decidim-core 0.27.2 → 0.27.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 391ba34f55c860208f7644dd10b1b3e2b6465ed45b9e9f9fd194ce1036516995
-  data.tar.gz: 93636f8d556d73547fcdff45986fcc85ba4a22e9c399fdeca0c550ee6c241363
+  metadata.gz: d6577740d87b562e24f541c4723480ec774239f69a389d4434536ab72be3b116
+  data.tar.gz: 8366df277375b9fadc5c96b4a9e647a0300057d7148eafcb672f3a57d3abd55f
 SHA512:
-  metadata.gz: 157c005fbea98fe374586f91f15f17bc54450d6e4b6f7136d51582d5cae7af9442d250edbbf4fe2a4308aac902ba0eb28c49681153dcda6b6948f8589414e930
-  data.tar.gz: 8ebc9089ad86980956ded3024d490f419bf8015ae0dc4b3fe6e003d415010de8ed28751bd0c168cf526c8a17f5db50467c9223242c2150cf600304990e1eda04
+  metadata.gz: f6f4e9e7bcf14ccc5943ec41d4468338d1cf62aec7d37b296d0fa37a3c1c7bc97711b06579d10b32167ce291b8d664989f90eecfcba9a94f228ff60e7e8698e0
+  data.tar.gz: 4fcd0dacd12572c3a4b404709ec632dcc6c5cc964dfd9dc29d92a4dd03da2b10ddc3e5df57a6ed91cb3f90e0dac70c4668ba89040f8cf5788e34d1f8e857d3b8

data/app/cells/decidim/upload_modal/files.erb

@@ -30,6 +30,7 @@
           add_attribute: add_attribute,
           resource_name: resource_name,
           resource_class: resource_class,
+          required: required?,
           optional: optional,
           max_file_size: max_file_size,
           multiple: multiple,

data/app/cells/decidim/upload_modal_cell.rb

@@ -5,6 +5,7 @@ module Decidim
   class UploadModalCell < Decidim::ViewModel
     include Cell::ViewModel::Partial
     include ERB::Util
+    include Decidim::SanitizeHelper
 
     alias form model
 
@@ -29,7 +30,7 @@ module Decidim
     end
 
     def label
-      options[:label]
+      form.send(:custom_label, attribute, options[:label], { required: required?, for: nil })
     end
 
     def button_label
@@ -72,8 +73,17 @@ module Decidim
       options[:multiple] || false
     end
 
+    # @deprecated Please use `required?` instead.
+    #
+    # NOTE: When this is removed, also the `optional` option should be removed.
     def optional
-      options[:optional]
+      !required?
+    end
+
+    def required?
+      return !options[:optional] if options.has_key?(:optional)
+
+      options[:required] == true
     end
 
     # By default Foundation adds form errors next to input, but since input is in the modal
@@ -81,7 +91,7 @@ module Decidim
     # This should only be necessary when file is required by the form.
     def input_validation_field
       object_name = form.object.present? ? "#{form.object.model_name.param_key}[#{add_attribute}_validation]" : "#{add_attribute}_validation"
-      input = check_box_tag object_name, 1, attachments.present?, class: "hide", label: false, required: !optional
+      input = check_box_tag object_name, 1, attachments.present?, class: "hide", label: false, required: required?
       message = form.send(:abide_error_element, add_attribute) + form.send(:error_and_help_text, add_attribute)
       input + message
     end
@@ -142,7 +152,7 @@ module Decidim
     def title_for(attachment)
       return unless has_title?
 
-      translated_attribute(attachment.title)
+      decidim_html_escape(decidim_sanitize(translated_attribute(attachment.title)))
     end
 
     def truncated_file_name_for(attachment, max_length = 31)

data/app/commands/decidim/attachment_methods.rb

@@ -12,8 +12,8 @@ module Decidim
       @attachment = Attachment.new(
         title: { I18n.locale => @form.attachment.title },
         attached_to: attached_to,
-        file: @form.attachment.file, # Define attached_to before this
-        content_type: @form.attachment.file.content_type
+        file: signed_id_for(@form.attachment.file),
+        content_type: content_type_for(@form.attachment.file)
       )
     end
 
@@ -53,5 +53,23 @@ module Decidim
     def delete_attachment?
       @form.attachment&.delete_file.present?
     end
+
+    protected
+
+    def signed_id_for(attachment)
+      return attachment[:file] if attachment.is_a?(Hash)
+
+      attachment
+    end
+
+    def content_type_for(attachment)
+      return attachment.content_type if attachment.instance_of?(ActionDispatch::Http::UploadedFile)
+
+      blob(signed_id_for(attachment)).content_type
+    end
+
+    def blob(signed_id)
+      ActiveStorage::Blob.find_signed(signed_id)
+    end
   end
 end

data/app/commands/decidim/create_registration.rb

@@ -41,6 +41,7 @@ module Decidim
         nickname: form.nickname,
         password: form.password,
         password_confirmation: form.password_confirmation,
+        password_updated_at: Time.current,
         organization: form.current_organization,
         tos_agreement: form.tos_agreement,
         newsletter_notifications_at: form.newsletter_at,

data/app/commands/decidim/gallery_methods.rb

@@ -24,7 +24,7 @@ module Decidim
     end
 
     def update_attachment_title_for(photo)
-      Decidim::Attachment.find(photo[:id]).update(title: title_for(photo))
+      Decidim::Attachment.find(photo[:id]).update(title: photos_title(photo))
     end
 
     def image?(signed_id)

data/app/commands/decidim/update_account.rb

@@ -55,6 +55,7 @@ module Decidim
 
       @user.password = @form.password
       @user.password_confirmation = @form.password_confirmation
+      @user.password_updated_at = Time.current
     end
 
     def notify_followers

data/app/commands/decidim/update_password.rb

@@ -16,6 +16,8 @@ module Decidim
       return broadcast(:invalid) if form.invalid?
 
       user.password = form.password
+      user.password_confirmation = form.password
+      user.password_updated_at = Time.current
 
       if user.save
         broadcast(:ok)

data/app/controllers/decidim/devise/sessions_controller.rb

@@ -6,9 +6,25 @@ module Decidim
     class SessionsController < ::Devise::SessionsController
       include Decidim::DeviseControllers
 
-      # rubocop: disable Rails/LexicallyScopedActionFilter
       before_action :check_sign_in_enabled, only: :create
-      # rubocop: enable Rails/LexicallyScopedActionFilter
+
+      def create
+        super do |user|
+          if user.admin?
+            # Check that the admin password passes the validation and clear the
+            # `password_updated_at` field when the password is weak to force a
+            # password update on the user.
+            #
+            # Handles a case when the user registers through the registration
+            # form and they are promoted to an admin after that. In this case,
+            # the newly promoted admin user would otherwise have to change their
+            # password straight away even if they originally registered with a
+            # strong password.
+            validator = PasswordValidator.new({ attributes: :password })
+            user.update!(password_updated_at: nil) unless validator.validate_each(user, :password, sign_in_params[:password])
+          end
+        end
+      end
 
       def destroy
         current_user.invalidate_all_sessions!

data/app/controllers/decidim/links_controller.rb

@@ -21,24 +21,21 @@ module Decidim
 
     def invalid_url
       flash[:alert] = I18n.t("decidim.links.invalid_url")
-      redirect_to decidim.root_path
+      if request.xhr?
+        render "invalid_url"
+      else
+        redirect_to decidim.root_path
+      end
     end
 
     def parse_url
+      raise Decidim::InvalidUrlError if params[:external_url].blank?
       raise Decidim::InvalidUrlError unless external_url
-
-      parts = external_url.match %r{\A(([a-z]+):)?//([^/]+)(/.*)?\z}
-      raise Decidim::InvalidUrlError unless parts
-
-      @url_parts = {
-        protocol: parts[1],
-        domain: parts[3],
-        path: parts[4]
-      }
+      raise Decidim::InvalidUrlError unless %w(http https).include?(external_url.scheme)
     end
 
     def external_url
-      @external_url ||= URI.parse(params[:external_url]).to_s
+      @external_url ||= URI.parse(params[:external_url])
     end
   end
 end

data/app/helpers/decidim/cells_helper.rb

@@ -35,6 +35,7 @@ module Decidim
     end
 
     def user_flaggable?
+      return if (try(:profile_holder) || try(:profile_user) || try(:model)).try(:blocked)
       return unless context[:controller].try(:flaggable_controller?)
 
       true

data/app/helpers/decidim/external_domain_helper.rb

@@ -3,10 +3,21 @@
 module Decidim
   module ExternalDomainHelper
     def highlight_domain
+      highlighted_domain = [
+        external_url.host,
+        (external_url.port && [80, 443].include?(external_url.port) ? "" : ":#{external_url.port}")
+      ].join
+
+      path = [
+        external_url.path,
+        (external_url.query ? "?#{external_url.query}" : ""),
+        (external_url.fragment ? "##{external_url.fragment}" : "")
+      ].join
+
       tag.div do
-        content_tag(:span, "#{@url_parts[:protocol]}//") +
-          content_tag(:span, @url_parts[:domain], class: "alert") +
-          content_tag(:span, @url_parts[:path])
+        content_tag(:span, "#{external_url.scheme}://") +
+          content_tag(:span, highlighted_domain, class: "text-alert") +
+          content_tag(:span, path)
       end
     end
   end

data/app/helpers/decidim/sanitize_helper.rb

@@ -112,9 +112,10 @@ module Decidim
     #
     # @return ActiveSupport::SafeBuffer
     def render_sanitized_content(resource, method)
-      content = present(resource).send(method, links: true, strip_tags: !safe_content?)
+      content = present(resource).send(method, links: true, strip_tags: !try(:safe_content?))
 
-      return decidim_sanitize(content, {}) unless safe_content?
+      return decidim_sanitize(content, {}) unless try(:safe_content?)
+      return decidim_sanitize_editor_admin(content, {}) if try(:safe_content_admin?)
 
       decidim_sanitize_editor(content)
     end

data/app/models/decidim/scope_type.rb

@@ -17,8 +17,32 @@ module Decidim
 
     validates :name, presence: true
 
+    before_destroy :detach_dynamic_associations
+
     def self.log_presenter_class_for(_log)
       Decidim::AdminLog::ScopeTypePresenter
     end
+
+    private
+
+    # This method detaches all records that may have association with the scope
+    # type. This cannot be done directly using the `dependent` option in the
+    # `has_many` relation in order to avoid tight coupling between the modules.
+    #
+    # This logic does not have to be applied to any classes that have been
+    # defined as `has_many` associations within this model already as they are
+    # already handled by the `dependent` option.
+    def detach_dynamic_associations
+      ActiveRecord::Base.descendants.each do |cls|
+        next if cls.abstract_class? || !cls.name&.match?(/^Decidim::/)
+        next if cls == self.class || cls == Decidim::Scope
+
+        cls.reflect_on_all_associations(:belongs_to).each do |ref|
+          next unless ref.options[:class_name] == self.class.name
+
+          cls.where(ref.options[:foreign_key] => id).update_all(ref.options[:foreign_key] => nil) # rubocop:disable Rails/SkipsModelValidations
+        end
+      end
+    end
   end
 end

data/app/packs/src/decidim/direct_uploads/upload_modal.js

@@ -16,7 +16,6 @@ export default class UploadModal {
       // - addAttribute - Field name / attribute of resource (e.g. avatar)
       // - resourceName - The resource to which the attribute belongs (e.g. user)
       // - resourceClass - Ruby class of the resource (e.g. Decidim::User)
-      // - optional - Defines if file is optional
       // - multiple - Defines if multiple files can be uploaded
       // - titled - Defines if file(s) can have titles
       // - maxFileSize - Defines maximum file size in bytes

data/app/packs/src/decidim/editor/clipboard_override.js

@@ -70,7 +70,9 @@ export default class ClipboardOverride extends Clipboard {
     const text = ev.clipboardData.getData("text/plain");
     const files = Array.from(ev.clipboardData.files || []);
     if (!html && files.length > 0) {
-      this.quill.uploader.upload(range, files);
+      if (typeof this.quill.uploader !== "undefined") {
+        this.quill.uploader.upload(range, files);
+      }
       return;
     }
     if (html && files.length > 0) {
@@ -79,7 +81,9 @@ export default class ClipboardOverride extends Clipboard {
         doc.body.childElementCount === 1 &&
         doc.body.firstElementChild.tagName === "IMG"
       ) {
-        this.quill.uploader.upload(range, files);
+        if (typeof this.quill.uploader !== "undefined") {
+          this.quill.uploader.upload(range, files);
+        }
         return;
       }
     }

data/app/packs/src/decidim/editor.js

@@ -1,11 +1,25 @@
 /* eslint-disable require-jsdoc */
 
-import lineBreakButtonHandler from "src/decidim/editor/linebreak_module"
-import "src/decidim/editor/clipboard_override"
-import "src/decidim/vendor/image-resize.min"
-import "src/decidim/vendor/image-upload.min"
+import lineBreakButtonHandler from "src/decidim/editor/linebreak_module";
+import "src/decidim/editor/clipboard_override";
+import "src/decidim/vendor/image-resize.min";
+import "src/decidim/vendor/image-upload.min";
 
-const quillFormats = ["bold", "italic", "link", "underline", "header", "list", "video", "image", "alt", "break", "width", "style", "code", "blockquote", "indent"];
+const quillFormats = [
+  "bold",
+  "italic",
+  "link",
+  "underline",
+  "header",
+  "list",
+  "alt",
+  "break",
+  "width",
+  "style",
+  "code",
+  "blockquote",
+  "indent"
+];
 
 export default function createQuillEditor(container) {
   const toolbar = $(container).data("toolbar");
@@ -17,26 +31,28 @@ export default function createQuillEditor(container) {
     [{ list: "ordered" }, { list: "bullet" }],
     ["link", "clean"],
     ["code", "blockquote"],
-    [{ "indent": "-1"}, { "indent": "+1" }]
+    [{ indent: "-1" }, { indent: "+1" }]
   ];
 
-  let addImage = $(container).data("editorImages");
+  let addImage = false;
+  let addVideo = false;
 
-  if (toolbar === "full") {
+  /**
+   * - basic = only basic controls without titles
+   * - content = basic + headings
+   * - full = basic + headings + image + video
+   */
+  if (toolbar === "content") {
+    quillToolbar = [[{ header: [2, 3, 4, 5, 6, false] }], ...quillToolbar];
+  } else if (toolbar === "full") {
+    addImage = true;
+    addVideo = true;
     quillToolbar = [
       [{ header: [2, 3, 4, 5, 6, false] }],
       ...quillToolbar,
-      ["video"]
+      ["video"],
+      ["image"]
     ];
-  } else if (toolbar === "basic") {
-    quillToolbar = [
-      ...quillToolbar,
-      ["video"]
-    ];
-  }
-
-  if (addImage) {
-    quillToolbar.push(["image"]);
   }
 
   let modules = {
@@ -44,17 +60,26 @@ export default function createQuillEditor(container) {
     toolbar: {
       container: quillToolbar,
       handlers: {
-        "linebreak": lineBreakButtonHandler
+        linebreak: lineBreakButtonHandler
       }
     }
   };
   const $input = $(container).siblings('input[type="hidden"]');
   container.innerHTML = $input.val() || "";
   const token = $('meta[name="csrf-token"]').attr("content");
+
+  if (addVideo) {
+    quillFormats.push("video");
+  }
+
   if (addImage) {
+    // Attempt to allow images only if the image support is enabled at editor support.
+    // see: https://github.com/quilljs/quill/issues/1108
+    quillFormats.push("image");
+
     modules.imageResize = {
       modules: ["Resize", "DisplaySize"]
-    }
+    };
     modules.imageUpload = {
       url: $(container).data("uploadImagesPath"),
       method: "POST",
@@ -62,18 +87,23 @@ export default function createQuillEditor(container) {
       withCredentials: false,
       headers: { "X-CSRF-Token": token },
       callbackOK: (serverResponse, next) => {
-        $("div.ql-toolbar").last().removeClass("editor-loading")
+        $("div.ql-toolbar").last().removeClass("editor-loading");
         next(serverResponse.url);
       },
       callbackKO: (serverError) => {
-        $("div.ql-toolbar").last().removeClass("editor-loading")
+        $("div.ql-toolbar").last().removeClass("editor-loading");
         console.log(`Image upload error: ${serverError.message}`);
       },
       checkBeforeSend: (file, next) => {
-        $("div.ql-toolbar").last().addClass("editor-loading")
+        $("div.ql-toolbar").last().addClass("editor-loading");
         next(file);
       }
-    }
+    };
+
+    const text = $(container).data("dragAndDropHelpText");
+    $(container).after(
+      `<p class="help-text" style="margin-top:-1.5rem;">${text}</p>`
+    );
   }
   const quill = new Quill(container, {
     modules: modules,
@@ -81,6 +111,11 @@ export default function createQuillEditor(container) {
     theme: "snow"
   });
 
+  if (addImage === false) {
+    // Firefox natively implements image drop in contenteditable which is why we need to disable that
+    quill.root.addEventListener("drop", (ev) => ev.preventDefault());
+  }
+
   if (disabled) {
     quill.disable();
   }
@@ -95,7 +130,10 @@ export default function createQuillEditor(container) {
     });
     container.dispatchEvent(event);
 
-    if ((text === "\n" || text === "\n\n") && quill.root.querySelectorAll(allowedEmptyContentSelector).length === 0) {
+    if (
+      (text === "\n" || text === "\n\n") &&
+      quill.root.querySelectorAll(allowedEmptyContentSelector).length === 0
+    ) {
       $input.val("");
     } else {
       const emptyParagraph = "<p><br></p>";
@@ -109,13 +147,5 @@ export default function createQuillEditor(container) {
   // After editor is ready, linebreak_module deletes two extraneous new lines
   quill.emitter.emit("editor-ready");
 
-  if (addImage) {
-    const text = $(container).data("dragAndDropHelpText");
-    $(container).after(`<p class="help-text" style="margin-top:-1.5rem;">${text}</p>`);
-  }
-
-  // After editor is ready, linebreak_module deletes two extraneous new lines
-  quill.emitter.emit("editor-ready");
-
   return quill;
 }

data/app/packs/stylesheets/decidim/modules/_buttons.scss

@@ -123,6 +123,10 @@
     }
   }
 
+  &.primary{
+    @include button-hollow-variant(var(--primary));
+  }
+
   &.secondary{
     @include button-hollow-variant(var(--secondary));
   }
@@ -257,12 +261,12 @@
 
 .button--shadow{
   $shadows: (
-    primary: shade($primary, 50),
-    secondary: shade($secondary, 50),
-    success: shade($success, 50),
-    warning: shade($warning, 50),
-    alert: shade($alert, 50),
-    muted: shade($muted, 50),
+    primary: shade($primary, 50%),
+    secondary: shade($secondary, 50%),
+    success: shade($success, 50%),
+    warning: shade($warning, 50%),
+    alert: shade($alert, 50%),
+    muted: shade($muted, 50%),
   );
 
   @include modifiers(background-color, $shadows){

data/app/packs/stylesheets/decidim/modules/_cards.scss

@@ -934,7 +934,7 @@ a .card__title{
   @include modifiers(
     color,
     (
-      muted: tint($muted, 50),
+      muted: tint($muted, 50%),
     )
   ){
     margin-top: -$global-margin * .95;

data/app/packs/stylesheets/decidim/modules/_comments.scss

@@ -17,6 +17,30 @@ $comment-form-bg: $light-gray;
 
 .comment-thread{
   @extend .card;
+
+  .show-comment-replies{
+    display: none;
+  }
+
+  .hide-comment-replies{
+    display: inline;
+  }
+
+  .comment__hide{
+    float: left;
+    margin-bottom: 0;
+  }
+
+  .no-comments{
+    .show-comment-replies{
+      display: inline;
+    }
+
+    .hide-comment-replies,
+    .replies{
+      display: none;
+    }
+  }
 }
 
 .comment-thread__title{

data/app/packs/stylesheets/decidim/modules/_input-gallery.scss

@@ -26,7 +26,8 @@
       top: 2px;
       width: 2rem;
       height: 2rem;
-      background: rgba(var(--primary-rgb), .8);
+      background: var(--primary);
+      opacity: .8;
       color: $white;
       border-radius: 50%;
     }

data/app/packs/stylesheets/decidim/modules/_upload_modal.scss

@@ -32,10 +32,6 @@
         border-width: 2px;
         border-radius: 4px;
 
-        * >{
-          display: none;
-        }
-
         .form-error{
           margin: 0;
         }

data/app/packs/stylesheets/decidim/vizzs/_linechart.scss

@@ -36,8 +36,8 @@
   @mixin loop-colors-types($color, $max: 12){
     @for $i from 0 through ($max - 1){
       $interval: ($i % 4) * 24 + 1;
-      $tints: tint($color, $interval);
-      $shades: shade($color, $interval);
+      $tints: tint($color, $interval * 1%);
+      $shades: shade($color, $interval * 1%);
       $adjusts: adjust-color($color, $lightness: $interval * 1%, $hue: -$interval);
 
       .type-#{$i}:not(.legend){

data/app/packs/stylesheets/decidim/vizzs/_rowchart.scss

@@ -27,8 +27,8 @@
   @mixin loop-colors-types($color, $max: 12){
     @for $i from 0 through ($max - 1){
       $interval: ($i % 4) * 24 + 1;
-      $tints: tint($color, $interval);
-      $shades: shade($color, $interval);
+      $tints: tint($color, $interval * 1%);
+      $shades: shade($color, $interval * 1%);
       $adjusts: adjust-color($color, $lightness: $interval * 1%, $hue: -$interval);
 
       .type-#{$i}{

data/app/presenters/decidim/notification_presenter.rb

@@ -11,7 +11,7 @@ module Decidim
 
     def created_at_in_words
       if created_at.between?(1.month.ago, Time.current)
-        time_ago_in_words(created_at)
+        I18n.t("decidim.user_conversations.index.time_ago", time: time_ago_in_words(created_at))
       else
         format = created_at.year == Time.current.year ? :ddmm : :ddmmyyyy
         I18n.l(created_at, format: format)

data/app/presenters/decidim/notification_to_mailer_presenter.rb

@@ -27,6 +27,7 @@ module Decidim
       @event ||= event_class.constantize.new(
         resource: resource,
         user: user,
+        user_role: user_role,
         event_name: event_name,
         extra: extra
       )

data/app/presenters/decidim/user_group_presenter.rb

@@ -16,7 +16,7 @@ module Decidim
     end
 
     def can_be_contacted?
-      true
+      true unless blocked?
     end
 
     def officialization_text

data/app/presenters/decidim/user_presenter.rb

@@ -61,7 +61,7 @@ module Decidim
     end
 
     def can_be_contacted?
-      true
+      true unless blocked?
     end
 
     def officialization_text

data/app/scrubbers/decidim/admin_input_scrubber.rb

@@ -14,12 +14,14 @@ module Decidim
   class AdminInputScrubber < UserInputScrubber
     private
 
+    DECIDIM_ALLOWED_TAGS = %w(img video audio source comment iframe).freeze
+
     def custom_allowed_attributes
       super + %w(frameborder allowfullscreen) - %w(onerror)
     end
 
     def custom_allowed_tags
-      super + %w(comment iframe)
+      super + DECIDIM_ALLOWED_TAGS
     end
   end
 end