decidim-core 0.7.4 → 0.8.0

data/app/models/decidim/messaging/message.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Messaging
+    #
+    # Holds a single message in a conversation. A message has a body, and sender
+    # and a set of receipts, which correspond to each user that will receive the
+    # message, namely, the interlocutors of the sender in the conversation.
+    #
+    class Message < ApplicationRecord
+      belongs_to :sender,
+                 foreign_key: :decidim_sender_id,
+                 class_name: "Decidim::User"
+
+      belongs_to :conversation,
+                 foreign_key: :decidim_conversation_id,
+                 class_name: "Decidim::Messaging::Conversation"
+
+      has_many :receipts,
+               dependent: :destroy,
+               foreign_key: :decidim_message_id,
+               inverse_of: :message
+
+      validates :sender, :body, presence: true
+      validates :body, length: { maximum: 1_000 }
+
+      validate :sender_is_participant
+
+      #
+      # Associates receipts for this message for each of the given users,
+      # including also a receipt for the remitent (sender) of the message.
+      # Receipts are unread by default, except for the sender's receipt.
+      #
+      # @param recipients [Array<Decidim::User>]
+      #
+      def envelope_for(recipients)
+        receipts.build(recipient: sender, read_at: Time.zone.now)
+
+        recipients.each { |recipient| receipts.build(recipient: recipient) }
+      end
+
+      private
+
+      def sender_is_participant
+        errors.add(:sender, :invalid) unless conversation.participants.include?(sender)
+      end
+    end
+  end
+end

data/app/models/decidim/messaging/participation.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Messaging
+    #
+    # Holds a many-to-many relationship between conversations and their participants
+    #
+    class Participation < ApplicationRecord
+      belongs_to :conversation,
+                 foreign_key: :decidim_conversation_id,
+                 class_name: "Decidim::Messaging::Conversation",
+                 inverse_of: :participations
+
+      belongs_to :participant,
+                 foreign_key: :decidim_participant_id,
+                 class_name: "Decidim::User"
+
+      validates :conversation, :participant, presence: true
+
+      validates :decidim_conversation_id, uniqueness: { scope: :decidim_participant_id }
+    end
+  end
+end

data/app/models/decidim/messaging/receipt.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Messaging
+    #
+    # Represents the reception of a message by a user. This model is supposed to
+    # hold any information about a message that is specific to each user, for
+    # example, the read/unread status, the deleted/undeleted status, and so on.
+    #
+    class Receipt < ApplicationRecord
+      belongs_to :recipient, foreign_key: "decidim_recipient_id", class_name: "Decidim::User"
+      belongs_to :message, foreign_key: "decidim_message_id", class_name: "Decidim::Messaging::Message"
+
+      validates :recipient, :message, presence: true
+
+      scope :recipient, ->(recipient) { where(recipient: recipient) }
+      scope :unread_by, ->(user) { recipient(user).unread }
+      scope :unread, -> { where(read_at: nil) }
+
+      # rubocop:disable Rails/SkipsModelValidations
+      def self.mark_as_read(user)
+        recipient(user).update_all(read_at: Time.zone.now)
+      end
+      # rubocop:enable Rails/SkipsModelValidations
+    end
+  end
+end

data/app/models/decidim/moderation.rb

@@ -5,7 +5,7 @@ module Decidim
   class Moderation < ApplicationRecord
     belongs_to :reportable, foreign_key: "decidim_reportable_id", foreign_type: "decidim_reportable_type", polymorphic: true
     belongs_to :participatory_space, foreign_key: "decidim_participatory_space_id", foreign_type: "decidim_participatory_space_type", polymorphic: true
-    has_many :reports, foreign_key: "decidim_moderation_id", class_name: "Decidim::Report"
+    has_many :reports, foreign_key: "decidim_moderation_id", class_name: "Decidim::Report", dependent: :destroy
 
     delegate :feature, :organization, to: :reportable
   end

data/app/models/decidim/organization.rb

@@ -7,12 +7,12 @@ module Decidim
   class Organization < ApplicationRecord
     SOCIAL_HANDLERS = [:twitter, :facebook, :instagram, :youtube, :github].freeze
 
-    has_many :static_pages, foreign_key: "decidim_organization_id", class_name: "Decidim::StaticPage", inverse_of: :organization
+    has_many :static_pages, foreign_key: "decidim_organization_id", class_name: "Decidim::StaticPage", inverse_of: :organization, dependent: :destroy
     has_many :scopes, -> { order(name: :asc) }, foreign_key: "decidim_organization_id", class_name: "Decidim::Scope", inverse_of: :organization
     has_many :scope_types, -> { order(name: :asc) }, foreign_key: "decidim_organization_id", class_name: "Decidim::ScopeType", inverse_of: :organization
     has_many :admins, -> { where(admin: true) }, foreign_key: "decidim_organization_id", class_name: "Decidim::User"
     has_many :users_with_any_role, -> { where.not(roles: []) }, foreign_key: "decidim_organization_id", class_name: "Decidim::User"
-    has_many :users, foreign_key: "decidim_organization_id", class_name: "Decidim::User"
+    has_many :users, foreign_key: "decidim_organization_id", class_name: "Decidim::User", dependent: :destroy
 
     validates :name, :host, uniqueness: true
     validates :reference_prefix, presence: true

data/app/models/decidim/scope.rb

@@ -25,7 +25,8 @@ module Decidim
     has_many :children,
              foreign_key: "parent_id",
              class_name: "Decidim::Scope",
-             inverse_of: :parent
+             inverse_of: :parent,
+             dependent: :destroy
 
     before_validation :update_part_of, on: :update
 

data/app/models/decidim/scope_type.rb

@@ -9,7 +9,7 @@ module Decidim
                class_name: "Decidim::Organization",
                inverse_of: :scope_types
 
-    has_many :scopes, foreign_key: "decidim_scope_type_id", class_name: "Decidim::Scope", inverse_of: :scope_type
+    has_many :scopes, foreign_key: "scope_type_id", class_name: "Decidim::Scope", inverse_of: :scope_type, dependent: :nullify
 
     validates :name, presence: true
   end

data/app/models/decidim/user.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_dependency "devise/models/decidim_validatable"
+require "valid_email2"
 
 module Decidim
   # A User is a citizen that wants to join the platform to participate.
@@ -14,9 +15,8 @@ module Decidim
                           request_keys: [:env], reset_password_keys: [:decidim_organization_id, :email]
 
     belongs_to :organization, foreign_key: "decidim_organization_id", class_name: "Decidim::Organization"
-    has_many :authorizations, foreign_key: "decidim_user_id", class_name: "Decidim::Authorization", inverse_of: :user
-    has_many :identities, foreign_key: "decidim_user_id", class_name: "Decidim::Identity"
-    has_many :memberships, class_name: "Decidim::UserGroupMembership", foreign_key: :decidim_user_id
+    has_many :identities, foreign_key: "decidim_user_id", class_name: "Decidim::Identity", dependent: :destroy
+    has_many :memberships, class_name: "Decidim::UserGroupMembership", foreign_key: :decidim_user_id, dependent: :destroy
     has_many :user_groups, through: :memberships, class_name: "Decidim::UserGroup", foreign_key: :decidim_user_group_id
     has_many :follows, foreign_key: "decidim_user_id", class_name: "Decidim::Follow", dependent: :destroy
     has_many :notifications, foreign_key: "decidim_user_id", class_name: "Decidim::Notification", dependent: :destroy
@@ -26,6 +26,8 @@ module Decidim
     validates :tos_agreement, acceptance: true, allow_nil: false, on: :create
     validates :avatar, file_size: { less_than_or_equal_to: ->(_record) { Decidim.maximum_avatar_size } }
     validates :email, uniqueness: { scope: :organization }, unless: -> { deleted? || managed? }
+    validates :email, 'valid_email_2/email': { disposable: true }
+
     validate :all_roles_are_valid
 
     mount_uploader :avatar, Decidim::AvatarUploader
@@ -68,6 +70,10 @@ module Decidim
       Decidim::Follow.where(user: self, followable: followable).any?
     end
 
+    def unread_conversations
+      Decidim::Messaging::Conversation.unread_by(self)
+    end
+
     # Check if the user exists with the given email and the current organization
     #
     # warden_conditions - A hash with the authentication conditions
@@ -76,10 +82,10 @@ module Decidim
     # Returns a User.
     def self.find_for_authentication(warden_conditions)
       organization = warden_conditions.dig(:env, "decidim.current_organization")
-      where(
+      find_by(
         email: warden_conditions[:email],
         decidim_organization_id: organization.id
-      ).first
+      )
     end
 
     protected

data/app/models/decidim/user_group.rb

@@ -5,7 +5,7 @@ module Decidim
   class UserGroup < ApplicationRecord
     belongs_to :organization, foreign_key: "decidim_organization_id", class_name: "Decidim::Organization"
 
-    has_many :memberships, class_name: "Decidim::UserGroupMembership", foreign_key: :decidim_user_group_id
+    has_many :memberships, class_name: "Decidim::UserGroupMembership", foreign_key: :decidim_user_group_id, dependent: :destroy
     has_many :users, through: :memberships, class_name: "Decidim::User", foreign_key: :decidim_user_id
 
     validates :name, presence: true, uniqueness: { scope: :decidim_organization_id }

data/app/presenters/decidim/inline_menu_presenter.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Decidim
+  # A presenter to render inline menus
+  class InlineMenuPresenter < MenuPresenter
+    def render
+      safe_join(menu_items)
+    end
+  end
+end

data/app/presenters/decidim/menu_presenter.rb

@@ -36,7 +36,7 @@ module Decidim
       end
     end
 
-    private
+    protected
 
     def menu_items
       items.map do |menu_item|

data/app/queries/decidim/messaging/user_conversations.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Messaging
+    # A class used to find the conversations a user is participating in.
+    class UserConversations < Rectify::Query
+      # Syntactic sugar to initialize the class and return the queried objects.
+      #
+      # user - a User that needs to find which processes can manage
+      def self.for(user)
+        new(user).query
+      end
+
+      def initialize(user)
+        @user = user
+      end
+
+      def query
+        Conversation
+          .joins(:participations)
+          .where(decidim_messaging_participations: { decidim_participant_id: user.id })
+      end
+
+      private
+
+      attr_reader :user
+    end
+  end
+end

data/app/scrubbers/decidim/user_input_scrubber.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Decidim
+  # Use this class as a scrubber to sanitize user input. The default
+  # scrubbed provided by Rails does not allow `iframe`s, and we're using
+  # them to embed videos, so we need to provide a whole new scrubber.
+  #
+  # Example:
+  #
+  #    sanitize(@page.body, scrubber: Decidim::UserInputScrubber.new)
+  #
+  # Lists of default tags and attributes are extracted from
+  # https://stackoverflow.com/a/35073814/2110884.
+  class UserInputScrubber < Rails::Html::PermitScrubber
+    def initialize
+      super
+      self.tags = custom_allowed_tags
+      self.attributes = custom_allowed_attributes
+    end
+
+    private
+
+    def custom_allowed_attributes
+      Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES + %w(frameborder allowfullscreen)
+    end
+
+    def custom_allowed_tags
+      Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2 + %w(iframe)
+    end
+  end
+end

data/app/services/decidim/action_authorizer.rb

@@ -27,19 +27,31 @@ module Decidim
     #
     # Returns nil.
     def authorize
-      raise AuthorizationError, "Missing data" unless feature && action
-
-      return status(:ok) unless authorization_handler_name
-
-      return status(:missing) unless authorization
-      return status(:invalid, fields: unmatched_fields) if unmatched_fields.any?
-      return status(:incomplete, fields: missing_fields) if missing_fields.any?
+      status_code, fields = *status_data
 
-      status(:ok)
+      status(status_code, fields || {})
     end
 
     private
 
+    def status_data
+      raise AuthorizationError, "Missing data" unless feature && action
+
+      if !authorization_handler_name
+        :ok
+      elsif !authorization
+        :missing
+      elsif !authorization.granted?
+        :pending
+      elsif unmatched_fields.any?
+        [:invalid, fields: unmatched_fields]
+      elsif missing_fields.any?
+        [:incomplete, fields: missing_fields]
+      else
+        :ok
+      end
+    end
+
     def status(status_code, data = {})
       AuthorizationStatus.new(status_code, authorization_handler_name, data)
     end
@@ -52,9 +64,7 @@ module Decidim
       handler = permission["authorization_handler_name"]
       return nil unless handler
 
-      @authorization ||= user.authorizations.find do |authorization|
-        authorization.name == handler
-      end
+      @authorization ||= Verifications::Authorizations.new(user: user, name: handler).first
     end
 
     def unmatched_fields
@@ -87,7 +97,7 @@ module Decidim
     end
 
     class AuthorizationStatus
-      attr_reader :code, :handler_name, :data
+      attr_reader :code, :data
 
       def initialize(code, handler_name, data)
         @code = code.to_sym
@@ -95,9 +105,35 @@ module Decidim
         @data = data.symbolize_keys
       end
 
+      def auth_method
+        return unless @handler_name
+
+        @auth_method ||= Verifications::Adapter.from_element(@handler_name)
+      end
+
+      def current_path(redirect_url: nil)
+        return unless auth_method
+
+        if pending?
+          auth_method.resume_authorization_path(redirect_url: redirect_url)
+        else
+          auth_method.root_path(redirect_url: redirect_url)
+        end
+      end
+
+      def handler_name
+        return unless auth_method
+
+        auth_method.key
+      end
+
       def ok?
         @code == :ok
       end
+
+      def pending?
+        @code == :pending
+      end
     end
 
     class AuthorizationError < StandardError; end

data/app/services/decidim/traceability.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module Decidim
+  # This class wraps the logic to trace resource changes and their authorship.
+  # It is expected to be used with classes implementing the `Decidim::Traceable`
+  # concern. Version authors can be retrieved using the methods in
+  # `Decidim::TraceabilityHelper`.
+  #
+  # Examples:
+  #
+  #     # consider MyResource implements Decidim::Traceable
+  #     resource = Decidim::Traceability.new.create!(MyResource, author, params)
+  #     resource.versions.count # => 1
+  #     resource.versions.last.whodunnit # => author.to_gid.to_s
+  #     resource.versions.last.event # => "create"
+  #     resource = Decidim::Traceability.new.update!(resource, author, params)
+  #     resource.versions.count # => 2
+  #     resource.versions.last.event # => "update"
+  #
+  # This class uses the `paper_trail` gem internally, so refer to its documentation
+  # for further info on how to interact with versions.
+  class Traceability
+    # Calls the `create` method to the given class and sets the author of the version.
+    #
+    # klass - An ActiveRecord class that implements `Decidim::Traceable`
+    # author - An object that implements `to_gid` or a String
+    # params - a Hash
+    #
+    # Returns an instance of `klass`.
+    def create(klass, author, params)
+      PaperTrail.whodunnit(gid(author)) do
+        klass.create(params)
+      end
+    end
+
+    # Calls the `create!` method to the given class and sets the author of the version.
+    #
+    # klass - An ActiveRecord class that implements `Decidim::Traceable`
+    # author - An object that implements `to_gid` or a String
+    # params - a Hash
+    #
+    # Returns an instance of `klass`.
+    def create!(klass, author, params)
+      PaperTrail.whodunnit(gid(author)) do
+        klass.create!(params)
+      end
+    end
+
+    # Updates the `resource` with `update_attributes!` and sets the author of the version.
+    #
+    # resource - An ActiveRecord instance that implements `Decidim::Traceable`
+    # author - An object that implements `to_gid` or a String
+    # params - a Hash
+    #
+    # Returns the updated `resource`.
+    def update!(resource, author, params)
+      PaperTrail.whodunnit(gid(author)) do
+        resource.update_attributes!(params)
+        resource
+      end
+    end
+
+    # Finds the author of the last version of the resource.
+    #
+    # resource - an object implementing `Decidim::Traceable`
+    #
+    # Returns an object identifiable via GlobalID or a String.
+    def last_editor(resource)
+      version_editor(resource.versions.last)
+    end
+
+    # Finds the author of the given version.
+    #
+    # version - an object that responds to `whodunnit` and returns a String.
+    #
+    # Returns an object identifiable via GlobalID or a String.
+    def version_editor(version)
+      ::GlobalID::Locator.locate(version.whodunnit) || version.whodunnit
+    end
+
+    private
+
+    # Calculates the GlobalID of the version author. If the object does not respond to
+    # `to_gid`, then it returns the object itself.
+    def gid(author)
+      return if author.blank?
+      return author.to_gid if author.respond_to?(:to_gid)
+      author
+    end
+  end
+end