decidim-verifications 0.21.0 → 0.22.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c914bf8725d476212afdde6db64fc538308bae0b39cef0d96e835be16e6a92d
-  data.tar.gz: 19845e9b6f88a45489af575d42865e4c17eb7a8db4bc1c5b21fc84319d9e205e
+  metadata.gz: ee208339d39a5f1b778599a3c9645999e76475fb1f413e72a78c276e5fe09e1a
+  data.tar.gz: 48d43893269f7caf25a6cad9d9139e140f9f746b298e776e05d50dc8469bea35
 SHA512:
-  metadata.gz: b406e8086b02340cca468b7cf4d3f018de59f3330b98d28976a4aa6c5bc939b87dd35376310279b44ec41831c8468dfbb9a20da4d974293a468024764f637894
-  data.tar.gz: 55461cef2fd47cc4e5d3de10654bc90c985020c0f857b807f8800af3de06bcfe7cc9a5c2b145b8a509f0865c90c1471d337707357a4c650948c4cdbe168cb59a
+  metadata.gz: ae51a4e909b47ff69057eef77063336fd8a3e31a27cb94d03761199558d5fddf4be312b583257b3d9d8be8d962e413fbadd57a567d9e20a1308cb34f78e4e29b
+  data.tar.gz: 2f483e0bace8f874d488e47148b3041d078fcea5cb60ee10ece631e38697cd14cb6e9c4ee5ce0887f6619e98357d771688afd0815ba526f6b65cba9ee4ffd0d6

data/README.md

@@ -62,7 +62,7 @@ Decidim implements two type of authorization methods:
   # config/initializers/decidim.rb
 
   Decidim::Verifications.register_workflow(:census) do |workflow|
-    workflow.form = "<myAuthorizationHandlerClass"
+    workflow.form = "<myAuthorizationHandlerClass>"
   end
   ```
 
@@ -97,6 +97,22 @@ Decidim implements two type of authorization methods:
   * `edit_authorization_path`: This is the entry point to resume an existing
     authorization process.
 
+* _Renewable authorizations_.  
+  By default a participant can't renew its authorization, but this can be enabled when registering the workflow, the time between renewals can be configured (one day by default).
+
+  Optionally to change the renew modal content part of the data stored, you can set a new value for the cell used to render the metadata.
+
+  ```ruby
+  # config/initializers/decidim.rb
+
+  Decidim::Verifications.register_workflow(:census) do |workflow|
+    workflow.form = "myAuthorizationHandlerClass"
+    workflow.renewable = true
+    workflow.time_between_renewals = 1.day
+    workflow.metadata_cell = "decidim/verifications/authorization_metadata"
+  end
+  ```
+
 ### SMS verification
 
 Decidim comes with a verification workflow designed to verify users by sending

data/app/cells/decidim/verifications/authorization_metadata/show.erb

@@ -0,0 +1,13 @@
+<p>
+  <%= t("authorization_metadata.info", scope: "decidim.verifications.authorizations") %>
+</p>
+
+<ul>
+  <% if model.metadata.present? %>
+    <% model.metadata.symbolize_keys.except(:extras).each do |data| %>
+        <%= metadata(data) %>
+    <% end %>
+  <% else %>
+    <li> <%= t("authorization_metadata.no_data_stored", scope: "decidim.verifications.authorizations") %></li>
+  <% end %>
+</ul>

data/app/cells/decidim/verifications/authorization_metadata_cell.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Verifications
+    # This cell is to render the authorization metadata in the renew modal
+    class AuthorizationMetadataCell < Decidim::ViewModel
+      private
+
+      def metadata(data)
+        "<li>#{metadata_key(data)} <strong>#{metadata_value(data)}</strong></li>"
+      end
+
+      def metadata_key(data)
+        "#{t("#{model.name}.fields.#{data.first}", scope: "decidim.authorization_handlers")}:"
+      end
+
+      def metadata_value(data)
+        data.second
+      end
+    end
+  end
+end

data/app/cells/decidim/verifications/revocations/show.erb

@@ -0,0 +1,40 @@
+<div class="card-divider">
+  <h2 class="card-title">
+    <%= t("decidim.admin.menu.authorization_revocation.title") %>
+  </h2>
+</div>
+<div class="card-section">
+  <% if model.count > 0 %>
+    <div class="revoke_all_box">
+      <p><%= t("decidim.admin.menu.authorization_revocation.info", count: model.count ) %></p>
+      <%= link_to t("decidim.admin.menu.authorization_revocation.button"),
+        decidim_verifications.admin_verifications_destroy_all_path,
+        method: :delete,
+        class: "button",
+        data: { confirm: t("decidim.admin.menu.authorization_revocation.destroy.confirm_all") } %>
+    </div>
+    <br>
+    <div class="revoke_before_date_box">
+      <%= decidim_form_for(@form, url: decidim_verifications.admin_verifications_destroy_before_date_path, html: { class: "form" } ) do |form| %>
+        <div class="card">
+          <div class="card-section">
+            <div class="row column">
+              <%= form.check_box :impersonated_only %>
+            </div>
+            <div class="row column">
+              <%= form.date_field :before_date, value: Date.today.prev_month.strftime("%d/%m/%Y"), autocomplete: "off" %>
+              <%= label_tag(:before_date_info, t("decidim.admin.menu.authorization_revocation.before_date_info")) %>
+            </div>
+            <div class="button--double">
+              <%= form.submit t("decidim.admin.menu.authorization_revocation.button_before"), data: { confirm: t("decidim.admin.menu.authorization_revocation.destroy.confirm") } %>
+            </div>
+          </div>
+        </div>
+      <% end %>
+    </div>
+  <% else %>
+    <div class="revoke_no_data">
+      <%= t("decidim.admin.menu.authorization_revocation.no_data") %>
+    </div>
+  <% end %>
+</div>

data/app/cells/decidim/verifications/revocations_cell.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Verifications
+    # This cell renders revocation options - Revoke all or Revoke before date
+    class RevocationsCell < Decidim::ViewModel
+      def show
+        @form = Decidim::Verifications::Admin::RevocationsBeforeDateForm.from_params(params)
+        render
+      end
+
+      protected
+
+      def decidim_verifications
+        Decidim::Verifications::Engine.routes.url_helpers
+      end
+    end
+  end
+end

data/app/commands/decidim/verifications/confirm_user_authorization.rb

@@ -4,13 +4,17 @@ module Decidim
   module Verifications
     # A command to confirm a previous partial authorization.
     class ConfirmUserAuthorization < Rectify::Command
+      # Number of failed confirmation attempts before throttling.
+      MAX_FAILED_ATTEMPTS = 2
+
       # Public: Initializes the command.
       #
       # authorization - An Authorization to be confirmed.
       # form - A form object with the verification data to confirm it.
-      def initialize(authorization, form)
+      def initialize(authorization, form, session)
         @authorization = authorization
         @form = form
+        @session = session
       end
 
       # Executes the command. Broadcasts these events:
@@ -20,19 +24,19 @@ module Decidim
       #
       # Returns nothing.
       def call
-        return broadcast(:already_confirmed) if authorization.granted?
+        return already_confirmed! if authorization.granted?
 
-        return broadcast(:invalid) unless form.valid?
+        return invalid! unless form.valid?
 
-        if confirmation_successful?
-          authorization.grant!
+        throttle! if too_many_failed_attempts?
 
-          broadcast(:ok)
+        if confirmation_successful?
+          valid!
         else
-          broadcast(:invalid)
+          invalid!
         end
       rescue StandardError => e
-        broadcast(:invalid, e.message)
+        invalid!(e.message)
       end
 
       protected
@@ -45,7 +49,43 @@ module Decidim
 
       private
 
-      attr_reader :authorization, :form
+      def valid!
+        authorization.grant!
+        reset_failed_attempts!
+        broadcast(:ok)
+      end
+
+      def invalid!(message = nil)
+        record_failed_attempt!
+        broadcast(:invalid, message)
+      end
+
+      def already_confirmed!
+        reset_failed_attempts!
+        broadcast(:already_confirmed)
+      end
+
+      def too_many_failed_attempts?
+        failed_attempts > MAX_FAILED_ATTEMPTS
+      end
+
+      def failed_attempts
+        session[:failed_attempts] ||= 0
+      end
+
+      def reset_failed_attempts!
+        session[:failed_attempts] = 0
+      end
+
+      def record_failed_attempt!
+        session[:failed_attempts] = failed_attempts + 1
+      end
+
+      def throttle!
+        sleep rand * failed_attempts
+      end
+
+      attr_reader :authorization, :form, :session
     end
   end
 end

data/app/commands/decidim/verifications/destroy_user_authorization.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Verifications
+    # A command to Destroy the Authorization of a user.
+    class DestroyUserAuthorization < Rectify::Command
+      def initialize(authorization)
+        @authorization = authorization
+      end
+
+      def call
+        return broadcast(:invalid) unless authorization
+
+        authorization.destroy!
+
+        broadcast(:ok, authorization)
+      end
+
+      private
+
+      attr_reader :authorization
+    end
+  end
+end

data/app/commands/decidim/verifications/revoke_all_authorizations.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Verifications
+    # A command to revoke authorizations
+    class RevokeAllAuthorizations < Rectify::Command
+      # Public: Initializes the command.
+      #
+      # organization - Organization object.
+      # current_user - The current user.
+      def initialize(organization, current_user)
+        @organization = organization
+        @current_user = current_user
+      end
+
+      # Executes the command. Broadcasts these events:
+      #
+      # - :ok when everything is valid.
+      # - :invalid if the handler wasn't valid and we couldn't proceed.
+      #
+      # Returns nothing.
+      def call
+        return broadcast(:invalid) unless @organization
+
+        auths = Decidim::Verifications::Authorizations.new(
+          organization: organization,
+          granted: true
+        ).query
+
+        auths.find_each do |auth|
+          Decidim.traceability.perform_action!(
+            :destroy,
+            auth,
+            current_user
+          ) do
+            auth.destroy
+          end
+        end
+
+        broadcast(:ok)
+      end
+
+      private
+
+      attr_reader :organization, :current_user
+    end
+  end
+end

data/app/commands/decidim/verifications/revoke_by_condition_authorizations.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Verifications
+    # A command to revoke authorizations with filter
+    class RevokeByConditionAuthorizations < Rectify::Command
+      # Public: Initializes the command.
+      #
+      # organization - Organization object.
+      # current_user - The current user.
+      # form - A form object with the verification data to confirm it.
+      def initialize(organization, current_user, form)
+        @organization = organization
+        @current_user = current_user
+        @form = form
+      end
+
+      # Executes the command. Broadcasts these events:
+      #
+      # - :ok when everything is valid.
+      # - :invalid if the handler wasn't valid and we couldn't proceed.
+      #
+      # Returns nothing.
+      def call
+        return broadcast(:invalid) unless @organization
+        return broadcast(:invalid) unless @form.valid?
+
+        # Check before date
+        if @form.before_date.present?
+          authorizations_to_revoke = if @form.impersonated_only?
+                                       Decidim::Verifications::AuthorizationsBeforeDate.new(
+                                         organization: organization,
+                                         date: @form.before_date,
+                                         granted: true,
+                                         impersonated_only: @form.impersonated_only
+                                       )
+                                     else
+                                       Decidim::Verifications::AuthorizationsBeforeDate.new(
+                                         organization: organization,
+                                         date: @form.before_date,
+                                         granted: true
+                                       )
+                                     end
+
+          auths = authorizations_to_revoke.query
+          auths.find_each do |auth|
+            Decidim.traceability.perform_action!(
+              :destroy,
+              auth,
+              current_user
+            ) do
+              auth.destroy
+            end
+          end
+
+          broadcast(:ok)
+
+        else
+          broadcast(:invalid)
+        end
+      end
+
+      private
+
+      attr_reader :organization, :current_user, :form
+    end
+  end
+end

data/app/controllers/concerns/decidim/verifications/renewable.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Decidim
+  module Verifications
+    # Common logic to renew authorizations
+    module Renewable
+      extend ActiveSupport::Concern
+      included do
+        def renew
+          enforce_permission_to :renew, :authorization, authorization: authorization
+
+          DestroyUserAuthorization.call(authorization) do
+            on(:ok, authorization) do
+              flash[:notice] = t("authorizations.destroy.success", scope: "decidim.verifications")
+              redirect_to new_authorization_path(handler: authorization.name)
+            end
+
+            on(:invalid) do
+              flash[:alert] = t("authorizations.destroy.error", scope: "decidim.verifications")
+              redirect_to authorizations_path
+            end
+          end
+        end
+
+        def renew_modal
+          enforce_permission_to :renew, :authorization, authorization: authorization
+
+          respond_to do |format|
+            format.html { render layout: nil }
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/decidim/verifications/admin/verifications_controller.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Verifications
+    module Admin
+      class VerificationsController < Decidim::Admin::ApplicationController
+        def destroy_before_date
+          enforce_permission_to :destroy, :authorization
+          return unless params.has_key?(:revocations_before_date)
+
+          form = RevocationsBeforeDateForm.from_params(params[:revocations_before_date])
+          RevokeByConditionAuthorizations.call(current_organization, current_user, form) do
+            on(:ok) do
+              flash[:notice] = t("authorization_revocation.destroy_ok", scope: "decidim.admin.menu")
+              redirect_to decidim_admin.authorization_workflows_url
+            end
+            on(:invalid) do
+              flash.now[:alert] = t("authorization_revocation.destroy_nok", scope: "decidim.admin.menu")
+              redirect_to decidim_admin.authorization_workflows_url
+            end
+          end
+        end
+
+        def destroy_all
+          enforce_permission_to :destroy, :authorization
+          RevokeAllAuthorizations.call(current_organization, current_user) do
+            on(:ok) do
+              flash[:notice] = t("authorization_revocation.destroy_ok", scope: "decidim.admin.menu")
+              redirect_to decidim_admin.authorization_workflows_url
+            end
+            on(:invalid) do
+              flash.now[:alert] = t("authorization_revocation.destroy_nok", scope: "decidim.admin.menu")
+              redirect_to decidim_admin.authorization_workflows_url
+            end
+          end
+        end
+      end
+    end
+  end
+end