decidim-core 0.28.3 → 0.28.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ed7b2e2e440e7ab68c508dc8242f6adbee52c292cfa8fd3fd43e42fc75e8f8f
-  data.tar.gz: ee75d95c1002bc872483de673a2e21e23c100d387d2bd50d86bb05ed5a91d1fa
+  metadata.gz: 30504edbc5451f226b04213804ae8b02392132d8f66f9d5ebe9ea58ad264031e
+  data.tar.gz: 0ff217364122ef3812f7aa950e4908364126ceca46f135d0d5dc049b1ee19537
 SHA512:
-  metadata.gz: d82a46910165f8510bec81d79677b26057d49e88ddc9ddd3fda2443b0d8529804faebb2eb8949313b4cf4c25fc8fd406da049dc2e33d172430d7614dc043b9cd
-  data.tar.gz: e86a808c22abc5db470d2bcf7d9427a2d8ea13588a73fcbde936fbd22c381d606f30b45353e3638f39150e16966cf75edcf6d81698164b3bdef9055b1881a02f
+  metadata.gz: 897aec8c06d1dd2110a5bd880e07061cab5e12495b707ed175afa81468c5ac162cf3d7a6643879eab83a82a9ca76232ff82dcb0d9b29ccf277d328fec6539a35
+  data.tar.gz: 88e9607861160a270e3604733a323fc2b1d359779c335ff8ccce97c9e587062c9c916d07682ad0ddda2b50abe2f718d3ce4baeb5bf77cbf3aab77ea231160014

data/app/cells/decidim/activity_cell.rb

@@ -106,10 +106,7 @@ module Decidim
       hash << id_prefix
       hash << I18n.locale.to_s
       hash << model.class.name.underscore
-      hash << model.cache_key_with_version
-      if (author_cell = author)
-        hash.push(Digest::MD5.hexdigest(author_cell.send(:cache_hash)))
-      end
+      hash << model.cache_key_with_version if model.respond_to?(:cache_key_with_version)
 
       hash.join(Decidim.cache_key_separator)
     end

data/app/cells/decidim/author/show.erb

@@ -1,6 +1,7 @@
-<% data = has_tooltip? ? { tooltip: render(:profile_minicard).html_safe } : nil %>
-<span class="author" data-author>
-  <%= content_tag :span, class: "author__container#{" is-compact" if layout == :compact}", data: do %>
+<%# If the options hash has the demo key it means we are in the decidim-design engine, so it is not a real-world scenario with actual users %>
+<% tooltip = options.has_key?(:demo) ? { tooltip: render(:profile_minicard).html_safe } : nil %>
+<%= content_tag(:span, class: :author, data: ) do %>
+  <%= content_tag :span, class: "author__container#{" is-compact" if layout == :compact}", data: tooltip do %>
     <% if layout == :compact %>
       <%= render :avatar %>
 
@@ -24,4 +25,4 @@
       <%= render action %>
     <% end %>
   <% end %>
-</span>
+<% end %>

data/app/cells/decidim/author_cell.rb

@@ -49,8 +49,26 @@ module Decidim
       @context_actions_options ||= options[:context_actions].map(&:to_sym)
     end
 
+    def profile_minicard
+      render
+    end
+
     private
 
+    # If the options hash has the demo key it means we are in the decidim-design engine,
+    # so it is not a real-world scenario with actual users
+    def data
+      @data ||= begin
+        internal_data = { author: true }
+        if has_tooltip? && !options.has_key?(:demo)
+          internal_data["remote_tooltip"] = true
+          internal_data["tooltip-url"] = decidim.profile_tooltip_path(raw_model.nickname)
+        end
+
+        internal_data
+      end
+    end
+
     def layout
       @layout ||= LAYOUTS.include?(options[:layout]) ? options[:layout] : :default
     end
@@ -162,5 +180,13 @@ module Decidim
     def resource_name
       @resource_name ||= from_context.class.name.demodulize.underscore
     end
+
+    def has_tooltip?
+      return false if model.deleted?
+      return false if model.respond_to?(:blocked?) && model.blocked?
+      return true if options.has_key?(:tooltip)
+
+      model.has_tooltip?
+    end
   end
 end

data/app/cells/decidim/card_s/show.erb

@@ -1,10 +1,12 @@
-<%= link_to resource_path, class: "card__search", id: dom_id(resource) do %>
+<%= content_tag :div, id: dom_id(resource), class: "card__search" do %>
   <%= content_tag title_tag, class: "h4 card__search-title" do %>
-    <%= title %>
+    <%= link_to resource_path, class: "card__search" do %>
+      <%= title %>
+    <% end %>
   <% end %>
   <% if metadata_cell.present? %>
     <div class="card__search-metadata">
-      <%= cell metadata_cell, resource, links: false %>
+     <%= cell metadata_cell, resource, links: false %>
     </div>
   <% end %>
 <% end %>

data/app/cells/decidim/content_blocks/stats_cell.rb

@@ -17,7 +17,7 @@ module Decidim
       end
 
       def cache_expiry_time
-        10.minutes
+        Decidim.stats_cache_expiry_time
       end
     end
   end

data/app/cells/decidim/diff_cell.rb

@@ -71,6 +71,10 @@ module Decidim
 
     # DiffRenderer class for the current_version's item; falls back to `BaseDiffRenderer`.
     def diff_renderer_class
+      renderer_class = "#{current_version.item_type}DiffRenderer".safe_constantize
+
+      return renderer_class if renderer_class
+
       if current_version.item_type.deconstantize == "Decidim"
         "#{current_version.item_type.pluralize}::DiffRenderer".constantize
       else

data/app/cells/decidim/endorsement_buttons_cell.rb

@@ -77,7 +77,7 @@ module Decidim
     end
 
     def user_has_verified_groups?
-      current_user && Decidim::UserGroups::ManageableUserGroups.for(current_user).verified.any?
+      current_user && current_organization.user_groups_enabled? && Decidim::UserGroups::ManageableUserGroups.for(current_user).verified.any?
     end
 
     def endorse_translated

data/app/cells/decidim/nav_links/show.erb

@@ -1,12 +1,12 @@
 <div class="participatory-space__nav-container">
-  <button id="dropdown-trigger-participatory-space" data-component="dropdown" data-target="dropdown-menu-participatory-space" data-auto-close="true" data-scroll-to-menu="true">
+  <button id="dropdown-trigger-participatory-space" data-component="dropdown" data-target="dropdown-menu-participatory-space" data-auto-close="true" data-scroll-to-menu="true" data-open-md="true">
     <span><%= t("decidim.searches.filters.jump_to") %></span>
     <%= icon "arrow-down-s-line" %>
     <%= icon "arrow-up-s-line" %>
   </button>
-  <ul id="dropdown-menu-participatory-space" class="participatory-space__nav" aria-hidden="true">
+  <ul id="dropdown-menu-participatory-space" class="participatory-space__nav">
     <% model.each do |item| %>
-      <li>
+      <li role="menuitem">
         <%= link_to item[:url], class: "participatory-space__nav-item" do %>
           <%= item[:name] %>
           <%= icon "arrow-right-line" %>

data/app/cells/decidim/newsletter_templates/image_text_cta_cell.rb

@@ -50,7 +50,7 @@ module Decidim
       end
 
       def main_image_url
-        newsletter.template.images_container.attached_uploader(:main_image).url(host: organization.host)
+        newsletter.template.images_container.attached_uploader(:main_image).url
       end
 
       def organization_primary_color

data/app/cells/decidim/resource_types_filter/show.erb

@@ -1,5 +1,5 @@
 <div id="<%= id %>" class="filter-container">
-  <button id="dropdown-trigger-resource" data-component="dropdown" data-target="dropdown-menu-resource" data-auto-close="true">
+  <button id="dropdown-trigger-resource" data-component="dropdown" data-target="dropdown-menu-resource" data-open-md="true">
     <% resource_types.each do |resource_type| %>
       <span data-value="<%= resource_type[0] %>" class="<%= "is-active" if filter_param == resource_type[0] %>">
         <%= text_with_resource_icon(*resource_type) %>
@@ -8,15 +8,14 @@
     <%= icon "arrow-down-s-line" %>
     <%= icon "arrow-up-s-line" %>
   </button>
-  <%= filter_form_for filter, form_path, :class => "new_filter", :id => "dropdown-menu-resource", "aria-hidden" => true do |form| %>
-    <%= form.collection_radio_buttons(
-          filter_param_key,
-          resource_types,
-          :first,
-          :last,
-          { checked: filter_param }
-        ) do |builder|
-            builder.label { builder.radio_button(class: "reset-defaults", hidden: true) + content_tag(:span, text_with_resource_icon(builder.value, builder.text), class: "filter") }
-      end %>
-  <% end %>
+  <ul id="dropdown-menu-resource">
+    <% resource_types.each do |resource_type| %>
+      <li role="menuitem">
+        <%= link_to decidim.last_activities_path(filter: { with_resource_type: resource_type[0] } ), class: "filter#{" is-active" if filter_param == resource_type[0]}" do %>
+          <span class="sr-only"><%= resource_type[1] %></span>
+          <%= text_with_resource_icon(*resource_type) %>
+        <% end %>
+      </li>
+    <% end %>
+  </ul>
 </div>

data/app/cells/decidim/translation_bar/show.erb

@@ -1,6 +1,6 @@
-<div class="wrapper-mini translation-bar">
-  <div class="row column">
+<div>
+  <div class="pt-4 pb-4 text-center bg-background">
     <%= link %>
-    <span class="translation-button-help"><%= help_text %></span>
+    <span class="translation-button-help ml-4"><%= help_text %></span>
   </div>
 </div>

data/app/cells/decidim/translation_bar_cell.rb

@@ -34,7 +34,7 @@ module Decidim
       parsed_url.query = new_query
       url = parsed_url.to_s
 
-      link_to button_text, url, class: "button small hollow"
+      link_to button_text, url, class: "button button__sm button__transparent-secondary"
     end
 
     def button_text

data/app/commands/decidim/amendable/create_draft.rb

@@ -53,6 +53,7 @@ module Decidim
             emendation.body = { I18n.locale => form.emendation_params.with_indifferent_access[:body] }
             emendation.component = amendable.component
             emendation.add_author(current_user, user_group)
+            emendation.category = amendable.category if amendable.respond_to?(:category)
             emendation.save!
             emendation
           end

data/app/commands/decidim/destroy_account.rb

@@ -35,6 +35,9 @@ module Decidim
       @user.name = ""
       @user.nickname = ""
       @user.email = ""
+      @user.personal_url = ""
+      @user.about = ""
+      @user.notifications_sending_frequency = "none"
       @user.delete_reason = @form.delete_reason
       @user.admin = false if @user.admin?
       @user.deleted_at = Time.current

data/app/controllers/concerns/decidim/devise_authentication_methods.rb

@@ -12,7 +12,7 @@ module Decidim
         if user.present? && user.blocked?
           check_user_block_status(user)
         elsif user.needs_password_update?
-          change_password_path
+          decidim.change_password_path
         elsif first_login_and_not_authorized?(user) && !user.admin? && !pending_redirect?(user)
           decidim_verifications.first_login_authorizations_path
         else

data/app/controllers/concerns/decidim/direct_upload.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Decidim
+  module DirectUpload
+    extend ActiveSupport::Concern
+
+    included do
+      include Decidim::NeedsOrganization
+      skip_before_action :verify_organization
+
+      before_action :check_organization!,
+                    :check_authenticated!,
+                    :check_user_belongs_to_organization,
+                    :validate_direct_upload
+    end
+
+    protected
+
+    def validate_direct_upload
+      # We skip the validation if we are in system panel. `current_admin` refers to the main system admin user.
+      return if current_admin.present?
+
+      head :unprocessable_entity unless [
+        maximum_allowed_size.try(:to_i) >= blob_args[:byte_size].try(:to_i),
+        content_types.any? { |pattern| pattern.match?(blob_args[:content_type]) },
+        content_types.any? { |pattern| pattern.match?(MiniMime.lookup_by_extension(extension)&.content_type) },
+        allowed_extensions.any? { |pattern| pattern.match?(extension) }
+      ].all?
+    rescue NoMethodError
+      head :unprocessable_entity
+    end
+
+    def extension
+      File.extname(blob_args[:filename]).delete(".")
+    end
+
+    def maximum_allowed_size
+      current_organization.settings.upload_maximum_file_size
+    end
+
+    def check_organization!
+      head :unauthorized if current_organization.blank? && current_admin.blank?
+    end
+
+    def check_authenticated!
+      head :unauthorized if current_user.blank? && current_admin.blank?
+    end
+
+    def check_user_belongs_to_organization
+      return if current_admin.present?
+
+      head :unauthorized unless current_organization == current_user.organization
+    end
+
+    def allowed_extensions
+      if user_has_elevated_role?
+        current_organization.settings.upload_allowed_file_extensions_admin
+      else
+        current_organization.settings.upload_allowed_file_extensions
+      end
+    end
+
+    def content_types
+      if user_has_elevated_role?
+        current_organization.settings.upload_allowed_content_types_admin
+      else
+        current_organization.settings.upload_allowed_content_types
+      end
+    end
+
+    private
+
+    def user_has_elevated_role?
+      [
+        current_user&.admin?,
+        defined?(Decidim::Assemblies::AssembliesWithUserRole) && Decidim::Assemblies::AssembliesWithUserRole.for(current_user).any?,
+        defined?(Decidim::Conferences::ConferencesWithUserRole) && Decidim::Conferences::ConferencesWithUserRole.for(current_user).any?,
+        defined?(Decidim::ParticipatoryProcessesWithUserRole) && Decidim::ParticipatoryProcessesWithUserRole.for(current_user).any?
+      ].any?
+    end
+  end
+end

data/app/controllers/decidim/doorkeeper/credentials_controller.rb

@@ -28,7 +28,7 @@ module Decidim
       end
 
       def avatar_url
-        avatar_url = current_resource_owner.attached_uploader(:avatar).url(host: current_resource_owner.organization.host)
+        avatar_url = current_resource_owner.attached_uploader(:avatar).url
         return unless avatar_url
 
         unless %r{^https?://}.match? avatar_url

data/app/controllers/decidim/links_controller.rb

@@ -41,7 +41,7 @@ module Decidim
     end
 
     def escape_url(external_url)
-      before_fragment, fragment = external_url.split("#", 2)
+      before_fragment, fragment = URI.decode_www_form_component(external_url).split("#", 2)
       escaped_before_fragment = URI::Parser.new.escape(before_fragment)
 
       if fragment

data/app/controllers/decidim/profiles_controller.rb

@@ -27,6 +27,10 @@ module Decidim
       redirect_to profile_activity_path(nickname: params[:nickname])
     end
 
+    def tooltip
+      render json: { data: cell("decidim/author", profile_holder.presenter).profile_minicard }
+    end
+
     def following
       @content_cell = "decidim/following"
       @title_key = "following"

data/app/forms/decidim/upload_validation_form.rb

@@ -10,7 +10,7 @@ module Decidim
     # Property is named as attribute in upload modal and passthru validator, but
     # it cannot be named as attribute here.
     attribute :property, String
-    attribute :blob, String
+    attribute :blob, Decidim::Attributes::Blob
     attribute :form_class, String
 
     validates :resource_class, presence: true

data/app/helpers/concerns/decidim/user_role_checker.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Decidim
+  module UserRoleChecker
+    # Shared behaviour for signed_in admins
+    extend ActiveSupport::Concern
+
+    private
+
+    def user_has_any_role?(user, participatory_space = nil, broad_check: false)
+      return false unless user
+
+      [
+        user.admin,
+        user.roles.any?,
+        participatory_process_user_role?(user, participatory_space, broad_check:),
+        assembly_user_role?(user, participatory_space, broad_check:),
+        conference_user_role?(user, participatory_space, broad_check:)
+      ].any?
+    end
+
+    def participatory_process_user_role?(user, participatory_process = nil, broad_check: false)
+      return false unless Decidim.module_installed?(:participatory_processes)
+      return Decidim::ParticipatoryProcessUserRole.exists?(user:) if broad_check
+      return false unless participatory_process.is_a?(Decidim::ParticipatoryProcess)
+
+      Decidim::ParticipatoryProcessUserRole.exists?(user:, participatory_process:)
+    end
+
+    def assembly_user_role?(user, assembly = nil, broad_check: false)
+      return false unless Decidim.module_installed?(:assemblies)
+      return Decidim::AssemblyUserRole.exists?(user:) if broad_check
+      return false unless assembly.is_a?(Decidim::Assembly)
+
+      Decidim::AssemblyUserRole.exists?(user:, assembly:)
+    end
+
+    def conference_user_role?(user, conference = nil, broad_check: false)
+      return false unless Decidim.module_installed?(:conferences)
+      return Decidim::ConferenceUserRole.exists?(user:) if broad_check
+      return false unless conference.is_a?(Decidim::Conference)
+
+      Decidim::ConferenceUserRole.exists?(user:, conference:)
+    end
+  end
+end

data/app/helpers/decidim/cta_button_helper.rb

@@ -16,7 +16,7 @@ module Decidim
     # Finds the CTA button path to reuse it in other places.
     def cta_button_path
       if current_organization.cta_button_path.present?
-        current_organization.cta_button_path
+        "/#{current_organization.cta_button_path}"
       elsif Decidim::ParticipatoryProcess.where(organization: current_organization).published.any?
         decidim_participatory_processes.participatory_processes_path
       elsif current_user

data/app/helpers/decidim/layout_helper.rb

@@ -169,6 +169,20 @@ module Decidim
                                           end
     end
 
+    def current_url(params = request.parameters)
+      return url_for(params) if respond_to?(:current_participatory_space) || respond_to?(:current_component)
+
+      each_decidim_engine do |helpers|
+        return helpers.url_for(params)
+      rescue ActionController::UrlGenerationError
+        # Continue to next engine in case the URL is not available.
+      end
+
+      main_app.url_for(params)
+    rescue ActionController::UrlGenerationError
+      "#{request.base_url}#{"?#{params.to_query}" unless params.empty?}"
+    end
+
     private
 
     def empty_organization_description?
@@ -177,6 +191,20 @@ module Decidim
       organization_description.blank? || organization_description == "<p></p>"
     end
 
+    def each_decidim_engine
+      Rails.application.railties.each do |engine|
+        next unless engine.is_a?(Rails::Engine)
+        next unless engine.isolated?
+        next unless engine.engine_name.start_with?("decidim_")
+        next unless respond_to?(engine.engine_name)
+
+        yield public_send(engine.engine_name)
+      end
+      return unless respond_to?(:decidim)
+
+      yield decidim
+    end
+
     def tag_builder
       @tag_builder ||= ActionView::Helpers::TagHelper::TagBuilder.new(self)
     end

data/app/helpers/decidim/map_helper.rb

@@ -35,7 +35,12 @@ module Decidim
             data: { "external-link": "text-only" }
           }.merge(map_html_options)
           return link_to(map_url, html_options) do
-            image_tag decidim.static_map_path(sgid: resource.to_sgid.to_s), alt: "#{map_service_brand} - #{address_text}"
+            # We also add the latitude and the longitude to prevent the Workbox cache to be overly aggressive when updating a map
+            image_tag decidim.static_map_path(
+              sgid: resource.to_sgid.to_s,
+              latitude: resource.latitude,
+              longitude: resource.longitude
+            ), alt: "#{map_service_brand} - #{address_text}"
           end
         end
       end

data/app/helpers/decidim/menu_helper.rb

@@ -49,7 +49,7 @@ module Decidim
         self,
         element_class: "font-semibold underline",
         active_class: "is-active",
-        container_options: { class: "space-y-4 break-inside-avoid" },
+        container_options: { class: "space-y-4 break-inside-avoid", role: :menu },
         label: t("layouts.decidim.footer.decidim_title")
       )
     end

data/app/helpers/decidim/sanitize_helper.rb

@@ -37,13 +37,22 @@ module Decidim
       end
     end
 
+    # Converts the blob and blob variant references to blob URLs.
+    def decidim_rich_text(html, options = {})
+      renderer = Decidim::ContentProcessor.renderer_klass(:blob).constantize.new(html)
+      renderer.render(options)
+    end
+
     def decidim_sanitize_editor(html, options = {})
       content_tag(:div, decidim_sanitize(html, options), class: %w(rich-text-display))
     end
 
     def decidim_sanitize_editor_admin(html, options = {})
       html = Decidim::IframeDisabler.new(html, options).perform
-      decidim_sanitize_editor(html, { scrubber: Decidim::AdminInputScrubber.new }.merge(options))
+      decidim_sanitize_editor(
+        decidim_rich_text(html),
+        { scrubber: Decidim::AdminInputScrubber.new }.merge(options)
+      )
     end
 
     def decidim_html_escape(text)
@@ -51,7 +60,7 @@ module Decidim
     end
 
     def decidim_url_escape(text)
-      decidim_html_escape(text).sub(/^javascript:/, "")
+      decidim_html_escape(text).sub(/^\s*javascript:/, "")
     end
 
     def decidim_sanitize_translated(text)

data/app/helpers/decidim/scopes_helper.rb

@@ -53,11 +53,14 @@ module Decidim
     # options       - An optional Hash with options:
     #
     # Returns nothing.
-    def scopes_select_field(form, name, root: false, options: {})
+    def scopes_select_field(form, name, root: false, options: {}, html_options: {})
+      options = options.merge(include_blank: I18n.t("decidim.scopes.prompt")) unless options.has_key?(:include_blank)
+
       form.select(
         name,
         ordered_scopes_descendants_for_select(root),
-        options.merge(include_blank: I18n.t("decidim.scopes.prompt"))
+        options,
+        html_options
       )
     end
 

data/app/models/decidim/action_log.rb

@@ -138,6 +138,7 @@ module Decidim
         Decidim::Proposals::Proposal
         Decidim::Surveys::Survey
         Decidim::Assembly
+        Decidim::Conference
         Decidim::Initiative
         Decidim::ParticipatoryProcess
       ).select do |klass|
@@ -154,7 +155,16 @@ module Decidim
     end
 
     def self.publicable_public_resource_types
-      @publicable_public_resource_types ||= public_resource_types.select { |klass| klass.constantize.column_names.include?("published_at") }
+      @publicable_public_resource_types ||= public_resource_types
+                                            .select { |klass| klass.constantize.column_names.include?("published_at") } - publicable_exceptions
+    end
+
+    def self.publicable_exceptions
+      @publicable_exceptions = %w(
+        Decidim::Blogs::Post
+      ).select do |klass|
+        klass.safe_constantize.present?
+      end
     end
 
     def self.ransackable_scopes(auth_object = nil)

data/app/models/decidim/attachment.rb

@@ -65,7 +65,7 @@ module Decidim
     #
     # Returns String.
     def file_type
-      url&.split(".")&.last&.downcase
+      url&.split(".")&.last&.split("&")&.first&.downcase
     end
 
     def url

data/app/packs/src/decidim/a11y.js

@@ -59,7 +59,6 @@ const createDropdown = (component) => {
   const dropdownOptions = {};
   dropdownOptions.dropdown = component.dataset.target;
   dropdownOptions.hover = component.dataset.hover === "true";
-  dropdownOptions.isOpen = component.dataset.open === "true";
   dropdownOptions.autoClose = component.dataset.autoClose === "true";
 
   // This snippet allows to disable the dropdown based on the current viewport
@@ -78,6 +77,17 @@ const createDropdown = (component) => {
     return
   }
 
+  dropdownOptions.isOpen = component.dataset.open === "true";
+
+  const isOpen = Object.keys(screens).some((key) => {
+    if (!isScreenSize(key)) {
+      return false;
+    }
+    return Boolean(component.dataset[`open-${key}`.replace(/-([a-z])/g, (str) => str[1].toUpperCase())]);
+  });
+
+  dropdownOptions.isOpen = dropdownOptions.isOpen || isOpen;
+
   if (!component.id) {
     // when component has no id, we enforce to have it one
     component.id = `dropdown-${Math.random().toString(36).substring(7)}`
@@ -104,20 +114,6 @@ const createDropdown = (component) => {
     });
   }
 
-  // Disable focus on children elements so we can pass the AXE accessibility tests
-  const dropdownMenu = document.getElementById(dropdownOptions.dropdown);
-  if (dropdownMenu.getAttribute("aria-hidden") === "true") {
-    dropdownMenu.
-      querySelectorAll("a, input, button").
-      forEach((element) => { element.tabIndex = -1 })
-  }
-
-  component.addEventListener("click", () => {
-    dropdownMenu.
-      querySelectorAll("a, input, button").
-      forEach((element) => { element.tabIndex = 0 })
-  })
-
   Dropdowns.render(component.id, dropdownOptions);
 }