Rebase Develop branch into feature/redesign (#10322)

* Fix dependency resolver trying to fetch gem paths from lazy specifications (#10220)

* Ensure we are not returning lazy specifications

The lazy specification is not responding to the `#full_gem_path`
method which causes the dependency resolving to fail under newer
bundler versions and also in the situation that the newest
installed bundler version differs from the locked bundler version.

* Fix the expecation in the dependency resolver spec

* Added Reporting time in Global Moderation / Users (#10213)

* added-reported-time-to-user-moderations

* deleted-extra-line

* locale-changes

* fields reorder/contentmoderations - localizations revert

* fixed tests

* Removed "disabled" status from proposals' main categories (#10216)

* removed-main-category-disabling

* fixed-a-typo

* Fix double parentheses in the titled upload modal with existing attachment (#10221)

* Fix pipeline asset absolute URLs (#9597)

* Rename Decidim::AssetRouter to Decidim::AssetRouter::Storage

* Implement pipeline asset router

* Fetch the avatar default URLs through Decidim::AssetRouter::Pipeline

* Add specs for the avatar uploader

* Fix failing spec for NilPresenter

* Rubocop

* Fix spec after merge

* Fix the pipeline spec after merge

* Improve link handling of the redirect engine (#10235)

* Added links and nickname fields to User Group Admin panel (#10236)

* added-nickname-field-to-usergroups

* Added missing localizations (#10210)

* added-missing-localizations

* test-fixes

* additional-localizations-added

* comment-edit/date-format

* Switch to GitHub concurrency in CI (#10133)

* Switch to GitHub concurrency

* Rename the API CI workflow name

* Revert "Rename the API CI workflow name"

This reverts commit defe599.

* send notifications after transaction (#10211)

* Fix Pipeline after #10211 (#10240)

* Fix initiatives count in initiatives index page (#10150)

* Multi content blocks with the same manifest for the same page and section content block for ToS (#10166)

* Multiple content blocks for landing page and add sections to static page

* Fix two-pane section view

* Fix rubocop offense and normalize locales

* Fix static page update method

* Add class to content blocks card

* Fix spec/system/admin_manages_static_page_content_blocks_spec.rb tests

* Fix spec/system/admin_manages_organization_homepage_spec.rb tests

* Fix spec/commands/decidim/admin/reorder_content_blocks_spec.rb tests

* Fix spec/forms/static_page_form_spec.rb tests

* Fix spec/system/admin/admin_manages_participatory_process_group_landing_page_spec.rb tests

* Add new tests for deleting content blocks and creating multiple with the same manifest on the same page

* Fix unused argument

* Suggestions after review applied

* Remove unused i18n keys

* Add summary content block seed only for terms-and-conditions page

* Fix where to show content blocks on tabbed view

* Configuration to allow content blocks on specific pages

* Move commands and concern into a new Decidim::Admin::ContentBlocks namespace

* Fix spec/commands/decidim/admin/reorder_content_blocks_spec.rb tests

* Fix spec/commands/decidim/admin/create_newsletter_spec.rb tests

* Fix commands tests

* Move content of page_blocks config_accessor to decidim-generators

* User's group endorsement no longer disappears after personal endorsement removed (#10223)

* Fixed group endorsement removal when personal endorsement removed & tests

* test-fixes

* Add Backports documentation process explanation (#10248)

* Add Backports documentation process explanation

* Add link to backporter script

* Fix typo

Suggested by code review

* Add example and documentation for backporter script

* Sync release branch with remote before backporting (#10222)

* Fix notifications page when vapid is not available (#10286)

* User's group endorsement no longer disappears after personal endorsement removed

* Fixed group endorsement removal when personal endorsement removed & tests

* test-fixes

* Fix the notification settings when vapid keys are not present

---------

Co-authored-by: JoonasAapro <110532525+JoonasAapro@users.noreply.github.com>

* Update picmo to 5.7.3 (#10291)

* Replace webpush with web-push to support OpenSSL V3 (#10207)

* Replace webpush with web-push to support OpenSSL V3

* Restore Ruby version

* Export proposal body without HTML tags (#9913)

* Remove HTML tags in proposal body in exports

* Light proposal serializer specs refactor

* Remove proposal body HTML tags using decidim_sanitize

* Implement HTMLToPlainText in proposal serializer

* Remove SanitizeHelper from proposal serializer

* Refactor proposal serializer spec

* Strip tags recursively for proposal body

* Refactor specs file

* Refactor proposal serializer service

* Prevent aria-describedby attribute being added to hidden inputs (#10022)

* Add ability to pass extra attributes for authorization creation (#10320)

---------

Co-authored-by: Antti Hukkanen <antti.hukkanen@mainiotech.fi>
Co-authored-by: JoonasAapro <110532525+JoonasAapro@users.noreply.github.com>
Co-authored-by: Ivan Vergés <ivan@platoniq.net>
Co-authored-by: Heiner Sameisky <hei.sam@gmail.com>
Co-authored-by: Fran Bolívar <francisco.bolivar@nazaries.com>
Co-authored-by: Andrés Pereira de Lucena <andreslucena@users.noreply.github.com>
Co-authored-by: Quentin Champenois <26109239+Quentinchampenois@users.noreply.github.com>

Gemfile.lock

@@ -106,8 +106,8 @@ PATH
       seven_zip_ruby (~> 1.3)
       turbo-rails (~> 1.3.0)
       valid_email2 (~> 4.0)
+      web-push (~> 3.0)
       webpacker (= 6.0.0.rc.5)
-      webpush (~> 1.1)
       wisper (~> 2.0)
     decidim-debates (0.28.0.dev)
       decidim-comments (= 0.28.0.dev)
@@ -445,7 +445,7 @@ GEM
     hashdiff (1.0.1)
     hashie (5.0.0)
     highline (2.0.3)
-    hkdf (0.3.0)
+    hkdf (1.0.0)
     html-pipeline (2.14.2)
       activesupport (>= 2)
       nokogiri (>= 1.4)
@@ -565,6 +565,7 @@ GEM
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
+    openssl (3.1.0)
     origami (2.1.0)
       colorize (~> 0.7)
     orm_adapter (0.5.0)
@@ -783,6 +784,10 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
+    web-push (3.0.0)
+      hkdf (~> 1.0)
+      jwt (~> 2.0)
+      openssl (~> 3.0)
     webmock (3.14.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -792,9 +797,6 @@ GEM
       rack-proxy (>= 0.6.1)
       railties (>= 5.2)
       semantic_range (>= 2.3.0)
-    webpush (1.1.0)
-      hkdf (~> 0.2)
-      jwt (~> 2.0)
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)

SECURITY.adoc

@@ -2,7 +2,7 @@
 
 == Supported Versions
 
-Until we have the version 1.0 we support only the last minor and major version with security updates.
+Until we have the version 1.0 we support only the last two minor versions with security updates.
 
 |===
 | Version | Supported

decidim-core/app/forms/decidim/notifications_settings_form.rb

@@ -53,7 +53,7 @@ def user_is_moderator?(user)
     end
 
     def meet_push_notifications_requirements?
-      Rails.application.secrets.vapid[:enabled]
+      Rails.application.secrets.dig(:vapid, :enabled) || false
     end
   end
 end

decidim-core/app/models/decidim/authorization.rb

@@ -37,10 +37,7 @@ def self.create_or_update_from(handler)
         name: handler.handler_name
       )
 
-      authorization.attributes = {
-        unique_id: handler.unique_id,
-        metadata: handler.metadata
-      }
+      authorization.attributes = handler.authorization_attributes
 
       authorization.grant!
     end

decidim-core/app/packs/src/decidim/input_character_counter.js

@@ -33,7 +33,7 @@ export default class InputCharacterCounter {
     this.$target = $(this.$input.data("remaining-characters"));
     this.minCharacters = parseInt(this.$input.attr("minlength"), 10);
     this.maxCharacters = parseInt(this.$input.attr("maxlength"), 10);
-    this.describeByCounter = typeof this.$input.attr("aria-describedby") === "undefined";
+    this.describeByCounter = this.$input.attr("type") !== "hidden" && typeof this.$input.attr("aria-describedby") === "undefined";
 
     // Define the closest length for the input "gaps" defined by the threshold.
     if (this.maxCharacters > 10) {

decidim-core/app/packs/src/decidim/redesigned_input_character_counter.js

@@ -33,7 +33,7 @@ export default class InputCharacterCounter {
     this.$target = $(this.$input.data("remaining-characters"));
     this.minCharacters = parseInt(this.$input.attr("minlength"), 10);
     this.maxCharacters = parseInt(this.$input.attr("maxlength"), 10);
-    this.describeByCounter = typeof this.$input.attr("aria-describedby") === "undefined";
+    this.describeByCounter = this.$input.attr("type") !== "hidden" && typeof this.$input.attr("aria-describedby") === "undefined";
 
     // Define the closest length for the input "gaps" defined by the threshold.
     if (this.maxCharacters > 10) {

decidim-core/app/services/decidim/send_push_notification.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "webpush"
+require "web-push"
 
 module Decidim
   # This class generates a notification based on the given event, for the given
@@ -16,7 +16,7 @@ class SendPushNotification
     #
     # Returns the result of the dispatch or nil if user or subscription are empty
     def perform(notification)
-      return unless Rails.application.secrets.vapid[:enabled]
+      return unless Rails.application.secrets.dig(:vapid, :enabled)
 
       I18n.with_locale(notification.user.locale || notification.user.organization.default_locale) do
         notification.user.notifications_subscriptions.values.map do |subscription|
@@ -25,8 +25,8 @@ def perform(notification)
           # Capture webpush exceptions in order to avoid this call to be repeated by the background job runner
           # Webpush::Error class is the parent class of all defined errors
           begin
-            Webpush.payload_send(**payload)
-          rescue Webpush::Error => e
+            WebPush.payload_send(**payload)
+          rescue WebPush::Error => e
             Rails.logger.warn("[ERROR] Push notification delivery failed due to #{e.message}")
             nil
           end

decidim-core/decidim-core.gemspec

@@ -76,7 +76,7 @@ Gem::Specification.new do |s|
   s.add_dependency "turbo-rails", "~> 1.3.0"
   s.add_dependency "valid_email2", "~> 4.0"
   s.add_dependency "webpacker", "= 6.0.0.rc.5"
-  s.add_dependency "webpush", "~> 1.1"
+  s.add_dependency "web-push", "~> 3.0"
   s.add_dependency "wisper", "~> 2.0"
 
   s.add_dependency "decidim-api", Decidim::Core.version

decidim-core/lib/decidim/core/test/shared_examples/comments_examples.rb

@@ -344,11 +344,11 @@
             within ".add-comment form" do
               find(:css, "textarea:enabled").set("toto")
             end
-            expect(page).not_to have_selector(".picmo-picker.picker")
+            expect(page).not_to have_selector(".picmo__picker.picmo__picker")
             within ".add-comment form" do
               find(".emoji__button").click
             end
-            expect(page).to have_selector(".picmo-picker.picker")
+            expect(page).to have_selector(".picmo__picker.picmo__picker")
           end
         end
 
@@ -361,7 +361,7 @@
               find(:css, "textarea:enabled").set("0123456789012345678901234567")
               find(".emoji__button").click
             end
-            expect(page).not_to have_selector(".picmo-picker.picker")
+            expect(page).not_to have_selector(".picmo__picker.picmo__picker")
           end
         end
       end

decidim-core/lib/tasks/decidim_pwa_tasks.rake

@@ -1,12 +1,12 @@
 # frozen_string_literal: true
 
-require "webpush"
+require "web-push"
 
 namespace :decidim do
   namespace :pwa do
     desc "Generates VAPID keys for push notifications"
     task :generate_vapid_keys do
-      vapid_key = Webpush.generate_key
+      vapid_key = WebPush.generate_key
 
       puts("VAPID keys correctly generated.")
       puts("*******************************")

decidim-core/spec/forms/notifications_settings_form_spec.rb

@@ -188,17 +188,27 @@ module Decidim
     describe "#meet_push_notifications_requirements?" do
       context "when the notifications requirements are met" do
         before do
-          allow(Rails.application.secrets).to receive("vapid").and_return({ enabled: true })
+          Rails.application.secrets[:vapid] = { enabled: true }
         end
 
         it "returns true" do
           expect(subject.meet_push_notifications_requirements?).to be true
         end
       end
 
+      context "when vapid secrets are not present" do
+        before do
+          Rails.application.secrets.delete(:vapid)
+        end
+
+        it "returns false" do
+          expect(subject.meet_push_notifications_requirements?).to be false
+        end
+      end
+
       context "when the notifications requirements aren't met" do
         before do
-          allow(Rails.application.secrets).to receive("vapid").and_return({ enabled: false })
+          Rails.application.secrets[:vapid] = { enabled: false }
         end
 
         it "returns false" do

decidim-core/spec/models/decidim/authorization_spec.rb

@@ -114,5 +114,32 @@ module Decidim
         let(:authorization_status) { :pending }
       end
     end
+
+    describe ".create_or_update_from" do
+      subject { described_class.create_or_update_from(handler) }
+
+      let(:user) { create(:user) }
+      let(:handler_class) do
+        Class.new(Decidim::AuthorizationHandler) do
+          def authorization_attributes
+            super.merge(created_at: Time.zone.local(2022, 1, 31, 16, 21))
+          end
+
+          def handler_name
+            "foobar"
+          end
+        end
+      end
+      let(:handler) { handler_class.from_params(user:) }
+
+      let(:authorization) { Decidim::Authorization.last }
+
+      context "when the handler provides additional arguments for the authorization" do
+        it "adds the extra attributes for the created authorization" do
+          expect(subject).to be(true)
+          expect(authorization.created_at).to eq(Time.zone.local(2022, 1, 31, 16, 21))
+        end
+      end
+    end
   end
 end

decidim-core/spec/services/decidim/send_push_notification_spec.rb

@@ -15,12 +15,27 @@
   end
 
   before do
-    allow(Rails.application.secrets).to receive("vapid").and_return({ enabled: true, public_key: "public_key", private_key: "private_key" })
+    Rails.application.secrets[:vapid] = { enabled: true, public_key: "public_key", private_key: "private_key" }
   end
 
   context "without vapid settings config" do
     before do
-      allow(Rails.application.secrets).to receive("vapid").and_return({ enabled: false })
+      Rails.application.secrets.delete(:vapid)
+    end
+
+    describe "#perform" do
+      let(:user) { create(:user) }
+      let(:notification) { create :notification, user: }
+
+      it "returns false" do
+        expect(subject.perform(notification)).to be_falsy
+      end
+    end
+  end
+
+  context "without vapid enabled" do
+    before do
+      Rails.application.secrets[:vapid] = { enabled: false }
     end
 
     describe "#perform" do
@@ -88,9 +103,9 @@
             private_key: "private_key"
           )
         }
-        expect(Webpush).to receive(:payload_send).with(first_notification_payload).ordered.and_return(double("result", message: "Created", code: "201"))
-        expect(Webpush).to receive(:payload_send).with(second_notification_payload).ordered.and_return(double("result", message: "Created", code: "201"))
-        expect(Webpush).to receive(:payload_send).with(third_notification_payload).ordered.and_raise(Webpush::Error)
+        expect(WebPush).to receive(:payload_send).with(first_notification_payload).ordered.and_return(double("result", message: "Created", code: "201"))
+        expect(WebPush).to receive(:payload_send).with(second_notification_payload).ordered.and_return(double("result", message: "Created", code: "201"))
+        expect(WebPush).to receive(:payload_send).with(third_notification_payload).ordered.and_raise(WebPush::Error)
 
         responses = subject.perform(notification)
         expect(responses.size).to eq(2)
@@ -123,7 +138,7 @@
           )
         }
 
-        allow(Webpush).to receive(:payload_send).with(notification_payload).and_return(double("result", message: "Created", code: "201"))
+        allow(WebPush).to receive(:payload_send).with(notification_payload).and_return(double("result", message: "Created", code: "201"))
 
         responses = subject.perform(notification)
         expect(responses.all? { |response| response.code == "201" }).to be(true)
@@ -145,7 +160,7 @@
                                   })
 
           notification_payload = a_hash_including(message:)
-          expect(Webpush).to receive(:payload_send).with(notification_payload).ordered.and_return(double("result", message: "Created", code: "201"))
+          expect(WebPush).to receive(:payload_send).with(notification_payload).ordered.and_return(double("result", message: "Created", code: "201"))
         end
 
         responses = subject.perform(notification)

decidim-core/spec/system/account_spec.rb

@@ -322,7 +322,7 @@
 
     context "when VAPID keys are set" do
       before do
-        allow(Rails.application.secrets).to receive("vapid").and_return(vapid_keys)
+        Rails.application.secrets[:vapid] = vapid_keys
         driven_by(:pwa_chrome)
         switch_to_host(organization.host)
         login_as user, scope: :user
@@ -353,9 +353,23 @@
       end
     end
 
+    context "when VAPID is disabled" do
+      before do
+        Rails.application.secrets[:vapid] = { enabled: false }
+        driven_by(:pwa_chrome)
+        switch_to_host(organization.host)
+        login_as user, scope: :user
+        visit decidim.notifications_settings_path
+      end
+
+      it "does not show the push notifications switch" do
+        expect(page).to have_no_selector(".push-notifications")
+      end
+    end
+
     context "when VAPID keys are not set" do
       before do
-        allow(Rails.application.secrets).to receive("vapid").and_return({})
+        Rails.application.secrets.delete(:vapid)
         driven_by(:pwa_chrome)
         switch_to_host(organization.host)
         login_as user, scope: :user

decidim-generators/Gemfile.lock

@@ -106,8 +106,8 @@ PATH
       seven_zip_ruby (~> 1.3)
       turbo-rails (~> 1.3.0)
       valid_email2 (~> 4.0)
+      web-push (~> 3.0)
       webpacker (= 6.0.0.rc.5)
-      webpush (~> 1.1)
       wisper (~> 2.0)
     decidim-debates (0.28.0.dev)
       decidim-comments (= 0.28.0.dev)
@@ -445,7 +445,7 @@ GEM
     hashdiff (1.0.1)
     hashie (5.0.0)
     highline (2.0.3)
-    hkdf (0.3.0)
+    hkdf (1.0.0)
     html-pipeline (2.14.2)
       activesupport (>= 2)
       nokogiri (>= 1.4)
@@ -565,6 +565,7 @@ GEM
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
+    openssl (3.1.0)
     origami (2.1.0)
       colorize (~> 0.7)
     orm_adapter (0.5.0)
@@ -783,6 +784,10 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
+    web-push (3.0.0)
+      hkdf (~> 1.0)
+      jwt (~> 2.0)
+      openssl (~> 3.0)
     webmock (3.14.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -792,9 +797,6 @@ GEM
       rack-proxy (>= 0.6.1)
       railties (>= 5.2)
       semantic_range (>= 2.3.0)
-    webpush (1.1.0)
-      hkdf (~> 0.2)
-      jwt (~> 2.0)
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)