decidim-core 0.30.7 → 0.30.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5110ff22ed67aef95bf387023ec7d18d9602a92944c82c2ab9373e786c04393c
-  data.tar.gz: b754a2b2ddb4a72ae07dcd384203d61454ced7f6a3a41a4f80a5bb501b3dc310
+  metadata.gz: a5817376e17111569ffa304fd748355de958fdb6020c5fec8f49d913707b43e9
+  data.tar.gz: '0785c351a8efe4e5740a7551bf6994a98db61257e29b8df325823a790061385b'
 SHA512:
-  metadata.gz: 3659a2a34d2531735e1a03710329261952c724361d0661bb9cf02c7a2acc76c2516266e8030a82e4dcc40789361d67845f1421addfcbf0f1fe4e0743a1288572
-  data.tar.gz: 9ec948751168cd3f4a8cc2b768be6a118cd22b47aecb0712fa64a1c01d58a5cdf2b7f2f20963fdd0eec2384a41753bbaec558016f533bfab7176227df6f3cadd
+  metadata.gz: cf18599b257a5ffea8442bcba6ea817eddecfa48e7a2150fb0ccf00ee024c267da283c333ee5c2eedb89441c7deea081bc89fe3f5af3ce55d5e27b13ab3a3484
+  data.tar.gz: f56a6474372376c00de0e4589d9dcc733a311a5302aedc4384064cdb4ec7048b0761360f616d5bd0d515068757776691c0bb951aec53df944742015678287042

data/app/cells/decidim/content_blocks/html_cell.rb

@@ -8,7 +8,7 @@ module Decidim
       end
 
       def html_content
-        translated_attribute(model.settings.html_content).html_safe
+        decidim_sanitize_editor_admin(translated_attribute(model.settings.html_content))
       end
     end
   end

data/app/cells/decidim/content_blocks/static_page/section_cell.rb

@@ -5,7 +5,7 @@ module Decidim
     module StaticPage
       class SectionCell < Decidim::ViewModel
         def content
-          translated_attribute(model.settings.content).html_safe
+          decidim_sanitize_editor_admin(translated_attribute(model.settings.content))
         end
       end
     end

data/app/cells/decidim/content_blocks/static_page/summary_cell.rb

@@ -5,7 +5,7 @@ module Decidim
     module StaticPage
       class SummaryCell < Decidim::ViewModel
         def content
-          translated_attribute(model.settings.summary).html_safe
+          decidim_sanitize_editor_admin(translated_attribute(model.settings.summary))
         end
       end
     end

data/app/cells/decidim/content_blocks/static_page/two_pane_section_cell.rb

@@ -5,11 +5,11 @@ module Decidim
     module StaticPage
       class TwoPaneSectionCell < Decidim::ViewModel
         def left_column
-          translated_attribute(model.settings.left_column).html_safe
+          decidim_sanitize_editor_admin(translated_attribute(model.settings.left_column))
         end
 
         def right_column
-          translated_attribute(model.settings.right_column).html_safe
+          decidim_sanitize_editor_admin(translated_attribute(model.settings.right_column))
         end
       end
     end

data/app/cells/decidim/data_consent/category.erb

@@ -13,12 +13,12 @@
       <%= icon "close-line", class: "cookies__category-toggle-icon" %>
     </label>
 
-    <div id="accordion-trigger-<%= category[:slug] %>" data-controls="accordion-panel-<%= category[:slug] %>" aria-labelledby="accordion-title-<%= category[:slug] %>">
-      <h3 id="accordion-title-<%= category[:slug] %>" class="cookies__category-trigger-title">
-        <%= category[:title] %>
-      </h3>
+    <h3 id="accordion-title-<%= category[:slug] %>" class="cookies__category-trigger-title">
+      <%= category[:title] %>
+    </h3>
 
-      <span>
+    <div id="accordion-trigger-<%= category[:slug] %>" role="group" data-controls="accordion-panel-<%= category[:slug] %>" aria-labelledby="accordion-title-<%= category[:slug] %>">
+      <span aria-hidden="true">
         <%= icon "arrow-down-s-line", class: "cookies__category-trigger-arrow" %>
         <%= icon "arrow-up-s-line", class: "cookies__category-trigger-arrow" %>
       </span>

data/app/cells/decidim/upload_modal_cell.rb

@@ -177,6 +177,11 @@ module Decidim
 
     def file_attachment_path(attachment)
       return unless attachment
+
+      if attachment.respond_to?(:record) && attachment.record.is_a?(Decidim::Authorization) && attachment.name.to_s == "verification_attachment"
+        return decidim.private_download_path(Decidim::PrivateDownload.for(attachment.record, attachment_name: attachment.name).token)
+      end
+
       return Rails.application.routes.url_helpers.rails_blob_url(attachment, only_path: true) if attachment.is_a? ActiveStorage::Blob
 
       if attachment.try(:attached?)

data/app/controllers/decidim/download_your_data_controller.rb

@@ -50,7 +50,7 @@ module Decidim
         flash[:error] = t("decidim.account.download_your_data_export.export_expired")
         redirect_to download_your_data_path
       elsif private_export.file.attached?
-        redirect_to Rails.application.routes.url_helpers.rails_blob_url(private_export.file.blob, only_path: true)
+        redirect_to private_download_path(Decidim::PrivateDownload.for(private_export, attachment_name: :file).token)
       else
         flash[:error] = t("decidim.account.download_your_data_export.file_no_exists")
         redirect_to download_your_data_path

data/app/controllers/decidim/notifications_subscriptions_controller.rb

@@ -3,6 +3,8 @@
 module Decidim
   # The controller to handle the subscriptions to push notifications
   class NotificationsSubscriptionsController < Decidim::ApplicationController
+    rescue_from Decidim::NotificationsSubscriptionsPersistor::UnsupportedPushSubscriptionEndpointError, with: :unsupported_browser
+
     def create
       Decidim::NotificationsSubscriptionsPersistor.new(current_user).add_subscription(params)
       head :ok
@@ -12,5 +14,11 @@ module Decidim
       Decidim::NotificationsSubscriptionsPersistor.new(current_user).delete_subscription(params[:auth])
       head :ok
     end
+
+    private
+
+    def unsupported_browser
+      render json: { error: I18n.t("notifications_settings.show.push_notifications_unsupported_browser", scope: "decidim") }, status: :unprocessable_entity
+    end
   end
 end

data/app/controllers/decidim/private_downloads_controller.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Decidim
+  class PrivateDownloadsController < Decidim::ApplicationController
+    before_action :authenticate_user!
+
+    def show
+      return head :not_found unless private_download.attached?
+      return head :not_found unless private_download.authorized_for?(current_user)
+
+      disposition = private_download.attachment.content_type.start_with?("image/") ? :inline : :attachment
+
+      send_data(
+        private_download.attachment.download,
+        filename: private_download.attachment.filename.to_s,
+        type: private_download.attachment.content_type,
+        disposition:
+      )
+    rescue Decidim::PrivateDownload::InvalidTokenError
+      head :not_found
+    end
+
+    private
+
+    def private_download
+      @private_download ||= Decidim::PrivateDownload.from_token(params[:id])
+    end
+  end
+end

data/app/helpers/decidim/mailer_helper.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Decidim
+  # Helper that provides methods to render order selector and links
+  module MailerHelper
+    # Transforms relative image URLs in HTML content to absolute URLs using the provided host.
+    # This is used in emails (newsletters and notifications) to ensure images display correctly
+    # in email clients.
+    #
+    # @param content [String] - HTML content with img tags
+    # @param host [String] - the Decidim::Organization host to use for the root URL
+    #
+    # @return [String] - the content with transformed image URLs
+    def decidim_transform_image_urls(content, host)
+      return content if host.blank? || content.blank?
+
+      root_url = if Rails.application.secrets.dig(:storage, :cdn_host).present?
+                   Rails.application.secrets.dig(:storage, :cdn_host).chomp("/")
+                 else
+                   Decidim::EngineRouter.new("decidim", {}).root_url(host:).chomp("/")
+                 end
+
+      content.gsub(/src\s*=\s*(['"])([^'"]*)\1/) do
+        quote = Regexp.last_match(1)
+        src_value = Regexp.last_match(2)
+
+        if src_value.blank? || src_value.start_with?("http://", "https://", "data:", "//", "cid:")
+          %(src=#{quote}#{src_value}#{quote})
+        else
+          normalized_src = src_value.start_with?("/") ? src_value : "/#{src_value}"
+          %(src=#{quote}#{root_url}#{normalized_src}#{quote})
+        end
+      end
+    end
+  end
+end

data/app/helpers/decidim/menu_helper.rb

@@ -57,7 +57,8 @@ module Decidim
         self,
         element_class: "font-semibold underline",
         active_class: "is-active",
-        container_options: { class: "space-y-4 break-inside-avoid", role: :menu },
+        role: false,
+        container_options: { class: "space-y-4 break-inside-avoid" },
         label: t("layouts.decidim.footer.decidim_title")
       )
     end

data/app/helpers/decidim/newsletters_helper.rb

@@ -3,6 +3,9 @@
 module Decidim
   # Helper that provides methods to render links with utm codes, and replaced name
   module NewslettersHelper
+    include Decidim::SanitizeHelper
+    include Decidim::MailerHelper
+
     # If the newsletter body there are some links and the Decidim.track_newsletter_links = true
     # it will be replaced with the utm_codes method described below.
     # for example transform "https://es.lipsum.com/" to "https://es.lipsum.com/?utm_source=localhost&utm_campaign=newsletter_11"
@@ -19,7 +22,7 @@ module Decidim
 
       content = interpret_name(content, user)
       content = track_newsletter_links(content, id, host)
-      transform_image_urls(content, host)
+      decidim_transform_image_urls(content, host)
     end
 
     # this method is used to generate the root link on mail with the utm_codes
@@ -67,27 +70,6 @@ module Decidim
       content.gsub("%{name}", user.name)
     end
 
-    # Find each img HTML tag with relative path in src attribute
-    # For each URL, prepends the decidim.root_url
-    #   If host is not defined it returns full content
-    #
-    # @param content [String] - the string to convert
-    # @param host [String] - the Decidim::Organization host to replace
-    #
-    # @return [String] - the content converted
-    #
-    def transform_image_urls(content, host)
-      return content if host.blank?
-
-      content.scan(/src\s*=\s*"([^"]*)"/).each do |src|
-        root_url = decidim.root_url(host:)[0..-2]
-        src_replaced = "#{root_url}#{src.first}"
-        content = content.gsub(/src\s*=\s*"([^"]*#{src.first})"/, %(src="#{src_replaced}"))
-      end
-
-      content
-    end
-
     # Add tracking query params to each links
     #
     # @param content [String] - the string to convert

data/app/mailers/decidim/application_mailer.rb

@@ -7,9 +7,13 @@ module Decidim
     include LocalisedMailer
     include MultitenantAssetHost
     include Decidim::SanitizeHelper
+    include Decidim::MailerHelper
     include Decidim::OrganizationHelper
     helper_method :organization_name, :decidim_escape_translated, :decidim_sanitize_translated, :translated_attribute, :decidim_sanitize, :decidim_sanitize_newsletter
 
+    helper Decidim::SanitizeHelper
+    helper Decidim::MailerHelper
+
     after_action :set_smtp
     after_action :set_from
 

data/app/models/decidim/attachment.rb

@@ -88,7 +88,7 @@ module Decidim
     # Returns String.
     def file_type
       if file?
-        url&.split(".")&.last&.split("&")&.first&.downcase
+        file.filename.extension&.downcase
       elsif link?
         "link"
       end
@@ -100,7 +100,13 @@ module Decidim
     def url
       @url ||=
         if file?
-          attached_uploader(:file).url
+          if private_download_required?
+            Decidim::Core::Engine.routes.url_helpers.private_download_path(
+              Decidim::PrivateDownload.for(self, attachment_name: :file).token
+            )
+          else
+            attached_uploader(:file).url
+          end
         elsif link?
           link
         end
@@ -144,5 +150,17 @@ module Decidim
 
       attached_to.can_participate?(user)
     end
+
+    def private_download_authorized?(user, requested_attachment_name)
+      return false unless requested_attachment_name.to_s == "file"
+
+      can_participate?(user)
+    end
+
+    def private_download_required?
+      return attached_to.private_space? if attached_to.respond_to?(:private_space?)
+
+      attached_to.respond_to?(:component) && attached_to.component&.private_non_transparent_space?
+    end
   end
 end

data/app/models/decidim/authorization.rb

@@ -91,6 +91,13 @@ module Decidim
       Decidim::AuthorizationTransfer.perform!(self, handler)
     end
 
+    def private_download_authorized?(user, requested_attachment_name)
+      return false unless requested_attachment_name.to_s == "verification_attachment"
+      return true if user&.admin? && user.organization == organization
+
+      user == self.user
+    end
+
     private
 
     def active_handler?

data/app/models/decidim/private_download.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module Decidim
+  class PrivateDownload
+    class InvalidTokenError < StandardError; end
+
+    VERIFIER_PURPOSE = :private_download
+
+    def self.for(record, attachment_name:)
+      new(record:, attachment_name:)
+    end
+
+    def self.from_token(token)
+      payload = verifier.verify(token, purpose: VERIFIER_PURPOSE).with_indifferent_access
+      record = GlobalID::Locator.locate(payload[:gid])
+
+      raise InvalidTokenError if record.blank?
+
+      new(record:, attachment_name: payload[:attachment_name])
+    rescue ActiveSupport::MessageVerifier::InvalidSignature, TypeError
+      raise InvalidTokenError
+    end
+
+    def self.verifier
+      @verifier ||= ActiveSupport::MessageVerifier.new(Rails.application.secret_key_base, serializer: JSON)
+    end
+
+    def initialize(record:, attachment_name:)
+      @record = record
+      @attachment_name = attachment_name.to_s
+    end
+
+    def token
+      self.class.verifier.generate(
+        {
+          gid: record.to_global_id.to_s,
+          attachment_name:
+        },
+        purpose: VERIFIER_PURPOSE
+      )
+    end
+
+    def attachment
+      record.public_send(attachment_name)
+    end
+
+    def attached?
+      attachment.respond_to?(:attached?) && attachment.attached?
+    end
+
+    def authorized_for?(user)
+      return false unless record.respond_to?(:private_download_authorized?)
+
+      record.private_download_authorized?(user, attachment_name)
+    end
+
+    private
+
+    attr_reader :record, :attachment_name
+  end
+end

data/app/models/decidim/private_export.rb

@@ -24,5 +24,11 @@ module Decidim
       self.content_type = file.content_type
       self.file_size = file.byte_size
     end
+
+    def private_download_authorized?(user, requested_attachment_name)
+      return false unless requested_attachment_name.to_s == "file"
+
+      attached_to == user
+    end
   end
 end

data/app/packs/src/decidim/datepicker/datepicker_functions.js

@@ -1,5 +1,31 @@
 // Utility helper functions for the date and time picker functionality
 
+export const adjustPickerPosition = (input, datePickerContainer, selector) => {
+  const parent = input.closest(selector);
+
+  if (getComputedStyle(parent).position === "static") {
+    parent.style.position = "relative";
+  }
+
+  const rect = input.getBoundingClientRect();
+  const calendarHeight = datePickerContainer.offsetHeight;
+  const spaceAbove = rect.top;
+  const spaceBelow = window.innerHeight - rect.bottom;
+  const openBelow = spaceBelow >= calendarHeight || spaceBelow >= spaceAbove;
+
+  if (openBelow) {
+    // Open below
+    datePickerContainer.style.top = `${input.offsetHeight}px`;
+    datePickerContainer.style.bottom = "";
+  } else {
+    // Open above
+    datePickerContainer.style.top = "";
+    datePickerContainer.style.bottom = `${input.offsetHeight}px`;
+  }
+
+  datePickerContainer.style.right = "0px";
+};
+
 export const setHour = (value, format) => {
   const hour = value.split(":")[0];
   if (format === 12) {

data/app/packs/src/decidim/datepicker/generate_datepicker.js

@@ -1,6 +1,6 @@
 /* eslint-disable require-jsdoc */
 import icon from "src/decidim/icon"
-import { dateToPicker, formatDate, displayDate, formatTime, calculateDatepickerPos } from "src/decidim/datepicker/datepicker_functions"
+import { dateToPicker, formatDate, displayDate, formatTime, calculateDatepickerPos, adjustPickerPosition } from "src/decidim/datepicker/datepicker_functions"
 import { dateKeyDownListener, dateBeforeInputListener } from "src/decidim/datepicker/datepicker_listeners"
 import { getDictionary } from "src/decidim/i18n"
 
@@ -130,6 +130,7 @@ export default function generateDatePicker(input, row, formats) {
     };
     pickedDate = null;
     datePickerContainer.style.display = "block";
+    adjustPickerPosition(date, datePickerContainer, ".datepicker__date-column");
 
     document.addEventListener("click", datePickerDisplay);
 

data/app/packs/src/decidim/datepicker/generate_timepicker.js

@@ -1,6 +1,8 @@
 /* eslint-disable require-jsdoc */
+/* eslint max-lines: ["error", 310] */
+
 import icon from "src/decidim/icon"
-import { changeHourDisplay, changeMinuteDisplay, formatDate, hourDisplay, minuteDisplay, formatTime, setHour, setMinute, updateTimeValue, updateInputValue } from "src/decidim/datepicker/datepicker_functions"
+import { changeHourDisplay, changeMinuteDisplay, formatDate, hourDisplay, minuteDisplay, formatTime, setHour, setMinute, updateTimeValue, updateInputValue, adjustPickerPosition } from "src/decidim/datepicker/datepicker_functions"
 import { timeKeyDownListener, timeBeforeInputListener } from "src/decidim/datepicker/datepicker_listeners";
 import { getDictionary } from "src/decidim/i18n";
 
@@ -21,6 +23,10 @@ export default function generateTimePicker(input, row, formats) {
   clock.setAttribute("type", "button");
   clock.setAttribute("aria-label", input.dataset.buttonTimeLabel);
 
+  if (input.attributes.disabled) {
+    clock.setAttribute("disabled", input.attributes.disabled);
+  };
+
   timeColumn.appendChild(time);
   timeColumn.appendChild(clock);
 
@@ -270,6 +276,8 @@ export default function generateTimePicker(input, row, formats) {
     event.preventDefault();
     timePicker.style.display = "block";
     document.addEventListener("click", timePickerDisplay);
+    adjustPickerPosition(time, timePicker, ".datepicker__time-column")
+
     hours.value = hourDisplay(hour);
     minutes.value = minuteDisplay(minute);
   });