decidim-core 0.27.0 → 0.27.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d066aea0f8b2cede42dcd7ac23f6a22d8685f45e776cd5f7e2a8a39a8498ee9
-  data.tar.gz: a5536659a0c2c25cedde842b9c3f747e428a9b9b667d69bbf04c64bb9ef98125
+  metadata.gz: 391ba34f55c860208f7644dd10b1b3e2b6465ed45b9e9f9fd194ce1036516995
+  data.tar.gz: 93636f8d556d73547fcdff45986fcc85ba4a22e9c399fdeca0c550ee6c241363
 SHA512:
-  metadata.gz: a818266bb8122ab36bedb0aac0991a98ac0eb460482b4d1c4188eab66136fadda00ffe7d8452735598a2ee8a2198670d25d57afe6a2b4c7a3761bd21cac41655
-  data.tar.gz: e5c1b93af9f057e33a773e443a3badc07c20af25be4f874ad1ed6219cbf92ed82bd0e91d9aeb48534ef90952087f0be26a718b872afe71254085ca9629e8dd25
+  metadata.gz: 157c005fbea98fe374586f91f15f17bc54450d6e4b6f7136d51582d5cae7af9442d250edbbf4fe2a4308aac902ba0eb28c49681153dcda6b6948f8589414e930
+  data.tar.gz: 8ebc9089ad86980956ded3024d490f419bf8015ae0dc4b3fe6e003d415010de8ed28751bd0c168cf526c8a17f5db50467c9223242c2150cf600304990e1eda04

data/app/cells/decidim/amendable/announcement_cell.rb

@@ -36,7 +36,7 @@ module Decidim::Amendable
     end
 
     def proposal_link(resource = model.amendable, text = nil)
-      text ||= %(<strong>#{present(model.amendable).title}</strong>)
+      text ||= %(<strong>#{decidim_sanitize(present(model.amendable).title, strip_tags: true)}</strong>)
       link_to resource_locator(resource).path do
         text
       end

data/app/cells/decidim/card_m_cell.rb

@@ -57,7 +57,7 @@ module Decidim
     end
 
     def title
-      translated_attribute model.title
+      decidim_html_escape(translated_attribute(model.title))
     end
 
     def description

data/app/cells/decidim/newsletter_templates/base_cell.rb

@@ -25,6 +25,14 @@ module Decidim
       def recipient_user
         options[:recipient_user]
       end
+
+      def custom_url_for_mail_root
+        options[:custom_url_for_mail_root]
+      end
+
+      def decidim
+        @decidim ||= EngineRouter.new("decidim", {})
+      end
     end
   end
 end

data/app/cells/decidim/newsletter_templates/basic_only_text/show.erb

@@ -16,7 +16,7 @@
               <tr>
                 <th>
                   <center>
-                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization } %>
+                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization, custom_url_for_mail_root: custom_url_for_mail_root } %>
                   </center>
                 </th>
               </tr>
@@ -27,7 +27,7 @@
               <tr>
                 <th>
                   <% if organization.official_img_header.attached? %>
-                    <%= link_to organization.official_url do %>
+                    <%= link_to newsletter.organization_official_url do %>
                       <%= image_tag organization.attached_uploader(:official_img_header).path, alt: "", style: "max-height: 50px", class: "float-right" %>
                     <% end %>
                   <% end %>
@@ -72,8 +72,8 @@
           <th class="expander"></th>
           <th class="small-12 first columns cityhall-bar">
             <div class="decidim-logo" style="float: right; text-align: right; padding-right: 16px">
-              <% if @custom_url_for_mail_root.present? %>
-                <%= link_to organization.name.html_safe, @custom_url_for_mail_root %>
+              <% if custom_url_for_mail_root.present? %>
+                <%= link_to organization.name.html_safe, custom_url_for_mail_root %>
               <% else %>
                 <%= link_to organization.name.html_safe, decidim.root_url(host: organization.host) %>
               <% end %>

data/app/cells/decidim/newsletter_templates/image_text_cta/show.erb

@@ -24,7 +24,7 @@ table.button table td {
               <tr>
                 <th>
                   <center>
-                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization } %>
+                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization, custom_url_for_mail_root: custom_url_for_mail_root } %>
                   </center>
                 </th>
               </tr>
@@ -35,7 +35,7 @@ table.button table td {
               <tr>
                 <th>
                   <% if organization.official_img_header.attached? %>
-                    <%= link_to organization.official_url do %>
+                    <%= link_to newsletter.organization_official_url do %>
                       <%= image_tag organization.attached_uploader(:official_img_header).url(host: organization.host), alt: "", style: "max-height: 50px", class: "float-right" %>
                     <% end %>
                   <% end %>
@@ -111,8 +111,8 @@ table.button table td {
           <th class="expander"></th>
           <th class="small-12 first columns cityhall-bar">
             <div class="decidim-logo" style="float: right; text-align: right; padding-right: 16px">
-              <% if @custom_url_for_mail_root.present? %>
-                <%= link_to organization.name.html_safe, @custom_url_for_mail_root %>
+              <% if custom_url_for_mail_root.present? %>
+                <%= link_to organization.name.html_safe, custom_url_for_mail_root %>
               <% else %>
                 <%= link_to organization.name.html_safe, decidim.root_url(host: organization.host) %>
               <% end %>

data/app/cells/decidim/upload_modal_cell.rb

@@ -87,9 +87,18 @@ module Decidim
     end
 
     def explanation
-      return I18n.t("explanation", scope: options[:help_i18n_scope], attribute: attribute) if options[:help_i18n_scope].present?
+      i18n_options = {
+        scope: options[:help_i18n_scope].presence || "decidim.forms.upload_help",
+        attribute: attribute_translation
+      }
 
-      I18n.t("explanation", scope: "decidim.forms.upload_help", attribute: attribute)
+      I18n.t("explanation", **i18n_options)
+    end
+
+    def attribute_translation
+      I18n.t(attribute, scope: [:activemodel, :attributes, resource_class.constantize.model_name.param_key].join("."))
+    rescue NameError
+      I18n.t(attribute, scope: "activemodel.attributes")
     end
 
     def add_attribute
@@ -145,11 +154,7 @@ module Decidim
     end
 
     def file_name_for(attachment)
-      filename = determine_filename(attachment)
-
-      return "(#{filename})" if has_title?
-
-      filename
+      determine_filename(attachment)
     end
 
     def determine_filename(attachment)

data/app/commands/decidim/unendorse_resource.rb

@@ -31,7 +31,7 @@ module Decidim
       query = if @current_group.present?
                 @resource.endorsements.where(decidim_user_group_id: @current_group&.id)
               else
-                @resource.endorsements.where(author: @current_user)
+                @resource.endorsements.where(author: @current_user, decidim_user_group_id: nil)
               end
       query.destroy_all
     end

data/app/controllers/decidim/devise/invitations_controller.rb

@@ -21,7 +21,7 @@ module Decidim
       # invitation. Using the param `invite_redirect` we can redirect the user
       # to a custom path after it has accepted the invitation.
       def after_accept_path_for(resource)
-        params[:invite_redirect] || after_sign_in_path_for(resource)
+        invite_redirect_path || after_sign_in_path_for(resource)
       end
 
       # When a managed user accepts the invitation is promoted to non-managed user.
@@ -32,7 +32,6 @@ module Decidim
           resource.update!(newsletter_notifications_at: Time.current) if update_resource_params[:newsletter_notifications]
           resource.update!(managed: false) if resource.managed?
           resource.update!(accepted_tos_version: resource.organization.tos_version)
-          Decidim::Gamification.increment_score(resource.invited_by, :invitations) if resource.invited_by
         end
 
         resource
@@ -40,6 +39,14 @@ module Decidim
 
       protected
 
+      def invite_redirect_path
+        path = params[:invite_redirect]
+        return unless path
+        return unless path.starts_with?(%r{^/[a-z0-9]+})
+
+        path
+      end
+
       def configure_permitted_parameters
         devise_parameter_sanitizer.permit(:accept_invitation, keys: [:nickname, :tos_agreement, :newsletter_notifications])
       end

data/app/controllers/decidim/groups_controller.rb

@@ -7,6 +7,7 @@ module Decidim
     include UserGroups
 
     before_action :enforce_user_groups_enabled
+    before_action :ensure_user_group_not_blocked
 
     def new
       enforce_permission_to :create, :user_group, current_user: current_user
@@ -78,6 +79,10 @@ module Decidim
 
     private
 
+    def ensure_user_group_not_blocked
+      raise ActionController::RoutingError, "Blocked User Group" if user_group&.blocked?
+    end
+
     def accepted_user_group
       @accepted_user_group ||= Decidim::UserGroups::AcceptedUserGroups.for(current_user).find_by(nickname: params[:id])
     end

data/app/controllers/decidim/last_activities_controller.rb

@@ -33,8 +33,11 @@ module Decidim
 
     def search_collection
       ActionLog
-        .where(visibility: %w(public-only all))
-        .where(organization: current_organization)
+        .where(
+          organization: current_organization,
+          visibility: %w(public-only all)
+        )
+        .with_new_resource_type("all")
         .order(created_at: :desc)
     end
 

data/app/controllers/decidim/links_controller.rb

@@ -7,9 +7,11 @@ module Decidim
     skip_before_action :store_current_location
 
     helper Decidim::ExternalDomainHelper
+    helper_method :external_url
 
     before_action :parse_url
     rescue_from Decidim::InvalidUrlError, with: :invalid_url
+    rescue_from URI::InvalidURIError, with: :invalid_url
 
     def new
       headers["X-Robots-Tag"] = "noindex"
@@ -25,7 +27,7 @@ module Decidim
     def parse_url
       raise Decidim::InvalidUrlError unless external_url
 
-      parts = external_url.match %r{^(([a-z]+):)?//([^/]+)(/.*)?$}
+      parts = external_url.match %r{\A(([a-z]+):)?//([^/]+)(/.*)?\z}
       raise Decidim::InvalidUrlError unless parts
 
       @url_parts = {
@@ -36,7 +38,7 @@ module Decidim
     end
 
     def external_url
-      @external_url ||= params[:external_url]
+      @external_url ||= URI.parse(params[:external_url]).to_s
     end
   end
 end

data/app/controllers/decidim/profiles_controller.rb

@@ -13,7 +13,7 @@ module Decidim
     before_action :ensure_profile_holder
     before_action :ensure_profile_holder_is_a_group, only: [:members]
     before_action :ensure_profile_holder_is_a_user, only: [:groups, :following]
-    before_action :ensure_user_not_blocked, only: [:following, :followers, :badges]
+    before_action :ensure_user_not_blocked
 
     def show
       return redirect_to profile_timeline_path(nickname: params[:nickname]) if profile_holder == current_user

data/app/forms/decidim/account_form.rb

@@ -19,9 +19,9 @@ module Decidim
     attribute :personal_url
     attribute :about
 
-    validates :name, presence: true
+    validates :name, presence: true, format: { with: Decidim::User::REGEXP_NAME }
     validates :email, presence: true, "valid_email_2/email": { disposable: true }
-    validates :nickname, presence: true, format: Decidim::User::REGEXP_NICKNAME
+    validates :nickname, presence: true, format: { with: Decidim::User::REGEXP_NICKNAME }
 
     validates :nickname, length: { maximum: Decidim::User.nickname_max_length, allow_blank: true }
     validates :password, confirmation: true

data/app/forms/decidim/amendable/form.rb

@@ -66,7 +66,8 @@ module Decidim
           errors = amendable_form_errors.details[key] - @original_form.errors.details[key]
 
           errors.map do |hash|
-            @amendable_form.errors.add(key, hash[:error]) unless @amendable_form.errors.details[key].include? error: hash[:error]
+            error = hash.delete(:error)
+            @amendable_form.errors.add(key, error, **hash) unless @amendable_form.errors.details[key].include?(error: error)
           end
         end
       end

data/app/forms/decidim/registration_form.rb

@@ -14,8 +14,8 @@ module Decidim
     attribute :tos_agreement, Boolean
     attribute :current_locale, String
 
-    validates :name, presence: true
-    validates :nickname, presence: true, format: Decidim::User::REGEXP_NICKNAME, length: { maximum: Decidim::User.nickname_max_length }
+    validates :name, presence: true, format: { with: Decidim::User::REGEXP_NAME }
+    validates :nickname, presence: true, format: { with: Decidim::User::REGEXP_NICKNAME }, length: { maximum: Decidim::User.nickname_max_length }
     validates :email, presence: true, "valid_email_2/email": { disposable: true }
     validates :password, confirmation: true
     validates :password, password: { name: :name, email: :email, username: :nickname }

data/app/forms/decidim/upload_validation_form.rb

@@ -7,8 +7,8 @@ module Decidim
     include Decidim::HasUploadValidations
 
     attribute :resource_class, String
-    # Property is named as attribute in upload modal and passthru validator, but it
-    # cannot be named as attribute here.
+    # Property is named as attribute in upload modal and passthru validator, but
+    # it cannot be named as attribute here.
     attribute :property, String
     attribute :blob, String
     attribute :form_class, String
@@ -16,9 +16,22 @@ module Decidim
     validates :resource_class, presence: true
     validates :property, presence: true
     validates :blob, presence: true
-    validate :file, if: ->(form) { form.resource_class.present? && form.property.present? && form.blob.present? }
+    validate :file_validators, if: ->(form) { form.resource_class.present? && form.property.present? && form.blob.present? }
 
-    def file
+    alias organization current_organization
+
+    # This is a "trick" to provide the attachment context (i.e. admin or
+    # participant) to the attachment records being validated. This is to show
+    # the invalid content type / file extension errors with the correct file
+    # extensions that may be shown in the help text next to the upload
+    # drag'n'drop field.
+    def attached_to
+      @attached_to ||= AttachmentContextProxy.new(organization, attachment_context)
+    end
+
+    private
+
+    def file_validators
       org = organization
       PassthruValidator.new(
         attributes: [property],
@@ -31,8 +44,6 @@ module Decidim
       ).validate_each(self, property.to_sym, blob)
     end
 
-    private
-
     def validate_with
       if form_object_class && form_object_class._validators[property.to_sym].is_a?(Array) && form_object_class._validators[property.to_sym].size.positive?
         passthru = form_object_class._validators[property.to_sym].find { |v| v.is_a?(PassthruValidator) }
@@ -49,6 +60,39 @@ module Decidim
       end
     end
 
-    alias organization current_organization
+    # The attachment context (i.e. admin or participant) is determined using the
+    # form class name and checking if it contains the `Admin` namespace in it.
+    # And example use case is the attachment forms in the admin panel.
+    def attachment_context
+      return :participant unless form_object_class
+      return :admin if form_object_class.name.include? "::Admin::"
+
+      :participant
+    end
+
+    # This class provides ability to interpret the attachment context based on
+    # the details available within the context of this class. Normally the
+    # attachment context would be defined by the record to which the attachment
+    # are added to, e.g. proposals (participant contenxt) or participatory
+    # processes (admin context). Unfortunately this information is not available
+    # when the parameters are passed to the upload validation.
+    class AttachmentContextProxy
+      attr_reader :organization, :attachment_context
+
+      delegate :id, :_read_attribute, to: :organization
+
+      def initialize(organization, attachment_context)
+        @organization = organization
+        @attachment_context = attachment_context
+      end
+
+      def self.primary_key
+        :id
+      end
+
+      def self.polymorphic_name
+        "Decidim::Organization"
+      end
+    end
   end
 end

data/app/helpers/decidim/icon_helper.rb

@@ -24,7 +24,7 @@ module Decidim
     #
     # Returns an HTML tag with the icon.
     def manifest_icon(manifest, options = {})
-      if manifest.icon
+      if manifest.respond_to?(:icon) && manifest.icon.present?
         external_icon manifest.icon, options
       else
         icon "question-mark", options
@@ -42,9 +42,9 @@ module Decidim
     def resource_icon(resource, options = {})
       if resource.instance_of?(Decidim::Comments::Comment)
         icon "comment-square", options
-      elsif resource.respond_to?(:component)
+      elsif resource.respond_to?(:component) && resource.component.present?
         component_icon(resource.component, options)
-      elsif resource.respond_to?(:manifest)
+      elsif resource.respond_to?(:manifest) && resource.manifest.present?
         manifest_icon(resource.manifest, options)
       elsif resource.is_a?(Decidim::User)
         icon "person", options

data/app/helpers/decidim/layout_helper.rb

@@ -88,8 +88,11 @@ module Decidim
       classes = _icon_classes(options) + ["external-icon"]
 
       if path.split(".").last == "svg"
+        icon_path = application_path(path)
+        return unless icon_path
+
         attributes = { class: classes.join(" ") }.merge(options)
-        asset = File.read(application_path(path))
+        asset = File.read(icon_path)
         asset.gsub("<svg ", "<svg#{tag_builder.tag_options(attributes)} ").html_safe
       else
         image_pack_tag(path, class: classes.join(" "), style: "display: none")
@@ -97,9 +100,14 @@ module Decidim
     end
 
     def application_path(path)
-      img_path = asset_pack_path(path)
-      img_path = URI(img_path).path if Decidim.cors_enabled
-      Rails.root.join("public/#{img_path}")
+      # Force the path to be returned without the protocol and host even when a
+      # custom asset host has been defined. The host parameter needs to be a
+      # non-nil because otherwise it will be set to the asset host at
+      # ActionView::Helpers::AssetUrlHelper#compute_asset_host.
+      img_path = asset_pack_path(path, host: "", protocol: :relative)
+      Rails.public_path.join(img_path.sub(%r{^/}, ""))
+    rescue ::Webpacker::Manifest::MissingEntryError
+      nil
     end
 
     # Allows to create role attribute according to accessibility rules

data/app/helpers/decidim/newsletters_helper.rb

@@ -31,6 +31,7 @@ module Decidim
     # this method is used to generate the root link on mail with the utm_codes
     # If the newsletter_id is nil, it returns the root_url
     def custom_url_for_mail_root(organization, newsletter_id = nil)
+      decidim = EngineRouter.new("decidim", {})
       if newsletter_id.present?
         decidim.root_url(host: organization.host) + utm_codes(organization.host, newsletter_id.to_s)
       else

data/app/helpers/decidim/sanitize_helper.rb

@@ -37,7 +37,7 @@ module Decidim
     end
 
     def decidim_sanitize_editor(html, options = {})
-      content_tag(:div, decidim_sanitize(html, options), class: %w(ql-editor ql-reset-decidim))
+      content_tag(:div, decidim_sanitize(html, options), class: %w(ql-editor-display))
     end
 
     def decidim_sanitize_editor_admin(html, options = {})

data/app/mailers/decidim/newsletter_mailer.rb

@@ -11,14 +11,20 @@ module Decidim
 
     helper_method :cell
 
-    def newsletter(user, newsletter)
+    def newsletter(user, newsletter, preview: false)
       return if user.email.blank?
 
       @organization = user.organization
       @newsletter = newsletter
       @user = user
-
-      @custom_url_for_mail_root = custom_url_for_mail_root(@organization, @newsletter.id) if Decidim.config.track_newsletter_links
+      @preview = preview
+
+      @custom_url_for_mail_root =
+        if @preview
+          "#"
+        elsif Decidim.config.track_newsletter_links
+          custom_url_for_mail_root(@organization, @newsletter.id)
+        end
       @encrypted_token = Decidim::NewsletterEncryptor.sent_at_encrypted(@user.id, @newsletter.sent_at)
 
       with_user(user) do
@@ -40,6 +46,7 @@ module Decidim
         organization: @organization,
         newsletter: @newsletter,
         recipient_user: @user,
+        custom_url_for_mail_root: @custom_url_for_mail_root,
         context: {
           controller: self
         }

data/app/mailers/decidim/notification_mailer.rb

@@ -5,6 +5,7 @@ module Decidim
   # a events are received.
   class NotificationMailer < Decidim::ApplicationMailer
     helper Decidim::ResourceHelper
+    helper Decidim::SanitizeHelper
 
     def event_received(event, event_class_name, resource, user, user_role, extra) # rubocop:disable Metrics/ParameterLists
       with_user(user) do

data/app/mailers/decidim/notifications_digest_mailer.rb

@@ -5,6 +5,7 @@ module Decidim
   # a events are received.
   class NotificationsDigestMailer < Decidim::ApplicationMailer
     helper Decidim::ResourceHelper
+    helper Decidim::SanitizeHelper
     SIZE_LIMIT = 10
 
     def digest_mail(user, notification_ids)

data/app/models/decidim/newsletter.rb

@@ -56,6 +56,24 @@ module Decidim
                     .find_by(scoped_resource_id: id)
     end
 
+    def url(**kwargs)
+      proxy_url(:newsletter_url, id: id, **kwargs)
+    end
+
+    def notifications_settings_url(**kwargs)
+      proxy_url(__method__, **kwargs)
+    end
+
+    def unsubscribe_newsletters_url(**kwargs)
+      proxy_url(__method__, **kwargs)
+    end
+
+    def organization_official_url
+      return "#" unless sent?
+
+      organization.official_url || proxy_url(:root_url)
+    end
+
     private
 
     def author_belongs_to_organization
@@ -63,5 +81,15 @@ module Decidim
 
       errors.add(:author, :invalid) unless author.organization == organization
     end
+
+    def proxy_url(method, **kwargs)
+      return "#" unless sent?
+
+      router.public_send(method, host: organization.host, **kwargs)
+    end
+
+    def router
+      @router ||= EngineRouter.new("decidim", {})
+    end
   end
 end

data/app/models/decidim/user.rb

@@ -36,8 +36,6 @@ module Decidim
     has_many :access_tokens, class_name: "Doorkeeper::AccessToken", foreign_key: :resource_owner_id, dependent: :destroy
     has_many :reminders, foreign_key: "decidim_user_id", class_name: "Decidim::Reminder", dependent: :destroy
 
-    has_one :blocking, class_name: "Decidim::UserBlock", foreign_key: :id, primary_key: :block_id, dependent: :destroy
-
     validates :name, presence: true, unless: -> { deleted? }
     validates :nickname,
               presence: true,

data/app/models/decidim/user_base_entity.rb

@@ -17,6 +17,8 @@ module Decidim
     has_many :notifications, foreign_key: "decidim_user_id", class_name: "Decidim::Notification", dependent: :destroy
     has_many :following_follows, foreign_key: "decidim_user_id", class_name: "Decidim::Follow", dependent: :destroy
 
+    has_one :blocking, class_name: "Decidim::UserBlock", foreign_key: :id, primary_key: :block_id, dependent: :destroy
+
     # Regex for name & nickname format validations
     REGEXP_NAME = /\A(?!.*[<>?%&\^*#@()\[\]=+:;"{}\\|])/
 

data/app/models/decidim/user_block.rb

@@ -4,7 +4,7 @@ module Decidim
   class UserBlock < ApplicationRecord
     MINIMUM_JUSTIFICATION_LENGTH = 15
 
-    belongs_to :user, class_name: "Decidim::User", foreign_key: :decidim_user_id
-    belongs_to :blocking_user, class_name: "Decidim::User"
+    belongs_to :user, class_name: "Decidim::UserBaseEntity", foreign_key: :decidim_user_id
+    belongs_to :blocking_user, class_name: "Decidim::UserBaseEntity"
   end
 end

data/app/models/decidim/user_group.rb

@@ -21,7 +21,7 @@ module Decidim
              foreign_key: :decidim_user_id,
              source: :user
 
-    validates :name, presence: true, uniqueness: { scope: :decidim_organization_id }
+    validates :name, presence: true, uniqueness: { scope: :decidim_organization_id }, unless: -> { blocked? }
 
     validate :correct_state
     validate :unique_document_number, if: :has_document_number?