decidim-core 0.29.2 → 0.30.0.rc2

data/app/controllers/concerns/decidim/ephemeral_session_checker.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module EphemeralSessionChecker
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :check_ephemeral_user_session, if: :ephemeral_user_signed_in?
+
+      helper_method :onboarding_manager
+    end
+
+    private
+
+    def ephemeral_user_signed_in?
+      user_signed_in? && current_user.ephemeral?
+    end
+
+    def onboarding_manager
+      @onboarding_manager ||= Decidim::OnboardingManager.new(current_user)
+    end
+
+    def check_ephemeral_user_session
+      return true unless request.format.html?
+
+      return destroy_ephemeral_session && redirect_to(decidim.root_path) if onboarding_manager.expired?
+
+      if onboarding_manager.valid?
+        authorizations = action_authorized_to(onboarding_manager.action, **onboarding_manager.action_authorized_resources)
+
+        return redirect_to decidim_verifications.onboarding_pending_authorizations_path unless authorizations_permitted_paths?(authorizations, onboarding_manager)
+
+        if authorizations.global_code == :unauthorized
+          flash[:alert] = t("unauthorized", scope: "decidim.core.actions")
+          return destroy_ephemeral_session && redirect_to(decidim.root_path)
+        end
+      end
+
+      return true
+    end
+
+    def destroy_ephemeral_session
+      Decidim::DestroyEphemeralUser.call(current_user) do
+        on(:ok) do
+          sign_out(current_user)
+          flash[:notice] = t("ephemeral_session_closed", scope: "decidim.devise.sessions.user")
+        end
+
+        on(:invalid) do
+          flash[:alert] = t("account.destroy.error", scope: "decidim")
+        end
+      end
+    end
+
+    # This method determines which paths are allowed to the user based on the
+    # onboarding manager data and the associated authorizations. In all cases
+    # the user is allowed to visit the onboarding pending and the terms of
+    # service pages. In addition:
+    # * If the user is pending to complete an authorization is also allowed to
+    #   navigate in the pages to complete the authorizations and the
+    #   authorizations path to send the request.
+    # * If the user is authorized is also allowed to visit the paths determined
+    #   by the onboarding manager after finishing the authorization flow and
+    #   the associated component.
+    # The method checks the request path and checks if the path starts with one
+    # of the paths of the allowlist
+    def authorizations_permitted_paths?(authorizations, onboarding_manager)
+      paths_list = if authorizations.user_pending?
+                     authorizations.statuses.map(&:current_path).compact.prepend(
+                       decidim_verifications.authorizations_path
+                     )
+                   elsif authorizations.ok?
+                     [onboarding_manager.finished_redirect_path, onboarding_manager.component_path].compact
+                   else
+                     []
+                   end
+      paths_list.prepend(
+        decidim_verifications.onboarding_pending_authorizations_path,
+        decidim.page_path(terms_of_service_page)
+      )
+
+      paths_list.find { |el| /\A#{URI.parse(el).path}/.match?(request.path) }
+    end
+  end
+end

data/app/controllers/concerns/decidim/filter_resource.rb

@@ -16,11 +16,13 @@ module Decidim
       end
 
       def method_missing(method_name, *_arguments)
-        @filter.present? && @filter.has_key?(method_name) ? @filter[method_name] : super
+        method = method_name.to_s.gsub(/\[[0-9]+\]$/, "").to_sym
+        @filter.present? && @filter.has_key?(method) ? @filter[method] : super
       end
 
       def respond_to_missing?(method_name, include_private = false)
-        (@filter.present? && @filter.has_key?(method_name)) || super
+        method = method_name.to_s.gsub(/\[[0-9]+\]$/, "").to_sym
+        (@filter.present? && @filter.has_key?(method)) || super
       end
     end
 

data/app/controllers/concerns/decidim/has_members_page.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module HasMembersPage
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :collection
+
+      private
+
+      def can_visit_index?
+        current_user_can_visit_space? && current_participatory_space.members_public_page?
+      end
+
+      def members
+        @members ||= current_participatory_space.participatory_space_private_users.published
+      end
+
+      alias_method :collection, :members
+    end
+  end
+end

data/app/controllers/concerns/decidim/headers/browser_feature_permissions.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module Headers
+    # This module controls the "Permissions-Policy" header to define the
+    # specific sets of browser features that the website is able to use.
+    module BrowserFeaturePermissions
+      extend ActiveSupport::Concern
+
+      included do
+        after_action :define_permissions_policy
+      end
+
+      private
+
+      def define_permissions_policy
+        return if response.media_type != "text/html"
+        return if response.headers["Permissions-Policy"].present?
+
+        # Allow the "unload" and "onbeforeunload" events to be used at the
+        # current domain to prevent the user unintentionally changing the page
+        # when they have something important to do on the page, such as an
+        # unsaved form.
+        #
+        # This header is required because Chrome is phasing this event out due
+        # to some performance issues with the back/forward cache feature of the
+        # browser. However, currently there are no alternative events that would
+        # allow preventing accidental page reloads, tab closing or window
+        # closing.
+        #
+        # For further information, see:
+        # https://developer.chrome.com/docs/web-platform/deprecating-unload
+        # https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md
+        #
+        # Note that even Google suggests using the "beforeunload" for this
+        # particular use case:
+        # https://developer.chrome.com/docs/web-platform/page-lifecycle-api#events
+        #
+        # beforeunload
+        #   Important: the beforeunload event should only be used to alert the
+        #   user of unsaved changes. Once those changes are saved, the event
+        #   should be removed. It should never be added unconditionally to the
+        #   page, as doing so can hurt performance in some cases.
+        response.headers["Permissions-Policy"] = "unload=(self)"
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/locale_switcher.rb

@@ -46,14 +46,14 @@ module Decidim
       #
       # Returns an Array of Strings.
       def available_locales
-        @available_locales ||= (current_organization || Decidim).public_send(:available_locales)
+        @available_locales ||= (current_organization || Decidim).available_locales
       end
 
       # The default locale of this organization.
       #
       # Returns a String with the default locale.
       def default_locale
-        @default_locale ||= (current_organization || Decidim).public_send(:default_locale)
+        @default_locale ||= (current_organization || Decidim).default_locale
       end
 
       # Detects the locale priority: query string, user saved, session, browser

data/app/controllers/concerns/decidim/needs_password_change.rb

@@ -28,7 +28,6 @@ module Decidim
                          decidim.accept_tos_path,
                          decidim.download_your_data_path,
                          decidim.export_download_your_data_path,
-                         decidim.download_file_download_your_data_path,
                          decidim.change_password_path].compact
       # ensure that path with or without query string pass
       permitted_paths.find { |el| el.split("?").first == target_path }

data/app/controllers/concerns/decidim/needs_permission.rb

@@ -40,7 +40,8 @@ module Decidim
           current_settings: try(:current_settings),
           component_settings: try(:component_settings),
           current_organization: try(:current_organization),
-          current_component: try(:current_component)
+          current_component: try(:current_component),
+          share_token: try(:store_share_token)
         }
       end
 

data/app/controllers/concerns/decidim/needs_tos_accepted.rb

@@ -15,7 +15,7 @@ module Decidim
     def tos_accepted_by_user
       return true unless request.format.html?
       return true unless current_user
-      return if current_user.tos_accepted?
+      return if current_user.tos_accepted? || current_user.ephemeral?
       return if permitted_paths?
 
       redirect_to_tos
@@ -33,12 +33,11 @@ module Decidim
     end
 
     def permitted_paths?
+      return true if request.path.starts_with?(decidim.download_your_data_path)
+
       permitted_paths = [tos_path,
                          decidim.delete_account_path,
-                         decidim.accept_tos_path,
-                         decidim.download_your_data_path,
-                         decidim.export_download_your_data_path,
-                         decidim.download_file_download_your_data_path]
+                         decidim.accept_tos_path]
       # ensure that path with or without query string pass
       permitted_paths.find { |el| el.split("?").first == request.path }
     end

data/app/controllers/concerns/decidim/onboarding_action_methods.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module OnboardingActionMethods
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :pending_onboarding_action?
+
+      # Returns true if there is a pending onboarding action for the user.
+      # The check if skipped for admins, users that are not verifiable of
+      # organizations that have no available authorizations.
+      def pending_onboarding_action?(user)
+        return false if user.blank?
+        return false if user.admin?
+        return false unless user.verifiable?
+        return false if current_organization.available_authorizations.empty?
+
+        OnboardingManager.new(user).pending_action?
+      end
+
+      def store_onboarding_cookie_data!(user)
+        data = onboarding_cookie_data
+        return if data.nil?
+
+        if data.present?
+          user.extended_data = user.extended_data.merge(data)
+          user.save!
+        end
+        cookies.delete(OnboardingManager::DATA_KEY)
+      end
+
+      def onboarding_cookie_data
+        data_key = OnboardingManager::DATA_KEY
+        return unless cookies[data_key]
+
+        { data_key => JSON.parse(cookies[data_key]).transform_keys(&:underscore) }
+      rescue JSON::ParserError
+        {}
+      end
+
+      def clear_onboarding_data!(user)
+        return if user.ephemeral?
+
+        user.extended_data = user.extended_data.except(OnboardingManager::DATA_KEY)
+        user.save!
+      end
+    end
+  end
+end

data/app/controllers/decidim/application_controller.rb

@@ -16,6 +16,7 @@ module Decidim
     include NeedsTosAccepted
     include Headers::HttpCachingDisabler
     include Headers::ContentSecurityPolicy
+    include Headers::BrowserFeaturePermissions
     include ActionAuthorization
     include ForceAuthentication
     include SafeRedirect
@@ -25,6 +26,8 @@ module Decidim
     include NeedsPasswordChange
     include LinkedResourceReference
     include ActiveStorage::SetCurrent
+    include OnboardingActionMethods
+    include EphemeralSessionChecker
 
     helper Decidim::MetaTagsHelper
     helper Decidim::DecidimFormHelper
@@ -41,6 +44,7 @@ module Decidim
     helper Decidim::TwitterSearchHelper
     helper Decidim::SocialShareButtonHelper
     helper Decidim::FiltersHelper
+    helper Decidim::OnboardingActionHelper
 
     register_permissions(::Decidim::ApplicationController,
                          ::Decidim::Admin::Permissions,
@@ -56,6 +60,12 @@ module Decidim
 
     skip_before_action :disable_http_caching, unless: :user_signed_in?
 
+    def store_share_token
+      session[:share_token] = params[:share_token] if params.has_key?(:share_token)
+
+      session[:share_token].presence
+    end
+
     private
 
     # This overrides Devise's method for extracting the path from the URL. We

data/app/controllers/decidim/authorization_modals_controller.rb

@@ -5,10 +5,12 @@ module Decidim
     helper_method :authorizations, :authorize_action_path
     layout false
 
-    def show; end
+    def show
+      store_onboarding_cookie_data!(current_user)
+    end
 
     def authorize_action_path(handler_name)
-      authorizations.status_for(handler_name).current_path(redirect_url: URI(request.referer).path)
+      authorizations.status_for(handler_name).current_path(redirect_url:)
     end
 
     private
@@ -31,5 +33,9 @@ module Decidim
     def authorizations
       @authorizations ||= action_authorized_to(authorization_action, resource:)
     end
+
+    def redirect_url
+      pending_onboarding_action?(current_user) ? decidim_verifications.onboarding_pending_authorizations_path : URI(request.referer).path
+    end
   end
 end

data/app/controllers/decidim/components/base_controller.rb

@@ -19,7 +19,7 @@ module Decidim
       helper Decidim::TranslationsHelper
       helper Decidim::IconHelper
       helper Decidim::ResourceHelper
-      helper Decidim::ScopesHelper
+      helper Decidim::TaxonomiesHelper
       helper Decidim::ActionAuthorizationHelper
       helper Decidim::AttachmentsHelper
       helper Decidim::SanitizeHelper
@@ -30,7 +30,7 @@ module Decidim
                     :current_manifest
 
       before_action do
-        enforce_permission_to :read, :component, component: current_component, share_token:
+        enforce_permission_to :read, :component, component: current_component
       end
 
       before_action :redirect_unless_feature_private
@@ -49,10 +49,6 @@ module Decidim
         @current_manifest ||= current_component.manifest
       end
 
-      def share_token
-        params[:share_token]
-      end
-
       def permission_scope
         :public
       end
@@ -73,7 +69,7 @@ module Decidim
       def set_component_breadcrumb_item
         context_breadcrumb_items << {
           label: current_component.name,
-          url: root_path,
+          url: Decidim::EngineRouter.main_proxy(current_component).root_path,
           active: false,
           resource: current_component
         }

data/app/controllers/decidim/devise/confirmations_controller.rb

@@ -5,6 +5,7 @@ module Decidim
     # Custom Devise ConfirmationsController to avoid namespace problems.
     class ConfirmationsController < ::Devise::ConfirmationsController
       include Decidim::DeviseControllers
+      include Decidim::OnboardingActionMethods
 
       helper_method :new_user_group_session_path
 
@@ -33,6 +34,9 @@ module Decidim
 
         sign_in(resource)
 
+        store_onboarding_cookie_data!(resource)
+        return decidim_verifications.onboarding_pending_authorizations_path if pending_onboarding_action?(resource)
+
         super
       end
     end

data/app/controllers/decidim/devise/omniauth_registrations_controller.rb

@@ -7,6 +7,7 @@ module Decidim
       include FormFactory
       include Decidim::DeviseControllers
       include Decidim::DeviseAuthenticationMethods
+      include NeedsTosAccepted
 
       def new
         @form = form(OmniauthRegistrationForm).from_params(params[:user])
@@ -36,6 +37,12 @@ module Decidim
             render :new
           end
 
+          on(:add_tos_errors) do
+            set_flash_message :alert, :add_tos_errors if @form.valid_tos?
+            session[:verified_email] = verified_email
+            render :new_tos_fields
+          end
+
           on(:error) do |user|
             if user.errors[:email]
               set_flash_message :alert, :failure, kind: @form.provider.capitalize, reason: t("decidim.devise.omniauth_registrations.create.email_already_exists")
@@ -75,7 +82,7 @@ module Decidim
       end
 
       def verified_email
-        @verified_email ||= oauth_data.dig(:info, :email)
+        @verified_email ||= oauth_data.dig(:info, :email).presence || session[:verified_email]
       end
 
       def oauth_hash

data/app/controllers/decidim/devise/registrations_controller.rb

@@ -57,7 +57,7 @@ module Decidim
 
       # Called before resource.save
       def build_resource(hash = nil)
-        super(hash)
+        super
         resource.organization = current_organization
       end
 

data/app/controllers/decidim/devise/sessions_controller.rb

@@ -24,6 +24,8 @@ module Decidim
             validator = PasswordValidator.new({ attributes: :password })
             user.update!(password_updated_at: nil) unless validator.validate_each(user, :password, sign_in_params[:password])
           end
+
+          store_onboarding_cookie_data!(user)
         end
       end
 

data/app/controllers/decidim/download_your_data_controller.rb

@@ -6,11 +6,29 @@ module Decidim
   # The controller to handle the user's download_my_data page.
   class DownloadYourDataController < Decidim::ApplicationController
     include Decidim::UserProfile
+    include Decidim::Paginable
 
+    helper_method :help_definitions
+
+    # i18n-tasks-use t('decidim.download_your_data.show.answers')
+    # i18n-tasks-use t('decidim.download_your_data.show.assemblies')
+    # i18n-tasks-use t('decidim.download_your_data.show.debate_comments')
+    # i18n-tasks-use t('decidim.download_your_data.show.debates')
+    # i18n-tasks-use t('decidim.download_your_data.show.initiatives')
+    # i18n-tasks-use t('decidim.download_your_data.show.meeting_comments')
+    # i18n-tasks-use t('decidim.download_your_data.show.meetings')
+    # i18n-tasks-use t('decidim.download_your_data.show.participatory_processes')
+    # i18n-tasks-use t('decidim.download_your_data.show.projects')
+    # i18n-tasks-use t('decidim.download_your_data.show.proposal_comments')
+    # i18n-tasks-use t('decidim.download_your_data.show.proposals')
+    # i18n-tasks-use t('decidim.download_your_data.show.result_comments')
+    # i18n-tasks-use t('decidim.download_your_data.show.results')
+    # i18n-tasks-use t('decidim.download_your_data.show.survey_user_answers')
     def show
       enforce_permission_to(:show, :user, current_user:)
 
       @account = form(AccountForm).from_model(current_user)
+      @exports = paginate(current_user.private_exports)
     end
 
     def export
@@ -25,12 +43,25 @@ module Decidim
     def download_file
       enforce_permission_to(:download, :user, current_user:)
 
-      if current_user.download_your_data_file.attached?
-        redirect_to Rails.application.routes.url_helpers.rails_blob_url(current_user.download_your_data_file.blob, only_path: true)
+      if private_export.expired?
+        flash[:error] = t("decidim.account.download_your_data_export.export_expired")
+        redirect_to download_your_data_path
+      elsif private_export.file.attached?
+        redirect_to Rails.application.routes.url_helpers.rails_blob_url(private_export.file.blob, only_path: true)
       else
         flash[:error] = t("decidim.account.download_your_data_export.file_no_exists")
         redirect_to download_your_data_path
       end
     end
+
+    private
+
+    def private_export
+      @private_export ||= current_user.private_exports.find(params[:uuid])
+    end
+
+    def help_definitions
+      @help_definitions ||= Decidim::DownloadYourDataSerializers.help_definitions_for(current_user)
+    end
   end
 end

data/app/controllers/decidim/editor_images_controller.rb

@@ -3,9 +3,7 @@
 module Decidim
   class EditorImagesController < Decidim::ApplicationController
     include FormFactory
-
-    # overwrite original rescue_from to ensure we print messages from ajax methods (update)
-    rescue_from Decidim::ActionForbidden, with: :ajax_user_has_no_permission
+    include AjaxPermissionHandler
 
     def create
       enforce_permission_to :create, :editor_image
@@ -25,14 +23,6 @@ module Decidim
 
     private
 
-    # Rescue ajax calls and print the update.js view which prints the info on the message ajax form
-    # Only if the request is AJAX, otherwise behave as Decidim standards
-    def ajax_user_has_no_permission
-      return user_has_no_permission unless request.xhr?
-
-      render json: { message: I18n.t("actions.unauthorized", scope: "decidim.core") }, status: :unprocessable_entity
-    end
-
     def form_values
       {
         file: params[:image],

data/app/controllers/decidim/follows_controller.rb

@@ -47,7 +47,7 @@ module Decidim
     end
 
     def button_cell_mobile
-      @button_cell_mobile ||= cell("decidim/follow_button", resource, **button_options.merge(mobile: true))
+      @button_cell_mobile ||= cell("decidim/follow_button", resource, **button_options, mobile: true)
     end
 
     def button_cell

data/app/controllers/decidim/geolocation_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Decidim
+  class GeolocationController < Decidim::ApplicationController
+    include Decidim::AjaxPermissionHandler
+
+    def locate
+      enforce_permission_to :locate, :geolocation
+
+      unless Decidim::Map.configured?
+        return render(json: { message: I18n.t("not_configured", scope: "decidim.application.geocoding"), found: false }, status: :unprocessable_entity)
+      end
+
+      geocoder = Decidim::Map.utility(:geocoding, organization: current_organization)
+      address = geocoder.address([params[:latitude], params[:longitude]])
+      render json: { address:, found: address.present? }
+    end
+  end
+end

data/app/controllers/decidim/homepage_controller.rb

@@ -3,7 +3,6 @@
 module Decidim
   class HomepageController < Decidim::ApplicationController
     skip_before_action :store_current_location
-
     def show; end
   end
 end

data/app/controllers/decidim/open_data_controller.rb

@@ -2,24 +2,49 @@
 
 module Decidim
   class OpenDataController < Decidim::ApplicationController
+    helper_method :open_data_component_manifests, :open_data_participatory_space_manifests, :open_data_core_manifests
+
+    def index; end
+
     def download
-      if uploader.attached?
-        redirect_to uploader.path
+      resource = params[:resource] || nil
+
+      if open_data_file_for_resource(resource)
+        file = open_data_file_for_resource(resource)
+        send_data file.download, filename: file.blob.filename.to_s, type: file.blob.content_type
       else
-        schedule_open_data_generation
+        schedule_open_data_generation(resource)
         flash[:alert] = t("decidim.open_data.not_available_yet")
-        redirect_back fallback_location: root_path
+        redirect_back fallback_location: open_data_path
       end
     end
 
     private
 
-    def uploader
-      @uploader ||= Decidim::ApplicationUploader.new(current_organization, :open_data_file)
+    def open_data_core_manifests
+      @open_data_core_manifests ||= Decidim.open_data_manifests.select(&:include_in_open_data)
+    end
+
+    def open_data_component_manifests
+      @open_data_component_manifests ||= Decidim.component_manifests
+                                                .flat_map(&:export_manifests)
+                                                .select(&:include_in_open_data?)
+    end
+
+    def open_data_participatory_space_manifests
+      @open_data_participatory_space_manifests ||= Decidim.participatory_space_manifests
+                                                          .flat_map(&:export_manifests)
+                                                          .select(&:include_in_open_data?)
+    end
+
+    def open_data_file_for_resource(resource)
+      current_organization.open_data_files.all.find do |file|
+        file.blob.filename == current_organization.open_data_file_path(resource)
+      end
     end
 
-    def schedule_open_data_generation
-      OpenDataJob.perform_later(current_organization)
+    def schedule_open_data_generation(resource = nil)
+      OpenDataJob.perform_later(current_organization, resource)
     end
   end
 end