RubyGems - decidim-core - Versions diffs - 0.29.4 → 0.30.0.rc1 - Mend

decidim-core 0.29.4 → 0.30.0.rc1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (562) hide show

data/app/controllers/concerns/decidim/ajax_permission_handler.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+require "active_support/concern"
+module Decidim
+  module AjaxPermissionHandler
+    extend ActiveSupport::Concern
+    included do
+      rescue_from Decidim::ActionForbidden, with: :ajax_user_has_no_permission
+    end
+    private
+    def ajax_user_has_no_permission
+      return user_has_no_permission unless request.xhr?
+      render json: { message: I18n.t("actions.unauthorized", scope: "decidim.core") }, status: :unprocessable_entity
+    end
+  end
+end

data/app/controllers/concerns/decidim/devise_authentication_methods.rb CHANGED Viewed

@@ -6,6 +6,7 @@ module Decidim
   module DeviseAuthenticationMethods
     extend ActiveSupport::Concern
     include Decidim::UserBlockedChecker
+    include Decidim::OnboardingActionMethods
     included do
       def after_sign_in_path_for(user)
@@ -13,8 +14,8 @@ module Decidim
           check_user_block_status(user)
         elsif user.needs_password_update?
           decidim.change_password_path
-        elsif first_login_and_not_authorized?(user) && !user.admin? && !pending_redirect?(user)
-          decidim_verifications.first_login_authorizations_path
+        elsif pending_onboarding_action?(user)
+          decidim_verifications.onboarding_pending_authorizations_path
         else
           super
         end
@@ -27,10 +28,6 @@ module Decidim
       def pending_redirect?(user)
         store_location_for(user, stored_location_for(user))
       end
-      def first_login_and_not_authorized?(user)
-        user.is_a?(User) && user.sign_in_count == 1 && current_organization.available_authorizations.any? && user.verifiable?
-      end
     end
   end
 end

data/app/controllers/concerns/decidim/devise_controllers.rb CHANGED Viewed

@@ -22,6 +22,7 @@ module Decidim
       include NeedsSnippets
       include UserBlockedChecker
       include ActiveStorage::SetCurrent
+      include Decidim::OnboardingActionMethods
       helper Decidim::TranslationsHelper
       helper Decidim::MetaTagsHelper
@@ -36,6 +37,7 @@ module Decidim
       helper Decidim::SocialShareButtonHelper
       helper Decidim::SanitizeHelper
       helper Decidim::ApplicationHelper
+      helper Decidim::OnboardingActionHelper
       layout "layouts/decidim/application"

data/app/controllers/concerns/decidim/disable_redirection_to_external_host.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module Decidim
     included do
       def redirect_back(fallback_location:, allow_other_host: true, **args) # rubocop:disable Lint/UnusedMethodArgument
-        super fallback_location:, allow_other_host: Decidim.allow_open_redirects, **args
+        super(fallback_location:, allow_other_host: Decidim.allow_open_redirects, **args)
       end
     end
   end

data/app/controllers/concerns/decidim/ephemeral_session_checker.rb ADDED Viewed

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+require "active_support/concern"
+module Decidim
+  module EphemeralSessionChecker
+    extend ActiveSupport::Concern
+    included do
+      before_action :check_ephemeral_user_session, if: :ephemeral_user_signed_in?
+      helper_method :onboarding_manager
+    end
+    private
+    def ephemeral_user_signed_in?
+      user_signed_in? && current_user.ephemeral?
+    end
+    def onboarding_manager
+      @onboarding_manager ||= Decidim::OnboardingManager.new(current_user)
+    end
+    def check_ephemeral_user_session
+      return true unless request.format.html?
+      return destroy_ephemeral_session && redirect_to(decidim.root_path) if onboarding_manager.expired?
+      if onboarding_manager.valid?
+        authorizations = action_authorized_to(onboarding_manager.action, **onboarding_manager.action_authorized_resources)
+        return redirect_to decidim_verifications.onboarding_pending_authorizations_path unless authorizations_permitted_paths?(authorizations, onboarding_manager)
+        if authorizations.global_code == :unauthorized
+          flash[:alert] = t("unauthorized", scope: "decidim.core.actions")
+          return destroy_ephemeral_session && redirect_to(decidim.root_path)
+        end
+      end
+      return true
+    end
+    def destroy_ephemeral_session
+      Decidim::DestroyEphemeralUser.call(current_user) do
+        on(:ok) do
+          sign_out(current_user)
+          flash[:notice] = t("ephemeral_session_closed", scope: "decidim.devise.sessions.user")
+        end
+        on(:invalid) do
+          flash[:alert] = t("account.destroy.error", scope: "decidim")
+        end
+      end
+    end
+    # This method determines which paths are allowed to the user based on the
+    # onboarding manager data and the associated authorizations. In all cases
+    # the user is allowed to visit the onboarding pending and the terms of
+    # service pages. In addition:
+    # * If the user is pending to complete an authorization is also allowed to
+    #   navigate in the pages to complete the authorizations and the
+    #   authorizations path to send the request.
+    # * If the user is authorized is also allowed to visit the paths determined
+    #   by the onboarding manager after finishing the authorization flow and
+    #   the associated component.
+    # The method checks the request path and checks if the path starts with one
+    # of the paths of the allowlist
+    def authorizations_permitted_paths?(authorizations, onboarding_manager)
+      paths_list = if authorizations.user_pending?
+                     authorizations.statuses.map(&:current_path).compact.prepend(
+                       decidim_verifications.authorizations_path
+                     )
+                   elsif authorizations.ok?
+                     [onboarding_manager.finished_redirect_path, onboarding_manager.component_path].compact
+                   else
+                     []
+                   end
+      paths_list.prepend(
+        decidim_verifications.onboarding_pending_authorizations_path,
+        decidim.page_path(terms_of_service_page)
+      )
+      paths_list.find { |el| /\A#{URI.parse(el).path}/.match?(request.path) }
+    end
+  end
+end

data/app/controllers/concerns/decidim/filter_resource.rb CHANGED Viewed

@@ -16,11 +16,13 @@ module Decidim
       end
       def method_missing(method_name, *_arguments)
-        @filter.present? && @filter.has_key?(method_name) ? @filter[method_name] : super
+        method = method_name.to_s.gsub(/\[[0-9]+\]$/, "").to_sym
+        @filter.present? && @filter.has_key?(method) ? @filter[method] : super
       end
       def respond_to_missing?(method_name, include_private = false)
-        (@filter.present? && @filter.has_key?(method_name)) || super
+        method = method_name.to_s.gsub(/\[[0-9]+\]$/, "").to_sym
+        (@filter.present? && @filter.has_key?(method)) || super
       end
     end

data/app/controllers/concerns/decidim/has_members_page.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+require "active_support/concern"
+module Decidim
+  module HasMembersPage
+    extend ActiveSupport::Concern
+    included do
+      helper_method :collection
+      private
+      def can_visit_index?
+        current_user_can_visit_space? && current_participatory_space.members_public_page?
+      end
+      def members
+        @members ||= current_participatory_space.participatory_space_private_users.published
+      end
+      alias_method :collection, :members
+    end
+  end
+end

data/app/controllers/concerns/decidim/headers/browser_feature_permissions.rb ADDED Viewed

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+require "active_support/concern"
+module Decidim
+  module Headers
+    # This module controls the "Permissions-Policy" header to define the
+    # specific sets of browser features that the website is able to use.
+    module BrowserFeaturePermissions
+      extend ActiveSupport::Concern
+      included do
+        after_action :define_permissions_policy
+      end
+      private
+      def define_permissions_policy
+        return if response.media_type != "text/html"
+        return if response.headers["Permissions-Policy"].present?
+        # Allow the "unload" and "onbeforeunload" events to be used at the
+        # current domain to prevent the user unintentionally changing the page
+        # when they have something important to do on the page, such as an
+        # unsaved form.
+        #
+        # This header is required because Chrome is phasing this event out due
+        # to some performance issues with the back/forward cache feature of the
+        # browser. However, currently there are no alternative events that would
+        # allow preventing accidental page reloads, tab closing or window
+        # closing.
+        #
+        # For further information, see:
+        # https://developer.chrome.com/docs/web-platform/deprecating-unload
+        # https://github.com/fergald/docs/blob/master/explainers/permissions-policy-unload.md
+        #
+        # Note that even Google suggests using the "beforeunload" for this
+        # particular use case:
+        # https://developer.chrome.com/docs/web-platform/page-lifecycle-api#events
+        #
+        # beforeunload
+        #   Important: the beforeunload event should only be used to alert the
+        #   user of unsaved changes. Once those changes are saved, the event
+        #   should be removed. It should never be added unconditionally to the
+        #   page, as doing so can hurt performance in some cases.
+        response.headers["Permissions-Policy"] = "unload=(self)"
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/locale_switcher.rb CHANGED Viewed

@@ -46,14 +46,14 @@ module Decidim
       #
       # Returns an Array of Strings.
       def available_locales
-        @available_locales ||= (current_organization || Decidim).public_send(:available_locales)
+        @available_locales ||= (current_organization || Decidim).available_locales
       end
       # The default locale of this organization.
       #
       # Returns a String with the default locale.
       def default_locale
-        @default_locale ||= (current_organization || Decidim).public_send(:default_locale)
+        @default_locale ||= (current_organization || Decidim).default_locale
       end
       # Detects the locale priority: query string, user saved, session, browser

data/app/controllers/concerns/decidim/needs_password_change.rb CHANGED Viewed

@@ -28,7 +28,6 @@ module Decidim
                          decidim.accept_tos_path,
                          decidim.download_your_data_path,
                          decidim.export_download_your_data_path,
-                         decidim.download_file_download_your_data_path,
                          decidim.change_password_path].compact
       # ensure that path with or without query string pass
       permitted_paths.find { |el| el.split("?").first == target_path }

data/app/controllers/concerns/decidim/needs_permission.rb CHANGED Viewed

@@ -40,7 +40,8 @@ module Decidim
           current_settings: try(:current_settings),
           component_settings: try(:component_settings),
           current_organization: try(:current_organization),
-          current_component: try(:current_component)
+          current_component: try(:current_component),
+          share_token: try(:store_share_token)
         }
       end

data/app/controllers/concerns/decidim/needs_tos_accepted.rb CHANGED Viewed

@@ -15,7 +15,7 @@ module Decidim
     def tos_accepted_by_user
       return true unless request.format.html?
       return true unless current_user
-      return if current_user.tos_accepted?
+      return if current_user.tos_accepted? || current_user.ephemeral?
       return if permitted_paths?
       redirect_to_tos
@@ -33,12 +33,11 @@ module Decidim
     end
     def permitted_paths?
+      return true if request.path.starts_with?(decidim.download_your_data_path)
       permitted_paths = [tos_path,
                          decidim.delete_account_path,
-                         decidim.accept_tos_path,
-                         decidim.download_your_data_path,
-                         decidim.export_download_your_data_path,
-                         decidim.download_file_download_your_data_path]
+                         decidim.accept_tos_path]
       # ensure that path with or without query string pass
       permitted_paths.find { |el| el.split("?").first == request.path }
     end

data/app/controllers/concerns/decidim/onboarding_action_methods.rb ADDED Viewed

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+require "active_support/concern"
+module Decidim
+  module OnboardingActionMethods
+    extend ActiveSupport::Concern
+    included do
+      helper_method :pending_onboarding_action?
+      # Returns true if there is a pending onboarding action for the user.
+      # The check if skipped for admins, users that are not verifiable of
+      # organizations that have no available authorizations.
+      def pending_onboarding_action?(user)
+        return false if user.blank?
+        return false if user.admin?
+        return false unless user.verifiable?
+        return false if current_organization.available_authorizations.empty?
+        OnboardingManager.new(user).pending_action?
+      end
+      def store_onboarding_cookie_data!(user)
+        data = onboarding_cookie_data
+        return if data.nil?
+        if data.present?
+          user.extended_data = user.extended_data.merge(data)
+          user.save!
+        end
+        cookies.delete(OnboardingManager::DATA_KEY)
+      end
+      def onboarding_cookie_data
+        data_key = OnboardingManager::DATA_KEY
+        return unless cookies[data_key]
+        { data_key => JSON.parse(cookies[data_key]).transform_keys(&:underscore) }
+      rescue JSON::ParserError
+        {}
+      end
+      def clear_onboarding_data!(user)
+        return if user.ephemeral?
+        user.extended_data = user.extended_data.except(OnboardingManager::DATA_KEY)
+        user.save!
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/participatory_space_context.rb CHANGED Viewed

@@ -9,7 +9,6 @@ module Decidim
     included do
       include Decidim::NeedsOrganization
-      include Decidim::UserRoleChecker
       helper ParticipatorySpaceHelpers, IconHelper, ContextualHelpHelper
       helper_method :current_participatory_space
@@ -82,10 +81,8 @@ module Decidim
       return true unless current_participatory_space.try(:private_space?) &&
                          !current_participatory_space.try(:is_transparent?)
       return false unless current_user
-      return true if current_user.admin?
-      return true if user_has_any_role?(current_user, current_participatory_space, broad_check: true)
-      current_participatory_space.users.include?(current_user)
+      current_user.admin || current_participatory_space.users.include?(current_user)
     end
     def help_section

data/app/controllers/decidim/application_controller.rb CHANGED Viewed

@@ -16,6 +16,7 @@ module Decidim
     include NeedsTosAccepted
     include Headers::HttpCachingDisabler
     include Headers::ContentSecurityPolicy
+    include Headers::BrowserFeaturePermissions
     include ActionAuthorization
     include ForceAuthentication
     include SafeRedirect
@@ -25,6 +26,8 @@ module Decidim
     include NeedsPasswordChange
     include LinkedResourceReference
     include ActiveStorage::SetCurrent
+    include OnboardingActionMethods
+    include EphemeralSessionChecker
     helper Decidim::MetaTagsHelper
     helper Decidim::DecidimFormHelper
@@ -41,6 +44,7 @@ module Decidim
     helper Decidim::TwitterSearchHelper
     helper Decidim::SocialShareButtonHelper
     helper Decidim::FiltersHelper
+    helper Decidim::OnboardingActionHelper
     register_permissions(::Decidim::ApplicationController,
                          ::Decidim::Admin::Permissions,
@@ -56,6 +60,12 @@ module Decidim
     skip_before_action :disable_http_caching, unless: :user_signed_in?
+    def store_share_token
+      session[:share_token] = params[:share_token] if params.has_key?(:share_token)
+      session[:share_token].presence
+    end
     private
     # This overrides Devise's method for extracting the path from the URL. We

data/app/controllers/decidim/authorization_modals_controller.rb CHANGED Viewed

@@ -5,10 +5,12 @@ module Decidim
     helper_method :authorizations, :authorize_action_path
     layout false
-    def show; end
+    def show
+      store_onboarding_cookie_data!(current_user)
+    end
     def authorize_action_path(handler_name)
-      authorizations.status_for(handler_name).current_path(redirect_url: URI(request.referer).path)
+      authorizations.status_for(handler_name).current_path(redirect_url:)
     end
     private
@@ -31,5 +33,9 @@ module Decidim
     def authorizations
       @authorizations ||= action_authorized_to(authorization_action, resource:)
     end
+    def redirect_url
+      pending_onboarding_action?(current_user) ? decidim_verifications.onboarding_pending_authorizations_path : URI(request.referer).path
+    end
   end
 end

data/app/controllers/decidim/components/base_controller.rb CHANGED Viewed

@@ -19,7 +19,7 @@ module Decidim
       helper Decidim::TranslationsHelper
       helper Decidim::IconHelper
       helper Decidim::ResourceHelper
-      helper Decidim::ScopesHelper
+      helper Decidim::TaxonomiesHelper
       helper Decidim::ActionAuthorizationHelper
       helper Decidim::AttachmentsHelper
       helper Decidim::SanitizeHelper
@@ -30,7 +30,7 @@ module Decidim
                     :current_manifest
       before_action do
-        enforce_permission_to :read, :component, component: current_component, share_token:
+        enforce_permission_to :read, :component, component: current_component
       end
       before_action :redirect_unless_feature_private
@@ -49,10 +49,6 @@ module Decidim
         @current_manifest ||= current_component.manifest
       end
-      def share_token
-        params[:share_token]
-      end
       def permission_scope
         :public
       end
@@ -73,7 +69,7 @@ module Decidim
       def set_component_breadcrumb_item
         context_breadcrumb_items << {
           label: current_component.name,
-          url: root_path,
+          url: Decidim::EngineRouter.main_proxy(current_component).root_path,
           active: false,
           resource: current_component
         }

data/app/controllers/decidim/devise/confirmations_controller.rb CHANGED Viewed

@@ -5,6 +5,7 @@ module Decidim
     # Custom Devise ConfirmationsController to avoid namespace problems.
     class ConfirmationsController < ::Devise::ConfirmationsController
       include Decidim::DeviseControllers
+      include Decidim::OnboardingActionMethods
       helper_method :new_user_group_session_path
@@ -33,6 +34,9 @@ module Decidim
         sign_in(resource)
+        store_onboarding_cookie_data!(resource)
+        return decidim_verifications.onboarding_pending_authorizations_path if pending_onboarding_action?(resource)
         super
       end
     end

data/app/controllers/decidim/devise/omniauth_registrations_controller.rb CHANGED Viewed

@@ -7,6 +7,7 @@ module Decidim
       include FormFactory
       include Decidim::DeviseControllers
       include Decidim::DeviseAuthenticationMethods
+      include NeedsTosAccepted
       def new
         @form = form(OmniauthRegistrationForm).from_params(params[:user])
@@ -36,6 +37,12 @@ module Decidim
             render :new
           end
+          on(:add_tos_errors) do
+            set_flash_message :alert, :add_tos_errors if @form.valid_tos?
+            session[:verified_email] = verified_email
+            render :new_tos_fields
+          end
           on(:error) do |user|
             if user.errors[:email]
               set_flash_message :alert, :failure, kind: @form.provider.capitalize, reason: t("decidim.devise.omniauth_registrations.create.email_already_exists")
@@ -75,7 +82,7 @@ module Decidim
       end
       def verified_email
-        @verified_email ||= oauth_data.dig(:info, :email)
+        @verified_email ||= oauth_data.dig(:info, :email).presence || session[:verified_email]
       end
       def oauth_hash

data/app/controllers/decidim/devise/registrations_controller.rb CHANGED Viewed

@@ -57,7 +57,7 @@ module Decidim
       # Called before resource.save
       def build_resource(hash = nil)
-        super(hash)
+        super
         resource.organization = current_organization
       end

data/app/controllers/decidim/devise/sessions_controller.rb CHANGED Viewed

@@ -24,6 +24,8 @@ module Decidim
             validator = PasswordValidator.new({ attributes: :password })
             user.update!(password_updated_at: nil) unless validator.validate_each(user, :password, sign_in_params[:password])
           end
+          store_onboarding_cookie_data!(user)
         end
       end

data/app/controllers/decidim/download_your_data_controller.rb CHANGED Viewed

@@ -6,11 +6,29 @@ module Decidim
   # The controller to handle the user's download_my_data page.
   class DownloadYourDataController < Decidim::ApplicationController
     include Decidim::UserProfile
+    include Decidim::Paginable
+    helper_method :help_definitions
+    # i18n-tasks-use t('decidim.download_your_data.show.answers')
+    # i18n-tasks-use t('decidim.download_your_data.show.assemblies')
+    # i18n-tasks-use t('decidim.download_your_data.show.debate_comments')
+    # i18n-tasks-use t('decidim.download_your_data.show.debates')
+    # i18n-tasks-use t('decidim.download_your_data.show.initiatives')
+    # i18n-tasks-use t('decidim.download_your_data.show.meeting_comments')
+    # i18n-tasks-use t('decidim.download_your_data.show.meetings')
+    # i18n-tasks-use t('decidim.download_your_data.show.participatory_processes')
+    # i18n-tasks-use t('decidim.download_your_data.show.projects')
+    # i18n-tasks-use t('decidim.download_your_data.show.proposal_comments')
+    # i18n-tasks-use t('decidim.download_your_data.show.proposals')
+    # i18n-tasks-use t('decidim.download_your_data.show.result_comments')
+    # i18n-tasks-use t('decidim.download_your_data.show.results')
+    # i18n-tasks-use t('decidim.download_your_data.show.survey_user_answers')
     def show
       enforce_permission_to(:show, :user, current_user:)
       @account = form(AccountForm).from_model(current_user)
+      @exports = paginate(current_user.private_exports)
     end
     def export
@@ -25,12 +43,25 @@ module Decidim
     def download_file
       enforce_permission_to(:download, :user, current_user:)
-      if current_user.download_your_data_file.attached?
-        redirect_to Rails.application.routes.url_helpers.rails_blob_url(current_user.download_your_data_file.blob, only_path: true)
+      if private_export.expired?
+        flash[:error] = t("decidim.account.download_your_data_export.export_expired")
+        redirect_to download_your_data_path
+      elsif private_export.file.attached?
+        redirect_to Rails.application.routes.url_helpers.rails_blob_url(private_export.file.blob, only_path: true)
       else
         flash[:error] = t("decidim.account.download_your_data_export.file_no_exists")
         redirect_to download_your_data_path
       end
     end
+    private
+    def private_export
+      @private_export ||= current_user.private_exports.find(params[:uuid])
+    end
+    def help_definitions
+      @help_definitions ||= Decidim::DownloadYourDataSerializers.help_definitions_for(current_user)
+    end
   end
 end

data/app/controllers/decidim/editor_images_controller.rb CHANGED Viewed

@@ -3,9 +3,7 @@
 module Decidim
   class EditorImagesController < Decidim::ApplicationController
     include FormFactory
-    # overwrite original rescue_from to ensure we print messages from ajax methods (update)
-    rescue_from Decidim::ActionForbidden, with: :ajax_user_has_no_permission
+    include AjaxPermissionHandler
     def create
       enforce_permission_to :create, :editor_image
@@ -25,14 +23,6 @@ module Decidim
     private
-    # Rescue ajax calls and print the update.js view which prints the info on the message ajax form
-    # Only if the request is AJAX, otherwise behave as Decidim standards
-    def ajax_user_has_no_permission
-      return user_has_no_permission unless request.xhr?
-      render json: { message: I18n.t("actions.unauthorized", scope: "decidim.core") }, status: :unprocessable_entity
-    end
     def form_values
       {
         file: params[:image],

data/app/controllers/decidim/follows_controller.rb CHANGED Viewed

@@ -47,7 +47,7 @@ module Decidim
     end
     def button_cell_mobile
-      @button_cell_mobile ||= cell("decidim/follow_button", resource, **button_options.merge(mobile: true))
+      @button_cell_mobile ||= cell("decidim/follow_button", resource, **button_options, mobile: true)
     end
     def button_cell