decidim-system 0.28.1 → 0.29.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3a35646cb8914a3d098676b0ed5ca18bc5d77a3112d96e483287a99fae05362c
-  data.tar.gz: 3e57b2bbefb5309281431d8960af134285e3926cf351add494969511c773e0d2
+  metadata.gz: 947a58b195365e516146ac29a1b1ccf623416523defcc0fe31ae44e3fd697a36
+  data.tar.gz: 713c800019aebcf933159515236a8c5c4dd5c79543f2822e1ac75059b0ddf293
 SHA512:
-  metadata.gz: 3ffa69136fa5dad543b2ae62b60938ed0f7d50bdb9592c8abc0326d99dd0fec08942a8069c4797ee008601bc4141a8c3fe418edd5d990714c052617ea29a2b0d
-  data.tar.gz: d04818e42d0651f8b70933a7758122cb13de4ae3b5c267a4fea821d6a037c49c9e438818ac60fc8a95cb539c5ac46c81164d1c4a8d1bd063efdb8bc645c7e8ae
+  metadata.gz: f88a26f5fdd1527aafaaadf95c4a6e450e08846d2852277a17c4fac539cd55b5311d7d8d5d71b6399b225194d7668bd2cb6d1993df265e86aec9fc29ba2e19c1
+  data.tar.gz: 675c8a7bf6cd5eb07ef01aba70ba8423673c5c4e4a624d49bc3b6dbe6548444e3c690b27b4afc8f96fcb3e597334947d3f1e85432dd7f9503be4b5008063748f

data/README.md

@@ -49,7 +49,7 @@ bin/rails decidim_system:create_admin
 You will be asked for an email and a password. For security, the password will not get displayed back at you and you will need to confirm it.
 
 Once you have created your first admin you can access the system dashboard at `/system`. For instance, if you have Decidim running at `https://example.org`, this URL would be `https://example.org/system`.
-You will be able to login with your newly created user.
+You will be able to log in with your newly created user.
 
 From the system dashboard you can add new admins.
 
@@ -73,11 +73,11 @@ system_admin.save
 
 ## Managing organizations
 
-Once you have your system admin setup you can also start managing the organizations in your deploy. To do it, login at the system dashboard and create a new organization
+Once you have your system admin setup you can also start managing the organizations in your deploy. To do it, log in at the system dashboard and create a new organization
 following the form instructions. After creating it, a new admin user will be created and invited to start managing it.
 
 Remember that System admins and regular Admins are completely different users (they do not even share the same database table), so you cannot use your
-system user to login in as an organization admin.
+system user to log in in as an organization admin.
 
 ## Contributing
 

data/app/cells/decidim/system/system_checks/show.erb

@@ -0,0 +1,13 @@
+<ul>
+  <% checks.each do |key, check| %>
+    <li>
+      <% if check[:check_method] %>
+        <%= icon "checkbox-circle-line", class: "fill-success inline" %>
+        <%= t("#{key}.success", scope: "decidim.system.system_checks") %>
+      <% else %>
+        <%= icon "close-circle-line", class: "fill-alert inline" %>
+        <%= t("#{key}.error", scope: "decidim.system.system_checks", error_extra: check[:error_extra]) %>
+      <% end %>
+    </li>
+  <% end %>
+</ul>

data/app/cells/decidim/system/system_checks_cell.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Decidim
+  module System
+    class SystemChecksCell < Decidim::ViewModel
+      def show
+        render
+      end
+
+      private
+
+      def checks
+        {
+          secret_key: {
+            check_method: correct_secret_key_base?,
+            error_extra: generated_secret_key
+          },
+          active_job_queue: {
+            check_method: correct_active_job_queue?,
+            error_extra: active_job_queue_link
+          }
+        }
+      end
+
+      def correct_secret_key_base?
+        Rails.application.secrets.secret_key_base&.length == 128
+      end
+
+      def generated_secret_key
+        SecureRandom.hex(64)
+      end
+
+      def correct_active_job_queue?
+        # The default ActiveJob queue is not recommended for production environments,
+        # as it can lose jobs when restarting
+        Rails.application.config.active_job.queue_adapter != :async
+      end
+
+      def active_job_queue_link
+        link_to(t("active_job_queue.decidim_documentation", scope: "decidim.system.system_checks"),
+                "https://docs.decidim.org/en/develop/services/activejob",
+                class: "underline text-primary",
+                target: "_blank",
+                rel: "nofollow noopener noreferrer")
+      end
+    end
+  end
+end

data/app/commands/decidim/system/create_default_content_blocks.rb

@@ -5,9 +5,6 @@ module Decidim
     # A command with all the business logic to create the default content blocks
     # for a newly-created organization.
     class CreateDefaultContentBlocks < Decidim::Command
-      DEFAULT_CONTENT_BLOCKS =
-        [:hero, :sub_hero, :highlighted_content_banner, :how_to_participate, :stats, :metrics, :footer_sub_hero].freeze
-
       # Public: Initializes the command.
       #
       # form - A form object with the params.

data/app/commands/decidim/system/{populate_help.rb → create_default_help_pages.rb}

@@ -3,7 +3,9 @@
 module Decidim
   module System
     # A command that will create default help pages for an organization.
-    class PopulateHelp < Decidim::Command
+    class CreateDefaultHelpPages < Decidim::Command
+      include Decidim::TranslatableAttributes
+
       # Public: Initializes the command.
       #
       # organization - An organization
@@ -17,16 +19,17 @@ module Decidim
       def call
         ActiveRecord::Base.transaction do
           topic = Decidim::StaticPageTopic.create!(
-            title: multi_translation("decidim.help.main_topic.title", organization: @organization.name),
-            description: multi_translation("decidim.help.main_topic.description", organization: @organization.name),
+            title: multi_translation("decidim.help.main_topic.title", organization: organization_name),
+            description: multi_translation("decidim.help.main_topic.description", organization: organization_name),
             organization: @organization,
+            show_in_footer: true,
             weight: 0
           )
 
           Decidim::StaticPage.create!(
             slug: "help",
-            title: multi_translation("decidim.help.main_topic.default_page.title", organization: @organization.name),
-            content: multi_translation("decidim.help.main_topic.default_page.content", organization: @organization.name),
+            title: multi_translation("decidim.help.main_topic.default_page.title", organization: organization_name),
+            content: multi_translation("decidim.help.main_topic.default_page.content", organization: organization_name),
             topic:,
             organization: @organization,
             weight: 0
@@ -49,8 +52,12 @@ module Decidim
         end
       end
 
-      def multi_translation(key, **arguments)
-        Decidim::TranslationsHelper.multi_translation(key, @organization.available_locales, **arguments)
+      def multi_translation(key, **)
+        Decidim::TranslationsHelper.multi_translation(key, @organization.available_locales, **)
+      end
+
+      def organization_name
+        translated_attribute(@organization.name)
       end
     end
   end

data/app/commands/decidim/system/create_default_pages.rb

@@ -23,7 +23,6 @@ module Decidim
             translated_slug = I18n.t(slug, scope: "decidim.system.default_pages")
             page.title = localized_attribute(translated_slug, :title)
             page.content = localized_attribute(translated_slug, :content)
-            page.show_in_footer = true
             page.allow_public_access = true if slug == "terms-of-service"
           end
 

data/app/commands/decidim/system/{register_organization.rb → create_organization.rb}

@@ -2,10 +2,14 @@
 
 module Decidim
   module System
+    class InvitationFailedError < ActiveRecord::RecordInvalid
+    end
+
     # A command with all the business logic when creating a new organization in
     # the system. It creates the organization and invites the admin to the
     # system.
-    class RegisterOrganization < Decidim::Command
+
+    class CreateOrganization < Decidim::Command
       # Public: Initializes the command.
       #
       # form - A form object with the params.
@@ -24,21 +28,21 @@ module Decidim
 
         @organization = nil
         invite_form = nil
-        invitation_failed = false
 
         transaction do
           @organization = create_organization
           CreateDefaultPages.call(@organization)
-          PopulateHelp.call(@organization)
+          CreateDefaultHelpPages.call(@organization)
           CreateDefaultContentBlocks.call(@organization)
           invite_form = invite_user_form(@organization)
-          invitation_failed = invite_form.invalid?
+          raise InvitationFailedError if invite_form.invalid?
         end
-        return broadcast(:invalid) if invitation_failed
 
         Decidim::InviteUser.call(invite_form) if @organization && invite_form
 
         broadcast(:ok)
+      rescue InvitationFailedError
+        broadcast(:invalid_invitation)
       rescue ActiveRecord::RecordInvalid, ActiveRecord::RecordNotUnique
         broadcast(:invalid)
       end
@@ -49,13 +53,13 @@ module Decidim
 
       def create_organization
         Decidim::Organization.create!(
-          name: form.name,
+          name: { form.default_locale => form.name },
           host: form.host,
           secondary_hosts: form.clean_secondary_hosts,
           reference_prefix: form.reference_prefix,
           available_locales: form.available_locales,
           available_authorizations: form.clean_available_authorizations,
-          external_domain_whitelist: ["decidim.org", "github.com"],
+          external_domain_allowlist: ["decidim.org", "github.com"],
           users_registration_mode: form.users_registration_mode,
           force_users_to_authenticate_before_access_organization: form.force_users_to_authenticate_before_access_organization,
           badges_enabled: true,
@@ -72,10 +76,7 @@ module Decidim
 
       def default_colors
         {
-          alert: "#ec5840",
           primary: "#53bf40",
-          success: "#57d685",
-          warning: "#ffae00",
           tertiary: "#bf4053",
           secondary: "#4053bf"
         }

data/app/controllers/decidim/system/dashboard_controller.rb

@@ -10,6 +10,8 @@ module Decidim
         @admins = Admin.all
       end
 
+      private
+
       def check_organizations_presence
         return if Organization.exists?
 

data/app/controllers/decidim/system/organizations_controller.rb

@@ -16,12 +16,17 @@ module Decidim
       def create
         @form = form(RegisterOrganizationForm).from_params(params)
 
-        RegisterOrganization.call(@form) do
+        CreateOrganization.call(@form) do
           on(:ok) do
             flash[:notice] = t("organizations.create.success_html", scope: "decidim.system", host: @form.host, email: @form.organization_admin_email)
             redirect_to organizations_path
           end
 
+          on(:invalid_invitation) do
+            flash.now[:alert] = t("organizations.create.error_invitation", scope: "decidim.system")
+            render :new
+          end
+
           on(:invalid) do
             flash.now[:alert] = t("organizations.create.error", scope: "decidim.system")
             render :new
@@ -39,6 +44,7 @@ module Decidim
       end
 
       def update
+        @organization = Organization.find(params[:id])
         @form = form(UpdateOrganizationForm).from_params(params)
 
         UpdateOrganization.call(params[:id], @form) do

data/app/forms/decidim/system/base_organization_form.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+require "decidim/translatable_attributes"
+
+module Decidim
+  module System
+    # A form object to be inherited to create and update organizations from the system dashboard.
+    #
+    class BaseOrganizationForm < Form
+      include TranslatableAttributes
+      include JsonbAttributes
+
+      mimic :organization
+
+      attribute :host, String
+      attribute :secondary_hosts, String
+      attribute :force_users_to_authenticate_before_access_organization, Boolean
+      attribute :available_authorizations, Array[String]
+      attribute :users_registration_mode, String
+      attribute :default_locale, String
+
+      jsonb_attribute :smtp_settings, [
+        [:from, String],
+        [:from_email, String],
+        [:from_label, String],
+        [:user_name, String],
+        [:encrypted_password, String],
+        [:address, String],
+        [:port, Integer],
+        [:authentication, String],
+        [:enable_starttls_auto, Boolean]
+      ]
+
+      jsonb_attribute :content_security_policy, [
+        [:"default-src", String],
+        [:"img-src", String],
+        [:"media-src", String],
+        [:"script-src", String],
+        [:"style-src", String],
+        [:"frame-src", String],
+        [:"font-src", String],
+        [:"connect-src", String]
+      ]
+
+      attribute :password, String
+      attribute :file_upload_settings, FileUploadSettingsForm
+
+      OMNIATH_PROVIDERS_ATTRIBUTES = Decidim::OmniauthProvider.available.keys.map do |provider|
+        Rails.application.secrets.dig(:omniauth, provider).keys.map do |setting|
+          if setting == :enabled
+            ["omniauth_settings_#{provider}_enabled".to_sym, Boolean]
+          else
+            ["omniauth_settings_#{provider}_#{setting}".to_sym, String]
+          end
+        end
+      end.flatten(1)
+
+      jsonb_attribute :omniauth_settings, OMNIATH_PROVIDERS_ATTRIBUTES
+
+      validates :host, :users_registration_mode, presence: true
+      validate :validate_organization_uniqueness
+      validate :validate_secret_key_base_for_encryption
+      validates :users_registration_mode, inclusion: { in: Decidim::Organization.users_registration_modes }
+
+      def map_model(model)
+        self.default_locale = model.default_locale
+        self.secondary_hosts = model.secondary_hosts.join("\n")
+        self.omniauth_settings = (model.omniauth_settings || {}).transform_values do |v|
+          Decidim::OmniauthProvider.value_defined?(v) ? Decidim::AttributeEncryptor.decrypt(v) : v
+        end
+        self.file_upload_settings = FileUploadSettingsForm.from_model(model.file_upload_settings)
+      end
+
+      def clean_secondary_hosts
+        return unless secondary_hosts
+
+        secondary_hosts.split("\n").map(&:chomp).select(&:present?)
+      end
+
+      def clean_available_authorizations
+        return unless available_authorizations
+
+        available_authorizations.select(&:present?)
+      end
+
+      def password
+        encrypted_password.nil? ? super : Decidim::AttributeEncryptor.decrypt(encrypted_password)
+      end
+
+      def encrypted_smtp_settings
+        smtp_settings["from"] = set_from
+
+        encrypted = smtp_settings.merge(encrypted_password: Decidim::AttributeEncryptor.encrypt(password))
+        # if all are empty, nil is returned so it does not break ENV vars configuration
+        encrypted.values.all?(&:blank?) ? nil : encrypted
+      end
+
+      def set_from
+        return from_email if from_label.blank?
+
+        "#{from_label} <#{from_email}>"
+      end
+
+      def encrypted_omniauth_settings
+        encrypted = omniauth_settings.transform_values do |v|
+          Decidim::OmniauthProvider.value_defined?(v) ? Decidim::AttributeEncryptor.encrypt(v) : v
+        end
+        # if all are empty, nil is returned so it does not break ENV vars configuration
+        encrypted.values.all?(&:blank?) ? nil : encrypted
+      end
+
+      private
+
+      # We need a valid secret key base for encrypting the SMTP password with it
+      # It is also necessary for other things in Rails (like Cookies encryption)
+      def validate_secret_key_base_for_encryption
+        return if Rails.application.secrets.secret_key_base&.length == 128
+
+        errors.add(:password, I18n.t("activemodel.errors.models.organization.attributes.password.secret_key"))
+      end
+
+      def validate_organization_uniqueness
+        raise "#{self.class.name} is expected to implement #validate_organization_uniqueness"
+      end
+    end
+  end
+end

data/app/forms/decidim/system/register_organization_form.rb

@@ -6,10 +6,12 @@ module Decidim
   module System
     # A form object used to create organizations from the system dashboard.
     #
-    class RegisterOrganizationForm < UpdateOrganizationForm
+    class RegisterOrganizationForm < BaseOrganizationForm
       include JsonbAttributes
       mimic :organization
 
+      attribute :name, String
+
       attribute :organization_admin_email, String
       attribute :organization_admin_name, String
       attribute :available_locales, Array
@@ -18,11 +20,29 @@ module Decidim
       attribute :users_registration_mode, String
       attribute :force_users_to_authenticate_before_access_organization, Boolean
 
-      validates :organization_admin_email, :organization_admin_name, :name, :host, :reference_prefix, :users_registration_mode, presence: true
+      validates :organization_admin_email, :organization_admin_name, :name, :reference_prefix, presence: true
+      validates :name, presence: true
       validates :available_locales, presence: true
       validates :default_locale, presence: true
       validates :default_locale, inclusion: { in: :available_locales }
-      validates :users_registration_mode, inclusion: { in: Decidim::Organization.users_registration_modes }
+
+      private
+
+      def validate_organization_uniqueness
+        base_query = Decidim::Organization.pluck(:name)
+
+        organization_names = []
+
+        base_query.each do |value|
+          organization_names += value.except("machine_translations").values
+          organization_names += value.fetch("machine_translations", {}).values
+        end
+
+        organization_names = organization_names.map(&:downcase)
+
+        errors.add(:name, :taken) if organization_names.include?(name&.downcase)
+        errors.add(:host, :taken) if Decidim::Organization.where(host:).where.not(id:).exists?
+      end
     end
   end
 end

data/app/forms/decidim/system/update_organization_form.rb

@@ -6,106 +6,36 @@ module Decidim
   module System
     # A form object used to update organizations from the system dashboard.
     #
-    class UpdateOrganizationForm < Form
-      include TranslatableAttributes
-      include JsonbAttributes
+    class UpdateOrganizationForm < BaseOrganizationForm
+      translatable_attribute :name, String
 
-      mimic :organization
+      validate :validate_organization_name_presence
 
-      attribute :name, String
-      attribute :host, String
-      attribute :secondary_hosts, String
-      attribute :force_users_to_authenticate_before_access_organization, Boolean
-      attribute :available_authorizations, Array[String]
-      attribute :users_registration_mode, String
-      jsonb_attribute :smtp_settings, [
-        [:from, String],
-        [:from_email, String],
-        [:from_label, String],
-        [:user_name, String],
-        [:encrypted_password, String],
-        [:address, String],
-        [:port, Integer],
-        [:authentication, String],
-        [:enable_starttls_auto, Boolean]
-      ]
-
-      jsonb_attribute :content_security_policy, [
-        [:"default-src", String],
-        [:"img-src", String],
-        [:"media-src", String],
-        [:"script-src", String],
-        [:"style-src", String],
-        [:"frame-src", String],
-        [:"font-src", String],
-        [:"connect-src", String]
-      ]
-
-      attribute :password, String
-      attribute :file_upload_settings, FileUploadSettingsForm
-
-      OMNIATH_PROVIDERS_ATTRIBUTES = Decidim::OmniauthProvider.available.keys.map do |provider|
-        Rails.application.secrets.dig(:omniauth, provider).keys.map do |setting|
-          if setting == :enabled
-            ["omniauth_settings_#{provider}_enabled".to_sym, Boolean]
-          else
-            ["omniauth_settings_#{provider}_#{setting}".to_sym, String]
-          end
-        end
-      end.flatten(1)
-
-      jsonb_attribute :omniauth_settings, OMNIATH_PROVIDERS_ATTRIBUTES
-
-      validates :name, :host, :users_registration_mode, presence: true
-      validate :validate_organization_uniqueness
-      validates :users_registration_mode, inclusion: { in: Decidim::Organization.users_registration_modes }
-
-      def map_model(model)
-        self.secondary_hosts = model.secondary_hosts.join("\n")
-        self.omniauth_settings = (model.omniauth_settings || {}).transform_values do |v|
-          Decidim::OmniauthProvider.value_defined?(v) ? Decidim::AttributeEncryptor.decrypt(v) : v
-        end
-        self.file_upload_settings = FileUploadSettingsForm.from_model(model.file_upload_settings)
-      end
-
-      def clean_secondary_hosts
-        return unless secondary_hosts
-
-        secondary_hosts.split("\n").map(&:chomp).select(&:present?)
-      end
-
-      def clean_available_authorizations
-        return unless available_authorizations
+      private
 
-        available_authorizations.select(&:present?)
+      def validate_organization_name_presence
+        translated_attr = "name_#{current_organization.try(:default_locale) || Decidim.default_locale.to_s}".to_sym
+        errors.add(translated_attr, :blank) if send(translated_attr).blank?
       end
 
-      def password
-        encrypted_password.nil? ? super : Decidim::AttributeEncryptor.decrypt(encrypted_password)
-      end
+      def validate_organization_uniqueness
+        base_query = persisted? ? Decidim::Organization.where.not(id:).all : Decidim::Organization.all
 
-      def encrypted_smtp_settings
-        smtp_settings["from"] = set_from
+        organization_names = []
 
-        smtp_settings.merge(encrypted_password: Decidim::AttributeEncryptor.encrypt(password))
-      end
+        base_query.pluck(:name).each do |value|
+          organization_names += value.except("machine_translations").values
+          organization_names += value.fetch("machine_translations", {}).values
+        end
 
-      def set_from
-        return from_email if from_label.blank?
+        organization_names = organization_names.map(&:downcase).compact_blank
 
-        "#{from_label} <#{from_email}>"
-      end
+        name.each do |language, value|
+          next if value.is_a?(Hash)
 
-      def encrypted_omniauth_settings
-        omniauth_settings.transform_values do |v|
-          Decidim::OmniauthProvider.value_defined?(v) ? Decidim::AttributeEncryptor.encrypt(v) : v
+          errors.add("name_#{language}", :taken) if organization_names.include?(value.downcase)
         end
-      end
 
-      private
-
-      def validate_organization_uniqueness
-        errors.add(:name, :taken) if Decidim::Organization.where(name:).where.not(id:).exists?
         errors.add(:host, :taken) if Decidim::Organization.where(host:).where.not(id:).exists?
       end
     end

data/app/models/decidim/system/admin.rb

@@ -13,8 +13,8 @@ module Decidim
       private
 
       # Changes default Devise behaviour to use ActiveJob to send async emails.
-      def send_devise_notification(notification, *args)
-        devise_mailer.send(notification, self, *args).deliver_later
+      def send_devise_notification(notification, *)
+        devise_mailer.send(notification, self, *).deliver_later
       end
     end
   end

data/app/packs/stylesheets/decidim/system/application.scss

@@ -107,3 +107,60 @@ dl {
 .ts-dropdown {
   margin: 0;
 }
+
+.tabs--lang {
+  @apply bg-transparent flex items-center gap-x-1;
+
+  li {
+    @apply p-0.5 rounded-t-sm text-secondary text-xs;
+
+    background-color: rgba(243, 244, 247, 1);
+
+    &.is-active,
+    &:hover {
+      @apply border-b border-secondary;
+    }
+
+    &:hover {
+      background-color: rgba(243, 244, 247, 1);
+    }
+  }
+
+  a {
+    @apply text-xs p-0;
+
+    &::before {
+      @apply content-[''] w-2 h-2 inline-block bg-white rounded-full mr-2 border;
+
+      border-color: rgba(116, 129, 144, 1);
+    }
+  }
+
+  .tabs-title > a[aria-selected="true"] {
+    @apply font-bold text-secondary;
+
+    background-color: rgba(243, 244, 247, 1);
+
+    &::before {
+      @apply border-white;
+
+      background-color: rgba(40, 167, 69, 1);
+    }
+  }
+
+  a.is-tab-error {
+    color: red;
+  }
+}
+
+.label--tabs {
+  @apply flex justify-between items-end;
+
+  label {
+    @apply inline-block;
+  }
+}
+
+.tabs-panel[aria-hidden="true"] {
+  @apply hidden;
+}

data/app/views/decidim/system/dashboard/show.html.erb

@@ -4,6 +4,10 @@
   <h1 class="h1"><%= t("decidim.system.titles.dashboard") %></h1>
 <% end %>
 
+<h2 class="h3"><%= t ".system_checks" %></h2>
+
+<%= cell "decidim/system/system_checks", nil %>
+
 <h2 class="h3"><%= t ".current_organizations" %></h2>
 
 <%= link_to t("actions.new_organization", scope: "decidim.system"), [:new, :organization], class: "button button__sm md:button__lg button__primary" %>

data/app/views/decidim/system/oauth_applications/_form.html.erb

@@ -2,7 +2,7 @@
   <%= form.text_field :name %>
   <%= form.text_field :redirect_uri %>
   <%= form.select :decidim_organization_id,
-                  Decidim::Organization.pluck(:name, :id),
+                  Decidim::Organization.all.map { |o| [organization_name(o), o.id] },
                   { include_blank: t(".select_organization") },
                   { multiple: false } %>
   <%= form.text_field :organization_name %>