decidim-core 0.27.5 → 0.27.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c9b09dc6caf48cd1318acfd39efaef6e9aa95ed3527ff40c3974a56f409eeff7
-  data.tar.gz: bb6ca8ea6d9b57a37d6793757cd8a12bbcffdf63afd27924216f67af1d8acb14
+  metadata.gz: 71d8e583cc9dcd7338a03de09eb24a8a06a913f5e411b74bf16e5c42d9802639
+  data.tar.gz: c7028f8e3b04ab7c04afb94e6c74cbc114af7f734b5e65ff53d6a31bc0b6683e
 SHA512:
-  metadata.gz: 4003252d8eeae3f86cb4056380f4fb7aefe8a8e97f3935e97a970513ccdd05e9d6b9ca8658b56147b7bff0e306608472e656db871eae5bbb50ab9cfc1e629d4b
-  data.tar.gz: ce5aec4bd84ee34b87b5b7cc3f1afb08a1e6bcc3c34ff5cf1afa87d3ded13fe012f29a6a882fead250413f64db4a9b643770ca2c0e643e186ea51bb57a2e6c87
+  metadata.gz: f7df735fa2c671d915577eee036cb64b06c3ef85f4ecd1c95a65e22affb625f2a136c1596e55a7250f473397165f2364db867bad3287ecc3ffe5231e234cdc44
+  data.tar.gz: fd264b6e1db71ec2e9b1fb0cc31a73ddadf7c3e2a3dbe7209001f87f52a3840bae8f4bd406f5c84767460fea73fbcbf18a9f950b82d91d5b23c47b1bd02f60fa

data/app/cells/decidim/activity_cell.rb

@@ -38,9 +38,9 @@ module Decidim
 
       case resource_title
       when String
-        resource_title
+        decidim_html_escape(resource_title)
       when Hash
-        translated_attribute(resource_title)
+        decidim_escape_translated(resource_title)
       end
     end
 

data/app/cells/decidim/card_cell.rb

@@ -28,11 +28,11 @@ module Decidim
     end
 
     def title
-      model.try(:title) || model.try(:name) || ""
+      decidim_escape_translated(model.try(:title) || model.try(:name) || "")
     end
 
     def body
-      model.try(:body) || model.try(:about) || ""
+      decidim_escape_translated(model.try(:body) || model.try(:about) || "")
     end
 
     def resource_manifest

data/app/cells/decidim/card_m/top.erb

@@ -1,7 +1,7 @@
 <div class="card__top">
   <% if render_space? %>
     <div class="card__content text-small">
-      <span class="muted"><%= searchable_resource_human_name(model.participatory_space.class, count: 1) %>:</span>&nbsp;<%= link_to translated_attribute(model.participatory_space.title), Decidim::ResourceLocatorPresenter.new(model.participatory_space).path, class: "card__link text-ellipsis" %>
+      <span class="muted"><%= searchable_resource_human_name(model.participatory_space.class, count: 1) %>:</span>&nbsp;<%= link_to decidim_escape_translated(model.participatory_space.title), Decidim::ResourceLocatorPresenter.new(model.participatory_space).path, class: "card__link text-ellipsis" %>
     </div>
   <% end %>
 </div>

data/app/cells/decidim/card_m_cell.rb

@@ -57,7 +57,7 @@ module Decidim
     end
 
     def title
-      decidim_html_escape(translated_attribute(model.title))
+      decidim_escape_translated(model.title)
     end
 
     def description

data/app/cells/decidim/follow_button_cell.rb

@@ -46,7 +46,7 @@ module Decidim
 
     def render_screen_reader_title_for(resource)
       content_tag :span, class: "show-for-sr" do
-        decidim_html_escape(resource_title(resource))
+        decidim_sanitize_translated(resource_title(resource))
       end
     end
 

data/app/cells/decidim/notification/moderated.erb

@@ -0,0 +1,24 @@
+<div class="card card--widget">
+  <ul class="card-data">
+    <li class="card-data__item">
+      <div class="card__link text-center">
+        <%= resource_icon notification.resource, class: "icon--large" %>
+        <span class="text-medium mt-xs" title="<%= l(notification.created_at) %>" data-tooltip="true" data-disable-hover="false">
+          <%= notification.created_at_in_words %>
+        </span>
+      </div>
+    </li>
+    <li class="card-data__item card-data__item--expand absolutes">
+      <div class="mr-s">
+        <span class="text-small"><%= notification.event_class.constantize.model_name.human %></span>
+        <br>
+        <%= t("decidim.notifications.show.moderated") %>
+      </div>
+      <div class="right center mr-s">
+        <%= link_to model, remote: true, method: :delete, class: "mark-as-read-button" do %>
+          <%= icon "circle-x", class: "card__link", aria_label: t("mark_as_read", scope: "layouts.decidim.notifications_dashboard"), role: "img" %>
+        <% end %>
+      </div>
+    </li>
+  </ul>
+</div>

data/app/cells/decidim/notification_cell.rb

@@ -8,7 +8,11 @@ module Decidim
     include Decidim::Core::Engine.routes.url_helpers
 
     def show
-      render :show
+      if notification.event_class_instance.try(:hidden_resource?)
+        render :moderated
+      else
+        render :show
+      end
     end
 
     def notification_title

data/app/cells/decidim/scopes_picker/scope_picker_values.erb

@@ -1,5 +1,5 @@
 <div class="picker-values">
   <%- scopes.each do |scope, params| %>
-    <div><%= link_to params[:text], params[:url], data: { picker_value: scope.id } %></div>
+    <div><%= link_to decidim_html_escape(params[:text]), params[:url], data: { picker_value: scope.id } %></div>
   <% end %>
 </div>

data/app/cells/decidim/tags_cell.rb

@@ -9,6 +9,8 @@ module Decidim
   #   <%= cell("decidim/category", model.category, context: {resource: model}) %>
   #
   class TagsCell < Decidim::ViewModel
+    include Decidim::SanitizeHelper
+
     def show
       render if category? || scope?
     end
@@ -51,7 +53,7 @@ module Decidim
     end
 
     def category_name
-      model.category.translated_name
+      decidim_html_escape model.category.translated_name
     end
 
     def category_path

data/app/cells/decidim/user_profile_cell.rb

@@ -29,7 +29,7 @@ module Decidim
     delegate :badge, to: :presented_resource
 
     def description
-      html_truncate(decidim_html_escape(user.about.to_s), length: 100)
+      html_truncate(decidim_escape_translated(user.about), length: 100)
     end
 
     def avatar

data/app/commands/decidim/create_omniauth_registration.rb

@@ -57,14 +57,12 @@ module Decidim
         # to be marked confirmed.
         @user.skip_confirmation! if !@user.confirmed? && @user.email == verified_email
       else
-        generated_password = SecureRandom.hex
-
         @user.email = (verified_email || form.email)
         @user.name = form.name
         @user.nickname = form.normalized_nickname
         @user.newsletter_notifications_at = nil
-        @user.password = generated_password
-        @user.password_confirmation = generated_password
+        @user.password = SecureRandom.hex
+        @user.password_confirmation = @user.password
         if form.avatar_url.present?
           url = URI.parse(form.avatar_url)
           filename = File.basename(url.path)

data/app/commands/decidim/messaging/reply_to_conversation.rb

@@ -54,11 +54,13 @@ module Decidim
               notify(manager) do
                 ConversationMailer.new_group_message(sender, manager, conversation, message, recipient).deliver_later
               end
+              Decidim::PushNotificationMessageSender.new.new_group_message(sender, manager, conversation, message, recipient).deliver
             end
           else
             notify(recipient) do
               ConversationMailer.new_message(sender, recipient, conversation, message).deliver_later
             end
+            Decidim::PushNotificationMessageSender.new.new_message(sender, recipient, conversation, message).deliver
           end
         end
       end
@@ -68,6 +70,7 @@ module Decidim
           notify(recipient) do
             ConversationMailer.comanagers_new_message(sender, recipient, conversation, message, form.context.current_user).deliver_later
           end
+          Decidim::PushNotificationMessageSender.new.comanagers_new_message(sender, recipient, conversation, message, form.context.current_user).deliver
         end
       end
 

data/app/commands/decidim/messaging/start_conversation.rb

@@ -54,11 +54,13 @@ module Decidim
               notify(manager) do
                 ConversationMailer.new_group_conversation(originator, manager, conversation, recipient).deliver_later
               end
+              Decidim::PushNotificationMessageSender.new.new_group_conversation(originator, manager, conversation, recipient).deliver
             end
           else
             notify(recipient) do
               ConversationMailer.new_conversation(originator, recipient, conversation).deliver_later
             end
+            Decidim::PushNotificationMessageSender.new.new_conversation(originator, recipient, conversation).deliver
           end
         end
       end
@@ -68,6 +70,7 @@ module Decidim
           notify(recipient) do
             ConversationMailer.comanagers_new_conversation(originator, recipient, conversation, form.context.current_user).deliver_later
           end
+          Decidim::PushNotificationMessageSender.new.comanagers_new_conversation(originator, recipient, conversation, form.context.current_user).deliver
         end
       end
 

data/app/controllers/concerns/decidim/devise_authentication_methods.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module DeviseAuthenticationMethods
+    extend ActiveSupport::Concern
+    include Decidim::UserBlockedChecker
+
+    included do
+      def after_sign_in_path_for(user)
+        if user.present? && user.blocked?
+          check_user_block_status(user)
+        elsif user.needs_password_update?
+          change_password_path
+        elsif first_login_and_not_authorized?(user) && !user.admin? && !pending_redirect?(user)
+          decidim_verifications.first_login_authorizations_path
+        else
+          super
+        end
+      end
+
+      # Calling the `stored_location_for` method removes the key, so in order
+      # to check if there is any pending redirect after login I need to call
+      # this method and use the value to set a pending redirect. This is the
+      # only way to do this without checking the session directly.
+      def pending_redirect?(user)
+        store_location_for(user, stored_location_for(user))
+      end
+
+      def first_login_and_not_authorized?(user)
+        user.is_a?(User) && user.sign_in_count == 1 && current_organization.available_authorizations.any? && user.verifiable?
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/force_authentication.rb

@@ -17,7 +17,7 @@ module Decidim
     # Breaks the request lifecycle, if user is not authenticated.
     # Otherwise returns.
     def ensure_authenticated!
-      return true unless current_organization.force_users_to_authenticate_before_access_organization
+      return true unless current_organization&.force_users_to_authenticate_before_access_organization
 
       # Next stop: Let's check whether auth is ok
       unless user_signed_in?

data/app/controllers/concerns/decidim/paginable.rb

@@ -19,7 +19,7 @@ module Decidim
 
       def per_page
         if OPTIONS.include?(params[:per_page])
-          params[:per_page]
+          params[:per_page].to_i
         elsif params[:per_page]
           sorted = OPTIONS.sort
           params[:per_page].to_i.clamp(sorted.first, sorted.last)

data/app/controllers/concerns/decidim/use_organization_time_zone.rb

@@ -25,7 +25,7 @@ module Decidim
       #
       # Returns a String.
       def organization_time_zone
-        @organization_time_zone ||= current_organization.time_zone
+        @organization_time_zone ||= current_organization&.time_zone
       end
     end
   end

data/app/controllers/decidim/devise/omniauth_registrations_controller.rb

@@ -6,6 +6,7 @@ module Decidim
     class OmniauthRegistrationsController < ::Devise::OmniauthCallbacksController
       include FormFactory
       include Decidim::DeviseControllers
+      include Decidim::DeviseAuthenticationMethods
 
       def new
         @form = form(OmniauthRegistrationForm).from_params(params[:user])
@@ -45,28 +46,6 @@ module Decidim
         end
       end
 
-      def after_sign_in_path_for(user)
-        if user.present? && user.blocked?
-          check_user_block_status(user)
-        elsif !pending_redirect?(user) && first_login_and_not_authorized?(user)
-          decidim_verifications.authorizations_path
-        else
-          super
-        end
-      end
-
-      # Calling the `stored_location_for` method removes the key, so in order
-      # to check if there's any pending redirect after login I need to call
-      # this method and use the value to set a pending redirect. This is the
-      # only way to do this without checking the session directly.
-      def pending_redirect?(user)
-        store_location_for(user, stored_location_for(user))
-      end
-
-      def first_login_and_not_authorized?(user)
-        user.is_a?(User) && user.sign_in_count == 1 && Decidim::Verifications.workflows.any? && user.verifiable?
-      end
-
       def action_missing(action_name)
         return send(:create) if devise_mapping.omniauthable? && current_organization.enabled_omniauth_providers.keys.include?(action_name.to_sym)
 

data/app/controllers/decidim/devise/sessions_controller.rb

@@ -5,6 +5,7 @@ module Decidim
     # Custom Devise SessionsController to avoid namespace problems.
     class SessionsController < ::Devise::SessionsController
       include Decidim::DeviseControllers
+      include Decidim::DeviseAuthenticationMethods
 
       before_action :check_sign_in_enabled, only: :create
 
@@ -35,30 +36,6 @@ module Decidim
         end
       end
 
-      def after_sign_in_path_for(user)
-        if user.present? && user.blocked?
-          check_user_block_status(user)
-        elsif user.needs_password_update?
-          change_password_path
-        elsif first_login_and_not_authorized?(user) && !user.admin? && !pending_redirect?(user)
-          decidim_verifications.first_login_authorizations_path
-        else
-          super
-        end
-      end
-
-      # Calling the `stored_location_for` method removes the key, so in order
-      # to check if there's any pending redirect after login I need to call
-      # this method and use the value to set a pending redirect. This is the
-      # only way to do this without checking the session directly.
-      def pending_redirect?(user)
-        store_location_for(user, stored_location_for(user))
-      end
-
-      def first_login_and_not_authorized?(user)
-        user.is_a?(User) && user.sign_in_count == 1 && current_organization.available_authorizations.any? && user.verifiable?
-      end
-
       def after_sign_out_path_for(user)
         request.referer || super
       end

data/app/controllers/decidim/links_controller.rb

@@ -35,7 +35,19 @@ module Decidim
     end
 
     def external_url
-      @external_url ||= URI.parse(URI::Parser.new.escape(params[:external_url]))
+      @external_url ||= URI.parse(escape_url(params[:external_url]))
+    end
+
+    def escape_url(external_url)
+      before_fragment, fragment = external_url.split("#", 2)
+      escaped_before_fragment = URI::Parser.new.escape(before_fragment)
+
+      if fragment
+        escaped_fragment = URI::Parser.new.escape(fragment)
+        "#{escaped_before_fragment}##{escaped_fragment}"
+      else
+        escaped_before_fragment
+      end
     end
   end
 end

data/app/controllers/decidim/widgets_controller.rb

@@ -11,6 +11,8 @@ module Decidim
     helper_method :model, :iframe_url, :current_participatory_space
 
     def show
+      raise ActionController::RoutingError, "Not Found" if model.nil?
+
       respond_to do |format|
         format.js { render "decidim/widgets/show" }
         format.html
@@ -19,6 +21,10 @@ module Decidim
 
     private
 
+    def current_component
+      @current_component ||= request.env["decidim.current_component"]
+    end
+
     def current_participatory_space
       @current_participatory_space ||= model.component.participatory_space
     end

data/app/events/decidim/welcome_notification_event.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "mustache"
-
 module Decidim
   class WelcomeNotificationEvent < Decidim::Events::BaseEvent
     include Decidim::Events::EmailEvent
@@ -46,13 +44,12 @@ module Decidim
     private
 
     def interpolate(template)
-      Mustache.render(
-        template.to_s,
-        organization: organization.name,
-        name: user.name,
-        help_url: url_helpers.pages_url(host: organization.host),
-        badges_url: url_helpers.gamification_badges_url(host: organization.host)
-      ).html_safe
+      template
+        .gsub("{{name}}", user.name)
+        .gsub("{{organization}}", organization.name)
+        .gsub("{{help_url}}", url_helpers.pages_url(host: organization.host))
+        .gsub("{{badges_url}}", url_helpers.gamification_badges_url(host: organization.host))
+        .html_safe
     end
   end
 end

data/app/helpers/decidim/cells_paginate_helper.rb

@@ -14,7 +14,7 @@ module Decidim
     end
 
     def per_page
-      params[:per_page] || Decidim::Paginable::OPTIONS.first
+      params[:per_page].to_i || Decidim::Paginable::OPTIONS.first
     end
   end
 end

data/app/helpers/decidim/check_boxes_tree_helper.rb

@@ -50,20 +50,20 @@ module Decidim
       organization = current_participatory_space.organization
 
       sorted_main_categories = current_participatory_space.categories.first_class.includes(:subcategories).sort_by do |category|
-        [category.weight, translated_attribute(category.name, organization)]
+        [category.weight, decidim_html_escape(translated_attribute(category.name, organization))]
       end
 
       categories_values = sorted_main_categories.flat_map do |category|
         sorted_descendant_categories = category.descendants.includes(:subcategories).sort_by do |subcategory|
-          [subcategory.weight, translated_attribute(subcategory.name, organization)]
+          [subcategory.weight, decidim_html_escape(translated_attribute(subcategory.name, organization))]
         end
 
         subcategories = sorted_descendant_categories.flat_map do |subcategory|
-          TreePoint.new(subcategory.id.to_s, translated_attribute(subcategory.name, organization))
+          TreePoint.new(subcategory.id.to_s, decidim_html_escape(translated_attribute(subcategory.name, organization)))
         end
 
         TreeNode.new(
-          TreePoint.new(category.id.to_s, translated_attribute(category.name, organization)),
+          TreePoint.new(category.id.to_s, decidim_html_escape(translated_attribute(category.name, organization))),
           subcategories
         )
       end

data/app/helpers/decidim/newsletters_helper.rb

@@ -8,28 +8,28 @@ module Decidim
     # for example transform "https://es.lipsum.com/" to "https://es.lipsum.com/?utm_source=localhost&utm_campaign=newsletter_11"
     # And replace "%{name}" on the subject or content of newsletter to the user Name
     # for example transform "%{name}" to "User Name"
+    #
+    # @param content [String] - the string to convert
+    # @param user [Decidim::User] - the user to replace
+    # @param id [Integer] - the id of the newsletter to change
+    #
+    # @return [String] - the content converted
     def parse_interpolations(content, user = nil, id = nil)
-      if Decidim.config.track_newsletter_links && id.present? && user.present?
-        host = user.organization.host.to_s
-        campaign = "newsletter_#{id}"
+      host = user&.organization&.host&.to_s
 
-        links = content.scan(/href\s*=\s*"([^"]*)"/)
-
-        links.each do |link|
-          link_replaced = link.first + utm_codes(host, campaign)
-          content = content.gsub(/href\s*=\s*"([^"]*#{link.first})"/, %(href="#{link_replaced}"))
-        end
-      end
-
-      if user.present?
-        content.gsub("%{name}", user.name)
-      else
-        content.gsub("%{name}", "")
-      end
+      content = interpret_name(content, user)
+      content = track_newsletter_links(content, id, host)
+      transform_image_urls(content, host)
     end
 
     # this method is used to generate the root link on mail with the utm_codes
     # If the newsletter_id is nil, it returns the root_url
+    #
+    # @param organization [Decidim::Organization] - the Organization of this newsletter
+    # @param newsletter_id [Integer] - the id of the newsletter
+    #
+    # @return [String] - the root_url converted
+    #
     def custom_url_for_mail_root(organization, newsletter_id = nil)
       decidim = EngineRouter.new("decidim", {})
       if newsletter_id.present?
@@ -39,10 +39,77 @@ module Decidim
       end
     end
 
+    private
+
     # Method to specify the utm_codes.
     # You can change or add utm_codes for track
+    #
+    # @param host [String] - the Decidim::Organization host add to the URL
+    # @param newsletter_id [String] - the ID of the newsletter
+    #
+    # @return [String] - the UTM codes to be added
+    #
     def utm_codes(host, newsletter_id)
       "?utm_source=#{host}&utm_campaign=#{newsletter_id}"
     end
+
+    # Interpret placeholder '%{name}' and replace by the user name
+    # If user is not define, it returns content with blank instead of the placeholder
+    #
+    # @param content [String] - the string to convert
+    # @param user [Decidim::User] - the user to replace
+    #
+    # @return [String] - the content converted
+    #
+    def interpret_name(content, user)
+      return content.gsub("%{name}", "") if user.blank?
+
+      content.gsub("%{name}", user.name)
+    end
+
+    # Find each img HTML tag with relative path in src attribute
+    # For each URL, prepends the decidim.root_url
+    #   If host is not defined it returns full content
+    #
+    # @param content [String] - the string to convert
+    # @param host [String] - the Decidim::Organization host to replace
+    #
+    # @return [String] - the content converted
+    #
+    def transform_image_urls(content, host)
+      return content if host.blank?
+
+      content.scan(/src\s*=\s*"([^"]*)"/).each do |src|
+        root_url = decidim.root_url(host: host)[0..-2]
+        src_replaced = "#{root_url}#{src.first}"
+        content = content.gsub(/src\s*=\s*"([^"]*#{src.first})"/, %(src="#{src_replaced}"))
+      end
+
+      content
+    end
+
+    # Add tracking query params to each links
+    #
+    # @param content [String] - the string to convert
+    # @param id [Integer] - the id of the newsletter
+    # @param host [String] - the Decidim::Organization host
+    #
+    # @return [String] - the content converted
+    #
+    def track_newsletter_links(content, id, host)
+      return content unless Decidim.config.track_newsletter_links
+      return content if id.blank?
+      return content if host.blank?
+
+      campaign = "newsletter_#{id}"
+      links = content.scan(/href\s*=\s*"([^"]*)"/)
+
+      links.each do |link|
+        link_replaced = link.first + utm_codes(host, campaign)
+        content = content.gsub(/href\s*=\s*"([^"]*#{link.first})"/, %(href="#{link_replaced}"))
+      end
+
+      content
+    end
   end
 end

data/app/helpers/decidim/resource_helper.rb

@@ -75,7 +75,7 @@ module Decidim
     # Returns a descriptive title for the resource
     def resource_title(resource)
       title = resource.try(:title) || resource.try(:name) || resource.try(:subject) || "#{resource.model_name.human} ##{resource.id}"
-      title = translated_attribute(title) if title.is_a?(Hash)
+      title = decidim_escape_translated(title) if title.is_a?(Hash)
       title
     end
   end

data/app/helpers/decidim/sanitize_helper.rb

@@ -6,6 +6,7 @@ module Decidim
     def self.included(base)
       base.include ActionView::Helpers::SanitizeHelper
       base.include ActionView::Helpers::TagHelper
+      base.include Decidim::TranslatableAttributes
     end
 
     # Public: It sanitizes a user-inputted string with the
@@ -53,6 +54,14 @@ module Decidim
       decidim_html_escape(text).sub(/^javascript:/, "")
     end
 
+    def decidim_sanitize_translated(text)
+      decidim_sanitize(translated_attribute(text))
+    end
+
+    def decidim_escape_translated(text)
+      decidim_html_escape(translated_attribute(text))
+    end
+
     private
 
     # Maintains the paragraphs and lists separations with their bullet points and

data/app/helpers/decidim/user_profile_helper.rb

@@ -14,9 +14,14 @@ module Decidim
     #
     # Returns a String with the menu tab.
     def user_profile_tab(text, link, options = {})
-      active = is_active_link?(link, (options[:aria_link_type] || :inclusive))
+      aria = {}
+      cls = %w(tabs-title)
+      if is_active_link?(link, (options[:aria_link_type] || :inclusive))
+        cls << "is-active"
+        aria[:current] = "page"
+      end
 
-      content_tag(:li, class: "tabs-title#{active ? " is-active" : nil}") do
+      content_tag(:li, class: cls.join(" "), aria: aria) do
         link_to(text, link, options)
       end
     end