decidim-kids 0.1.0

data/app/commands/decidim/kids/impersonate_minor.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    # A command with all the business logic to impersonate a minor.
+    class ImpersonateMinor < Decidim::Command
+      # Public: Initializes the command.
+      #
+      # current_user       - The user impersonating a minor
+      # minor_user         - The user to impersonate
+      # form               - The form with the authorization info
+      def initialize(minor_user, current_user, form)
+        @current_user = current_user
+        @minor_user = minor_user
+        @form = form
+      end
+
+      def call
+        return broadcast(:invalid) if form.invalid?
+
+        transaction do
+          impersonation_log = create_impersonation_log
+          create_action_log(impersonation_log)
+        end
+
+        enqueue_expire_job
+
+        broadcast(:ok)
+      end
+
+      private
+
+      attr :form, :minor_user, :current_user
+
+      def create_impersonation_log
+        Decidim::Kids::ImpersonationMinorLog.create!(
+          tutor: current_user,
+          minor: minor_user,
+          started_at: Time.current
+        )
+      end
+
+      def create_action_log(impersonation_log)
+        Decidim.traceability.perform_action!(
+          "manage",
+          impersonation_log,
+          current_user,
+          resource: {
+            id: minor_user.id,
+            name: minor_user.name,
+            nickname: minor_user.nickname
+          },
+          visibility: "public-only"
+        )
+      end
+
+      def enqueue_expire_job
+        Decidim::Kids::ExpireImpersonationJob
+          .set(wait: Decidim::Kids::ImpersonationMinorLog::SESSION_TIME_IN_MINUTES.minutes)
+          .perform_later(minor_user, current_user)
+      end
+    end
+  end
+end

data/app/commands/decidim/kids/update_minor_account.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    class UpdateMinorAccount < Decidim::Command
+      def initialize(form, minor_user)
+        @form = form
+        @minor_user = minor_user
+      end
+
+      def call
+        return broadcast(:invalid) if form.invalid?
+
+        old_minor_email = minor_user.email
+
+        update_minor
+
+        minor_user.save!
+
+        minor_user.minor_data.update!(attributes_data)
+
+        minor_user.invite!(invited_by, invitation_instructions: "invite_minor") unless old_minor_email == form.email
+
+        broadcast(:ok)
+      end
+
+      private
+
+      attr_reader :form, :minor_user, :invited_by
+
+      def update_minor
+        minor_user.skip_reconfirmation!
+        minor_user.email = form.email
+      end
+
+      def attributes_data
+        {
+          birthday: form.birthday,
+          email: form.email,
+          name: form.name
+        }
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/kids/disable_minors_participation.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    # Controllers implementing this concern will be able to restrict access to user's that are not minors.
+    module DisableMinorsParticipation
+      extend ActiveSupport::Concern
+      include HasDecidimKidsPermissions
+
+      included do
+        before_action do
+          enforce_permission_to :all, :authorizations
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/kids/has_decidim_kids_permissions.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    module HasDecidimKidsPermissions
+      extend ActiveSupport::Concern
+
+      included do
+        def permission_class_chain
+          super + [::Decidim::Kids::Permissions]
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/kids/has_minor_activities_as_own.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    module HasMinorActivitiesAsOwn
+      extend ActiveSupport::Concern
+
+      included do
+        alias_method :user_own_activities?, :own_activities?
+
+        def own_activities?
+          user_own_activities? || (current_organization.minors_participation_enabled? && current_user&.minors&.include?(user))
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/kids/impersonate_minors.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    module ImpersonateMinors
+      extend ActiveSupport::Concern
+
+      included do
+        helper_method :impersonation_log_minor
+
+        def current_user
+          @current_user ||= managed_minor || managed_user || real_user
+        end
+
+        def impersonation_session_ends_at
+          @impersonation_session_ends_at ||= minor_session_ends_at || user_session_ends_at
+        end
+
+        private
+
+        # Returns the minor user impersonated by an tutor if exists
+        def managed_minor
+          return if impersonation_log_minor.blank?
+
+          @managed_minor ||= begin
+            impersonation_log_minor.ensure_not_expired!
+            impersonation_log_minor.minor
+          end
+        end
+
+        def impersonation_log_minor
+          @impersonation_log_minor ||= Decidim::Kids::ImpersonationMinorLog.where(tutor: real_user).active.first
+        end
+
+        def current_user_impersonated?
+          current_user && (impersonation_log_minor.present? || impersonation_log.present?)
+        end
+
+        def minor_session_ends_at
+          return if impersonation_log_minor.blank?
+
+          impersonation_log_minor.started_at + Decidim::Kids::ImpersonationMinorLog::SESSION_TIME_IN_MINUTES.minutes
+        end
+
+        def user_session_ends_at
+          return if impersonation_log.blank?
+
+          impersonation_log.started_at + Decidim::ImpersonationLog::SESSION_TIME_IN_MINUTES.minutes
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/kids/needs_adult_permission.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    module NeedsAdultPermission
+      extend ActiveSupport::Concern
+      include HasDecidimKidsPermissions
+
+      included do
+        before_action do
+          enforce_permission_to :all, :authorizations
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/kids/needs_tutor_authorization.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    module NeedsTutorAuthorization
+      extend ActiveSupport::Concern
+      include HasDecidimKidsPermissions
+
+      included do
+        before_action do
+          if tutor_adapter.blank?
+            flash[:alert] = t("user_minors.no_tutor_authorization", scope: "decidim.kids")
+            redirect_to decidim.account_path
+          end
+        end
+
+        before_action except: [:unverified] do
+          enforce_permission_to :index, :minor_accounts
+          redirect_to unverified_user_minors_path unless tutor_verified?
+        end
+
+        helper_method :minors, :tutor_adapter
+
+        private
+
+        def tutor_verified?
+          @tutor_verified ||= tutor_authorization.present? && !tutor_authorization.expired?
+        end
+
+        def tutor_adapter
+          @tutor_adapter ||= Decidim::Verifications::Adapter.from_element(current_organization.tutors_authorization)
+        rescue Decidim::Verifications::UnregisteredVerificationManifest
+          nil
+        end
+
+        def tutor_authorization
+          @tutor_authorization ||= granted_authorizations(current_user).find_by(name: current_organization.tutors_authorization)
+        end
+
+        def minor_authorization(user)
+          granted_authorizations(user).find_by(name: current_organization.minors_authorization)
+        end
+
+        def granted_authorizations(user)
+          Decidim::Verifications::Authorizations.new(organization: current_organization, user: user, granted: true).query
+        end
+
+        def minors
+          current_user.minors
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/kids/participatory_space_context_override.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    # This module contains all the domain logic associated to restrict operations depending on the user's age/minors configuration.
+    module ParticipatorySpaceContextOverride
+      extend ActiveSupport::Concern
+      include AgeMethods
+
+      included do
+        class ::Decidim::Kids::ActionForbidden < ::Decidim::ActionForbidden
+        end
+
+        rescue_from Decidim::Kids::ActionForbidden, with: :no_minor_user_has_no_permission
+
+        def no_minor_user_has_no_permission
+          flash[:alert] = t("actions.unauthorized", scope: "decidim.kids")
+          redirect_to(user_has_no_permission_referer || user_has_no_permission_path)
+        end
+
+        before_action do
+          enforce_space_for_minors! if space_minors_config.access_type == "minors"
+        end
+      end
+
+      def space_minors_config
+        @space_minors_config ||= MinorsSpaceConfig.for(current_participatory_space)
+      end
+
+      private
+
+      def enforce_space_for_minors!
+        return unless current_organization.minors_participation_enabled?
+
+        if current_user
+          # Allow admins and any other role with access to the admin dashboard
+          return if allowed_to?(:read, :admin_dashboard, current_participatory_space: current_participatory_space)
+          # Allow minors
+          return if current_user.minor?
+
+          return if current_user_is_a_valid_tutor?
+          # users with authorization to access minors spaces, check the age if possible
+          return if current_user_has_a_valid_authorization?
+        end
+
+        raise Decidim::Kids::ActionForbidden
+      end
+
+      def current_user_is_a_valid_tutor?
+        return unless current_user.tutor?
+        return unless current_user.confirmed?
+
+        # only tutors with readonly access are allowed
+        return if request.post? || request.patch? || request.put? || request.delete?
+
+        # check for having at least one minor confirmed
+        current_user.minors.detect(&:confirmed?)
+      end
+
+      def current_user_has_a_valid_authorization?
+        return unless space_authorization
+
+        return true if space_minors_config.max_age.blank? || space_minors_config.max_age.zero?
+
+        authorization_has_a_valid_age?
+      end
+
+      def authorization_has_a_valid_age?
+        Decidim::Kids.minor_authorization_age_attributes.detect do |attr|
+          age = age_from_date(space_authorization.metadata[attr.to_s])
+          next unless age
+
+          age <= space_minors_config.max_age
+        end
+      end
+
+      def space_authorization
+        @space_authorization ||= current_user_authorizations.find_by(name: space_minors_config.authorization)
+      end
+
+      def current_user_authorizations
+        Decidim::Verifications::Authorizations.new(organization: current_organization, user: current_user, granted: true).query
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/kids/writes_minor_log.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    module WritesMinorLog
+      extend ActiveSupport::Concern
+
+      included do
+        before_action do
+          Rails.logger.tagged("MINOR-ACTIVITY").info(log_params) if current_user.present? && current_user.minor?
+        end
+
+        private
+
+        def log_params
+          {
+            remote_ip: request.remote_ip,
+            method: request.method,
+            path: request.fullpath,
+            params: request.params,
+            format: request.format&.to_s || "*/*",
+            user_id: current_user.id
+          }
+        end
+      end
+    end
+  end
+end

data/app/controllers/decidim/assemblies/admin/minors_space_controller.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Assemblies
+    module Admin
+      # Controller that allows managing minors limited access for assemblies
+      class MinorsSpaceController < Decidim::Kids::Admin::MinorsSpaceController
+        include Concerns::AssemblyAdmin
+      end
+    end
+  end
+end

data/app/controllers/decidim/kids/admin/application_controller.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    module Admin
+      class ApplicationController < Decidim::Admin::ApplicationController
+      end
+    end
+  end
+end

data/app/controllers/decidim/kids/admin/minors_space_controller.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    module Admin
+      # Base Controller that specific participatory spaces should inherit from to limit access to minors.
+      class MinorsSpaceController < Decidim::Admin::ApplicationController
+        before_action do
+          enforce_permission_to :manage, :space_minors_configuration
+        end
+
+        helper_method :access_types, :authorization_handlers, :authorization_method_error
+
+        def index
+          @form = form(MinorsSpaceForm).from_model(current_participatory_space_config)
+        end
+
+        def create
+          @form = form(MinorsSpaceForm).from_params(params)
+
+          SaveParticipatorySpaceConfig.call(@form, current_participatory_space) do
+            on(:ok) do
+              flash[:notice] = I18n.t("minors_space.save.success", scope: "decidim.kids.admin")
+              redirect_to action: :index
+            end
+
+            on(:invalid) do
+              flash.now[:alert] = I18n.t("minors_space.save.error", scope: "decidim.kids.admin", errors: @form&.errors&.messages&.values&.flatten&.first)
+              render :index
+            end
+          end
+        end
+
+        private
+
+        def current_participatory_space_config
+          @current_participatory_space_config ||= MinorsSpaceConfig.for(current_participatory_space)
+        end
+
+        def authorization_handlers
+          Decidim::Kids.valid_minor_workflows.pluck(:description, :name)
+        end
+
+        def authorization_method_error(handler)
+          form_class = Decidim::Verifications.find_workflow_manifest(handler)&.form&.safe_constantize
+          return :invalid unless form_class
+
+          dummy = form_class.new
+          return :metadata unless dummy.respond_to? :metadata
+
+          :metadata unless Decidim::Kids.minor_authorization_age_attributes.detect { |attr| dummy.metadata.has_key?(attr.to_sym) }
+        end
+
+        def access_types
+          {
+            t("minors_space.form.all", scope: "decidim.kids.admin") => "all",
+            t("minors_space.form.minors", scope: "decidim.kids.admin") => "minors"
+          }
+        end
+      end
+    end
+  end
+end

data/app/controllers/decidim/kids/application_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    class ApplicationController < Decidim::ApplicationController
+    end
+  end
+end

data/app/controllers/decidim/kids/authorizations_controller.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    class AuthorizationsController < Decidim::Verifications::AuthorizationsController
+      include Decidim::UserProfile
+      include NeedsTutorAuthorization
+
+      layout "layouts/decidim/user_profile"
+
+      helper_method :authorizations_path, :minor_user
+
+      def authorizations_path(prs = {})
+        decidim_kids.user_minor_authorizations_path(prs)
+      end
+
+      def index
+        if minor_authorized?
+          # TODO: unblock user, update personal data
+          flash[:notice] = t("authorizations.authorize.success", scope: "decidim.kids")
+        else
+          flash[:alert] = t("authorizations.authorize.error", scope: "decidim.kids")
+        end
+        redirect_to decidim_kids.user_minors_path
+      end
+
+      def new
+        if minor_authorized?
+          flash[:notice] = t("authorizations.authorize.already_authorized", scope: "decidim.kids")
+          redirect_to decidim_kids.user_minors_path
+        else
+          super
+        end
+      end
+
+      def create
+        if minor_authorized?
+          flash[:notice] = t("authorizations.authorize.already_authorized", scope: "decidim.kids")
+          return redirect_to decidim_kids.user_minors_path
+        end
+
+        AuthorizeMinor.call(handler) do
+          on(:ok) do
+            flash[:notice] = t("authorizations.authorize.success", scope: "decidim.kids")
+            redirect_to redirect_url || authorizations_path
+          end
+
+          on(:transferred) do
+            flash[:notice] = t("authorizations.authorize.success", scope: "decidim.kids")
+            redirect_to redirect_url || authorizations_path
+          end
+
+          on(:invalid_age) do
+            flash[:alert] = t("authorizations.create.invalid_age", scope: "decidim.kids")
+            render action: :new
+          end
+
+          on(:invalid) do
+            flash[:alert] = t("authorizations.authorize.error", scope: "decidim.kids")
+            render action: :new
+          end
+        end
+      end
+
+      def handler_params
+        (params[:authorization_handler] || {}).merge(user: minor_user)
+      end
+
+      def handler_name
+        current_organization.minors_authorization
+      end
+
+      def minor_user
+        current_user.minors.find(params[:user_minor_id])
+      end
+
+      def minor_authorized?
+        minor_authorization(minor_user).present?
+      end
+    end
+  end
+end

data/app/controllers/decidim/kids/minor_impersonations_controller.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Kids
+    # Controller that allows impersonating managed minors.
+    class MinorImpersonationsController < ApplicationController
+      include Decidim::UserProfile
+
+      layout "layouts/decidim/user_profile"
+
+      helper_method :minor_user
+
+      def permission_class_chain
+        [::Decidim::Kids::Permissions] + super
+      end
+
+      def new
+        enforce_permission_to :impersonate, :minor_accounts, minor_user: minor_user
+
+        @form = form(ImpersonateMinorForm).from_params(params)
+      end
+
+      def create
+        enforce_permission_to :impersonate, :minor_accounts, minor_user: minor_user
+
+        @form = form(ImpersonateMinorForm).from_params(params)
+
+        ImpersonateMinor.call(minor_user, current_user, @form) do
+          on(:ok) do
+            flash[:notice] = I18n.t("impersonations.create.success", scope: "decidim.kids")
+            redirect_to decidim.root_path
+          end
+
+          on(:invalid) do
+            flash.now[:alert] = I18n.t("impersonations.create.error", scope: "decidim.kids")
+            render :new
+          end
+        end
+      end
+
+      def close_session
+        CloseSessionManagedMinor.call(current_user, real_user) do
+          on(:ok) do
+            flash[:notice] = I18n.t("impersonations.close_session.success", scope: "decidim.kids")
+            redirect_to decidim.root_path
+          end
+        end
+      end
+
+      private
+
+      def minor_user
+        current_user.minors.find(params[:user_minor_id])
+      end
+    end
+  end
+end