decidim-core 0.27.4 → 0.27.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d976829c2218ab34a1bf7c2ad99443edd61c4f37bb56963c8bb21a3e74afddef
-  data.tar.gz: acbaa2ce577af7e32648ce22941616e258f48bdbfb304e754344770fafaf9ef4
+  metadata.gz: 99119ce695e1aa34d4a744deca10b822209b52253058e77548a6399cd78f0069
+  data.tar.gz: '052746495077e884e4cb8e5bc33c8bcb6af257efbee57b385b39f62404530fd5'
 SHA512:
-  metadata.gz: 868d324e0f83442b37750933c39985dffdba9bfd06a2f47ad00836b7c9b89164bafff5d2083d5e24d7f01eb9c47dac46f564a375bacaa17726fe5d472bf6c86b
-  data.tar.gz: 1af449d8a281aa2ae5db6c0f03a7be077f7a7eeaa2a300e8bc2a2d36622cd4be5aafb4245878a24e4bd2496542d0166a84287974e72cdeb294acdcd021144b00
+  metadata.gz: e5b7a3d7779697415e7ec9badd7d4d00bd408a1f42e7c667f01b797558ba22524231273b94f3f6beeb644f7aee8692bd5d2d580a7493c84dfaa5eb563241bc58
+  data.tar.gz: 193b200909cc1fa784ccad5583b3c9593b8e6a9be31c10ab03c90ee9153075ac0d168566e7fe275bb9140c1bc53a8a42e58f84ffc9b852fe91269deef496d5a3

data/app/cells/decidim/activity_cell.rb

@@ -38,9 +38,9 @@ module Decidim
 
       case resource_title
       when String
-        resource_title
+        decidim_html_escape(resource_title)
       when Hash
-        translated_attribute(resource_title)
+        decidim_escape_translated(resource_title)
       end
     end
 

data/app/cells/decidim/card_cell.rb

@@ -28,11 +28,11 @@ module Decidim
     end
 
     def title
-      model.try(:title) || model.try(:name) || ""
+      decidim_escape_translated(model.try(:title) || model.try(:name) || "")
     end
 
     def body
-      model.try(:body) || model.try(:about) || ""
+      decidim_escape_translated(model.try(:body) || model.try(:about) || "")
     end
 
     def resource_manifest

data/app/cells/decidim/card_m/top.erb

@@ -1,7 +1,7 @@
 <div class="card__top">
   <% if render_space? %>
     <div class="card__content text-small">
-      <span class="muted"><%= searchable_resource_human_name(model.participatory_space.class, count: 1) %>:</span>&nbsp;<%= link_to translated_attribute(model.participatory_space.title), Decidim::ResourceLocatorPresenter.new(model.participatory_space).path, class: "card__link text-ellipsis" %>
+      <span class="muted"><%= searchable_resource_human_name(model.participatory_space.class, count: 1) %>:</span>&nbsp;<%= link_to decidim_escape_translated(model.participatory_space.title), Decidim::ResourceLocatorPresenter.new(model.participatory_space).path, class: "card__link text-ellipsis" %>
     </div>
   <% end %>
 </div>

data/app/cells/decidim/card_m_cell.rb

@@ -57,7 +57,7 @@ module Decidim
     end
 
     def title
-      decidim_html_escape(translated_attribute(model.title))
+      decidim_escape_translated(model.title)
     end
 
     def description

data/app/cells/decidim/scopes_picker/scope_picker_values.erb

@@ -1,5 +1,5 @@
 <div class="picker-values">
   <%- scopes.each do |scope, params| %>
-    <div><%= link_to params[:text], params[:url], data: { picker_value: scope.id } %></div>
+    <div><%= link_to decidim_html_escape(params[:text]), params[:url], data: { picker_value: scope.id } %></div>
   <% end %>
 </div>

data/app/cells/decidim/tags_cell.rb

@@ -9,6 +9,8 @@ module Decidim
   #   <%= cell("decidim/category", model.category, context: {resource: model}) %>
   #
   class TagsCell < Decidim::ViewModel
+    include Decidim::SanitizeHelper
+
     def show
       render if category? || scope?
     end
@@ -51,7 +53,7 @@ module Decidim
     end
 
     def category_name
-      model.category.translated_name
+      decidim_html_escape model.category.translated_name
     end
 
     def category_path

data/app/cells/decidim/upload_modal/modal.erb

@@ -35,7 +35,10 @@
         label: false,
         multiple: true,
         direct_upload: true,
-        data: { direct_upload_url: direct_upload_url } %>
+        data: {
+          direct_upload_url: direct_upload_url,
+          upload_validations_url: upload_validations_url
+        } %>
       <span><%= t("decidim.forms.upload_help.dropzone") %></span>
     </label>
   </div>

data/app/cells/decidim/upload_modal_cell.rb

@@ -156,15 +156,15 @@ module Decidim
     end
 
     def truncated_file_name_for(attachment, max_length = 31)
-      filename = file_name_for(attachment)
-      return filename if filename.length <= max_length
+      filename = determine_filename(attachment)
+      return decidim_html_escape(filename).html_safe if filename.length <= max_length
 
       name = File.basename(filename, File.extname(filename))
-      name.truncate(max_length, omission: "...#{name.last((max_length / 2) - 3)}#{File.extname(filename)}")
+      decidim_html_escape(name.truncate(max_length, omission: "...#{name.last((max_length / 2) - 3)}#{File.extname(filename)}")).html_safe
     end
 
     def file_name_for(attachment)
-      determine_filename(attachment)
+      decidim_html_escape(determine_filename(attachment)).html_safe
     end
 
     def determine_filename(attachment)
@@ -205,6 +205,10 @@ module Decidim
       Rails.application.class.routes.url_helpers.rails_direct_uploads_path
     end
 
+    def upload_validations_url
+      Decidim::Core::Engine.routes.url_helpers.upload_validations_path
+    end
+
     def form_object_class
       form.object.class.to_s
     end

data/app/cells/decidim/user_profile_cell.rb

@@ -29,7 +29,7 @@ module Decidim
     delegate :badge, to: :presented_resource
 
     def description
-      html_truncate(decidim_html_escape(user.about.to_s), length: 100)
+      html_truncate(decidim_escape_translated(user.about), length: 100)
     end
 
     def avatar

data/app/cells/decidim/version_cell.rb

@@ -66,7 +66,7 @@ module Decidim
     end
 
     def resource_path
-      resource_locator(versioned_resource).path
+      Decidim::ResourceLocatorPresenter.new(versioned_resource).path
     end
   end
 end

data/app/cells/decidim/versions_list_cell.rb

@@ -13,7 +13,7 @@ module Decidim
     end
 
     def resource_path
-      resource_locator(versioned_resource).path
+      Decidim::ResourceLocatorPresenter.new(versioned_resource).path
     end
 
     def i18n_changes_title

data/app/commands/decidim/create_omniauth_registration.rb

@@ -57,14 +57,12 @@ module Decidim
         # to be marked confirmed.
         @user.skip_confirmation! if !@user.confirmed? && @user.email == verified_email
       else
-        generated_password = SecureRandom.hex
-
         @user.email = (verified_email || form.email)
         @user.name = form.name
         @user.nickname = form.normalized_nickname
         @user.newsletter_notifications_at = nil
-        @user.password = generated_password
-        @user.password_confirmation = generated_password
+        @user.password = SecureRandom.hex
+        @user.password_confirmation = @user.password
         if form.avatar_url.present?
           url = URI.parse(form.avatar_url)
           filename = File.basename(url.path)

data/app/commands/decidim/endorse_resource.rb

@@ -31,6 +31,8 @@ module Decidim
       else
         broadcast(:invalid)
       end
+    rescue ActiveRecord::RecordNotUnique
+      broadcast(:invalid)
     end
 
     private

data/app/commands/decidim/messaging/reply_to_conversation.rb

@@ -54,11 +54,13 @@ module Decidim
               notify(manager) do
                 ConversationMailer.new_group_message(sender, manager, conversation, message, recipient).deliver_later
               end
+              Decidim::PushNotificationMessageSender.new.new_group_message(sender, manager, conversation, message, recipient).deliver
             end
           else
             notify(recipient) do
               ConversationMailer.new_message(sender, recipient, conversation, message).deliver_later
             end
+            Decidim::PushNotificationMessageSender.new.new_message(sender, recipient, conversation, message).deliver
           end
         end
       end
@@ -68,6 +70,7 @@ module Decidim
           notify(recipient) do
             ConversationMailer.comanagers_new_message(sender, recipient, conversation, message, form.context.current_user).deliver_later
           end
+          Decidim::PushNotificationMessageSender.new.comanagers_new_message(sender, recipient, conversation, message, form.context.current_user).deliver
         end
       end
 

data/app/commands/decidim/messaging/start_conversation.rb

@@ -54,11 +54,13 @@ module Decidim
               notify(manager) do
                 ConversationMailer.new_group_conversation(originator, manager, conversation, recipient).deliver_later
               end
+              Decidim::PushNotificationMessageSender.new.new_group_conversation(originator, manager, conversation, recipient).deliver
             end
           else
             notify(recipient) do
               ConversationMailer.new_conversation(originator, recipient, conversation).deliver_later
             end
+            Decidim::PushNotificationMessageSender.new.new_conversation(originator, recipient, conversation).deliver
           end
         end
       end
@@ -68,6 +70,7 @@ module Decidim
           notify(recipient) do
             ConversationMailer.comanagers_new_conversation(originator, recipient, conversation, form.context.current_user).deliver_later
           end
+          Decidim::PushNotificationMessageSender.new.comanagers_new_conversation(originator, recipient, conversation, form.context.current_user).deliver
         end
       end
 

data/app/commands/decidim/search.rb

@@ -3,7 +3,7 @@
 module Decidim
   # A command that will act as a search service, with all the business logic for performing searches.
   class Search < Decidim::Command
-    ACCEPTED_FILTERS = [:decidim_scope_id_eq].freeze
+    ACCEPTED_FILTERS = [:decidim_scope_id_in].freeze
     HIGHLIGHTED_RESULTS_COUNT = 4
 
     # Public: Initializes the command.

data/app/commands/decidim/unendorse_resource.rb

@@ -31,7 +31,7 @@ module Decidim
       query = if @current_group.present?
                 @resource.endorsements.where(decidim_user_group_id: @current_group&.id)
               else
-                @resource.endorsements.where(author: @current_user, decidim_user_group_id: nil)
+                @resource.endorsements.where(author: @current_user, decidim_user_group_id: 0)
               end
       query.destroy_all
     end

data/app/controllers/concerns/decidim/devise_authentication_methods.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module DeviseAuthenticationMethods
+    extend ActiveSupport::Concern
+    include Decidim::UserBlockedChecker
+
+    included do
+      def after_sign_in_path_for(user)
+        if user.present? && user.blocked?
+          check_user_block_status(user)
+        elsif user.needs_password_update?
+          change_password_path
+        elsif first_login_and_not_authorized?(user) && !user.admin? && !pending_redirect?(user)
+          decidim_verifications.first_login_authorizations_path
+        else
+          super
+        end
+      end
+
+      # Calling the `stored_location_for` method removes the key, so in order
+      # to check if there is any pending redirect after login I need to call
+      # this method and use the value to set a pending redirect. This is the
+      # only way to do this without checking the session directly.
+      def pending_redirect?(user)
+        store_location_for(user, stored_location_for(user))
+      end
+
+      def first_login_and_not_authorized?(user)
+        user.is_a?(User) && user.sign_in_count == 1 && current_organization.available_authorizations.any? && user.verifiable?
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/force_authentication.rb

@@ -35,11 +35,15 @@ module Decidim
     end
 
     def unauthorized_paths
-      # /locale is for changing the locale
-      %w(/locale) + Decidim::StaticPage.where(
+      default_unauthorized_paths + Decidim::StaticPage.where(
         organization: current_organization,
         allow_public_access: true
       ).pluck(Arel.sql("CONCAT('/pages/', slug)"))
     end
+
+    def default_unauthorized_paths
+      # /locale is for changing the locale and /manifest.webmanifest to request PWA manifest
+      %w(/locale /manifest.webmanifest)
+    end
   end
 end

data/app/controllers/concerns/decidim/paginable.rb

@@ -19,7 +19,7 @@ module Decidim
 
       def per_page
         if OPTIONS.include?(params[:per_page])
-          params[:per_page]
+          params[:per_page].to_i
         elsif params[:per_page]
           sorted = OPTIONS.sort
           params[:per_page].to_i.clamp(sorted.first, sorted.last)

data/app/controllers/decidim/devise/omniauth_registrations_controller.rb

@@ -6,6 +6,7 @@ module Decidim
     class OmniauthRegistrationsController < ::Devise::OmniauthCallbacksController
       include FormFactory
       include Decidim::DeviseControllers
+      include Decidim::DeviseAuthenticationMethods
 
       def new
         @form = form(OmniauthRegistrationForm).from_params(params[:user])
@@ -45,28 +46,6 @@ module Decidim
         end
       end
 
-      def after_sign_in_path_for(user)
-        if user.present? && user.blocked?
-          check_user_block_status(user)
-        elsif !pending_redirect?(user) && first_login_and_not_authorized?(user)
-          decidim_verifications.authorizations_path
-        else
-          super
-        end
-      end
-
-      # Calling the `stored_location_for` method removes the key, so in order
-      # to check if there's any pending redirect after login I need to call
-      # this method and use the value to set a pending redirect. This is the
-      # only way to do this without checking the session directly.
-      def pending_redirect?(user)
-        store_location_for(user, stored_location_for(user))
-      end
-
-      def first_login_and_not_authorized?(user)
-        user.is_a?(User) && user.sign_in_count == 1 && Decidim::Verifications.workflows.any? && user.verifiable?
-      end
-
       def action_missing(action_name)
         return send(:create) if devise_mapping.omniauthable? && current_organization.enabled_omniauth_providers.keys.include?(action_name.to_sym)
 

data/app/controllers/decidim/devise/registrations_controller.rb

@@ -39,7 +39,7 @@ module Decidim
           end
 
           on(:invalid) do
-            flash.now[:alert] = @form.errors.full_messages.join(", ") if @form.errors.full_messages.any?
+            flash.now[:alert] = t("error", scope: "decidim.devise.registrations.create")
             render :new
           end
         end

data/app/controllers/decidim/devise/sessions_controller.rb

@@ -5,6 +5,7 @@ module Decidim
     # Custom Devise SessionsController to avoid namespace problems.
     class SessionsController < ::Devise::SessionsController
       include Decidim::DeviseControllers
+      include Decidim::DeviseAuthenticationMethods
 
       before_action :check_sign_in_enabled, only: :create
 
@@ -35,30 +36,6 @@ module Decidim
         end
       end
 
-      def after_sign_in_path_for(user)
-        if user.present? && user.blocked?
-          check_user_block_status(user)
-        elsif user.needs_password_update?
-          change_password_path
-        elsif first_login_and_not_authorized?(user) && !user.admin? && !pending_redirect?(user)
-          decidim_verifications.first_login_authorizations_path
-        else
-          super
-        end
-      end
-
-      # Calling the `stored_location_for` method removes the key, so in order
-      # to check if there's any pending redirect after login I need to call
-      # this method and use the value to set a pending redirect. This is the
-      # only way to do this without checking the session directly.
-      def pending_redirect?(user)
-        store_location_for(user, stored_location_for(user))
-      end
-
-      def first_login_and_not_authorized?(user)
-        user.is_a?(User) && user.sign_in_count == 1 && current_organization.available_authorizations.any? && user.verifiable?
-      end
-
       def after_sign_out_path_for(user)
         request.referer || super
       end

data/app/controllers/decidim/links_controller.rb

@@ -35,7 +35,7 @@ module Decidim
     end
 
     def external_url
-      @external_url ||= URI.parse(params[:external_url])
+      @external_url ||= URI.parse(URI::Parser.new.escape(params[:external_url]))
     end
   end
 end

data/app/controllers/decidim/searches_controller.rb

@@ -26,7 +26,7 @@ module Decidim
         term: params[:term],
         with_resource_type: nil,
         with_space_state: nil,
-        decidim_scope_id_eq: nil
+        decidim_scope_id_in: nil
       }
     end
 

data/app/controllers/decidim/user_timeline_controller.rb

@@ -12,7 +12,7 @@ module Decidim
     helper_method :activities, :resource_types, :user
 
     def index
-      raise ActionController::RoutingError, "Not Found" if current_user != user
+      raise ActionController::RoutingError, "Not Found" unless user && current_user == user
     end
 
     private

data/app/controllers/decidim/widgets_controller.rb

@@ -11,6 +11,8 @@ module Decidim
     helper_method :model, :iframe_url, :current_participatory_space
 
     def show
+      raise ActionController::RoutingError, "Not Found" if model.nil?
+
       respond_to do |format|
         format.js { render "decidim/widgets/show" }
         format.html
@@ -19,6 +21,10 @@ module Decidim
 
     private
 
+    def current_component
+      @current_component ||= request.env["decidim.current_component"]
+    end
+
     def current_participatory_space
       @current_participatory_space ||= model.component.participatory_space
     end

data/app/events/decidim/welcome_notification_event.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "mustache"
-
 module Decidim
   class WelcomeNotificationEvent < Decidim::Events::BaseEvent
     include Decidim::Events::EmailEvent
@@ -46,13 +44,12 @@ module Decidim
     private
 
     def interpolate(template)
-      Mustache.render(
-        template.to_s,
-        organization: organization.name,
-        name: user.name,
-        help_url: url_helpers.pages_url(host: organization.host),
-        badges_url: url_helpers.gamification_badges_url(host: organization.host)
-      ).html_safe
+      template
+        .gsub("{{name}}", user.name)
+        .gsub("{{organization}}", organization.name)
+        .gsub("{{help_url}}", url_helpers.pages_url(host: organization.host))
+        .gsub("{{badges_url}}", url_helpers.gamification_badges_url(host: organization.host))
+        .html_safe
     end
   end
 end

data/app/forms/decidim/account_form.rb

@@ -24,7 +24,7 @@ module Decidim
     validates :nickname, presence: true, format: { with: Decidim::User::REGEXP_NICKNAME }
 
     validates :nickname, length: { maximum: Decidim::User.nickname_max_length, allow_blank: true }
-    validates :password, confirmation: true
+    validates :password, confirmation: { message: I18n.t("errors.messages.password_confirmation_message") }
     validates :password, password: { name: :name, email: :email, username: :nickname }, if: -> { password.present? }
     validates :password_confirmation, presence: true, if: :password_present
     validates :avatar, passthru: { to: Decidim::User }

data/app/forms/decidim/notifications_settings_form.rb

@@ -44,14 +44,6 @@ module Decidim
       allow_public_contact ? "all" : "followed-only"
     end
 
-    def user_is_moderator?(user)
-      Decidim.participatory_space_manifests.map do |manifest|
-        participatory_space_type = manifest.model_class_name.constantize
-        return true if participatory_space_type.moderators(user.organization).exists?(id: user.id)
-      end
-      false
-    end
-
     def meet_push_notifications_requirements?
       Rails.application.secrets.dig(:vapid, :enabled) || false
     end

data/app/forms/decidim/registration_form.rb

@@ -17,7 +17,7 @@ module Decidim
     validates :name, presence: true, format: { with: Decidim::User::REGEXP_NAME }
     validates :nickname, presence: true, format: { with: Decidim::User::REGEXP_NICKNAME }, length: { maximum: Decidim::User.nickname_max_length }
     validates :email, presence: true, "valid_email_2/email": { disposable: true }
-    validates :password, confirmation: true
+    validates :password, confirmation: { message: I18n.t("errors.messages.password_confirmation_message") }
     validates :password, password: { name: :name, email: :email, username: :nickname }
     validates :password_confirmation, presence: true
     validates :tos_agreement, allow_nil: false, acceptance: true

data/app/helpers/decidim/cells_paginate_helper.rb

@@ -14,7 +14,7 @@ module Decidim
     end
 
     def per_page
-      params[:per_page] || Decidim::Paginable::OPTIONS.first
+      params[:per_page].to_i || Decidim::Paginable::OPTIONS.first
     end
   end
 end

data/app/helpers/decidim/check_boxes_tree_helper.rb

@@ -50,20 +50,20 @@ module Decidim
       organization = current_participatory_space.organization
 
       sorted_main_categories = current_participatory_space.categories.first_class.includes(:subcategories).sort_by do |category|
-        [category.weight, translated_attribute(category.name, organization)]
+        [category.weight, decidim_html_escape(translated_attribute(category.name, organization))]
       end
 
       categories_values = sorted_main_categories.flat_map do |category|
         sorted_descendant_categories = category.descendants.includes(:subcategories).sort_by do |subcategory|
-          [subcategory.weight, translated_attribute(subcategory.name, organization)]
+          [subcategory.weight, decidim_html_escape(translated_attribute(subcategory.name, organization))]
         end
 
         subcategories = sorted_descendant_categories.flat_map do |subcategory|
-          TreePoint.new(subcategory.id.to_s, translated_attribute(subcategory.name, organization))
+          TreePoint.new(subcategory.id.to_s, decidim_html_escape(translated_attribute(subcategory.name, organization)))
         end
 
         TreeNode.new(
-          TreePoint.new(category.id.to_s, translated_attribute(category.name, organization)),
+          TreePoint.new(category.id.to_s, decidim_html_escape(translated_attribute(category.name, organization))),
           subcategories
         )
       end

data/app/helpers/decidim/decidim_form_helper.rb

@@ -84,6 +84,7 @@ module Decidim
 
       template = ""
       template += render("decidim/scopes/scopes_picker_input",
+                         values_options: { delete_button: false },
                          picker_options: picker_options,
                          prompt_params: prompt_params,
                          scopes: scopes,