decidim-system 0.30.1 → 0.31.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d3dacf0cec990b7db9bf8bf33ae725d7f1816ce26122f694c21a755aaae584b
-  data.tar.gz: 84824b6cb6dae9122288b1fc5dcb3407d011d4caf048bc88872e2e8c77f0d25d
+  metadata.gz: 05fe2090e59a09f9d9daa1fc7c3d8b2d99fb7c3b449c2f74ce37ce0ee1a48e8e
+  data.tar.gz: bfedfc1597c406c88e5f4e453467c7fcec963bd9e65b5212f3158526560ad9e3
 SHA512:
-  metadata.gz: e3ffa16972672a9766bad4d19f2d3c3f80bd93edce3ce1670182a78b41c43f2169bdbfaf1e01c9c4017643e69f93020c413625739d24ba35a138670277c99579
-  data.tar.gz: 85463b678a52a88f57b6993e91adc9d3db189578cf791cf5d1e2731e94f3c2288d13074bc92bda6e0d3b871078d7365fa297e20689d5806cf55a4cef96174f66
+  metadata.gz: 117e8c702ae168d93f319eab9eaa2825e8234d94893659ab0db0cf07fa39482a5d3f984eb161ffa95ad2dd563ee9a522d58dad865ca7da1f167a517a015f5203
+  data.tar.gz: 2f431ec56287f729ebae1019c6bda1aadaf1ebf0a856ec7e8bd31ea41d75c2d33d3a3afa0edf48f04e524cde3bc59442d87eaef3e4036c5c59f45e01caa9e23f

data/app/commands/decidim/system/create_api_user.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Decidim
+  module System
+    class CreateApiUser < Decidim::Command
+      def initialize(form, current_admin)
+        @form = form
+        @current_admin = current_admin
+      end
+
+      def call
+        return broadcast(:invalid) unless @form.valid?
+
+        transaction do
+          create_api_user
+        end
+
+        broadcast(:ok, @api_user, @api_secret)
+      end
+
+      private
+
+      attr_reader :form, :current_admin
+
+      def create_api_user
+        @api_user = Decidim.traceability.create!(
+          ::Decidim::Api::ApiUser,
+          current_admin,
+          **api_user_attributes
+        )
+      end
+
+      def api_user_attributes
+        {
+          decidim_organization_id: form.organization,
+          name: form.name,
+          nickname: ::Decidim::UserBaseEntity.nicknamize(form.name, organization: form.organization),
+          api_key:,
+          api_secret:,
+          admin: true,
+          admin_terms_accepted_at: Time.current
+        }.tap do |attrs|
+          attrs[:published_at] = Time.current if ::Decidim::Api::ApiUser.column_names.include?("published_at")
+        end
+      end
+
+      def api_key
+        @api_key ||= generate_unique_key
+      end
+
+      def api_secret
+        @api_secret ||= SecureRandom.alphanumeric(Decidim::System.api_users_secret_length)
+      end
+
+      def generate_unique_key
+        loop do
+          key = SecureRandom.alphanumeric(32)
+          return key unless Decidim::Api::ApiUser.exists?(api_key: key)
+        end
+      end
+    end
+  end
+end

data/app/commands/decidim/system/create_oauth_application.rb

@@ -35,7 +35,9 @@ module Decidim
           organization_url: @form.organization_url,
           organization_logo: @form.organization_logo,
           redirect_uri: @form.redirect_uri,
-          scopes: "public"
+          scopes: @form.scopes.join(" "),
+          confidential: @form.confidential?,
+          refresh_tokens_enabled: @form.refresh_tokens_enabled?
         }.tap do |attrs|
           attrs[:organization_logo] = @form.organization_logo if @form.organization_logo.present?
         end

data/app/commands/decidim/system/create_organization.rb

@@ -63,7 +63,6 @@ module Decidim
           users_registration_mode: form.users_registration_mode,
           force_users_to_authenticate_before_access_organization: form.force_users_to_authenticate_before_access_organization,
           badges_enabled: true,
-          user_groups_enabled: true,
           default_locale: form.default_locale,
           omniauth_settings: form.encrypted_omniauth_settings,
           smtp_settings: form.encrypted_smtp_settings,

data/app/commands/decidim/system/refresh_api_user_secret.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Decidim
+  module System
+    class RefreshApiUserSecret < Decidim::Command
+      def initialize(api_user, current_admin)
+        @api_user = api_user
+        @current_admin = current_admin
+      end
+
+      def call
+        return broadcast(:invalid) if @api_user.blank?
+        return broadcast(:invalid) if @current_admin.blank?
+
+        transaction do
+          refresh_secret
+        end
+
+        broadcast(:ok, @api_secret)
+      end
+
+      private
+
+      def refresh_secret
+        Decidim.traceability.update!(
+          @api_user,
+          @current_admin,
+          api_secret:
+        )
+      end
+
+      def api_secret
+        @api_secret ||= SecureRandom.alphanumeric(Decidim::System.api_users_secret_length)
+      end
+    end
+  end
+end

data/app/commands/decidim/system/update_oauth_application.rb

@@ -36,7 +36,10 @@ module Decidim
           decidim_organization_id: @form.decidim_organization_id,
           organization_name: @form.organization_name,
           organization_url: @form.organization_url,
-          redirect_uri: @form.redirect_uri
+          redirect_uri: @form.redirect_uri,
+          scopes: @form.scopes.join(" "),
+          confidential: @form.confidential?,
+          refresh_tokens_enabled: @form.refresh_tokens_enabled?
         }.tap do |attrs|
           attrs[:organization_logo] = @form.organization_logo if @form.organization_logo.present?
         end

data/app/commands/decidim/system/update_organization.rb

@@ -54,6 +54,7 @@ module Decidim
         organization.smtp_settings = form.encrypted_smtp_settings
         organization.file_upload_settings = form.file_upload_settings.final
         organization.content_security_policy = form.content_security_policy
+        organization.header_snippets = form.header_snippets if Decidim.enable_html_header_snippets
 
         organization.save!
       end

data/app/controllers/decidim/system/admins_controller.rb

@@ -24,7 +24,7 @@ module Decidim
 
           on(:invalid) do
             flash.now[:alert] = I18n.t("admins.create.error", scope: "decidim.system")
-            render :new
+            render :new, status: :unprocessable_entity
           end
         end
       end
@@ -46,7 +46,7 @@ module Decidim
 
           on(:invalid) do
             flash.now[:alert] = I18n.t("admins.update.error", scope: "decidim.system")
-            render :edit
+            render :edit, status: :unprocessable_entity
           end
         end
       end

data/app/controllers/decidim/system/api_users_controller.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Decidim
+  module System
+    class ApiUsersController < Decidim::System::ApplicationController
+      helper ::Decidim::MetaTagsHelper
+      helper ::Decidim::Admin::IconLinkHelper
+
+      def index
+        @api_users = api_users
+        @secret_user = session.delete(:api_user)&.with_indifferent_access
+      end
+
+      def new
+        @form = form(::Decidim::System::ApiUserForm).instance
+      end
+
+      def destroy
+        Decidim.traceability.perform_action!("delete", api_user, current_admin) do
+          api_user.destroy!
+        end
+
+        flash[:notice] = I18n.t("api_user.destroy.success", scope: "decidim.system")
+
+        redirect_to action: :index
+      end
+
+      def update
+        RefreshApiUserSecret.call(api_user, current_admin) do
+          on(:ok) do |secret|
+            flash[:notice] = I18n.t("api_user.refresh.success", scope: "decidim.system", user: api_user.api_key)
+            session[:api_user] = { id: api_user.id, secret: secret }
+            redirect_to action: :index
+          end
+
+          on(:invalid) do
+            flash[:notice] = I18n.t("api_user.refresh.error", scope: "decidim.system")
+            redirect_to action: :index
+          end
+        end
+      end
+
+      def create
+        @form = ::Decidim::System::ApiUserForm.from_params(params.merge!(name: params[:admin][:name], organization: organization))
+        CreateApiUser.call(@form, current_admin) do
+          on(:ok) do |api_user, secret|
+            flash[:notice] = I18n.t("api_user.create.success", scope: "decidim.system", user: api_user.api_key)
+            session[:api_user] = { id: api_user.id, secret: secret }
+            redirect_to action: :index
+          end
+
+          on(:invalid) do
+            flash[:error] = I18n.t("api_user.create.error", scope: "decidim.system")
+            render :new, status: :unprocessable_entity
+          end
+        end
+      end
+
+      private
+
+      def api_users
+        ::Decidim::Api::ApiUser.order(:decidim_organization_id, :id)
+      end
+
+      def api_user
+        return unless params[:id]
+
+        @api_user ||= ::Decidim::Api::ApiUser.find(params[:id])
+      end
+
+      def organization
+        ::Decidim::Organization.find(params[:admin][:organization])
+      end
+    end
+  end
+end

data/app/controllers/decidim/system/application_controller.rb

@@ -9,6 +9,7 @@ module Decidim
       include Headers::HttpCachingDisabler
       include DisableRedirectionToExternalHost
       include ActiveStorage::SetCurrent
+      include NeedsRtlDirection
 
       protect_from_forgery with: :exception, prepend: true
 

data/app/controllers/decidim/system/oauth_applications_controller.rb

@@ -30,7 +30,7 @@ module Decidim
 
           on(:invalid) do
             flash.now[:alert] = I18n.t("oauth_applications.create.error", scope: "decidim.system")
-            render :new
+            render :new, status: :unprocessable_entity
           end
         end
       end
@@ -55,7 +55,7 @@ module Decidim
           on(:invalid) do |application|
             @oauth_application = application
             flash.now[:error] = I18n.t("oauth_applications.update.error", scope: "decidim.system")
-            render action: :edit
+            render action: :edit, status: :unprocessable_entity
           end
         end
       end

data/app/controllers/decidim/system/organizations_controller.rb

@@ -24,12 +24,12 @@ module Decidim
 
           on(:invalid_invitation) do
             flash.now[:alert] = t("organizations.create.error_invitation", scope: "decidim.system")
-            render :new
+            render :new, status: :unprocessable_entity
           end
 
           on(:invalid) do
             flash.now[:alert] = t("organizations.create.error", scope: "decidim.system")
-            render :new
+            render :new, status: :unprocessable_entity
           end
         end
       end
@@ -55,7 +55,7 @@ module Decidim
 
           on(:invalid) do
             flash.now[:alert] = I18n.t("organizations.update.error", scope: "decidim.system")
-            render :edit
+            render :edit, status: :unprocessable_entity
           end
         end
       end
@@ -96,7 +96,7 @@ module Decidim
       end
 
       def provider_enabled?(provider)
-        Rails.application.secrets.dig(:omniauth, provider, :enabled)
+        Decidim.omniauth_providers.dig(provider, :enabled)
       end
     end
   end

data/app/forms/decidim/system/api_user_form.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Decidim
+  module System
+    class ApiUserForm < Form
+      mimic :admin
+
+      attribute :name, String
+      attribute :organization, ::Decidim::Organization
+
+      validate :name, :name_uniqueness
+      validates :name, presence: true
+      validates :organization, presence: true
+
+      private
+
+      def name_uniqueness
+        return unless ::Decidim::Api::ApiUser.where(name:).where(organization:).any?
+
+        errors.add(:name, I18n.t("models.api_user.validations.name_uniqueness", scope: "decidim.system"))
+      end
+    end
+  end
+end

data/app/forms/decidim/system/base_organization_form.rb

@@ -18,6 +18,7 @@ module Decidim
       attribute :available_authorizations, Array[String]
       attribute :users_registration_mode, String
       attribute :default_locale, String
+      attribute :header_snippets, String
 
       jsonb_attribute :smtp_settings, [
         [:from, String],
@@ -46,7 +47,7 @@ module Decidim
       attribute :file_upload_settings, FileUploadSettingsForm
 
       OMNIATH_PROVIDERS_ATTRIBUTES = Decidim::OmniauthProvider.available.keys.map do |provider|
-        Rails.application.secrets.dig(:omniauth, provider).keys.map do |setting|
+        Decidim.omniauth_providers[provider].keys.map do |setting|
           if setting == :enabled
             [:"omniauth_settings_#{provider}_enabled", Boolean]
           else

data/app/forms/decidim/system/oauth_application_form.rb

@@ -9,30 +9,57 @@ module Decidim
       mimic :oauth_application
 
       attribute :name, String
+      attribute :application_type, String
       attribute :decidim_organization_id, Integer
       attribute :organization_name, String
       attribute :organization_url, String
       attribute :organization_logo
       attribute :redirect_uri, String
+      attribute :scopes, Array[String], default: ::Doorkeeper.config.default_scopes.all
+      attribute :refresh_tokens_enabled, Boolean, default: false
 
       validates :name, :redirect_uri, :decidim_organization_id, :organization_name, :organization_url, presence: true
-      validates :redirect_uri, :organization_url, url: true
+      validates :application_type, inclusion: { in: :application_types }
+      validates :organization_url, url: true
       validates :organization_logo, presence: true, unless: :persisted?
       validates :organization_logo, passthru: { to: Decidim::OAuthApplication }
+      validates :scopes, inclusion: { in: ::Doorkeeper.config.scopes.all }
       validate :redirect_uri_is_ssl
 
+      def map_model(model)
+        self.application_type = model.confidential? ? "confidential" : "public"
+      end
+
       def organization
         current_organization || Decidim::Organization.find_by(id: decidim_organization_id)
       end
 
+      def application_types
+        %w(confidential public)
+      end
+
+      def confidential?
+        application_type == "confidential"
+      end
+
       private
 
       def redirect_uri_is_ssl
         return if redirect_uri.blank?
 
         uri = URI.parse(redirect_uri)
+        return if local_uri?(uri)
+
+        # We assume confidential clients need to always connect through `https`.
+        #
+        # For public clients, we display the error only if the scheme is `http`
+        # because e.g. iOS application redirect URI may require to use a
+        # different scheme.
+        errors.add(:redirect_uri, :must_be_ssl) if (confidential? && uri.scheme != "https") || uri.scheme == "http"
+      end
 
-        errors.add(:redirect_uri, :must_be_ssl) if uri.host != "localhost" && uri.scheme != "https"
+      def local_uri?(uri)
+        %w(localhost 10.0.2.2).include?(uri.host)
       end
     end
   end

data/app/helpers/decidim/system/api_users_helper.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Decidim
+  module System
+    module ApiUsersHelper
+      def fresh_token?(api_user)
+        @secret_user.present? &&
+          @secret_user[:id].present? &&
+          @secret_user[:id] == api_user.id
+      end
+
+      def organizations
+        Decidim::Organization.all
+      end
+    end
+  end
+end

data/app/packs/entrypoints/decidim_system_overrides.scss

@@ -1,2 +1,2 @@
 // Application specific styles: https://docs.decidim.org/en/customize/styles/
-@import "stylesheets/decidim/system/decidim_application";
+@use "stylesheets/decidim/system/decidim_application";

data/app/packs/stylesheets/decidim/system/application.scss

@@ -1,4 +1,4 @@
-@import "tom-select/dist/scss/tom-select";
+@use "tom-select/dist/scss/tom-select";
 
 :root {
   --primary: #e02d2d;
@@ -52,7 +52,10 @@ table {
   tr:nth-child(even) td {
     @apply bg-gray-3;
   }
+}
 
+table,
+.text-content {
   a {
     @apply text-primary underline;
   }
@@ -164,3 +167,15 @@ dl {
 .tabs-panel[aria-hidden="true"] {
   @apply hidden;
 }
+
+.input-group__password {
+  @apply w-full relative;
+
+  input {
+    @apply w-full;
+  }
+
+  button {
+    @apply absolute ltr:right-2 rtl:left-2 top-4;
+  }
+}

data/app/views/decidim/system/api_users/index.html.erb

@@ -0,0 +1,13 @@
+<% add_decidim_page_title(t(".manage")) %>
+
+<% provide :title do %>
+  <h1 class="h1"><%= t ".manage" %></h1>
+<% end %>
+
+<div class="text-content space-y-4">
+  <%= t ".explanation_html", oauth_link: decidim_system.oauth_applications_path %>
+</div>
+
+<%= link_to t("new", scope:"decidim.system.actions.api_users"), [:new, :api_user], class: "button button__sm md:button__lg button__primary" %>
+
+<%= render partial: "decidim/system/shared/api_users", locals: { api_users: @api_users } %>

data/app/views/decidim/system/api_users/new.html.erb

@@ -0,0 +1,15 @@
+<% add_decidim_page_title(t(".title")) %>
+
+<% provide :title do %>
+  <h1 class="h1"><%= t ".title" %></h1>
+<% end %>
+<%= decidim_form_for(@form, url: api_users_path, method: :post, class: "api-user", html: { id: "new_api_user" }) do |f| %>
+  <div class="form__wrapper">
+    <%= f.select :organization, organizations.map { |organization| ["#{organization_name(organization)} (#{organization.host})", organization.id] }, prompt: t(".select_organization") %>
+    <%= f.text_field :name, autofocus: true %>
+
+    <div class="form__wrapper-block">
+      <%= f.submit t("decidim.system.actions.api_users.create"), class: "button button__sm md:button__lg button__primary" %>
+    </div>
+  </div>
+<% end %>

data/app/views/decidim/system/oauth_applications/_form.html.erb

@@ -1,5 +1,23 @@
 <div class="form__wrapper">
   <%= form.text_field :name %>
+
+  <%= field_set_tag form.label(:application_type, nil, for: nil) do %>
+    <span class="help-text"><%= t(".application_type_help_html", client_type_link: "https://datatracker.ietf.org/doc/html/rfc6749#section-2.1", pkce_link: "https://datatracker.ietf.org/doc/html/rfc7636") %></span>
+    <%=
+    form.collection_radio_buttons(
+      :application_type,
+      form.object.application_types,
+      :to_s,
+      ->(type) { t(".application_type.#{type}.name") }
+    ) do |builder|
+      builder.label(for: nil, class: "form__wrapper-checkbox-label") do
+        explanation = t(".application_type.#{builder.value}.explanation")
+        builder.radio_button(id: nil) + %(#{sanitize(builder.text)}<br><span class="help-text">#{sanitize(explanation)}</span>).html_safe
+      end
+    end
+    %>
+  <% end %>
+
   <%= form.text_field :redirect_uri %>
   <%= form.select :decidim_organization_id,
                   Decidim::Organization.all.map { |o| [organization_name(o), o.id] },
@@ -8,4 +26,21 @@
   <%= form.text_field :organization_name %>
   <%= form.text_field :organization_url %>
   <%= form.upload :organization_logo, required: true, button_class: "button button__lg button__transparent-primary" %>
+
+  <%= field_set_tag form.label(:refresh_tokens, nil, for: nil) do %>
+    <span class="help-text"><%= t(".refresh_tokens_help_html") %></span>
+    <%= form.check_box :refresh_tokens_enabled, label_options: { class: "form__wrapper-checkbox-label" } %>
+  <% end %>
+
+  <%= field_set_tag form.label(:scopes, nil, for: nil) do %>
+    <%=
+      form.collection_check_boxes :scopes, Doorkeeper.config.scopes.all, :to_s, :to_s, include_hidden: false, help_text: t(".scopes_help_html") do |option|
+        option.label(class: "form__wrapper-checkbox-label") do
+          option.check_box(checked: form.object.scopes.include?(option.value)) +
+            option.text +
+            content_tag(:div, class: "help-text") { t(".scopes_explanation.#{option.value}") }
+        end
+      end
+    %>
+  <% end %>
 </div>

data/app/views/decidim/system/organizations/_advanced_settings.html.erb

@@ -1,4 +1,4 @@
-<button id="advanced-settings-trigger" data-component="dropdown" data-target="advanced-settings-panel" type="button" class="button button__sm md:button__lg button__primary w-fit" aria-expanded="false">
+<button id="advanced-settings-trigger" data-controller="dropdown" data-target="advanced-settings-panel" type="button" class="button button__sm md:button__lg button__primary w-fit" aria-expanded="false">
   <span><%= t(".show") %></span>
   <span><%= t(".hide") %></span>
 </button>

data/app/views/decidim/system/organizations/_file_upload_settings.erb

@@ -6,9 +6,9 @@
     <% i18n_scope = "#{f.object.class.i18n_scope}.attributes.#{settings_form.object.model_name.i18n_key}.allowed_file_extensions" %>
 
     <%= field_set_tag f.label(t(".file_extensions.title"), nil, for: nil), class: "border-2 border-background p-4 form__wrapper" do %>
-      <%= extensions_form.text_field :default, class: "js-tags-container mt-4", label: t("default", scope: i18n_scope), help_text: t(".file_extensions.default_hint") %>
-      <%= extensions_form.text_field :image, class: "js-tags-container mt-4", label: t("image", scope: i18n_scope), help_text: t(".file_extensions.image_hint") %>
-      <%= extensions_form.text_field :admin, class: "js-tags-container mt-4", label: t("admin", scope: i18n_scope), help_text: t(".file_extensions.admin_hint") %>
+      <%= extensions_form.text_field :default, data: { controller: "input-tags" }, class: "mt-4", label: t("default", scope: i18n_scope), help_text: t(".file_extensions.default_hint") %>
+      <%= extensions_form.text_field :image, data: { controller: "input-tags" }, class: "mt-4", label: t("image", scope: i18n_scope), help_text: t(".file_extensions.image_hint") %>
+      <%= extensions_form.text_field :admin, data: { controller: "input-tags" }, class: "mt-4", label: t("admin", scope: i18n_scope), help_text: t(".file_extensions.admin_hint") %>
     <% end %>
   <% end %>
 
@@ -17,8 +17,8 @@
 
     <%= field_set_tag f.label(t(".content_types.title"), nil, for: nil), class: "border-2 border-background p-4 form__wrapper" do %>
       <p class="help-text"><%= t(".content_types.intro_html") %></p>
-      <%= extensions_form.text_field :default, class: "js-tags-container mt-4", label: t("default", scope: i18n_scope), help_text: t(".content_types.default_hint") %>
-      <%= extensions_form.text_field :admin, class: "js-tags-container mt-4", label: t("admin", scope: i18n_scope), help_text: t(".content_types.admin_hint") %>
+      <%= extensions_form.text_field :default, data: { controller: "input-tags" }, class: "mt-4", label: t("default", scope: i18n_scope), help_text: t(".content_types.default_hint") %>
+      <%= extensions_form.text_field :admin, data: { controller: "input-tags" }, class: "mt-4", label: t("admin", scope: i18n_scope), help_text: t(".content_types.admin_hint") %>
     <% end %>
   <% end %>
 

data/app/views/decidim/system/organizations/_omniauth_provider.html.erb

@@ -11,7 +11,7 @@
     label_options: { class: "form__wrapper-checkbox-label" }
   ) %>
 
-  <% Rails.application.secrets.dig(:omniauth, provider.to_sym).keys.select { |k| k != :enabled }.each do |setting| %>
+  <% Decidim.omniauth_providers.dig(provider.to_sym).keys.select { |k| k != :enabled }.each do |setting| %>
   <%= f.text_field("omniauth_settings_#{provider}_#{setting}", label: I18n.t(
         ".#{setting}",
         scope: [:icon, :icon_path].include?(setting) ? i18n_scope : "#{i18n_scope}.#{provider}"

data/app/views/decidim/system/organizations/edit.html.erb

@@ -33,6 +33,10 @@
       end %>
     <% end %>
 
+    <% if Decidim.enable_html_header_snippets %>
+      <%= f.text_area :header_snippets, help_text: t("decidim.system.organizations.header_snippets_help_html"), rows: 10 %>
+    <% end %>
+
     <%= render partial: "advanced_settings", locals: { f: } %>
   </div>