Merge branch 'develop' into fix/xss_vulnerability_on_initiatives

OpenSourcePolitics · Oct 9, 2024 · 59b3510 · 59b3510
2 parents 8668d3d + c89380d
commit 59b3510
Show file tree

Hide file tree

Showing 16 changed files with 843 additions and 21 deletions.
diff --git a/.env-example b/.env-example
@@ -102,4 +102,7 @@ RAILS_LOG_LEVEL=warn
 
 # Automatically save AH metadata to user extended data
 # Format : comma separated list of auhtorization handler names
-# AUTO_EXPORT_AUTHORIZATIONS_DATA_TO_USER_DATA_ENABLED_FOR="authorization1,authorization2"
+# AUTO_EXPORT_AUTHORIZATIONS_DATA_TO_USER_DATA_ENABLED_FOR="authorization1,authorization2"
+
+# Sort participatory processes by date
+SORT_PROCESSES_BY_DATE=false
diff --git a/Gemfile b/Gemfile
@@ -4,7 +4,8 @@ source "https://rubygems.org"
 
 DECIDIM_VERSION = "0.27"
 DECIDIM_BRANCH = "release/#{DECIDIM_VERSION}-stable".freeze
-DECIDIM_ANONYMOUS_PROPOSALS_VERSION = { git: "https://github.com/PopulateTools/decidim-module-anonymous_proposals", branch: "anonymous_proposals_for_registered_users" }.freeze
+DECIDIM_ANONYMOUS_PROPOSALS_VERSION = { git: "https://github.com/OpenSourcePolitics/decidim-module-anonymous_proposals",
+                                        branch: "feat/disable_override_from_index_proposals" }.freeze
 
 ruby RUBY_VERSION
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,3 +1,12 @@
+GIT
+  remote: https://github.com/OpenSourcePolitics/decidim-module-anonymous_proposals
+  revision: ea7c828c82fabb1c35e161095082f15ba63b6eaf
+  branch: feat/disable_override_from_index_proposals
+  specs:
+    decidim-anonymous_proposals (0.27.0)
+      decidim-core (>= 0.27.0)
+      deface (~> 1.5)
+
 GIT
   remote: https://github.com/OpenSourcePolitics/decidim-module-extended_socio_demographic_authorization_handler.git
   revision: adec5e66cd07b5e5fdce5562453a7e8d6de88013
@@ -112,15 +121,6 @@ GIT
       omniauth (~> 2.0)
       omniauth-oauth2 (>= 1.7.2, < 2.0)
 
-GIT
-  remote: https://github.com/PopulateTools/decidim-module-anonymous_proposals
-  revision: b44a938500716dbfd99e8615769045701137c82e
-  branch: anonymous_proposals_for_registered_users
-  specs:
-    decidim-anonymous_proposals (0.27.0)
-      decidim-core (>= 0.27.0)
-      deface (~> 1.5)
-
 GIT
   remote: https://github.com/alecslupu-pfa/decidim-budget_category_voting.git
   revision: e059d392d6468a0fff556a458589685a047032d6
@@ -135,7 +135,7 @@ GIT
 
 GIT
   remote: https://github.com/alecslupu-pfa/decidim-module-custom_proposal_states
-  revision: 66bc4d1a9f00eb66356e583365597e737e1d6917
+  revision: 848eb550d44d9bebc9e72c458c4e3aab79203d9e
   branch: release/0.27-stable
   specs:
     decidim-custom_proposal_states (0.27.5)

diff --git a/OVERLOADS.md b/OVERLOADS.md
@@ -2,6 +2,15 @@
 * `app/cells/decidim/version_cell.rb`
 This override the default `VersionCell` from `decidim-core`, by adding sanitization for `version_number` to prevent XSS attacks.
 
+* `app/controllers/decidim/assemblies/assemblies_controller.rb`
+This override the default `AssembliesController` from `decidim-assemblies`, by adding custom sort for assembly_participatory_processes
+
+* `app/helpers/decidim/assemblies/assemblies_helper.rb`
+This override the default `AssembliesHelpler` from `decidim-assemblies`, by adding custom html for sorted assembly_participatory_processes
+
+* `app/controllers/decidim/participatory_processes/participatory_processes_controller.rb`
+This override the default `ParticipatoryProcessesController` from `decidim-participatory_processes`, by adding custom sort for participatory_processes
+
 ## Initiative form
 * `lib/extends/forms/decidim/initiatives/initiative_form_extends.rb`
 This adds a validation to form's description.

diff --git a/app/controllers/decidim/assemblies/assemblies_controller.rb b/app/controllers/decidim/assemblies/assemblies_controller.rb
@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module Decidim
+  module Assemblies
+    # A controller that holds the logic to show Assemblies in a public layout.
+    class AssembliesController < Decidim::Assemblies::ApplicationController
+      include ParticipatorySpaceContext
+      participatory_space_layout only: :show
+      include FilterResource
+
+      helper_method :parent_assemblies, :promoted_assemblies, :stats, :assembly_participatory_processes, :current_assemblies_settings
+
+      def index
+        enforce_permission_to :list, :assembly
+
+        respond_to do |format|
+          format.html do
+            raise ActionController::RoutingError, "Not Found" if published_assemblies.none?
+
+            render "index"
+          end
+
+          format.js do
+            raise ActionController::RoutingError, "Not Found" if published_assemblies.none?
+
+            render "index"
+          end
+
+          format.json do
+            render json: published_assemblies.query.includes(:children).where(parent: nil).collect { |assembly|
+              {
+                name: assembly.title[I18n.locale.to_s],
+                children: assembly.children.collect do |child|
+                  {
+                    name: child.title[I18n.locale.to_s],
+                    children: child.children.collect { |child_of_child| { name: child_of_child.title[I18n.locale.to_s] } }
+                  }
+                end
+              }
+            }
+          end
+        end
+      end
+
+      def show
+        enforce_permission_to :read, :assembly, assembly: current_participatory_space
+      end
+
+      private
+
+      def search_collection
+        Assembly.where(organization: current_organization).published.visible_for(current_user)
+      end
+
+      def default_filter_params
+        {
+          with_scope: nil,
+          with_area: nil,
+          type_id_eq: nil
+        }
+      end
+
+      def current_participatory_space
+        return unless params[:slug]
+
+        @current_participatory_space ||= OrganizationAssemblies.new(current_organization).query.where(slug: params[:slug]).or(
+          OrganizationAssemblies.new(current_organization).query.where(id: params[:slug])
+        ).first!
+      end
+
+      def published_assemblies
+        @published_assemblies ||= OrganizationPublishedAssemblies.new(current_organization, current_user)
+      end
+
+      def promoted_assemblies
+        @promoted_assemblies ||= published_assemblies | PromotedAssemblies.new
+      end
+
+      def parent_assemblies
+        search.result.parent_assemblies.order(weight: :asc, promoted: :desc)
+      end
+
+      def stats
+        @stats ||= AssemblyStatsPresenter.new(assembly: current_participatory_space)
+      end
+
+      def assembly_participatory_processes
+        if Rails.application.secrets.dig(:decidim, :participatory_processes, :sort_by_date) == false
+          @assembly_participatory_processes ||= @current_participatory_space.linked_participatory_space_resources(:participatory_processes, "included_participatory_processes")
+        else
+          @assembly_participatory_processes = @current_participatory_space.linked_participatory_space_resources(:participatory_processes, "included_participatory_processes")
+          sorted_by_date = {
+            active: @assembly_participatory_processes.active_spaces.sort_by(&:end_date),
+            future: @assembly_participatory_processes.future_spaces.sort_by(&:start_date),
+            past: @assembly_participatory_processes.past_spaces.sort_by(&:end_date).reverse
+          }
+          @assembly_participatory_processes = sorted_by_date
+        end
+      end
+
+      def current_assemblies_settings
+        @current_assemblies_settings ||= Decidim::AssembliesSetting.find_or_create_by(decidim_organization_id: current_organization.id)
+      end
+    end
+  end
+end
diff --git a/app/controllers/decidim/participatory_processes/participatory_processes_controller.rb b/app/controllers/decidim/participatory_processes/participatory_processes_controller.rb
@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module Decidim
+  module ParticipatoryProcesses
+    # A controller that holds the logic to show ParticipatoryProcesses in a
+    # public layout.
+    class ParticipatoryProcessesController < Decidim::ParticipatoryProcesses::ApplicationController
+      include ParticipatorySpaceContext
+      participatory_space_layout only: [:show, :all_metrics]
+      include FilterResource
+
+      helper_method :collection,
+                    :promoted_collection,
+                    :participatory_processes,
+                    :stats,
+                    :metrics,
+                    :participatory_process_group,
+                    :default_date_filter,
+                    :related_processes,
+                    :linked_assemblies
+
+      def index
+        raise ActionController::RoutingError, "Not Found" if published_processes.none?
+
+        enforce_permission_to :list, :process
+        enforce_permission_to :list, :process_group
+      end
+
+      def show
+        enforce_permission_to :read, :process, process: current_participatory_space
+      end
+
+      def all_metrics
+        if current_participatory_space.show_statistics
+          enforce_permission_to :read, :process, process: current_participatory_space
+        else
+          render status: :not_found
+        end
+      end
+
+      private
+
+      def search_collection
+        ParticipatoryProcess.where(organization: current_organization).published.visible_for(current_user).includes(:area)
+      end
+
+      def default_filter_params
+        {
+          with_scope: nil,
+          with_area: nil,
+          with_type: nil,
+          with_date: default_date_filter
+        }
+      end
+
+      def organization_participatory_processes
+        @organization_participatory_processes ||= OrganizationParticipatoryProcesses.new(current_organization).query
+      end
+
+      def current_participatory_space
+        return unless params["slug"]
+
+        @current_participatory_space ||= organization_participatory_processes.where(slug: params["slug"]).or(
+          organization_participatory_processes.where(id: params["slug"])
+        ).first!
+      end
+
+      def published_processes
+        @published_processes ||= OrganizationPublishedParticipatoryProcesses.new(current_organization, current_user)
+      end
+
+      def promoted_participatory_processes
+        @promoted_participatory_processes ||= published_processes | PromotedParticipatoryProcesses.new
+      end
+
+      def promoted_participatory_process_groups
+        @promoted_participatory_process_groups ||= OrganizationPromotedParticipatoryProcessGroups.new(current_organization)
+      end
+
+      def promoted_collection
+        @promoted_collection ||= promoted_participatory_processes.query + promoted_participatory_process_groups.query
+      end
+
+      def collection
+        @collection ||= participatory_processes + participatory_process_groups
+      end
+
+      def filtered_processes
+        search.result
+      end
+
+      def participatory_processes
+        @participatory_processes ||= filtered_processes.groupless.includes(attachments: :file_attachment)
+        return @participatory_processes if Rails.application.secrets.dig(:decidim, :participatory_processes, :sort_by_date) == false
+
+        custom_sort(search.with_date)
+      end
+
+      def participatory_process_groups
+        @participatory_process_groups ||= OrganizationParticipatoryProcessGroups.new(current_organization).query
+                                                                                .where(id: filtered_processes.grouped.group_ids)
+      end
+
+      def stats
+        @stats ||= ParticipatoryProcessStatsPresenter.new(participatory_process: current_participatory_space)
+      end
+
+      def metrics
+        @metrics ||= ParticipatoryProcessMetricChartsPresenter.new(participatory_process: current_participatory_space, view_context: view_context)
+      end
+
+      def participatory_process_group
+        @participatory_process_group ||= current_participatory_space.participatory_process_group
+      end
+
+      def default_date_filter
+        return "active" if published_processes.any?(&:active?)
+        return "upcoming" if published_processes.any?(&:upcoming?)
+        return "past" if published_processes.any?(&:past?)
+
+        "all"
+      end
+
+      def related_processes
+        @related_processes ||=
+          current_participatory_space
+          .linked_participatory_space_resources(:participatory_processes, "related_processes")
+          .published
+          .all
+      end
+
+      def linked_assemblies
+        @linked_assemblies ||= current_participatory_space.linked_participatory_space_resources(:assembly, "included_participatory_processes").public_spaces
+      end
+
+      def custom_sort(date)
+        case date
+        when "active"
+          @participatory_processes.sort_by(&:end_date)
+        when "past"
+          @participatory_processes.sort_by(&:end_date).reverse
+        when "upcoming"
+          @participatory_processes.sort_by(&:start_date)
+        when "all"
+          @participatory_processes = sort_all_processes
+        else
+          @participatory_processes
+        end
+      end
+
+      def sort_all_processes
+        actives = @participatory_processes.select(&:active?).sort_by(&:end_date)
+        pasts = @participatory_processes.select(&:past?).sort_by(&:end_date).reverse
+        upcomings = @participatory_processes.select(&:upcoming?).sort_by(&:start_date)
+        (actives + upcomings + pasts)
+      end
+    end
+  end
+end