Merge branch 'develop' of github.com:decidim/decidim into chore/remov…

…e-secrets
decidim · Sep 20, 2024 · 516c4e6 · 516c4e6
2 parents 54df9ea + 0604956
commit 516c4e6
Show file tree

Hide file tree

Showing 70 changed files with 605 additions and 235 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -91,7 +91,7 @@ PATH
       rack-attack (~> 6.0)
       rails (~> 7.0.8)
       rails-i18n (~> 7.0)
-      ransack (~> 3.2.1)
+      ransack (~> 4.2.0)
       redis (~> 4.1)
       request_store (~> 1.5.0)
       rubyXL (~> 3.4)
@@ -614,7 +614,7 @@ GEM
       zeitwerk (~> 2.5)
     rainbow (3.1.1)
     rake (13.2.1)
-    ransack (3.2.1)
+    ransack (4.2.0)
       activerecord (>= 6.1.5)
       activesupport (>= 6.1.5)
       i18n

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -69,14 +69,36 @@ As of [#13380](https://github.com/decidim/decidim/pull/13380), the task named `d
 
 You can read more about this change on PR [#13380](https://github.com/decidim/decidim/pull/13380).
 
-### 2.4
+### 2.4 Cells expiration time
 
 Now the cache expiration time is configurable via initializers/ENV variables.
 
 Decidim uses cache in some HTML views (usually under the `cells/` folder). In the past the cache had no expiration time, now it is configurable using the ENV var `DECIDIM_CACHE_EXPIRATION_TIME` (this var expects an integer specifying the number of minutes for which the cache is valid).
 
 Also note, that now it comes with a default value of 24 hours (1440 minutes).
 
+You can read more about this change on PR [#13402](https://github.com/decidim/decidim/pull/13402).
+
+### 2.5. Ransack upgrade
+
+As part of Rails upgrade to version 7.1, we upgraded Ransack gem to version 4.2. Ransack has introduced a new security policy that requires mandatory allowlisting for the attributes and associations needed by search engine. If you have a regular Decidim installation, you can skip this step.
+
+If you are a plugin developer, you may need to add the following methods to your searchable models.
+
+If your plugins are extending the filters or search, you may need to override the following methods.
+
+```ruby
+def self.ransackable_attributes(_auth_object = nil)
+  []
+end
+
+def self.ransackable_associations(_auth_object = nil)
+  []
+end
+```
+
+You can read more about this change on PR [#13196](https://github.com/decidim/decidim/pull/13196).
+
 ## 3. One time actions
 
 These are one time actions that need to be done after the code is updated in the production database.

diff --git a/decidim-accountability/app/models/decidim/accountability/result.rb b/decidim-accountability/app/models/decidim/accountability/result.rb
@@ -94,6 +94,20 @@ def self.ransackable_scopes(_auth_object = nil)
       # Create the :search_text ransacker alias for searching from both of these.
       ransacker_i18n_multi :search_text, [:title, :description]
 
+      def self.ransackable_attributes(auth_object = nil)
+        base = %w(search_text title description)
+
+        return base unless auth_object&.admin?
+
+        base + %w(id_string created_at id progress)
+      end
+
+      def self.ransackable_associations(auth_object = nil)
+        return [] unless auth_object&.admin?
+
+        %w(category status scope)
+      end
+
       private
 
       # Private: When a row uses weight 1 and there is more than one, weight should not be considered

diff --git a/decidim-accountability/app/models/decidim/accountability/status.rb b/decidim-accountability/app/models/decidim/accountability/status.rb
@@ -22,6 +22,10 @@ class Status < Accountability::ApplicationRecord
       # Allow ransacker to search for a key in a hstore column (`name`.`en`)
       ransacker_i18n :name
 
+      def self.ransackable_attributes(_auth_object = nil)
+        %w(id name)
+      end
+
       def self.log_presenter_class_for(_log)
         Decidim::Accountability::AdminLog::StatusPresenter
       end

diff --git a/decidim-admin/app/packs/stylesheets/decidim/admin/_table-list.scss b/decidim-admin/app/packs/stylesheets/decidim/admin/_table-list.scss
@@ -115,7 +115,11 @@
     }
 
     .dragging-handle {
-      @apply cursor-move;
+      @apply cursor-ns-resize align-top p-3;
+
+      .dragger {
+        @apply text-2xl;
+      }
     }
   }
 }

diff --git a/decidim-admin/app/packs/stylesheets/decidim/admin/_taxonomies.scss b/decidim-admin/app/packs/stylesheets/decidim/admin/_taxonomies.scss
@@ -10,11 +10,11 @@
   }
 
   .dragger {
-    @apply text-2xl cursor-ns-resize;
+    @apply text-2xl;
   }
 
   td {
-    @apply align-top;
+    @apply align-top cursor-ns-resize;
 
     &.js-drag-handle .dragger {
       @apply mt-1;

diff --git a/decidim-admin/app/views/decidim/admin/components/_component.html.erb b/decidim-admin/app/views/decidim/admin/components/_component.html.erb
@@ -1,7 +1,7 @@
 <% if user_role_config.component_is_accessible?(component.manifest_name) %>
   <tr class="draggable-content component-<%= component.id %>" draggable="true" data-record-id="<%= component.id %>">
     <td class="text-center dragging-handle">
-      <span><%= icon "draggable", class: "fill-black" %></span>
+      <%= icon("draggable", class: "dragger") %>
     </td>
     <td>
       <% if component.manifest.admin_engine %>

diff --git a/decidim-admin/app/views/decidim/admin/taxonomies/_table.html.erb b/decidim-admin/app/views/decidim/admin/taxonomies/_table.html.erb
@@ -12,6 +12,18 @@
       </th>
     </tr>
     </thead>
+    <%#
+     If you ever reach this template as source of inspiration for a table row drag and drop functionality,
+     please take in to account that this is intended to manage a complex case, as it has the capability of nesting elements (a draggable within a draggable) so that you can reorder parents and children.
+     In Decidim there are two ways to implement a sortable (but both use the same library html5sortable.es).
+
+     The simpler one is just to add the [data-draggable-table] attribute in the parent element, it requires to also add the [data-sort-url] attribute. This URL will be used to send a PUT request and ignore the result.
+      This implementation is used for instance in admin components table.
+
+     For cases when you need more control you can use the second implementation, which is the one used here.
+     It uses the "js-sortable" class to initialize the element and allows you to use all the options documented in https://github.com/lukasoppermann/html5sortable as [data-sortable-OPTION] in the html.
+     Take into account, that, if using the second option, you need to implement the "sortupdate" event by yourself (see this file for an example). This allows you to control the return of the request for instance.
+    %>
     <tbody class="js-sortable js-draggable-root" data-draggable-handle=".js-drag-handle" data-draggable-accept-from=".js-draggable-root" data-sort-url="<%= reorder_taxonomies_path %>" role="rowgroup">
       <% if path = path_to_prev_page(collection) %>
         <tr class="draggable-taxonomy change-page" data-prev-page="<%= path %>" data-taxonomy-id="<%= collection.page(collection.prev_page).per(per_page).last&.id %>"><td colspan="2"><%= t(".to_prev_page") %></td></tr>

diff --git a/decidim-assemblies/app/models/decidim/assembly.rb b/decidim-assemblies/app/models/decidim/assembly.rb
@@ -164,6 +164,18 @@ def self.ransackable_scopes(_auth_object = nil)
       [:with_any_area, :with_any_scope, :with_any_type]
     end
 
+    def self.ransackable_attributes(auth_object = nil)
+      base = %w(title short_description description id)
+
+      return base unless auth_object&.admin?
+
+      base + %w(published_at private_space parent_id decidim_assemblies_type_id)
+    end
+
+    def self.ransackable_associations(_auth_object = nil)
+      %w(area assembly_type scope parent children categories)
+    end
+
     private
 
     # When an assembly changes their parent, we need to update the parents_path attribute

diff --git a/decidim-assemblies/app/models/decidim/assembly_member.rb b/decidim-assemblies/app/models/decidim/assembly_member.rb
@@ -30,5 +30,15 @@ def self.log_presenter_class_for(_log)
     def remove_non_user_avatar
       false
     end
+
+    def self.ransackable_attributes(auth_object = nil)
+      return [] unless auth_object&.admin?
+
+      %w(full_name ceased_date)
+    end
+
+    def self.ransackable_associations(_auth_object = nil)
+      %w(user)
+    end
   end
 end
diff --git a/decidim-blogs/app/packs/stylesheets/blogs.scss b/decidim-blogs/app/packs/stylesheets/blogs.scss
@@ -7,26 +7,6 @@
     }
   }
 
-  &__actions {
-    @apply flex flex-col md:flex-row justify-between items-center gap-10 pt-10;
-
-    &-left {
-      @apply flex items-center gap-2;
-    }
-
-    &-right {
-      @apply flex items-center gap-4;
-
-      button {
-        @apply flex items-center gap-1;
-      }
-    }
-
-    .is-active span:last-child {
-      @apply text-white bg-secondary border-secondary;
-    }
-  }
-
   &__endorsers {
     @apply space-y-3;
 

diff --git a/decidim-blogs/app/views/decidim/blogs/posts/_actions.html.erb b/decidim-blogs/app/views/decidim/blogs/posts/_actions.html.erb
@@ -1,15 +1,13 @@
-<div class="blog__actions">
-  <div class="blog__actions-left">
-    <% if endorsements_enabled? %>
-      <%= endorsement_buttons_cell(post) %>
-    <% end %>
+<section class="layout-main__section layout-main__buttons  pt-10" data-buttons>
+  <% if endorsements_enabled? %>
+    <%= endorsement_buttons_cell(post) %>
+  <% end %>
 
-    <%= cell "decidim/comments_button", nil %>
-  </div>
+  <%= cell "decidim/comments_button", nil %>
 
-  <div class="blog__actions-right">
+  <div class="ml-auto lg:ml-0">
     <%= cell "decidim/share_button", nil %>
   </div>
-</div>
+</section>
 
 <%= cell "decidim/endorsers_list", post, layout: :full %>
diff --git a/decidim-blogs/lib/decidim/blogs/test/factories.rb b/decidim-blogs/lib/decidim/blogs/test/factories.rb
@@ -14,6 +14,22 @@
     name { generate_component_name(participatory_space.organization.available_locales, :blogs, skip_injection:) }
     manifest_name { :blogs }
     participatory_space { create(:participatory_process, :with_steps, skip_injection:, organization:) }
+
+    trait :with_endorsements_enabled do
+      step_settings do
+        {
+          participatory_space.active_step.id => { endorsements_enabled: true }
+        }
+      end
+    end
+
+    trait :with_endorsements_disabled do
+      step_settings do
+        {
+          participatory_space.active_step.id => { endorsements_enabled: false }
+        }
+      end
+    end
   end
 
   factory :post, class: "Decidim::Blogs::Post" do

diff --git a/decidim-blogs/spec/system/endorse_posts_spec.rb b/decidim-blogs/spec/system/endorse_posts_spec.rb
@@ -6,99 +6,16 @@
   include_context "with a component"
   let(:manifest_name) { "blogs" }
   let(:organization) { create(:organization) }
-  let(:author) { create(:user, :confirmed, name: "Tester", organization:) }
-  let!(:post) { create(:post, component:, title: { en: "Blog post title" }) }
-
-  before do
-    sign_in author
-  end
-
-  context "when liking the post without belonging to a user group" do
-    it "likes the post" do
-      visit_component
-      click_on "Blog post title"
-      click_on "Like"
-
-      expect(page).to have_content("Dislike")
-    end
+  let!(:post) { create(:post, author: user, component:, title: { en: "Blog post title" }) }
+  let!(:resource) { post }
+  let!(:resource_name) { translated(post.title) }
+
+  let!(:component) do
+    create(:post_component,
+           *component_traits,
+           manifest:,
+           participatory_space:)
   end
 
-  context "when liking the post while being a part of a group" do
-    let!(:user_group) do
-      create(
-        :user_group,
-        :verified,
-        name: "Tester's Organization",
-        nickname: "test_org",
-        email: "t.mail.org@example.org",
-        users: [author],
-        organization:
-      )
-    end
-
-    before do
-      visit_component
-      click_on "Blog post title"
-    end
-
-    it "opens a modal where you select identity as a user or a group" do
-      click_on "Like"
-      expect(page).to have_content("Select identity")
-      expect(page).to have_content("Tester's Organization")
-      expect(page).to have_content("Tester")
-    end
-
-    def add_likes
-      click_on "Like"
-      click_on "Tester's Organization"
-      click_on "Tester"
-      click_on "Done"
-      visit current_path
-      click_on "Dislike"
-    end
-
-    context "when both identities picked" do
-      it "likes the post as a group and a user" do
-        add_likes
-
-        within ".identities-modal__list" do
-          expect(page).to have_css(".is-selected", count: 2)
-        end
-      end
-    end
-
-    context "when like cancelled as a user" do
-      it "does not cancel group like" do
-        add_likes
-        find(".is-selected", match: :first).click
-        click_on "Done"
-        visit current_path
-        click_on "Like"
-
-        within ".identities-modal__list" do
-          expect(page).to have_css(".is-selected", count: 1)
-          within ".is-selected" do
-            expect(page).to have_content("Tester's Organization")
-          end
-        end
-      end
-    end
-
-    context "when like cancelled as a group" do
-      it "does not cancel user like" do
-        add_likes
-        page.all(".is-selected")[1].click
-        click_on "Done"
-        visit current_path
-        click_on "Dislike"
-
-        within ".identities-modal__list" do
-          expect(page).to have_css(".is-selected", count: 1)
-          within ".is-selected" do
-            expect(page).to have_text("Tester", exact: true)
-          end
-        end
-      end
-    end
-  end
+  it_behaves_like "Endorse resource system specs"
 end
diff --git a/decidim-budgets/app/models/decidim/budgets/project.rb b/decidim-budgets/app/models/decidim/budgets/project.rb
@@ -141,6 +141,18 @@ def attachment_context
       def self.ransackable_scopes(_auth_object = nil)
         [:with_any_status, :with_any_scope, :with_any_category]
       end
+
+      def self.ransackable_attributes(auth_object = nil)
+        base = %w(search_text description title)
+
+        return base unless auth_object&.admin?
+
+        base + %w(id_string id selected selected_at confirmed_orders_count)
+      end
+
+      def self.ransackable_associations(_auth_object = nil)
+        %w(category scope)
+      end
     end
   end
 end