decidim-core 0.27.1 → 0.27.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d9cfa315481be2ecd36504616728a76d1c445b99a233f36e50db71a7351ac04b
-  data.tar.gz: d67d9216824b975d528f0e64a8f605eacc4849fb042836d63e5c2fe5bc4da218
+  metadata.gz: d6577740d87b562e24f541c4723480ec774239f69a389d4434536ab72be3b116
+  data.tar.gz: 8366df277375b9fadc5c96b4a9e647a0300057d7148eafcb672f3a57d3abd55f
 SHA512:
-  metadata.gz: 776eba5812d48f147afa41d5b0a2eab52d2c46ce2db9616bd784c2f784be2851eaa1e341439ba1ac13f9b8152e1a3fb09acdbe08e93a9e2e6721e7c9afb09982
-  data.tar.gz: eb00d8fe971338da9056eb5e6268934614f5803d1d102d643a14c7602e8323266195948a282220c1013c1f0e39511f8c5adc95aa9e843244be01904589eae57e
+  metadata.gz: f6f4e9e7bcf14ccc5943ec41d4468338d1cf62aec7d37b296d0fa37a3c1c7bc97711b06579d10b32167ce291b8d664989f90eecfcba9a94f228ff60e7e8698e0
+  data.tar.gz: 4fcd0dacd12572c3a4b404709ec632dcc6c5cc964dfd9dc29d92a4dd03da2b10ddc3e5df57a6ed91cb3f90e0dac70c4668ba89040f8cf5788e34d1f8e857d3b8

data/app/cells/decidim/newsletter_templates/base_cell.rb

@@ -25,6 +25,14 @@ module Decidim
       def recipient_user
         options[:recipient_user]
       end
+
+      def custom_url_for_mail_root
+        options[:custom_url_for_mail_root]
+      end
+
+      def decidim
+        @decidim ||= EngineRouter.new("decidim", {})
+      end
     end
   end
 end

data/app/cells/decidim/newsletter_templates/basic_only_text/show.erb

@@ -16,7 +16,7 @@
               <tr>
                 <th>
                   <center>
-                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization } %>
+                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization, custom_url_for_mail_root: custom_url_for_mail_root } %>
                   </center>
                 </th>
               </tr>
@@ -27,7 +27,7 @@
               <tr>
                 <th>
                   <% if organization.official_img_header.attached? %>
-                    <%= link_to organization.official_url do %>
+                    <%= link_to newsletter.organization_official_url do %>
                       <%= image_tag organization.attached_uploader(:official_img_header).path, alt: "", style: "max-height: 50px", class: "float-right" %>
                     <% end %>
                   <% end %>
@@ -72,8 +72,8 @@
           <th class="expander"></th>
           <th class="small-12 first columns cityhall-bar">
             <div class="decidim-logo" style="float: right; text-align: right; padding-right: 16px">
-              <% if @custom_url_for_mail_root.present? %>
-                <%= link_to organization.name.html_safe, @custom_url_for_mail_root %>
+              <% if custom_url_for_mail_root.present? %>
+                <%= link_to organization.name.html_safe, custom_url_for_mail_root %>
               <% else %>
                 <%= link_to organization.name.html_safe, decidim.root_url(host: organization.host) %>
               <% end %>

data/app/cells/decidim/newsletter_templates/image_text_cta/show.erb

@@ -24,7 +24,7 @@ table.button table td {
               <tr>
                 <th>
                   <center>
-                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization } %>
+                    <%= render partial: "layouts/decidim/mailer_logo.html", locals: { organization: organization, custom_url_for_mail_root: custom_url_for_mail_root } %>
                   </center>
                 </th>
               </tr>
@@ -35,7 +35,7 @@ table.button table td {
               <tr>
                 <th>
                   <% if organization.official_img_header.attached? %>
-                    <%= link_to organization.official_url do %>
+                    <%= link_to newsletter.organization_official_url do %>
                       <%= image_tag organization.attached_uploader(:official_img_header).url(host: organization.host), alt: "", style: "max-height: 50px", class: "float-right" %>
                     <% end %>
                   <% end %>
@@ -111,8 +111,8 @@ table.button table td {
           <th class="expander"></th>
           <th class="small-12 first columns cityhall-bar">
             <div class="decidim-logo" style="float: right; text-align: right; padding-right: 16px">
-              <% if @custom_url_for_mail_root.present? %>
-                <%= link_to organization.name.html_safe, @custom_url_for_mail_root %>
+              <% if custom_url_for_mail_root.present? %>
+                <%= link_to organization.name.html_safe, custom_url_for_mail_root %>
               <% else %>
                 <%= link_to organization.name.html_safe, decidim.root_url(host: organization.host) %>
               <% end %>

data/app/cells/decidim/upload_modal/files.erb

@@ -30,6 +30,7 @@
           add_attribute: add_attribute,
           resource_name: resource_name,
           resource_class: resource_class,
+          required: required?,
           optional: optional,
           max_file_size: max_file_size,
           multiple: multiple,

data/app/cells/decidim/upload_modal_cell.rb

@@ -5,6 +5,7 @@ module Decidim
   class UploadModalCell < Decidim::ViewModel
     include Cell::ViewModel::Partial
     include ERB::Util
+    include Decidim::SanitizeHelper
 
     alias form model
 
@@ -29,7 +30,7 @@ module Decidim
     end
 
     def label
-      options[:label]
+      form.send(:custom_label, attribute, options[:label], { required: required?, for: nil })
     end
 
     def button_label
@@ -72,8 +73,17 @@ module Decidim
       options[:multiple] || false
     end
 
+    # @deprecated Please use `required?` instead.
+    #
+    # NOTE: When this is removed, also the `optional` option should be removed.
     def optional
-      options[:optional]
+      !required?
+    end
+
+    def required?
+      return !options[:optional] if options.has_key?(:optional)
+
+      options[:required] == true
     end
 
     # By default Foundation adds form errors next to input, but since input is in the modal
@@ -81,15 +91,24 @@ module Decidim
     # This should only be necessary when file is required by the form.
     def input_validation_field
       object_name = form.object.present? ? "#{form.object.model_name.param_key}[#{add_attribute}_validation]" : "#{add_attribute}_validation"
-      input = check_box_tag object_name, 1, attachments.present?, class: "hide", label: false, required: !optional
+      input = check_box_tag object_name, 1, attachments.present?, class: "hide", label: false, required: required?
       message = form.send(:abide_error_element, add_attribute) + form.send(:error_and_help_text, add_attribute)
       input + message
     end
 
     def explanation
-      return I18n.t("explanation", scope: options[:help_i18n_scope], attribute: attribute) if options[:help_i18n_scope].present?
+      i18n_options = {
+        scope: options[:help_i18n_scope].presence || "decidim.forms.upload_help",
+        attribute: attribute_translation
+      }
 
-      I18n.t("explanation", scope: "decidim.forms.upload_help", attribute: attribute)
+      I18n.t("explanation", **i18n_options)
+    end
+
+    def attribute_translation
+      I18n.t(attribute, scope: [:activemodel, :attributes, resource_class.constantize.model_name.param_key].join("."))
+    rescue NameError
+      I18n.t(attribute, scope: "activemodel.attributes")
     end
 
     def add_attribute
@@ -133,7 +152,7 @@ module Decidim
     def title_for(attachment)
       return unless has_title?
 
-      translated_attribute(attachment.title)
+      decidim_html_escape(decidim_sanitize(translated_attribute(attachment.title)))
     end
 
     def truncated_file_name_for(attachment, max_length = 31)
@@ -145,11 +164,7 @@ module Decidim
     end
 
     def file_name_for(attachment)
-      filename = determine_filename(attachment)
-
-      return "(#{filename})" if has_title?
-
-      filename
+      determine_filename(attachment)
     end
 
     def determine_filename(attachment)

data/app/commands/decidim/attachment_methods.rb

@@ -12,8 +12,8 @@ module Decidim
       @attachment = Attachment.new(
         title: { I18n.locale => @form.attachment.title },
         attached_to: attached_to,
-        file: @form.attachment.file, # Define attached_to before this
-        content_type: @form.attachment.file.content_type
+        file: signed_id_for(@form.attachment.file),
+        content_type: content_type_for(@form.attachment.file)
       )
     end
 
@@ -53,5 +53,23 @@ module Decidim
     def delete_attachment?
       @form.attachment&.delete_file.present?
     end
+
+    protected
+
+    def signed_id_for(attachment)
+      return attachment[:file] if attachment.is_a?(Hash)
+
+      attachment
+    end
+
+    def content_type_for(attachment)
+      return attachment.content_type if attachment.instance_of?(ActionDispatch::Http::UploadedFile)
+
+      blob(signed_id_for(attachment)).content_type
+    end
+
+    def blob(signed_id)
+      ActiveStorage::Blob.find_signed(signed_id)
+    end
   end
 end

data/app/commands/decidim/create_registration.rb

@@ -41,6 +41,7 @@ module Decidim
         nickname: form.nickname,
         password: form.password,
         password_confirmation: form.password_confirmation,
+        password_updated_at: Time.current,
         organization: form.current_organization,
         tos_agreement: form.tos_agreement,
         newsletter_notifications_at: form.newsletter_at,

data/app/commands/decidim/gallery_methods.rb

@@ -24,7 +24,7 @@ module Decidim
     end
 
     def update_attachment_title_for(photo)
-      Decidim::Attachment.find(photo[:id]).update(title: title_for(photo))
+      Decidim::Attachment.find(photo[:id]).update(title: photos_title(photo))
     end
 
     def image?(signed_id)

data/app/commands/decidim/unendorse_resource.rb

@@ -31,7 +31,7 @@ module Decidim
       query = if @current_group.present?
                 @resource.endorsements.where(decidim_user_group_id: @current_group&.id)
               else
-                @resource.endorsements.where(author: @current_user)
+                @resource.endorsements.where(author: @current_user, decidim_user_group_id: nil)
               end
       query.destroy_all
     end

data/app/commands/decidim/update_account.rb

@@ -55,6 +55,7 @@ module Decidim
 
       @user.password = @form.password
       @user.password_confirmation = @form.password_confirmation
+      @user.password_updated_at = Time.current
     end
 
     def notify_followers

data/app/commands/decidim/update_password.rb

@@ -16,6 +16,8 @@ module Decidim
       return broadcast(:invalid) if form.invalid?
 
       user.password = form.password
+      user.password_confirmation = form.password
+      user.password_updated_at = Time.current
 
       if user.save
         broadcast(:ok)

data/app/controllers/decidim/devise/sessions_controller.rb

@@ -6,9 +6,25 @@ module Decidim
     class SessionsController < ::Devise::SessionsController
       include Decidim::DeviseControllers
 
-      # rubocop: disable Rails/LexicallyScopedActionFilter
       before_action :check_sign_in_enabled, only: :create
-      # rubocop: enable Rails/LexicallyScopedActionFilter
+
+      def create
+        super do |user|
+          if user.admin?
+            # Check that the admin password passes the validation and clear the
+            # `password_updated_at` field when the password is weak to force a
+            # password update on the user.
+            #
+            # Handles a case when the user registers through the registration
+            # form and they are promoted to an admin after that. In this case,
+            # the newly promoted admin user would otherwise have to change their
+            # password straight away even if they originally registered with a
+            # strong password.
+            validator = PasswordValidator.new({ attributes: :password })
+            user.update!(password_updated_at: nil) unless validator.validate_each(user, :password, sign_in_params[:password])
+          end
+        end
+      end
 
       def destroy
         current_user.invalidate_all_sessions!

data/app/controllers/decidim/groups_controller.rb

@@ -7,6 +7,7 @@ module Decidim
     include UserGroups
 
     before_action :enforce_user_groups_enabled
+    before_action :ensure_user_group_not_blocked
 
     def new
       enforce_permission_to :create, :user_group, current_user: current_user
@@ -78,6 +79,10 @@ module Decidim
 
     private
 
+    def ensure_user_group_not_blocked
+      raise ActionController::RoutingError, "Blocked User Group" if user_group&.blocked?
+    end
+
     def accepted_user_group
       @accepted_user_group ||= Decidim::UserGroups::AcceptedUserGroups.for(current_user).find_by(nickname: params[:id])
     end

data/app/controllers/decidim/links_controller.rb

@@ -7,9 +7,11 @@ module Decidim
     skip_before_action :store_current_location
 
     helper Decidim::ExternalDomainHelper
+    helper_method :external_url
 
     before_action :parse_url
     rescue_from Decidim::InvalidUrlError, with: :invalid_url
+    rescue_from URI::InvalidURIError, with: :invalid_url
 
     def new
       headers["X-Robots-Tag"] = "noindex"
@@ -19,24 +21,21 @@ module Decidim
 
     def invalid_url
       flash[:alert] = I18n.t("decidim.links.invalid_url")
-      redirect_to decidim.root_path
+      if request.xhr?
+        render "invalid_url"
+      else
+        redirect_to decidim.root_path
+      end
     end
 
     def parse_url
+      raise Decidim::InvalidUrlError if params[:external_url].blank?
       raise Decidim::InvalidUrlError unless external_url
-
-      parts = external_url.match %r{^(([a-z]+):)?//([^/]+)(/.*)?$}
-      raise Decidim::InvalidUrlError unless parts
-
-      @url_parts = {
-        protocol: parts[1],
-        domain: parts[3],
-        path: parts[4]
-      }
+      raise Decidim::InvalidUrlError unless %w(http https).include?(external_url.scheme)
     end
 
     def external_url
-      @external_url ||= params[:external_url]
+      @external_url ||= URI.parse(params[:external_url])
     end
   end
 end

data/app/controllers/decidim/profiles_controller.rb

@@ -13,7 +13,7 @@ module Decidim
     before_action :ensure_profile_holder
     before_action :ensure_profile_holder_is_a_group, only: [:members]
     before_action :ensure_profile_holder_is_a_user, only: [:groups, :following]
-    before_action :ensure_user_not_blocked, only: [:following, :followers, :badges]
+    before_action :ensure_user_not_blocked
 
     def show
       return redirect_to profile_timeline_path(nickname: params[:nickname]) if profile_holder == current_user

data/app/helpers/decidim/cells_helper.rb

@@ -35,6 +35,7 @@ module Decidim
     end
 
     def user_flaggable?
+      return if (try(:profile_holder) || try(:profile_user) || try(:model)).try(:blocked)
       return unless context[:controller].try(:flaggable_controller?)
 
       true

data/app/helpers/decidim/external_domain_helper.rb

@@ -3,10 +3,21 @@
 module Decidim
   module ExternalDomainHelper
     def highlight_domain
+      highlighted_domain = [
+        external_url.host,
+        (external_url.port && [80, 443].include?(external_url.port) ? "" : ":#{external_url.port}")
+      ].join
+
+      path = [
+        external_url.path,
+        (external_url.query ? "?#{external_url.query}" : ""),
+        (external_url.fragment ? "##{external_url.fragment}" : "")
+      ].join
+
       tag.div do
-        content_tag(:span, "#{@url_parts[:protocol]}//") +
-          content_tag(:span, @url_parts[:domain], class: "alert") +
-          content_tag(:span, @url_parts[:path])
+        content_tag(:span, "#{external_url.scheme}://") +
+          content_tag(:span, highlighted_domain, class: "text-alert") +
+          content_tag(:span, path)
       end
     end
   end

data/app/helpers/decidim/icon_helper.rb

@@ -24,7 +24,7 @@ module Decidim
     #
     # Returns an HTML tag with the icon.
     def manifest_icon(manifest, options = {})
-      if manifest.icon
+      if manifest.respond_to?(:icon) && manifest.icon.present?
         external_icon manifest.icon, options
       else
         icon "question-mark", options
@@ -42,9 +42,9 @@ module Decidim
     def resource_icon(resource, options = {})
       if resource.instance_of?(Decidim::Comments::Comment)
         icon "comment-square", options
-      elsif resource.respond_to?(:component)
+      elsif resource.respond_to?(:component) && resource.component.present?
         component_icon(resource.component, options)
-      elsif resource.respond_to?(:manifest)
+      elsif resource.respond_to?(:manifest) && resource.manifest.present?
         manifest_icon(resource.manifest, options)
       elsif resource.is_a?(Decidim::User)
         icon "person", options

data/app/helpers/decidim/newsletters_helper.rb

@@ -31,6 +31,7 @@ module Decidim
     # this method is used to generate the root link on mail with the utm_codes
     # If the newsletter_id is nil, it returns the root_url
     def custom_url_for_mail_root(organization, newsletter_id = nil)
+      decidim = EngineRouter.new("decidim", {})
       if newsletter_id.present?
         decidim.root_url(host: organization.host) + utm_codes(organization.host, newsletter_id.to_s)
       else

data/app/helpers/decidim/sanitize_helper.rb

@@ -112,9 +112,10 @@ module Decidim
     #
     # @return ActiveSupport::SafeBuffer
     def render_sanitized_content(resource, method)
-      content = present(resource).send(method, links: true, strip_tags: !safe_content?)
+      content = present(resource).send(method, links: true, strip_tags: !try(:safe_content?))
 
-      return decidim_sanitize(content, {}) unless safe_content?
+      return decidim_sanitize(content, {}) unless try(:safe_content?)
+      return decidim_sanitize_editor_admin(content, {}) if try(:safe_content_admin?)
 
       decidim_sanitize_editor(content)
     end

data/app/mailers/decidim/newsletter_mailer.rb

@@ -11,14 +11,20 @@ module Decidim
 
     helper_method :cell
 
-    def newsletter(user, newsletter)
+    def newsletter(user, newsletter, preview: false)
       return if user.email.blank?
 
       @organization = user.organization
       @newsletter = newsletter
       @user = user
-
-      @custom_url_for_mail_root = custom_url_for_mail_root(@organization, @newsletter.id) if Decidim.config.track_newsletter_links
+      @preview = preview
+
+      @custom_url_for_mail_root =
+        if @preview
+          "#"
+        elsif Decidim.config.track_newsletter_links
+          custom_url_for_mail_root(@organization, @newsletter.id)
+        end
       @encrypted_token = Decidim::NewsletterEncryptor.sent_at_encrypted(@user.id, @newsletter.sent_at)
 
       with_user(user) do
@@ -40,6 +46,7 @@ module Decidim
         organization: @organization,
         newsletter: @newsletter,
         recipient_user: @user,
+        custom_url_for_mail_root: @custom_url_for_mail_root,
         context: {
           controller: self
         }

data/app/models/decidim/newsletter.rb

@@ -56,6 +56,24 @@ module Decidim
                     .find_by(scoped_resource_id: id)
     end
 
+    def url(**kwargs)
+      proxy_url(:newsletter_url, id: id, **kwargs)
+    end
+
+    def notifications_settings_url(**kwargs)
+      proxy_url(__method__, **kwargs)
+    end
+
+    def unsubscribe_newsletters_url(**kwargs)
+      proxy_url(__method__, **kwargs)
+    end
+
+    def organization_official_url
+      return "#" unless sent?
+
+      organization.official_url || proxy_url(:root_url)
+    end
+
     private
 
     def author_belongs_to_organization
@@ -63,5 +81,15 @@ module Decidim
 
       errors.add(:author, :invalid) unless author.organization == organization
     end
+
+    def proxy_url(method, **kwargs)
+      return "#" unless sent?
+
+      router.public_send(method, host: organization.host, **kwargs)
+    end
+
+    def router
+      @router ||= EngineRouter.new("decidim", {})
+    end
   end
 end

data/app/models/decidim/scope_type.rb

@@ -17,8 +17,32 @@ module Decidim
 
     validates :name, presence: true
 
+    before_destroy :detach_dynamic_associations
+
     def self.log_presenter_class_for(_log)
       Decidim::AdminLog::ScopeTypePresenter
     end
+
+    private
+
+    # This method detaches all records that may have association with the scope
+    # type. This cannot be done directly using the `dependent` option in the
+    # `has_many` relation in order to avoid tight coupling between the modules.
+    #
+    # This logic does not have to be applied to any classes that have been
+    # defined as `has_many` associations within this model already as they are
+    # already handled by the `dependent` option.
+    def detach_dynamic_associations
+      ActiveRecord::Base.descendants.each do |cls|
+        next if cls.abstract_class? || !cls.name&.match?(/^Decidim::/)
+        next if cls == self.class || cls == Decidim::Scope
+
+        cls.reflect_on_all_associations(:belongs_to).each do |ref|
+          next unless ref.options[:class_name] == self.class.name
+
+          cls.where(ref.options[:foreign_key] => id).update_all(ref.options[:foreign_key] => nil) # rubocop:disable Rails/SkipsModelValidations
+        end
+      end
+    end
   end
 end

data/app/models/decidim/user.rb

@@ -36,8 +36,6 @@ module Decidim
     has_many :access_tokens, class_name: "Doorkeeper::AccessToken", foreign_key: :resource_owner_id, dependent: :destroy
     has_many :reminders, foreign_key: "decidim_user_id", class_name: "Decidim::Reminder", dependent: :destroy
 
-    has_one :blocking, class_name: "Decidim::UserBlock", foreign_key: :id, primary_key: :block_id, dependent: :destroy
-
     validates :name, presence: true, unless: -> { deleted? }
     validates :nickname,
               presence: true,

data/app/models/decidim/user_base_entity.rb

@@ -17,6 +17,8 @@ module Decidim
     has_many :notifications, foreign_key: "decidim_user_id", class_name: "Decidim::Notification", dependent: :destroy
     has_many :following_follows, foreign_key: "decidim_user_id", class_name: "Decidim::Follow", dependent: :destroy
 
+    has_one :blocking, class_name: "Decidim::UserBlock", foreign_key: :id, primary_key: :block_id, dependent: :destroy
+
     # Regex for name & nickname format validations
     REGEXP_NAME = /\A(?!.*[<>?%&\^*#@()\[\]=+:;"{}\\|])/
 

data/app/models/decidim/user_block.rb

@@ -4,7 +4,7 @@ module Decidim
   class UserBlock < ApplicationRecord
     MINIMUM_JUSTIFICATION_LENGTH = 15
 
-    belongs_to :user, class_name: "Decidim::User", foreign_key: :decidim_user_id
-    belongs_to :blocking_user, class_name: "Decidim::User"
+    belongs_to :user, class_name: "Decidim::UserBaseEntity", foreign_key: :decidim_user_id
+    belongs_to :blocking_user, class_name: "Decidim::UserBaseEntity"
   end
 end

data/app/models/decidim/user_group.rb

@@ -21,7 +21,7 @@ module Decidim
              foreign_key: :decidim_user_id,
              source: :user
 
-    validates :name, presence: true, uniqueness: { scope: :decidim_organization_id }
+    validates :name, presence: true, uniqueness: { scope: :decidim_organization_id }, unless: -> { blocked? }
 
     validate :correct_state
     validate :unique_document_number, if: :has_document_number?

data/app/packs/src/decidim/direct_uploads/upload_modal.js

@@ -16,7 +16,6 @@ export default class UploadModal {
       // - addAttribute - Field name / attribute of resource (e.g. avatar)
       // - resourceName - The resource to which the attribute belongs (e.g. user)
       // - resourceClass - Ruby class of the resource (e.g. Decidim::User)
-      // - optional - Defines if file is optional
       // - multiple - Defines if multiple files can be uploaded
       // - titled - Defines if file(s) can have titles
       // - maxFileSize - Defines maximum file size in bytes

data/app/packs/src/decidim/editor/clipboard_override.js

@@ -70,7 +70,9 @@ export default class ClipboardOverride extends Clipboard {
     const text = ev.clipboardData.getData("text/plain");
     const files = Array.from(ev.clipboardData.files || []);
     if (!html && files.length > 0) {
-      this.quill.uploader.upload(range, files);
+      if (typeof this.quill.uploader !== "undefined") {
+        this.quill.uploader.upload(range, files);
+      }
       return;
     }
     if (html && files.length > 0) {
@@ -79,7 +81,9 @@ export default class ClipboardOverride extends Clipboard {
         doc.body.childElementCount === 1 &&
         doc.body.firstElementChild.tagName === "IMG"
       ) {
-        this.quill.uploader.upload(range, files);
+        if (typeof this.quill.uploader !== "undefined") {
+          this.quill.uploader.upload(range, files);
+        }
         return;
       }
     }