decidim-core 0.26.3 → 0.26.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3cbd72f4c386bc8730dfa1d3958a691c5ed719b3cf43b15f778d2011ae5a7f0d
-  data.tar.gz: 32e72e8185fc2f28f0298ef2a9a0350cd8b436e1a39bda136fe82c9da5644433
+  metadata.gz: 8937550934aed6ed69fa84837edbbc2902c5fd6779654a5180a63abbfe25d700
+  data.tar.gz: ba86b8da585b54db8845cf1d5e476086db70d03920f99ddf3a32cbe023521992
 SHA512:
-  metadata.gz: 3d7a4d41fa9aeb76c68e21e5a486b8a3149d117a956c4d0ec17020db1abad1c8a8ce1316ba014a158bbb2fe254ebc0db4b4923a756d0f97997c06bb128c3e440
-  data.tar.gz: e282e746492e32a9e85edb4b72ede7804be3b5b7fd9567e49eac2ba6b9430f6d46da2596f044b87fa520fb4cde0e92259c40695837c87d6fb0943f2c244fa8e2
+  metadata.gz: de40caba191fb9ff0b88bbf9055fbb4592fcc12352c6e35d21d812e87399b1772254d669438ade3ada960ca994247ab87b3eb4743e80df9121cb3bb07c6a9f18
+  data.tar.gz: c115b3d2e531d0b0d8e43f7b41a863dc51eb2c076bc8c4f2c8731e642fb191115b2fdf6aebe6a3cf28c48fb746c3e9cec85ea9a5be630d382ee695cff238278f

data/app/cells/decidim/amendable/announcement_cell.rb

@@ -39,7 +39,7 @@ module Decidim::Amendable
     end
 
     def proposal_link(resource = model.amendable, text = nil)
-      text ||= %(<strong>#{present(model.amendable).title}</strong>)
+      text ||= %(<strong>#{decidim_sanitize(present(model.amendable).title, strip_tags: true)}</strong>)
       link_to resource_locator(resource).path do
         text
       end

data/app/cells/decidim/card_m_cell.rb

@@ -57,7 +57,7 @@ module Decidim
     end
 
     def title
-      translated_attribute model.title
+      decidim_html_escape(translated_attribute(model.title))
     end
 
     def description

data/app/cells/decidim/newsletter_templates/base_cell.rb

@@ -25,6 +25,14 @@ module Decidim
       def recipient_user
         options[:recipient_user]
       end
+
+      def custom_url_for_mail_root
+        options[:custom_url_for_mail_root]
+      end
+
+      def decidim
+        @decidim ||= EngineRouter.new("decidim", {})
+      end
     end
   end
 end

data/app/cells/decidim/newsletter_templates/basic_only_text/show.erb

@@ -16,7 +16,7 @@
               <tr>
                 <th>
                   <center>
-                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization } %>
+                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization, custom_url_for_mail_root: custom_url_for_mail_root } %>
                   </center>
                 </th>
               </tr>
@@ -27,7 +27,7 @@
               <tr>
                 <th>
                   <% if organization.official_img_header.attached? %>
-                    <%= link_to organization.official_url do %>
+                    <%= link_to newsletter.organization_official_url do %>
                       <%= image_tag organization.attached_uploader(:official_img_header).path, alt: "", style: "max-height: 50px", class: "float-right" %>
                     <% end %>
                   <% end %>
@@ -72,8 +72,8 @@
           <th class="expander"></th>
           <th class="small-12 first columns cityhall-bar">
             <div class="decidim-logo" style="float: right; text-align: right; padding-right: 16px">
-              <% if @custom_url_for_mail_root.present? %>
-                <%= link_to organization.name.html_safe, @custom_url_for_mail_root %>
+              <% if custom_url_for_mail_root.present? %>
+                <%= link_to organization.name.html_safe, custom_url_for_mail_root %>
               <% else %>
                 <%= link_to organization.name.html_safe, decidim.root_url(host: organization.host) %>
               <% end %>

data/app/cells/decidim/newsletter_templates/image_text_cta/show.erb

@@ -24,7 +24,7 @@ table.button table td {
               <tr>
                 <th>
                   <center>
-                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization } %>
+                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization, custom_url_for_mail_root: custom_url_for_mail_root } %>
                   </center>
                 </th>
               </tr>
@@ -35,7 +35,7 @@ table.button table td {
               <tr>
                 <th>
                   <% if organization.official_img_header.attached? %>
-                    <%= link_to organization.official_url do %>
+                    <%= link_to newsletter.organization_official_url do %>
                       <%= image_tag organization.attached_uploader(:official_img_header).url(host: organization.host), alt: "", style: "max-height: 50px", class: "float-right" %>
                     <% end %>
                   <% end %>
@@ -111,8 +111,8 @@ table.button table td {
           <th class="expander"></th>
           <th class="small-12 first columns cityhall-bar">
             <div class="decidim-logo" style="float: right; text-align: right; padding-right: 16px">
-              <% if @custom_url_for_mail_root.present? %>
-                <%= link_to organization.name.html_safe, @custom_url_for_mail_root %>
+              <% if custom_url_for_mail_root.present? %>
+                <%= link_to organization.name.html_safe, custom_url_for_mail_root %>
               <% else %>
                 <%= link_to organization.name.html_safe, decidim.root_url(host: organization.host) %>
               <% end %>

data/app/commands/decidim/unendorse_resource.rb

@@ -31,7 +31,7 @@ module Decidim
       query = if @current_group.present?
                 @resource.endorsements.where(decidim_user_group_id: @current_group&.id)
               else
-                @resource.endorsements.where(author: @current_user)
+                @resource.endorsements.where(author: @current_user, decidim_user_group_id: nil)
               end
       query.destroy_all
     end

data/app/controllers/decidim/devise/invitations_controller.rb

@@ -19,7 +19,7 @@ module Decidim
       # invitation. Using the param `invite_redirect` we can redirect the user
       # to a custom path after it has accepted the invitation.
       def after_accept_path_for(resource)
-        params[:invite_redirect] || after_sign_in_path_for(resource)
+        invite_redirect_path || after_sign_in_path_for(resource)
       end
 
       # When a managed user accepts the invitation is promoted to non-managed user.
@@ -30,7 +30,6 @@ module Decidim
           resource.update!(newsletter_notifications_at: Time.current) if update_resource_params[:newsletter_notifications]
           resource.update!(managed: false) if resource.managed?
           resource.update!(accepted_tos_version: resource.organization.tos_version)
-          Decidim::Gamification.increment_score(resource.invited_by, :invitations) if resource.invited_by
         end
 
         resource
@@ -38,6 +37,14 @@ module Decidim
 
       protected
 
+      def invite_redirect_path
+        path = params[:invite_redirect]
+        return unless path
+        return unless path.starts_with?(%r{^/[a-z0-9]+})
+
+        path
+      end
+
       def configure_permitted_parameters
         devise_parameter_sanitizer.permit(:accept_invitation, keys: [:nickname, :tos_agreement, :newsletter_notifications])
       end

data/app/controllers/decidim/devise/registrations_controller.rb

@@ -58,6 +58,10 @@ module Decidim
         super(hash)
         resource.organization = current_organization
       end
+
+      def devise_mapping
+        ::Devise.mappings[:user]
+      end
     end
   end
 end

data/app/controllers/decidim/groups_controller.rb

@@ -7,6 +7,7 @@ module Decidim
     include UserGroups
 
     before_action :enforce_user_groups_enabled
+    before_action :ensure_user_group_not_blocked
 
     def new
       enforce_permission_to :create, :user_group, current_user: current_user
@@ -73,6 +74,10 @@ module Decidim
 
     private
 
+    def ensure_user_group_not_blocked
+      raise ActionController::RoutingError, "Blocked User Group" if user_group&.blocked?
+    end
+
     def accepted_user_group
       @accepted_user_group ||= Decidim::UserGroups::AcceptedUserGroups.for(current_user).find_by(nickname: params[:id])
     end

data/app/controllers/decidim/links_controller.rb

@@ -7,9 +7,11 @@ module Decidim
     skip_before_action :store_current_location
 
     helper Decidim::ExternalDomainHelper
+    helper_method :external_url
 
     before_action :parse_url
     rescue_from Decidim::InvalidUrlError, with: :invalid_url
+    rescue_from URI::InvalidURIError, with: :invalid_url
 
     def new
       headers["X-Robots-Tag"] = "noindex"
@@ -25,7 +27,7 @@ module Decidim
     def parse_url
       raise Decidim::InvalidUrlError unless external_url
 
-      parts = external_url.match %r{^(([a-z]+):)?//([^/]+)(/.*)?$}
+      parts = external_url.match %r{\A(([a-z]+):)?//([^/]+)(/.*)?\z}
       raise Decidim::InvalidUrlError unless parts
 
       @url_parts = {
@@ -36,7 +38,7 @@ module Decidim
     end
 
     def external_url
-      @external_url ||= params[:external_url]
+      @external_url ||= URI.parse(params[:external_url]).to_s
     end
   end
 end

data/app/controllers/decidim/profiles_controller.rb

@@ -13,7 +13,7 @@ module Decidim
     before_action :ensure_profile_holder
     before_action :ensure_profile_holder_is_a_group, only: [:members]
     before_action :ensure_profile_holder_is_a_user, only: [:groups, :following]
-    before_action :ensure_user_not_blocked, only: [:following, :followers, :badges]
+    before_action :ensure_user_not_blocked
 
     def show
       return redirect_to profile_timeline_path(nickname: params[:nickname]) if profile_holder == current_user

data/app/forms/decidim/account_form.rb

@@ -19,9 +19,9 @@ module Decidim
     attribute :personal_url
     attribute :about
 
-    validates :name, presence: true
-    validates :email, presence: true, 'valid_email_2/email': { disposable: true }
-    validates :nickname, presence: true, format: Decidim::User::REGEXP_NICKNAME
+    validates :name, presence: true, format: { with: Decidim::User::REGEXP_NAME }
+    validates :email, presence: true, "valid_email_2/email": { disposable: true }
+    validates :nickname, presence: true, format: { with: Decidim::User::REGEXP_NICKNAME }
 
     validates :nickname, length: { maximum: Decidim::User.nickname_max_length, allow_blank: true }
     validates :password, confirmation: true

data/app/forms/decidim/amendable/form.rb

@@ -66,7 +66,8 @@ module Decidim
           errors = amendable_form_errors.details[key] - @original_form.errors.details[key]
 
           errors.map do |hash|
-            @amendable_form.errors.add(key, hash[:error]) unless @amendable_form.errors.details[key].include? error: hash[:error]
+            error = hash.delete(:error)
+            @amendable_form.errors.add(key, error, **hash) unless @amendable_form.errors.details[key].include?(error: error)
           end
         end
       end

data/app/forms/decidim/registration_form.rb

@@ -14,9 +14,9 @@ module Decidim
     attribute :tos_agreement, Boolean
     attribute :current_locale, String
 
-    validates :name, presence: true
-    validates :nickname, presence: true, format: /\A[\w\-]+\z/, length: { maximum: Decidim::User.nickname_max_length }
-    validates :email, presence: true, 'valid_email_2/email': { disposable: true }
+    validates :name, presence: true, format: { with: Decidim::User::REGEXP_NAME }
+    validates :nickname, presence: true, format: { with: Decidim::User::REGEXP_NICKNAME }, length: { maximum: Decidim::User.nickname_max_length }
+    validates :email, presence: true, "valid_email_2/email": { disposable: true }
     validates :password, confirmation: true
     validates :password, password: { name: :name, email: :email, username: :nickname }
     validates :password_confirmation, presence: true

data/app/helpers/decidim/icon_helper.rb

@@ -24,7 +24,7 @@ module Decidim
     #
     # Returns an HTML tag with the icon.
     def manifest_icon(manifest, options = {})
-      if manifest.icon
+      if manifest.respond_to?(:icon) && manifest.icon.present?
         external_icon manifest.icon, options
       else
         icon "question-mark", options
@@ -42,9 +42,9 @@ module Decidim
     def resource_icon(resource, options = {})
       if resource.class.name == "Decidim::Comments::Comment"
         icon "comment-square", options
-      elsif resource.respond_to?(:component)
+      elsif resource.respond_to?(:component) && resource.component.present?
         component_icon(resource.component, options)
-      elsif resource.respond_to?(:manifest)
+      elsif resource.respond_to?(:manifest) && resource.manifest.present?
         manifest_icon(resource.manifest, options)
       elsif resource.is_a?(Decidim::User)
         icon "person", options

data/app/helpers/decidim/newsletters_helper.rb

@@ -31,6 +31,7 @@ module Decidim
     # this method is used to generate the root link on mail with the utm_codes
     # If the newsletter_id is nil, it returns the root_url
     def custom_url_for_mail_root(organization, newsletter_id = nil)
+      decidim = EngineRouter.new("decidim", {})
       if newsletter_id.present?
         decidim.root_url(host: organization.host) + utm_codes(organization.host, newsletter_id.to_s)
       else

data/app/mailers/decidim/newsletter_mailer.rb

@@ -11,14 +11,20 @@ module Decidim
 
     helper_method :cell
 
-    def newsletter(user, newsletter)
+    def newsletter(user, newsletter, preview: false)
       return if user.email.blank?
 
       @organization = user.organization
       @newsletter = newsletter
       @user = user
-
-      @custom_url_for_mail_root = custom_url_for_mail_root(@organization, @newsletter.id) if Decidim.config.track_newsletter_links
+      @preview = preview
+
+      @custom_url_for_mail_root =
+        if @preview
+          "#"
+        elsif Decidim.config.track_newsletter_links
+          custom_url_for_mail_root(@organization, @newsletter.id)
+        end
       @encrypted_token = Decidim::NewsletterEncryptor.sent_at_encrypted(@user.id, @newsletter.sent_at)
 
       with_user(user) do
@@ -40,6 +46,7 @@ module Decidim
         organization: @organization,
         newsletter: @newsletter,
         recipient_user: @user,
+        custom_url_for_mail_root: @custom_url_for_mail_root,
         context: {
           controller: self
         }

data/app/mailers/decidim/notification_mailer.rb

@@ -5,6 +5,7 @@ module Decidim
   # a events are received.
   class NotificationMailer < Decidim::ApplicationMailer
     helper Decidim::ResourceHelper
+    helper Decidim::SanitizeHelper
 
     def event_received(event, event_class_name, resource, user, user_role, extra) # rubocop:disable Metrics/ParameterLists
       with_user(user) do

data/app/models/decidim/newsletter.rb

@@ -56,6 +56,24 @@ module Decidim
                     .find_by(scoped_resource_id: id)
     end
 
+    def url(**kwargs)
+      proxy_url(:newsletter_url, id: id, **kwargs)
+    end
+
+    def notifications_settings_url(**kwargs)
+      proxy_url(__method__, **kwargs)
+    end
+
+    def unsubscribe_newsletters_url(**kwargs)
+      proxy_url(__method__, **kwargs)
+    end
+
+    def organization_official_url
+      return "#" unless sent?
+
+      organization.official_url || proxy_url(:root_url)
+    end
+
     private
 
     def author_belongs_to_organization
@@ -63,5 +81,15 @@ module Decidim
 
       errors.add(:author, :invalid) unless author.organization == organization
     end
+
+    def proxy_url(method, **kwargs)
+      return "#" unless sent?
+
+      router.public_send(method, host: organization.host, **kwargs)
+    end
+
+    def router
+      @router ||= EngineRouter.new("decidim", {})
+    end
   end
 end

data/app/models/decidim/user.rb

@@ -35,8 +35,6 @@ module Decidim
     has_many :access_grants, class_name: "Doorkeeper::AccessGrant", foreign_key: :resource_owner_id, dependent: :destroy
     has_many :access_tokens, class_name: "Doorkeeper::AccessToken", foreign_key: :resource_owner_id, dependent: :destroy
 
-    has_one :blocking, class_name: "Decidim::UserBlock", foreign_key: :id, primary_key: :block_id, dependent: :destroy
-
     validates :name, presence: true, unless: -> { deleted? }
     validates :nickname,
               presence: true,

data/app/models/decidim/user_base_entity.rb

@@ -17,6 +17,8 @@ module Decidim
     has_many :notifications, foreign_key: "decidim_user_id", class_name: "Decidim::Notification", dependent: :destroy
     has_many :following_follows, foreign_key: "decidim_user_id", class_name: "Decidim::Follow", dependent: :destroy
 
+    has_one :blocking, class_name: "Decidim::UserBlock", foreign_key: :id, primary_key: :block_id, dependent: :destroy
+
     # Regex for name & nickname format validations
     REGEXP_NAME = /\A(?!.*[<>?%&\^*#@()\[\]=+:;"{}\\|])/.freeze
 

data/app/models/decidim/user_block.rb

@@ -4,7 +4,7 @@ module Decidim
   class UserBlock < ApplicationRecord
     MINIMUM_JUSTIFICATION_LENGTH = 15
 
-    belongs_to :user, class_name: "Decidim::User", foreign_key: :decidim_user_id
-    belongs_to :blocking_user, class_name: "Decidim::User"
+    belongs_to :user, class_name: "Decidim::UserBaseEntity", foreign_key: :decidim_user_id
+    belongs_to :blocking_user, class_name: "Decidim::UserBaseEntity"
   end
 end

data/app/models/decidim/user_group.rb

@@ -21,7 +21,7 @@ module Decidim
              foreign_key: :decidim_user_id,
              source: :user
 
-    validates :name, presence: true, uniqueness: { scope: :decidim_organization_id }
+    validates :name, presence: true, uniqueness: { scope: :decidim_organization_id }, unless: -> { blocked? }
 
     validate :correct_state
     validate :unique_document_number, if: :has_document_number?

data/app/packs/src/decidim/editor/clipboard_override.js

@@ -0,0 +1,143 @@
+/* eslint max-lines: ["error", 350] */
+
+/**
+ * Quill clipboard utilities
+ *
+ * Copyright (c) 2017, Slab
+ * Copyright (c) 2014, Jason Chen
+ * Copyright (c) 2013, salesforce.com
+ * BSD 3-Clause "New" or "Revised" License
+ *
+ * Extends the original version from https://github.com/quilljs/quill
+ * Relevant parts converted from TypeScript to JavaScript
+ */
+
+import CodeBlock from "quill/formats/code";
+import { matchNewline, matchBreak, deltaEndsWith, traverse } from "src/decidim/editor/clipboard_utilities";
+
+const Delta = Quill.import("delta");
+const Clipboard = Quill.import("modules/clipboard");
+
+/**
+ * Pasting bold text is broken in Quill as described at:
+ * https://github.com/quilljs/quill/issues/306
+ *
+ * The reason is that the `<strong>` nodes are not recognized as bold types.
+ * This override fixes the issue by introducing parts of the newer Quill code
+ * at GitHub and defining the `<strong>` tags as bold tags.
+ */
+export default class ClipboardOverride extends Clipboard {
+  constructor(quill, options) {
+    super(quill, options);
+    this.overrideMatcher("b", "b, strong");
+    this.overrideMatcher("br", "br", matchBreak);
+
+    // Change the matchNewLine matchers to the newer version
+    this.matchers[1][1] = matchNewline;
+    this.matchers[3][1] = matchNewline;
+
+    // Remove `matchSpacing` as that is also removed in the newer versions.
+    this.removeMatcher(Node.ELEMENT_NODE, "matchSpacing");
+  }
+
+  overrideMatcher(originalSelector, newSelector, newMatcher = null) {
+    const idx = this.matchers.findIndex((item) => item[0] === originalSelector);
+    if (idx >= 0) {
+      this.matchers[idx][0] = newSelector;
+      if (newMatcher) {
+        this.matchers[idx][1] = newMatcher;
+      }
+    }
+  }
+
+  removeMatcher(selector, matcherName) {
+    const idx = this.matchers.findIndex((item) => item[0] === selector && item[1].name === matcherName);
+    if (idx >= 0) {
+      this.matchers.splice(idx, 1);
+    }
+  }
+
+  onPaste(ev) {
+    if (ev.defaultPrevented || !this.quill.isEnabled()) {
+      return;
+    }
+    ev.preventDefault();
+    const range = this.quill.getSelection(true);
+    if (range === null) {
+      return;
+    }
+    const html = ev.clipboardData.getData("text/html");
+    const text = ev.clipboardData.getData("text/plain");
+    const files = Array.from(ev.clipboardData.files || []);
+    if (!html && files.length > 0) {
+      this.quill.uploader.upload(range, files);
+      return;
+    }
+    if (html && files.length > 0) {
+      const doc = new DOMParser().parseFromString(html, "text/html");
+      if (
+        doc.body.childElementCount === 1 &&
+        doc.body.firstElementChild.tagName === "IMG"
+      ) {
+        this.quill.uploader.upload(range, files);
+        return;
+      }
+    }
+    this.onPasteRange(range, { html, text });
+  }
+
+  onPasteRange(range, { text, html }) {
+    const formats = this.quill.getFormat(range.index);
+    const pastedDelta = this.convertPaste({ text, html }, formats);
+    // debug.log('onPaste", pastedDelta, { text, html });
+    const delta = new Delta().retain(range.index).delete(range.length).concat(pastedDelta);
+    this.quill.updateContents(delta, Quill.sources.USER);
+    // range.length contributes to delta.length()
+    this.quill.setSelection(
+      delta.length() - range.length,
+      Quill.sources.SILENT,
+    );
+    this.quill.scrollIntoView();
+  }
+
+  convertPaste({ html, text }, formats = {}) {
+    if (formats[CodeBlock.blotName]) {
+      return new Delta().insert(text, {
+        [CodeBlock.blotName]: formats[CodeBlock.blotName]
+      });
+    }
+    if (!html) {
+      return new Delta().insert(text || "");
+    }
+    const delta = this.convertPasteHTML(html);
+    // Remove trailing newline
+    if (
+      deltaEndsWith(delta, "\n") &&
+      (delta.ops[delta.ops.length - 1].attributes === null || formats.table)
+    ) {
+      return delta.compose(new Delta().retain(delta.length() - 1).delete(1));
+    }
+    return delta;
+  }
+
+  convertPasteHTML(html) {
+    const doc = new DOMParser().parseFromString(html, "text/html");
+    const container = doc.body;
+    const nodeMatches = new WeakMap();
+    const [elementMatchers, textMatchers] = this.prepareMatching(
+      container,
+      nodeMatches
+    );
+    return traverse(
+      this.quill.scroll,
+      container,
+      elementMatchers,
+      textMatchers,
+      nodeMatches
+    );
+  }
+}
+
+// Disable warning messages from overwritting modules
+Quill.debug("error");
+Quill.register({"modules/clipboard": ClipboardOverride}, true);