decidim-core 0.27.2 → 0.27.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 391ba34f55c860208f7644dd10b1b3e2b6465ed45b9e9f9fd194ce1036516995
-  data.tar.gz: 93636f8d556d73547fcdff45986fcc85ba4a22e9c399fdeca0c550ee6c241363
+  metadata.gz: d976829c2218ab34a1bf7c2ad99443edd61c4f37bb56963c8bb21a3e74afddef
+  data.tar.gz: acbaa2ce577af7e32648ce22941616e258f48bdbfb304e754344770fafaf9ef4
 SHA512:
-  metadata.gz: 157c005fbea98fe374586f91f15f17bc54450d6e4b6f7136d51582d5cae7af9442d250edbbf4fe2a4308aac902ba0eb28c49681153dcda6b6948f8589414e930
-  data.tar.gz: 8ebc9089ad86980956ded3024d490f419bf8015ae0dc4b3fe6e003d415010de8ed28751bd0c168cf526c8a17f5db50467c9223242c2150cf600304990e1eda04
+  metadata.gz: 868d324e0f83442b37750933c39985dffdba9bfd06a2f47ad00836b7c9b89164bafff5d2083d5e24d7f01eb9c47dac46f564a375bacaa17726fe5d472bf6c86b
+  data.tar.gz: 1af449d8a281aa2ae5db6c0f03a7be077f7a7eeaa2a300e8bc2a2d36622cd4be5aafb4245878a24e4bd2496542d0166a84287974e72cdeb294acdcd021144b00

data/app/cells/decidim/activities_cell.rb

@@ -27,13 +27,7 @@ module Decidim
     end
 
     def activities
-      @activities ||= last_activities.select do |activity|
-        activity.visible_for?(current_user)
-      end
-    end
-
-    def last_activities
-      @last_activities ||= model.map do |activity|
+      @activities ||= model.map do |activity|
         activity.organization_lazy
         activity.resource_lazy
         activity.participatory_space_lazy

data/app/cells/decidim/collapsible_list/show.erb

@@ -16,7 +16,7 @@
     </span>
   </div>
 <% else %>
-  <div class="collapsible-list <%= list_class %>">
+  <div class="<%= list_class %>">
     <% list.each do |element| %>
       <% if cell_name %>
         <%= cell cell_name, element, cell_options %>

data/app/cells/decidim/content_blocks/last_activity_cell.rb

@@ -56,10 +56,7 @@ module Decidim
       end
 
       def activities
-        @activities ||= ActionLog.where(
-          organization: current_organization,
-          visibility: %w(public-only all)
-        ).with_new_resource_type("all").order(created_at: :desc).limit(activities_to_show * 6)
+        @activities ||= Decidim::LastActivity.new(current_organization, current_user: current_user).query.limit(activities_to_show * 6)
       end
 
       def activities_to_show

data/app/cells/decidim/tags_cell.rb

@@ -55,7 +55,7 @@ module Decidim
     end
 
     def category_path
-      resource_locator(model).index(filter: { category_id: [model.category.id.to_s] })
+      resource_locator(model).index(filter: { filter_param(:category) => [model.category.id.to_s] })
     end
 
     def scope?
@@ -86,7 +86,18 @@ module Decidim
     end
 
     def scope_path
-      resource_locator(model).index(filter: { scope_id: [model.scope.id] })
+      resource_locator(model).index(filter: { filter_param(:scope) => [model.scope.id] })
+    end
+
+    def filter_param(name)
+      candidates = ["with_any_#{name}".to_sym, "with_#{name}".to_sym]
+      return candidates.first unless controller.respond_to?(:default_filter_params, true)
+
+      available_params = controller.send(:default_filter_params)
+      candidates.each do |candidate|
+        return candidate if available_params.has_key?(candidate)
+      end
+      candidates.first
     end
   end
 end

data/app/cells/decidim/upload_modal/files.erb

@@ -30,6 +30,7 @@
           add_attribute: add_attribute,
           resource_name: resource_name,
           resource_class: resource_class,
+          required: required?,
           optional: optional,
           max_file_size: max_file_size,
           multiple: multiple,

data/app/cells/decidim/upload_modal_cell.rb

@@ -5,6 +5,7 @@ module Decidim
   class UploadModalCell < Decidim::ViewModel
     include Cell::ViewModel::Partial
     include ERB::Util
+    include Decidim::SanitizeHelper
 
     alias form model
 
@@ -29,7 +30,7 @@ module Decidim
     end
 
     def label
-      options[:label]
+      form.send(:custom_label, attribute, options[:label], { required: required?, for: nil })
     end
 
     def button_label
@@ -72,8 +73,17 @@ module Decidim
       options[:multiple] || false
     end
 
+    # @deprecated Please use `required?` instead.
+    #
+    # NOTE: When this is removed, also the `optional` option should be removed.
     def optional
-      options[:optional]
+      !required?
+    end
+
+    def required?
+      return !options[:optional] if options.has_key?(:optional)
+
+      options[:required] == true
     end
 
     # By default Foundation adds form errors next to input, but since input is in the modal
@@ -81,7 +91,7 @@ module Decidim
     # This should only be necessary when file is required by the form.
     def input_validation_field
       object_name = form.object.present? ? "#{form.object.model_name.param_key}[#{add_attribute}_validation]" : "#{add_attribute}_validation"
-      input = check_box_tag object_name, 1, attachments.present?, class: "hide", label: false, required: !optional
+      input = check_box_tag object_name, 1, attachments.present?, class: "hide", label: false, required: required?
       message = form.send(:abide_error_element, add_attribute) + form.send(:error_and_help_text, add_attribute)
       input + message
     end
@@ -142,7 +152,7 @@ module Decidim
     def title_for(attachment)
       return unless has_title?
 
-      translated_attribute(attachment.title)
+      decidim_html_escape(decidim_sanitize(translated_attribute(attachment.title)))
     end
 
     def truncated_file_name_for(attachment, max_length = 31)

data/app/commands/decidim/attachment_methods.rb

@@ -12,8 +12,8 @@ module Decidim
       @attachment = Attachment.new(
         title: { I18n.locale => @form.attachment.title },
         attached_to: attached_to,
-        file: @form.attachment.file, # Define attached_to before this
-        content_type: @form.attachment.file.content_type
+        file: signed_id_for(@form.attachment.file),
+        content_type: content_type_for(@form.attachment.file)
       )
     end
 
@@ -53,5 +53,23 @@ module Decidim
     def delete_attachment?
       @form.attachment&.delete_file.present?
     end
+
+    protected
+
+    def signed_id_for(attachment)
+      return attachment[:file] if attachment.is_a?(Hash)
+
+      attachment
+    end
+
+    def content_type_for(attachment)
+      return attachment.content_type if attachment.instance_of?(ActionDispatch::Http::UploadedFile)
+
+      blob(signed_id_for(attachment)).content_type
+    end
+
+    def blob(signed_id)
+      ActiveStorage::Blob.find_signed(signed_id)
+    end
   end
 end

data/app/commands/decidim/create_omniauth_registration.rb

@@ -46,8 +46,6 @@ module Decidim
     attr_reader :form, :verified_email
 
     def create_or_find_user
-      generated_password = SecureRandom.hex
-
       @user = User.find_or_initialize_by(
         email: verified_email,
         organization: organization
@@ -59,6 +57,8 @@ module Decidim
         # to be marked confirmed.
         @user.skip_confirmation! if !@user.confirmed? && @user.email == verified_email
       else
+        generated_password = SecureRandom.hex
+
         @user.email = (verified_email || form.email)
         @user.name = form.name
         @user.nickname = form.normalized_nickname

data/app/commands/decidim/create_registration.rb

@@ -41,6 +41,7 @@ module Decidim
         nickname: form.nickname,
         password: form.password,
         password_confirmation: form.password_confirmation,
+        password_updated_at: Time.current,
         organization: form.current_organization,
         tos_agreement: form.tos_agreement,
         newsletter_notifications_at: form.newsletter_at,

data/app/commands/decidim/gallery_methods.rb

@@ -24,7 +24,7 @@ module Decidim
     end
 
     def update_attachment_title_for(photo)
-      Decidim::Attachment.find(photo[:id]).update(title: title_for(photo))
+      Decidim::Attachment.find(photo[:id]).update(title: photos_title(photo))
     end
 
     def image?(signed_id)

data/app/commands/decidim/update_account.rb

@@ -55,6 +55,7 @@ module Decidim
 
       @user.password = @form.password
       @user.password_confirmation = @form.password_confirmation
+      @user.password_updated_at = Time.current
     end
 
     def notify_followers

data/app/commands/decidim/update_password.rb

@@ -16,6 +16,8 @@ module Decidim
       return broadcast(:invalid) if form.invalid?
 
       user.password = form.password
+      user.password_confirmation = form.password
+      user.password_updated_at = Time.current
 
       if user.save
         broadcast(:ok)

data/app/controllers/decidim/authorization_modals_controller.rb

@@ -17,7 +17,7 @@ module Decidim
     end
 
     def current_component
-      @current_component ||= Decidim::Component.find(params[:component_id])
+      @current_component ||= Decidim::Component.where(participatory_space: current_organization.participatory_spaces).find(params[:component_id])
     end
 
     def authorization_action

data/app/controllers/decidim/devise/sessions_controller.rb

@@ -6,9 +6,25 @@ module Decidim
     class SessionsController < ::Devise::SessionsController
       include Decidim::DeviseControllers
 
-      # rubocop: disable Rails/LexicallyScopedActionFilter
       before_action :check_sign_in_enabled, only: :create
-      # rubocop: enable Rails/LexicallyScopedActionFilter
+
+      def create
+        super do |user|
+          if user.admin?
+            # Check that the admin password passes the validation and clear the
+            # `password_updated_at` field when the password is weak to force a
+            # password update on the user.
+            #
+            # Handles a case when the user registers through the registration
+            # form and they are promoted to an admin after that. In this case,
+            # the newly promoted admin user would otherwise have to change their
+            # password straight away even if they originally registered with a
+            # strong password.
+            validator = PasswordValidator.new({ attributes: :password })
+            user.update!(password_updated_at: nil) unless validator.validate_each(user, :password, sign_in_params[:password])
+          end
+        end
+      end
 
       def destroy
         current_user.invalidate_all_sessions!

data/app/controllers/decidim/last_activities_controller.rb

@@ -32,13 +32,7 @@ module Decidim
     end
 
     def search_collection
-      ActionLog
-        .where(
-          organization: current_organization,
-          visibility: %w(public-only all)
-        )
-        .with_new_resource_type("all")
-        .order(created_at: :desc)
+      LastActivity.new(current_organization, current_user: current_user).query
     end
 
     def default_filter_params

data/app/controllers/decidim/links_controller.rb

@@ -21,24 +21,21 @@ module Decidim
 
     def invalid_url
       flash[:alert] = I18n.t("decidim.links.invalid_url")
-      redirect_to decidim.root_path
+      if request.xhr?
+        render "invalid_url"
+      else
+        redirect_to decidim.root_path
+      end
     end
 
     def parse_url
+      raise Decidim::InvalidUrlError if params[:external_url].blank?
       raise Decidim::InvalidUrlError unless external_url
-
-      parts = external_url.match %r{\A(([a-z]+):)?//([^/]+)(/.*)?\z}
-      raise Decidim::InvalidUrlError unless parts
-
-      @url_parts = {
-        protocol: parts[1],
-        domain: parts[3],
-        path: parts[4]
-      }
+      raise Decidim::InvalidUrlError unless %w(http https).include?(external_url.scheme)
     end
 
     def external_url
-      @external_url ||= URI.parse(params[:external_url]).to_s
+      @external_url ||= URI.parse(params[:external_url])
     end
   end
 end

data/app/controllers/decidim/short_links_controller.rb

@@ -29,7 +29,7 @@ module Decidim
     #
     # @return [Decidim::ShortLink] The short link matching the identifier
     def link
-      @link ||= Decidim::ShortLink.find_by(identifier: params[:id])
+      @link ||= Decidim::ShortLink.find_by(identifier: params[:id], organization: current_organization)
     end
   end
 end

data/app/forms/decidim/notifications_settings_form.rb

@@ -53,7 +53,7 @@ module Decidim
     end
 
     def meet_push_notifications_requirements?
-      Rails.application.secrets.vapid[:enabled]
+      Rails.application.secrets.dig(:vapid, :enabled) || false
     end
   end
 end

data/app/forms/url_validator.rb

@@ -6,7 +6,7 @@
 #
 class UrlValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
-    record.errors.add attribute, (options[:message] || "must be a valid URL") unless url_valid?(value)
+    record.errors.add attribute, :url_format, **options unless url_valid?(value)
   end
 
   # a URL may be technically well-formed but may

data/app/helpers/decidim/cells_helper.rb

@@ -35,6 +35,7 @@ module Decidim
     end
 
     def user_flaggable?
+      return if (try(:profile_holder) || try(:profile_user) || try(:model)).try(:blocked)
       return unless context[:controller].try(:flaggable_controller?)
 
       true

data/app/helpers/decidim/external_domain_helper.rb

@@ -3,10 +3,21 @@
 module Decidim
   module ExternalDomainHelper
     def highlight_domain
+      highlighted_domain = [
+        external_url.host,
+        (external_url.port && [80, 443].include?(external_url.port) ? "" : ":#{external_url.port}")
+      ].join
+
+      path = [
+        external_url.path,
+        (external_url.query ? "?#{external_url.query}" : ""),
+        (external_url.fragment ? "##{external_url.fragment}" : "")
+      ].join
+
       tag.div do
-        content_tag(:span, "#{@url_parts[:protocol]}//") +
-          content_tag(:span, @url_parts[:domain], class: "alert") +
-          content_tag(:span, @url_parts[:path])
+        content_tag(:span, "#{external_url.scheme}://") +
+          content_tag(:span, highlighted_domain, class: "text-alert") +
+          content_tag(:span, path)
       end
     end
   end

data/app/helpers/decidim/layout_helper.rb

@@ -105,7 +105,10 @@ module Decidim
       # non-nil because otherwise it will be set to the asset host at
       # ActionView::Helpers::AssetUrlHelper#compute_asset_host.
       img_path = asset_pack_path(path, host: "", protocol: :relative)
-      Rails.public_path.join(img_path.sub(%r{^/}, ""))
+      path = Rails.public_path.join(img_path.sub(%r{^/}, ""))
+      return unless File.exist?(path)
+
+      path
     rescue ::Webpacker::Manifest::MissingEntryError
       nil
     end

data/app/helpers/decidim/layout_helper.rb.orig

@@ -0,0 +1,225 @@
+# frozen_string_literal: true
+
+module Decidim
+  # View helpers related to the layout.
+  module LayoutHelper
+    include Decidim::ModalHelper
+    include Decidim::TooltipHelper
+
+    # Public: Generates a set of meta tags that generate the different favicon
+    # versions for an organization.
+    #
+    # Returns a safe String with the versions.
+    def favicon
+      return if current_organization.favicon.blank?
+
+      safe_join(Decidim::OrganizationFaviconUploader::SIZES.map do |version, size|
+        favicon_link_tag(current_organization.attached_uploader(:favicon).variant_url(version, host: current_organization.host), sizes: "#{size}x#{size}")
+      end)
+    end
+
+    def apple_favicon
+      icon_image = current_organization.attached_uploader(:favicon).variant_url(:medium, host: current_organization.host)
+      return unless icon_image
+
+      favicon_link_tag(icon_image, rel: "apple-touch-icon", type: "image/png")
+    end
+
+    def legacy_favicon
+      variant = :favicon if current_organization.favicon.content_type != "image/vnd.microsoft.icon"
+      icon_image = current_organization.attached_uploader(:favicon).variant_url(variant, host: current_organization.host)
+      return unless icon_image
+
+      favicon_link_tag(icon_image, rel: "icon", sizes: "any", type: nil)
+    end
+
+    # Outputs an SVG-based icon.
+    #
+    # name    - The String with the icon name.
+    # options - The Hash options used to customize the icon (default {}):
+    #             :width  - The Number of width in pixels (optional).
+    #             :height - The Number of height in pixels (optional).
+    #             :title - The title for the SVG element (optional, similar to alt for img)
+    #             :aria_label - The String to set as aria label (optional).
+    #             :aria_hidden - The Truthy value to enable aria_hidden (optional).
+    #             :role - The String to set as the role (optional).
+    #             :class - The String to add as a CSS class (optional).
+    #
+    # Returns a String.
+    def redesigned_icon(name, options = {})
+      default_html_properties = {
+        "width" => "1em",
+        "height" => "1em",
+        "role" => "img",
+        "aria-hidden" => "true"
+      }
+
+      html_properties = options.with_indifferent_access.transform_keys(&:dasherize).slice("width", "height", "aria-label", "role", "aria-hidden", "class", "style")
+      html_properties = default_html_properties.merge(html_properties)
+
+      href = Decidim.cors_enabled ? "" : asset_pack_path("media/images/remixicon.symbol.svg")
+
+      content_tag :svg, html_properties do
+        content_tag :use, nil, "href" => "#{href}#ri-#{name}", tabindex: -1
+      end
+    end
+
+    def legacy_icon(name, options = {})
+      options = options.with_indifferent_access
+      html_properties = {}
+
+      html_properties["width"] = options[:width]
+      html_properties["height"] = options[:height]
+      html_properties["aria-label"] = options[:aria_label] || options[:"aria-label"]
+      html_properties["role"] = options[:role] || "img"
+      html_properties["aria-hidden"] = options[:aria_hidden] || options[:"aria-hidden"]
+
+      html_properties["class"] = (["icon--#{name}"] + _icon_classes(options)).join(" ")
+
+      title = options["title"] || html_properties["aria-label"]
+      if title.blank? && html_properties["role"] == "img"
+        # This will make the accessibility audit tools happy as with the "img"
+        # role, the alternative text (aria-label) and title are required for the
+        # element. This will also force the SVG to be hidden because otherwise
+        # the screen reader would announce the icon name which can be in
+        # different language (English) than the page language which is not
+        # allowed.
+        title = name
+        html_properties["aria-label"] = title
+        html_properties["aria-hidden"] = true
+      end
+
+      href = Decidim.cors_enabled ? "" : asset_pack_path("media/images/icons.svg")
+
+      content_tag :svg, html_properties do
+        inner = content_tag :title, title
+        inner += content_tag :use, nil, "href" => "#{href}#icon-#{name}"
+
+        inner
+      end
+    end
+
+    def icon(*args)
+      redesign_enabled? ? redesigned_icon(*args) : legacy_icon(*args)
+    end
+
+    # Outputs a SVG icon from an external file. It apparently renders an image
+    # tag, but then a JS script kicks in and replaces it with an inlined SVG
+    # version.
+    #
+    # path    - The asset's path
+    #
+    # Returns an <img /> tag with the SVG icon.
+    def external_icon(path, options = {})
+      classes = _icon_classes(options) + ["external-icon"]
+
+      if path.split(".").last == "svg"
+        icon_path = application_path(path)
+        return unless icon_path
+
+        attributes = { class: classes.join(" ") }.merge(options)
+        asset = File.read(icon_path)
+        asset.gsub("<svg ", "<svg#{tag_builder.tag_options(attributes)} ").html_safe
+      else
+        image_pack_tag(path, class: classes.join(" "), style: "display: none")
+      end
+    end
+
+    def application_path(path)
+      # Force the path to be returned without the protocol and host even when a
+      # custom asset host has been defined. The host parameter needs to be a
+      # non-nil because otherwise it will be set to the asset host at
+      # ActionView::Helpers::AssetUrlHelper#compute_asset_host.
+      img_path = asset_pack_path(path, host: "", protocol: :relative)
+      path = Rails.public_path.join(img_path.sub(%r{^/}, ""))
+      return unless File.exist?(path)
+
+      path
+    rescue ::Webpacker::Manifest::MissingEntryError
+      nil
+    end
+
+    # Allows to create role attribute according to accessibility rules
+    #
+    # Returns role attribute string if role option is specified
+    def role(options = {})
+      "role=\"#{options[:role]}\" " if options[:role]
+    end
+
+    def _icon_classes(options = {})
+      classes = options[:remove_icon_class] ? [] : ["icon"]
+      classes += [options[:class]]
+      classes.compact
+    end
+
+    def extended_navigation_bar(items, max_items: 5)
+      return unless items.any?
+
+      extra_items = items.slice((max_items + 1)..-1) || []
+      active_item = items.find { |item| item[:active] }
+
+      controller.view_context.render partial: "decidim/shared/extended_navigation_bar", locals: {
+        items:,
+        extra_items:,
+        active_item:,
+        max_items:
+      }
+    end
+
+    # Renders a view with the customizable CSS variables in two flavours:
+    # 1. as a hexadecimal valid CSS color (ie: #ff0000)
+    # 2. as a disassembled RGB components (ie: 255 0 0)
+    #
+    # Example:
+    #
+    # --primary: #ff0000;
+    # --primary-rgb: 255,0,0
+    #
+    # Hexadecimal variables can be used as a normal CSS color:
+    #
+    # color: var(--primary)
+    #
+    # While the disassembled variant can be used where you need to manipulate
+    # the color somehow (ie: adding a background transparency):
+    #
+    # background-color: rgba(var(--primary-rgb), 0.5)
+    def organization_colors
+      css = current_organization.colors.each.map { |k, v| "--#{k}: #{v};--#{k}-rgb: #{v[1..2].hex} #{v[3..4].hex} #{v[5..6].hex};" }.join
+      render partial: "layouts/decidim/organization_colors", locals: { css: }
+    end
+
+<<<<<<< HEAD
+    def current_user_unread_data
+      return {} if current_user.blank?
+
+      {}.tap do |d|
+        d.merge!(unread_notifications: true) if current_user.notifications.any?
+        d.merge!(unread_conversations: true) if current_user.unread_conversations.any?
+        d.merge!(unread_items: d.present?)
+      end
+    end
+
+||||||| parent of 53b6893e5c (Use local emojibase data instead of CDN)
+=======
+    # Public: Gets the name of the webpacker entrypoint that will be used
+    # for the locale of the Emojibase NPM package, used with @picmo/popup-picker
+    #
+    # Returns a string with the entrypoint name
+    def emojibase_entrypoint_locale
+      entrypoint = Decidim::Webpacker.configuration.entrypoints.keys.select do |entry|
+        entry == "decidim_emojibase_#{I18n.locale}"
+      end
+
+      return "decidim_emojibase_en" if entrypoint.empty?
+
+      entrypoint.first
+    end
+
+>>>>>>> 53b6893e5c (Use local emojibase data instead of CDN)
+    private
+
+    def tag_builder
+      @tag_builder ||= ActionView::Helpers::TagHelper::TagBuilder.new(self)
+    end
+  end
+end

data/app/helpers/decidim/sanitize_helper.rb

@@ -112,9 +112,10 @@ module Decidim
     #
     # @return ActiveSupport::SafeBuffer
     def render_sanitized_content(resource, method)
-      content = present(resource).send(method, links: true, strip_tags: !safe_content?)
+      content = present(resource).send(method, links: true, strip_tags: !try(:safe_content?))
 
-      return decidim_sanitize(content, {}) unless safe_content?
+      return decidim_sanitize(content, {}) unless try(:safe_content?)
+      return decidim_sanitize_editor_admin(content, {}) if try(:safe_content_admin?)
 
       decidim_sanitize_editor(content)
     end

data/app/models/decidim/organization.rb

@@ -87,6 +87,12 @@ module Decidim
       @top_scopes ||= scopes.top_level
     end
 
+    def participatory_spaces
+      @participatory_spaces ||= Decidim.participatory_space_manifests.flat_map do |manifest|
+        manifest.participatory_spaces.call(self)
+      end
+    end
+
     def public_participatory_spaces
       @public_participatory_spaces ||= Decidim.participatory_space_manifests.flat_map do |manifest|
         manifest.participatory_spaces.call(self).public_spaces