   <% end %>
 </div>
 

data/app/cells/decidim/notifications_cell.rb

@@ -3,7 +3,6 @@
 module Decidim
   class NotificationsCell < Decidim::ViewModel
     include Decidim::CellsPaginateHelper
-    include Decidim::IconHelper
     include Decidim::Core::Engine.routes.url_helpers
 
     helper_method :notifications

data/app/cells/decidim/user_conversation/conversation_header.erb

@@ -9,6 +9,6 @@
   <% end %>
 
   <div class="ml-s">
-    <%= t("decidim.user_conversations.show.title", usernames: interlocutors_names) %>
+    <%= t("decidim.user_conversations.show.title", usernames: interlocutors_names).html_safe %>
   </div>
 </div>

data/app/cells/decidim/user_conversation/show.erb

@@ -10,10 +10,12 @@
         <% end %>
       </div>
 
-      <% if conversation.accept_user?(user) %>
+      <% if conversation.with_deleted_users?(user) %>
+        <div class="callout warning margin-top-2"><%= t "decidim.user_conversations.show.deleted_accounts" %></div>
+      <% elsif conversation.accept_user?(user) %>
         <%= render view: :reply, locals: { title: t("decidim.user_conversations.reply.title_reply") } %>
       <% else %>
-        <em><%= t "decidim.user_conversations.show.not_allowed" %></em>
+        <div class="callout warning margin-top-2"><%= t "decidim.user_conversations.show.not_allowed" %></div>
       <% end %>
     </div>
   </div>

data/app/cells/decidim/user_conversations/conversation_item.erb

@@ -10,7 +10,7 @@
     </li>
     <li class="card-data__item card--list__item card-data__item--expand absolutes">
       <div class="mr-s">
-        <%= t("decidim.user_conversations.index.from") %>: <strong><%= conversation_interlocutors(conversation) %></strong>
+        <%= t("decidim.user_conversations.index.from") %>: <strong><%= conversation_interlocutors(conversation).html_safe %></strong>
         <br>
         <span class="muted">
           <%= truncate conversation.last_message.body, length: 150 %>

data/app/commands/decidim/create_editor_image.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Decidim
+  # A command with all the business logic to create an editor image.
+  class CreateEditorImage < Rectify::Command
+    # Public: Initializes the command.
+    #
+    # form - A form object with the params.
+    def initialize(form)
+      @form = form
+    end
+
+    # Executes the command. Broadcasts these events:
+    #
+    # - :ok when everything is valid.
+    # - :invalid if the form wasn't valid and we couldn't proceed.
+    #
+    # Returns nothing.
+    def call
+      return broadcast(:invalid) if form.invalid?
+
+      transaction do
+        create_editor_image
+      end
+
+      broadcast(:ok, @editor_image)
+    end
+
+    private
+
+    attr_reader :form
+
+    def create_editor_image
+      @editor_image = EditorImage.create!(
+        decidim_author_id: form.current_user.id,
+        organization: form.organization,
+        file: form.file
+      )
+    end
+  end
+end

data/app/controllers/concerns/decidim/disable_redirection_to_external_host.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module DisableRedirectionToExternalHost
+    extend ActiveSupport::Concern
+
+    included do
+      def redirect_back(fallback_location:, allow_other_host: true, **args) # rubocop:disable Lint/UnusedMethodArgument
+        super fallback_location: fallback_location, allow_other_host: Decidim.allow_open_redirects, **args
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/safe_redirect.rb

@@ -14,10 +14,21 @@ module Decidim
       # that match the current organization.
       def redirect_url
         return if params[:redirect_url].blank?
-        return params[:redirect_url] unless params[:redirect_url].start_with?("http")
-        return if URI.parse(params[:redirect_url]).host != current_organization.host
 
-        params[:redirect_url]
+        # Parse given URL
+        target_uri = URI.parse(params[:redirect_url])
+
+        # Add the organization host to the URL if not present
+        target_uri = URI.join("#{request.scheme}://#{current_organization.host}", target_uri) unless target_uri.host
+
+        # Don't allow URLs without host or with a different host than the organization one
+        return if target_uri.host != current_organization.host
+
+        # Convert the URI to relative
+        target_uri.scheme = target_uri.host = target_uri.port = nil
+
+        # Return the relative URL
+        target_uri.to_s
       end
     end
   end

data/app/controllers/decidim/application_controller.rb

@@ -19,6 +19,7 @@ module Decidim
     include SafeRedirect
     include NeedsSnippets
     include UserBlockedChecker
+    include DisableRedirectionToExternalHost
 
     helper Decidim::MetaTagsHelper
     helper Decidim::DecidimFormHelper

data/app/controllers/decidim/cookie_policy_controller.rb

@@ -10,6 +10,8 @@ module Decidim
         Decidim.config.consent_cookie_name,
         value: "true",
         path: "/",
+        httponly: true,
+        secure: request.session_options[:secure],
         expires: 1.year.from_now.utc
       )
 

data/app/controllers/decidim/editor_images_controller.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Decidim
+  class EditorImagesController < Decidim::ApplicationController
+    include FormFactory
+
+    # overwrite original rescue_from to ensure we print messages from ajax methods (update)
+    rescue_from Decidim::ActionForbidden, with: :ajax_user_has_no_permission
+
+    def create
+      enforce_permission_to :create, :editor_image
+
+      @form = form(EditorImageForm).from_params(form_values)
+
+      CreateEditorImage.call(@form) do
+        on(:ok) do |image|
+          render json: { url: image.attached_uploader(:file).path, message: I18n.t("success", scope: "decidim.editor_images.create") }
+        end
+
+        on(:invalid) do |_message|
+          render json: { message: I18n.t("error", scope: "decidim.editor_images.create") }, status: :unprocessable_entity
+        end
+      end
+    end
+
+    private
+
+    # Rescue ajax calls and print the update.js view which prints the info on the message ajax form
+    # Only if the request is AJAX, otherwise behave as Decidim standards
+    def ajax_user_has_no_permission
+      return user_has_no_permission unless request.xhr?
+
+      render json: { message: I18n.t("actions.unauthorized", scope: "decidim.core") }, status: :unprocessable_entity
+    end
+
+    def form_values
+      {
+        file: params[:image],
+        author_id: current_user.id
+      }
+    end
+
+    def permission_scope
+      :admin
+    end
+  end
+end

data/app/controllers/decidim/user_activities_controller.rb

@@ -12,7 +12,8 @@ module Decidim
     helper_method :activities, :resource_types, :user
 
     def index
-      raise ActionController::RoutingError, "Blocked User" if user&.blocked? && !current_user&.admin?
+      raise ActionController::RoutingError, "Missing user: #{params[:nickname]}" unless user
+      raise ActionController::RoutingError, "Blocked User" if user.blocked? && !current_user&.admin?
     end
 
     private

data/app/forms/decidim/editor_image_form.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Decidim
+  class EditorImageForm < Decidim::Form
+    mimic :editor_image
+
+    attribute :file
+    attribute :author_id, Integer
+
+    validates :author_id, presence: true
+    validates :file, presence: true
+    validates :file, passthru: { to: Decidim::EditorImage }
+
+    alias organization current_organization
+  end
+end

data/app/helpers/decidim/amendments_helper.rb

@@ -136,7 +136,7 @@ module Decidim
 
       return body unless rich_text_editor_in_public_views?
 
-      decidim_sanitize(body)
+      decidim_sanitize_editor(body)
     end
 
     # Return the edited field value or presents the original attribute value in a form.

data/app/helpers/decidim/application_helper.rb

@@ -15,7 +15,7 @@ module Decidim
     # options - A Hash with the options to truncate the text (default: {}):
     #           :length - An Integer number with the max length of the text.
     #           :separator - A String to append to the text when it's being
-    #           truncated. See `truncato` gem for more options.
+    #           truncated.
     #
     # Returns a String.
     def html_truncate(text, options = {})
@@ -25,7 +25,7 @@ module Decidim
       options[:count_tail] ||= false
       options[:tail_before_final_tag] = true unless options.has_key?(:tail_before_final_tag)
 
-      Truncato.truncate(text, options)
+      Decidim::HtmlTruncation.new(text, options).perform
     end
 
     def present(object, presenter_class: nil)