From 1e0db8afb720241d3985ec39f8d448d7a97742db Mon Sep 17 00:00:00 2001
From: pabois <pierreandre.boissinot@noesya.coop>
Date: Fri, 8 Dec 2023 10:43:24 +0100
Subject: [PATCH 1/4] add csp

---
 app/assets/javascripts/leaflet.js             |  1 +
 .../stylesheets/admin/commons/sidebar.sass    |  2 +
 app/assets/stylesheets/leaflet.sass           |  1 +
 .../admin/communication/blocks/edit.html.erb  |  2 +-
 .../templates/organizations/_show.html.erb    |  8 +-
 .../communication/extranets/_sidebar.html.erb |  2 +-
 .../photo_imports/_selector.html.erb          |  2 +-
 .../communication/websites/_sidebar.html.erb  |  2 +-
 app/views/admin/layouts/application.html.erb  |  2 +-
 app/views/admin/layouts/preview.html.erb      |  5 ++
 .../admin/research/journals/_sidebar.html.erb |  2 +-
 app/views/application/_bugsnag.html.erb       |  2 +-
 .../extranet/layouts/application.html.erb     |  4 +
 app/views/server/layouts/application.html.erb |  2 +-
 .../server/universities/_sso_mapping.html.erb |  2 +-
 .../initializers/content_security_policy.rb   | 77 ++++++++++++++-----
 db/schema.rb                                  | 75 +++++++++---------
 package.json                                  |  1 +
 yarn.lock                                     |  5 ++
 19 files changed, 125 insertions(+), 72 deletions(-)
 create mode 100644 app/assets/javascripts/leaflet.js
 create mode 100644 app/assets/stylesheets/admin/commons/sidebar.sass
 create mode 100644 app/assets/stylesheets/leaflet.sass

diff --git a/app/assets/javascripts/leaflet.js b/app/assets/javascripts/leaflet.js
new file mode 100644
index 000000000..afba78aec
--- /dev/null
+++ b/app/assets/javascripts/leaflet.js
@@ -0,0 +1 @@
+//= require leaflet/dist/leaflet.js
\ No newline at end of file
diff --git a/app/assets/stylesheets/admin/commons/sidebar.sass b/app/assets/stylesheets/admin/commons/sidebar.sass
new file mode 100644
index 000000000..dd8be5699
--- /dev/null
+++ b/app/assets/stylesheets/admin/commons/sidebar.sass
@@ -0,0 +1,2 @@
+.sidebar-icon
+    min-width: 30px
\ No newline at end of file
diff --git a/app/assets/stylesheets/leaflet.sass b/app/assets/stylesheets/leaflet.sass
new file mode 100644
index 000000000..95cd15cc0
--- /dev/null
+++ b/app/assets/stylesheets/leaflet.sass
@@ -0,0 +1 @@
+@import 'leaflet/dist/leaflet'
\ No newline at end of file
diff --git a/app/views/admin/communication/blocks/edit.html.erb b/app/views/admin/communication/blocks/edit.html.erb
index 202ced7c8..c5c82ac02 100644
--- a/app/views/admin/communication/blocks/edit.html.erb
+++ b/app/views/admin/communication/blocks/edit.html.erb
@@ -43,7 +43,7 @@
 <%# Include vue.js before call Vue.createApp %>
 <%= javascript_include_tag 'vue' %>
 
-<script>
+<script nonce=<%= request.content_security_policy_nonce %>>
   var app = Vue.createApp({
     components: {
       draggable: VueDraggableNext.VueDraggableNext,
diff --git a/app/views/admin/communication/blocks/templates/organizations/_show.html.erb b/app/views/admin/communication/blocks/templates/organizations/_show.html.erb
index da0688f65..775a2426b 100644
--- a/app/views/admin/communication/blocks/templates/organizations/_show.html.erb
+++ b/app/views/admin/communication/blocks/templates/organizations/_show.html.erb
@@ -25,14 +25,8 @@
       <% if block.template.layout == "grid" %>
         <div class="organizations grid">
       <% else # Map %>
+        <% content_for :leaflet_required, true %>
         <div class="map" data-marker-icon="<%= image_path 'map-marker.svg' %>">
-          <link   rel="stylesheet"
-                  href="https://unpkg.com/leaflet@1.9.3/dist/leaflet.css"
-                  integrity="sha256-kLaT2GOSpHechhsozzB+flnD+zUyjE2LlfWPgU04xyI="
-                  crossorigin=""/>
-          <script src="https://unpkg.com/leaflet@1.9.3/dist/leaflet.js"
-                  integrity="sha256-WBkoXOwTeyKclOHuWtc+i2uENFpDZ9YPdf5Hf+D7ewM="
-                  crossorigin=""></script>
       <% end %>
         <% block.template.elements.each do |element| %>
           <article  class="organization"
diff --git a/app/views/admin/communication/extranets/_sidebar.html.erb b/app/views/admin/communication/extranets/_sidebar.html.erb
index be24c414d..8fee9f927 100644
--- a/app/views/admin/communication/extranets/_sidebar.html.erb
+++ b/app/views/admin/communication/extranets/_sidebar.html.erb
@@ -25,7 +25,7 @@
       %>
         <li class="mb-3">
           <a class="d-block py-1 <%= active ? 'text-black' : 'text-muted' %>" href="<%= object[:path] %>">
-            <i class="<%= object[:icon] %>" style="min-width: 30px"></i>
+            <i class="sidebar-icon <%= object[:icon] %>"></i>
             <%= object[:title].html_safe %>
           </a>
         </li>
diff --git a/app/views/admin/communication/photo_imports/_selector.html.erb b/app/views/admin/communication/photo_imports/_selector.html.erb
index 318a89a28..71aaadff2 100644
--- a/app/views/admin/communication/photo_imports/_selector.html.erb
+++ b/app/views/admin/communication/photo_imports/_selector.html.erb
@@ -157,7 +157,7 @@ pexels_path = admin_communication_pexels_path(website_id: nil, extranet_id: nil,
 <%# Include vue.js before call Vue.createApp %>
 <%= javascript_include_tag 'vue' %>
 
-<script>
+<script nonce=<%= request.content_security_policy_nonce %>>
   var app = Vue.createApp({
     data() {
       return {
diff --git a/app/views/admin/communication/websites/_sidebar.html.erb b/app/views/admin/communication/websites/_sidebar.html.erb
index 16b0a106a..9572cc260 100644
--- a/app/views/admin/communication/websites/_sidebar.html.erb
+++ b/app/views/admin/communication/websites/_sidebar.html.erb
@@ -52,7 +52,7 @@
       %>
         <li class="mb-3">
           <a class="d-block py-1 <%= active ? 'text-black' : 'text-muted' %>" href="<%= object[:path] %>">
-            <i class="<%= object[:icon] %>" style="min-width: 30px"></i>
+            <i class="sidebar-icon <%= object[:icon] %>"></i>
             <%= object[:title].html_safe %>
           </a>
         </li>
diff --git a/app/views/admin/layouts/application.html.erb b/app/views/admin/layouts/application.html.erb
index e87875475..d5a2bf8d9 100644
--- a/app/views/admin/layouts/application.html.erb
+++ b/app/views/admin/layouts/application.html.erb
@@ -6,7 +6,7 @@
     <title><%= content_for?(:title) ? raw("#{yield(:title)} ∙ Osuny") : 'Osuny' %></title>
     <%= csrf_meta_tags %>
     <%= csp_meta_tag %>
-    <script>
+    <script nonce=<%= request.content_security_policy_nonce %>>
     // Avoid opening menu on load
     </script>
     <%= stylesheet_link_tag "admin/#{current_admin_theme}", media: 'all' %>
diff --git a/app/views/admin/layouts/preview.html.erb b/app/views/admin/layouts/preview.html.erb
index 0e4d2be82..b85a4e9f9 100644
--- a/app/views/admin/layouts/preview.html.erb
+++ b/app/views/admin/layouts/preview.html.erb
@@ -18,6 +18,10 @@
       padding-top: 0;
     }
     </style>
+    <% if content_for?(:leaflet_required) %>
+      <%= stylesheet_link_tag 'leaflet', media: 'all' %>
+      <%= javascript_include_tag 'leaflet' %>%
+    <% end %>
   </head>
   <body class="full-width">
     <header class="hero <%= 'hero--with-image hero--image-square' if yield(:image).present? %>">
@@ -40,4 +44,5 @@
     </main>
   </body>
   <script src="https://example.osuny.org/js/preview.js"></script>
+  
 </html>
diff --git a/app/views/admin/research/journals/_sidebar.html.erb b/app/views/admin/research/journals/_sidebar.html.erb
index 3c5e1f64e..39fff2df7 100644
--- a/app/views/admin/research/journals/_sidebar.html.erb
+++ b/app/views/admin/research/journals/_sidebar.html.erb
@@ -29,7 +29,7 @@
       %>
         <li class="mb-3">
           <a class="d-block py-1 <%= active ? 'text-black' : 'text-muted' %>" href="<%= object[:path] %>">
-            <i class="<%= object[:icon] %>" style="min-width: 30px"></i>
+            <i class="sidebar-icon <%= object[:icon] %>"></i>
             <%= object[:title].html_safe %>
           </a>
         </li>
diff --git a/app/views/application/_bugsnag.html.erb b/app/views/application/_bugsnag.html.erb
index 9847d93b6..b154798d2 100644
--- a/app/views/application/_bugsnag.html.erb
+++ b/app/views/application/_bugsnag.html.erb
@@ -1,6 +1,6 @@
 <% unless Rails.env.development? %>
   <script src="//d2wy8f7a9ursnm.cloudfront.net/v7/bugsnag.min.js"></script>
-  <script type="text/javascript">
+  <script type="text/javascript" nonce=<%= request.content_security_policy_nonce %>>
     Bugsnag.start({
       apiKey: "<%= j ENV['BUGSNAG_JAVASCRIPT_KEY'] %>",
       releaseStage: "<%= j ENV['APPLICATION_ENV'] %>"
diff --git a/app/views/extranet/layouts/application.html.erb b/app/views/extranet/layouts/application.html.erb
index 1a43b0f03..b192c5fee 100644
--- a/app/views/extranet/layouts/application.html.erb
+++ b/app/views/extranet/layouts/application.html.erb
@@ -2,6 +2,10 @@
 <html>
   <head>
     <%= render 'extranet/application/head' %>
+    <% if content_for?(:leaflet_required) %>
+      <%= stylesheet_link_tag 'leaflet', media: 'all' %>
+      <%= javascript_include_tag 'leaflet' %>%
+    <% end %>
   </head>
   <body class="extranet <%= body_classes %> full-width">
     <%= render 'application/notice' %>
diff --git a/app/views/server/layouts/application.html.erb b/app/views/server/layouts/application.html.erb
index 11b3a9e84..7711d67e1 100644
--- a/app/views/server/layouts/application.html.erb
+++ b/app/views/server/layouts/application.html.erb
@@ -6,7 +6,7 @@
     <title><%= content_for?(:title) ? raw("#{yield(:title)} ∙ Osuny") : 'Osuny' %></title>
     <%= csrf_meta_tags %>
     <%= csp_meta_tag %>
-    <script>
+    <script nonce=<%= request.content_security_policy_nonce %>>
     // Avoid opening menu on load
     </script>
     <%= stylesheet_link_tag 'admin/pure', media: 'all' %>
diff --git a/app/views/server/universities/_sso_mapping.html.erb b/app/views/server/universities/_sso_mapping.html.erb
index a353ec6e6..d9adb36d4 100644
--- a/app/views/server/universities/_sso_mapping.html.erb
+++ b/app/views/server/universities/_sso_mapping.html.erb
@@ -74,7 +74,7 @@ end
 
 </div>
 
-<script>
+<script nonce=<%= request.content_security_policy_nonce %>>
   var app = Vue.createApp({
     components: {
       draggable: VueDraggableNext.VueDraggableNext,
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index b3076b38f..bac151f3b 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -4,22 +4,61 @@
 # See the Securing Rails Applications Guide for more information:
 # https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-# Rails.application.configure do
-#   config.content_security_policy do |policy|
-#     policy.default_src :self, :https
-#     policy.font_src    :self, :https, :data
-#     policy.img_src     :self, :https, :data
-#     policy.object_src  :none
-#     policy.script_src  :self, :https
-#     policy.style_src   :self, :https
-#     # Specify URI for violation reports
-#     # policy.report_uri "/csp-violation-report-endpoint"
-#   end
-#
-#   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
-#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src style-src)
-#
-#   # Report violations without enforcing the policy.
-#   # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+
+  style_urls = %w[
+  ]
+  img_urls = %w[
+  ]
+  script_urls = %w[
+    https://example.osuny.org/js/
+    https://plausible.io
+    https//d2wy8f7a9ursnm.cloudfront.net/v7/
+  ]
+  script_urls << "https://cdn.jsdelivr.net/npm/summernote@#{SummernoteRails::Rails::VERSION.split('.').take(3).join('.')}/dist/lang/"
+  
+  font_urls = %w[
+  ]
+  media_urls = %w[
+  ]
+  frame_urls = %w[
+  ]
+  child_urls = %w[
+  ]
+  connect_urls = %w[
+  ]
+  form_action_urls = %w[
+  ]
+
+  defaults = %i[self https]
+
+  config.content_security_policy do |policy|
+    policy.base_uri    :none
+    policy.default_src *defaults
+    policy.font_src    *defaults, :data, *font_urls
+    policy.img_src     *defaults, :data, *img_urls
+    policy.media_src   *defaults, *media_urls
+    policy.frame_src   *defaults, *frame_urls
+    policy.child_src   *defaults, *child_urls
+    policy.object_src  :none
+    # We specify :unsafe_inline for browsers which not support nonce.
+    # Unsafe eval is required for Vue scripts
+    policy.script_src  :self, :unsafe_inline, :unsafe_eval, *script_urls
+    policy.style_src   :self, :unsafe_inline, *style_urls
+    # If you are using webpack-dev-server then specify webpack-dev-server host
+    # policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
+    policy.connect_src *defaults, *connect_urls
+    policy.form_action *defaults, *form_action_urls
+
+    # Specify URI for violation reports
+    # policy.report_uri "/csp-violation-report-endpoint"
+  end
+
+
+  # Generate session nonces for permitted importmap, inline scripts, and inline styles.
+  config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+  config.content_security_policy_nonce_directives = %w(script-src)
+
+  # Report violations without enforcing the policy.
+  # config.content_security_policy_report_only = true
+end
diff --git a/db/schema.rb b/db/schema.rb
index 273908059..3b4f4d4bf 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -16,7 +16,7 @@
   enable_extension "plpgsql"
   enable_extension "unaccent"
 
-  create_table "action_text_rich_texts", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "action_text_rich_texts", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.string "name", null: false
     t.text "body"
     t.string "record_type", null: false
@@ -26,7 +26,7 @@
     t.index ["record_type", "record_id", "name"], name: "index_action_text_rich_texts_uniqueness", unique: true
   end
 
-  create_table "active_storage_attachments", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "active_storage_attachments", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.string "name", null: false
     t.string "record_type", null: false
     t.uuid "record_id", null: false
@@ -36,7 +36,7 @@
     t.index ["record_type", "record_id", "name", "blob_id"], name: "index_active_storage_attachments_uniqueness", unique: true
   end
 
-  create_table "active_storage_blobs", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "active_storage_blobs", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.string "key", null: false
     t.string "filename", null: false
     t.string "content_type"
@@ -50,13 +50,13 @@
     t.index ["university_id"], name: "index_active_storage_blobs_on_university_id"
   end
 
-  create_table "active_storage_variant_records", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "active_storage_variant_records", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "blob_id", null: false
     t.string "variation_digest", null: false
     t.index ["blob_id", "variation_digest"], name: "index_active_storage_variant_records_uniqueness", unique: true
   end
 
-  create_table "administration_qualiopi_criterions", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "administration_qualiopi_criterions", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.integer "number"
     t.text "name"
     t.text "description"
@@ -64,7 +64,7 @@
     t.datetime "updated_at", null: false
   end
 
-  create_table "administration_qualiopi_indicators", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "administration_qualiopi_indicators", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "criterion_id", null: false
     t.integer "number"
     t.text "name"
@@ -95,7 +95,7 @@
     t.index ["university_id"], name: "index_communication_block_headings_on_university_id"
   end
 
-  create_table "communication_blocks", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "communication_blocks", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.string "about_type"
     t.uuid "about_id"
@@ -106,8 +106,8 @@
     t.datetime "updated_at", null: false
     t.string "title"
     t.boolean "published", default: true
-    t.uuid "heading_id"
     t.uuid "communication_website_id"
+    t.uuid "heading_id"
     t.string "migration_identifier"
     t.index ["about_type", "about_id"], name: "index_communication_website_blocks_on_about"
     t.index ["communication_website_id"], name: "index_communication_blocks_on_communication_website_id"
@@ -201,7 +201,7 @@
     t.index ["university_id"], name: "index_communication_extranet_posts_on_university_id"
   end
 
-  create_table "communication_extranets", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "communication_extranets", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.string "name"
     t.uuid "university_id", null: false
     t.string "host"
@@ -229,6 +229,7 @@
     t.text "home_sentence"
     t.text "sass"
     t.text "css"
+    t.boolean "allow_experiences_modification", default: true
     t.index ["about_type", "about_id"], name: "index_communication_extranets_on_about"
     t.index ["university_id"], name: "index_communication_extranets_on_university_id"
   end
@@ -311,7 +312,7 @@
     t.index ["website_id"], name: "index_communication_website_connections_on_website_id"
   end
 
-  create_table "communication_website_git_files", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "communication_website_git_files", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.string "previous_path"
     t.string "about_type", null: false
     t.uuid "about_id", null: false
@@ -323,7 +324,7 @@
     t.index ["website_id"], name: "index_communication_website_git_files_on_website_id"
   end
 
-  create_table "communication_website_menu_items", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "communication_website_menu_items", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "website_id", null: false
     t.uuid "menu_id", null: false
@@ -343,7 +344,7 @@
     t.index ["website_id"], name: "index_communication_website_menu_items_on_website_id"
   end
 
-  create_table "communication_website_menus", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "communication_website_menus", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "communication_website_id", null: false
     t.string "title"
@@ -359,7 +360,7 @@
     t.index ["university_id"], name: "index_communication_website_menus_on_university_id"
   end
 
-  create_table "communication_website_pages", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "communication_website_pages", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "communication_website_id", null: false
     t.string "title"
@@ -373,10 +374,10 @@
     t.boolean "published", default: false
     t.string "featured_image_alt"
     t.text "text"
+    t.text "summary"
     t.string "breadcrumb_title"
     t.text "header_text"
     t.integer "kind"
-    t.text "summary"
     t.string "bodyclass"
     t.uuid "language_id", null: false
     t.text "featured_image_credit"
@@ -406,7 +407,7 @@
     t.index ["website_id"], name: "index_communication_website_permalinks_on_website_id"
   end
 
-  create_table "communication_website_post_categories", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "communication_website_post_categories", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "communication_website_id", null: false
     t.string "name"
@@ -433,7 +434,7 @@
     t.index ["university_id"], name: "index_communication_website_post_categories_on_university_id"
   end
 
-  create_table "communication_website_posts", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "communication_website_posts", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "communication_website_id", null: false
     t.string "title"
@@ -460,7 +461,7 @@
     t.index ["university_id"], name: "index_communication_website_posts_on_university_id"
   end
 
-  create_table "communication_websites", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "communication_websites", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.string "name"
     t.string "url"
@@ -531,7 +532,7 @@
     t.index ["priority", "run_at"], name: "delayed_jobs_priority"
   end
 
-  create_table "education_academic_years", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "education_academic_years", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.integer "year"
     t.datetime "created_at", null: false
@@ -546,7 +547,7 @@
     t.index ["university_person_id", "education_academic_year_id"], name: "index_person_academic_year"
   end
 
-  create_table "education_cohorts", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "education_cohorts", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "program_id", null: false
     t.uuid "academic_year_id", null: false
@@ -567,7 +568,7 @@
     t.index ["university_person_id", "education_cohort_id"], name: "index_person_cohort"
   end
 
-  create_table "education_diplomas", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "education_diplomas", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.string "name"
     t.string "short_name"
     t.integer "level", default: 0
@@ -582,7 +583,7 @@
     t.index ["university_id"], name: "index_education_diplomas_on_university_id"
   end
 
-  create_table "education_programs", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "education_programs", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.string "name"
     t.integer "capacity"
@@ -643,7 +644,7 @@
     t.index ["education_program_id", "user_id"], name: "index_education_programs_users_on_program_id_and_user_id"
   end
 
-  create_table "education_schools", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "education_schools", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.string "name"
     t.string "address"
@@ -674,7 +675,7 @@
     t.index ["university_id"], name: "index_emergency_messages_on_university_id", where: "(university_id IS NOT NULL)"
   end
 
-  create_table "imports", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "imports", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.integer "number_of_lines"
     t.jsonb "processing_errors"
     t.integer "kind"
@@ -687,7 +688,7 @@
     t.index ["user_id"], name: "index_imports_on_user_id"
   end
 
-  create_table "languages", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "languages", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.string "name"
     t.string "iso_code"
     t.datetime "created_at", null: false
@@ -763,7 +764,7 @@
     t.index ["university_id"], name: "index_research_journal_paper_kinds_on_university_id"
   end
 
-  create_table "research_journal_papers", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "research_journal_papers", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.string "title"
     t.datetime "published_at", precision: nil
     t.uuid "university_id", null: false
@@ -801,7 +802,7 @@
     t.index ["researcher_id"], name: "index_research_journal_papers_researchers_on_researcher_id"
   end
 
-  create_table "research_journal_volumes", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "research_journal_volumes", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "research_journal_id", null: false
     t.string "title"
@@ -822,7 +823,7 @@
     t.index ["university_id"], name: "index_research_journal_volumes_on_university_id"
   end
 
-  create_table "research_journals", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "research_journals", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.string "title"
     t.text "meta_description"
@@ -833,7 +834,7 @@
     t.index ["university_id"], name: "index_research_journals_on_university_id"
   end
 
-  create_table "research_laboratories", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "research_laboratories", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.string "name"
     t.string "address"
@@ -852,7 +853,7 @@
     t.index ["university_person_id", "research_laboratory_id"], name: "person_laboratory"
   end
 
-  create_table "research_laboratory_axes", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "research_laboratory_axes", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "research_laboratory_id", null: false
     t.string "name"
@@ -866,7 +867,7 @@
     t.index ["university_id"], name: "index_research_laboratory_axes_on_university_id"
   end
 
-  create_table "research_theses", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "research_theses", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "research_laboratory_id", null: false
     t.uuid "author_id", null: false
@@ -884,7 +885,7 @@
     t.index ["university_id"], name: "index_research_theses_on_university_id"
   end
 
-  create_table "universities", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "universities", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.string "name"
     t.string "identifier"
     t.string "address"
@@ -931,7 +932,7 @@
     t.index ["university_id"], name: "index_university_organization_categories_on_university_id"
   end
 
-  create_table "university_organizations", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "university_organizations", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.string "name"
     t.string "long_name"
@@ -974,7 +975,7 @@
     t.index ["organization_id"], name: "index_university_organizations_categories_on_organization_id"
   end
 
-  create_table "university_people", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "university_people", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "user_id"
     t.string "last_name"
@@ -1031,7 +1032,7 @@
     t.index ["university_id"], name: "index_university_person_categories_on_university_id"
   end
 
-  create_table "university_person_experiences", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "university_person_experiences", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "person_id", null: false
     t.uuid "organization_id", null: false
@@ -1045,7 +1046,7 @@
     t.index ["university_id"], name: "index_university_person_experiences_on_university_id"
   end
 
-  create_table "university_person_involvements", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "university_person_involvements", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.uuid "person_id", null: false
     t.integer "kind"
@@ -1060,7 +1061,7 @@
     t.index ["university_id"], name: "index_university_person_involvements_on_university_id"
   end
 
-  create_table "university_roles", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "university_roles", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.string "target_type"
     t.uuid "target_id"
@@ -1082,7 +1083,7 @@
     t.index ["user_id"], name: "index_user_favorites_on_user_id"
   end
 
-  create_table "users", id: :uuid, default: -> { "gen_random_uuid()" }, force: :cascade do |t|
+  create_table "users", id: :uuid, default: -> { "public.gen_random_uuid()" }, force: :cascade do |t|
     t.uuid "university_id", null: false
     t.string "first_name"
     t.string "last_name"
diff --git a/package.json b/package.json
index 11690b06b..df5127b10 100644
--- a/package.json
+++ b/package.json
@@ -5,6 +5,7 @@
     "codemirror": "5",
     "cropperjs": "^1.5.12",
     "jquery-cropper": "^1.0.1",
+    "leaflet": "^1.9.4",
     "notyf": "^3.10.0",
     "slug": "^5.1.0",
     "sortablejs": "^1.14.0",
diff --git a/yarn.lock b/yarn.lock
index fd10b729c..19e102a7f 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -137,6 +137,11 @@ jquery-cropper@^1.0.1:
   resolved "https://registry.yarnpkg.com/jquery-cropper/-/jquery-cropper-1.0.1.tgz#6ba9faf1c2c86c0ac3c648d40554ba53673113cf"
   integrity sha512-KGlY8b0IJQi2Bxe3lqMKmd5Z2Ce4GrnDE5O8Iciza9xCzXISkL6EqX/jFHwnLL1H6Q4FGjoRguuv3lxezsbKJQ==
 
+leaflet@^1.9.4:
+  version "1.9.4"
+  resolved "https://registry.yarnpkg.com/leaflet/-/leaflet-1.9.4.tgz#23fae724e282fa25745aff82ca4d394748db7d8d"
+  integrity sha512-nxS1ynzJOmOlHp+iL3FyWqK89GtNL8U8rvlMOsQdTTssxZwCXh8N2NB3GDQOL+YR3XnWyZAxwQixURb+FA74PA==
+
 magic-string@^0.30.0:
   version "0.30.4"
   resolved "https://registry.yarnpkg.com/magic-string/-/magic-string-0.30.4.tgz#c2c683265fc18dda49b56fc7318d33ca0332c98c"

From b34d24ee9f6d8a49909d2c899b6621fd79597001 Mon Sep 17 00:00:00 2001
From: pabois <pierreandre.boissinot@noesya.coop>
Date: Fri, 8 Dec 2023 11:11:45 +0100
Subject: [PATCH 2/4] structure

---
 .../initializers/content_security_policy.rb   | 30 +++++++------------
 1 file changed, 11 insertions(+), 19 deletions(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index bac151f3b..6d2f55b94 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -6,29 +6,21 @@
 
 Rails.application.configure do
 
-  style_urls = %w[
-  ]
-  img_urls = %w[
-  ]
-  script_urls = %w[
+  style_urls = %w()
+  img_urls = %w()
+  script_urls = %w(
     https://example.osuny.org/js/
     https://plausible.io
     https//d2wy8f7a9ursnm.cloudfront.net/v7/
-  ]
+  )
   script_urls << "https://cdn.jsdelivr.net/npm/summernote@#{SummernoteRails::Rails::VERSION.split('.').take(3).join('.')}/dist/lang/"
   
-  font_urls = %w[
-  ]
-  media_urls = %w[
-  ]
-  frame_urls = %w[
-  ]
-  child_urls = %w[
-  ]
-  connect_urls = %w[
-  ]
-  form_action_urls = %w[
-  ]
+  font_urls = %w()
+  media_urls = %w()
+  frame_urls = %w()
+  child_urls = %w()
+  connect_urls = %w()
+  form_action_urls = %w()
 
   defaults = %i[self https]
 
@@ -43,7 +35,7 @@
     policy.object_src  :none
     # We specify :unsafe_inline for browsers which not support nonce.
     # Unsafe eval is required for Vue scripts
-    policy.script_src  :self, :unsafe_inline, :unsafe_eval, *script_urls
+    policy.script_src  :self, :unsafe_eval, *script_urls
     policy.style_src   :self, :unsafe_inline, *style_urls
     # If you are using webpack-dev-server then specify webpack-dev-server host
     # policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?

From bee2459c44dfa8b27a993b2d102feb79431422f4 Mon Sep 17 00:00:00 2001
From: pabois <pierreandre.boissinot@noesya.coop>
Date: Fri, 8 Dec 2023 11:16:49 +0100
Subject: [PATCH 3/4] nonce with quotes

---
 app/views/admin/communication/blocks/edit.html.erb             | 2 +-
 app/views/admin/communication/photo_imports/_selector.html.erb | 2 +-
 app/views/admin/layouts/application.html.erb                   | 2 +-
 app/views/admin/layouts/preview.html.erb                       | 2 +-
 app/views/application/_bugsnag.html.erb                        | 2 +-
 app/views/server/layouts/application.html.erb                  | 2 +-
 app/views/server/universities/_sso_mapping.html.erb            | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/app/views/admin/communication/blocks/edit.html.erb b/app/views/admin/communication/blocks/edit.html.erb
index c5c82ac02..53c851c49 100644
--- a/app/views/admin/communication/blocks/edit.html.erb
+++ b/app/views/admin/communication/blocks/edit.html.erb
@@ -43,7 +43,7 @@
 <%# Include vue.js before call Vue.createApp %>
 <%= javascript_include_tag 'vue' %>
 
-<script nonce=<%= request.content_security_policy_nonce %>>
+<script nonce="<%= request.content_security_policy_nonce %>">
   var app = Vue.createApp({
     components: {
       draggable: VueDraggableNext.VueDraggableNext,
diff --git a/app/views/admin/communication/photo_imports/_selector.html.erb b/app/views/admin/communication/photo_imports/_selector.html.erb
index 71aaadff2..45aca8d0f 100644
--- a/app/views/admin/communication/photo_imports/_selector.html.erb
+++ b/app/views/admin/communication/photo_imports/_selector.html.erb
@@ -157,7 +157,7 @@ pexels_path = admin_communication_pexels_path(website_id: nil, extranet_id: nil,
 <%# Include vue.js before call Vue.createApp %>
 <%= javascript_include_tag 'vue' %>
 
-<script nonce=<%= request.content_security_policy_nonce %>>
+<script nonce="<%= request.content_security_policy_nonce %>">
   var app = Vue.createApp({
     data() {
       return {
diff --git a/app/views/admin/layouts/application.html.erb b/app/views/admin/layouts/application.html.erb
index d5a2bf8d9..cf5d4b6c5 100644
--- a/app/views/admin/layouts/application.html.erb
+++ b/app/views/admin/layouts/application.html.erb
@@ -6,7 +6,7 @@
     <title><%= content_for?(:title) ? raw("#{yield(:title)} ∙ Osuny") : 'Osuny' %></title>
     <%= csrf_meta_tags %>
     <%= csp_meta_tag %>
-    <script nonce=<%= request.content_security_policy_nonce %>>
+    <script nonce="<%= request.content_security_policy_nonce %>">
     // Avoid opening menu on load
     </script>
     <%= stylesheet_link_tag "admin/#{current_admin_theme}", media: 'all' %>
diff --git a/app/views/admin/layouts/preview.html.erb b/app/views/admin/layouts/preview.html.erb
index b85a4e9f9..5c348032a 100644
--- a/app/views/admin/layouts/preview.html.erb
+++ b/app/views/admin/layouts/preview.html.erb
@@ -20,7 +20,7 @@
     </style>
     <% if content_for?(:leaflet_required) %>
       <%= stylesheet_link_tag 'leaflet', media: 'all' %>
-      <%= javascript_include_tag 'leaflet' %>%
+      <%= javascript_include_tag 'leaflet' %>
     <% end %>
   </head>
   <body class="full-width">
diff --git a/app/views/application/_bugsnag.html.erb b/app/views/application/_bugsnag.html.erb
index b154798d2..435d2667b 100644
--- a/app/views/application/_bugsnag.html.erb
+++ b/app/views/application/_bugsnag.html.erb
@@ -1,6 +1,6 @@
 <% unless Rails.env.development? %>
   <script src="//d2wy8f7a9ursnm.cloudfront.net/v7/bugsnag.min.js"></script>
-  <script type="text/javascript" nonce=<%= request.content_security_policy_nonce %>>
+  <script type="text/javascript" nonce="<%= request.content_security_policy_nonce %>">
     Bugsnag.start({
       apiKey: "<%= j ENV['BUGSNAG_JAVASCRIPT_KEY'] %>",
       releaseStage: "<%= j ENV['APPLICATION_ENV'] %>"
diff --git a/app/views/server/layouts/application.html.erb b/app/views/server/layouts/application.html.erb
index 7711d67e1..bf62d98d8 100644
--- a/app/views/server/layouts/application.html.erb
+++ b/app/views/server/layouts/application.html.erb
@@ -6,7 +6,7 @@
     <title><%= content_for?(:title) ? raw("#{yield(:title)} ∙ Osuny") : 'Osuny' %></title>
     <%= csrf_meta_tags %>
     <%= csp_meta_tag %>
-    <script nonce=<%= request.content_security_policy_nonce %>>
+    <script nonce="<%= request.content_security_policy_nonce %>">
     // Avoid opening menu on load
     </script>
     <%= stylesheet_link_tag 'admin/pure', media: 'all' %>
diff --git a/app/views/server/universities/_sso_mapping.html.erb b/app/views/server/universities/_sso_mapping.html.erb
index d9adb36d4..1c51ceb03 100644
--- a/app/views/server/universities/_sso_mapping.html.erb
+++ b/app/views/server/universities/_sso_mapping.html.erb
@@ -74,7 +74,7 @@ end
 
 </div>
 
-<script nonce=<%= request.content_security_policy_nonce %>>
+<script nonce="<%= request.content_security_policy_nonce %>">
   var app = Vue.createApp({
     components: {
       draggable: VueDraggableNext.VueDraggableNext,

From 51d89d4028f1ea90a355b16eee1722f6d4178d34 Mon Sep 17 00:00:00 2001
From: pabois <pierreandre.boissinot@noesya.coop>
Date: Fri, 8 Dec 2023 11:18:24 +0100
Subject: [PATCH 4/4] oups

---
 app/views/extranet/layouts/application.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/extranet/layouts/application.html.erb b/app/views/extranet/layouts/application.html.erb
index b192c5fee..f6f93c0fb 100644
--- a/app/views/extranet/layouts/application.html.erb
+++ b/app/views/extranet/layouts/application.html.erb
@@ -4,7 +4,7 @@
     <%= render 'extranet/application/head' %>
     <% if content_for?(:leaflet_required) %>
       <%= stylesheet_link_tag 'leaflet', media: 'all' %>
-      <%= javascript_include_tag 'leaflet' %>%
+      <%= javascript_include_tag 'leaflet' %>
     <% end %>
   </head>
   <body class="extranet <%= body_classes %> full-width">