Release 2024-10-11

Makefile

@@ -36,6 +36,27 @@ fe-up:
 up:
 	make -j 2 be-up fe-up
 
+# For testing different SSO methods
+be-up-claveunica:
+	docker compose down
+	BASE_DEV_URI=https://claveunica-h2dkc.loca.lt docker compose up -d
+	lt --print-requests --port 3000 --subdomain claveunica-h2dkc
+
+be-up-nemlogin:
+	docker compose down
+	BASE_DEV_URI=https://nemlogin-k3kd.loca.lt docker compose up -d
+	lt --print-requests --port 3000 --subdomain nemlogin-k3kd
+
+be-up-idaustria:
+	docker compose down
+	BASE_DEV_URI=https://idaustria-g3fy.loca.lt docker compose up -d
+	lt --print-requests --port 3000 --subdomain idaustria-g3fy
+
+be-up-keycloak:
+	docker compose down
+	BASE_DEV_URI=https://keycloak-r3tyu.loca.lt docker compose up -d
+	lt --print-requests --port 3000 --subdomain keycloak-r3tyu
+
 # Run it with:
 # make c
 # # or

back/Gemfile

@@ -233,6 +233,7 @@ commercial_engines = [
   'id_franceconnect',
   'id_gent_rrn',
   'id_id_card_lookup',
+  'id_keycloak',
   'id_nemlog_in',
   'id_oostende_rrn',
   # Some engines actually register an authentication method rather

back/Gemfile.lock

@@ -155,6 +155,14 @@ PATH
       savon (>= 2.12, < 2.15)
       verification
 
+PATH
+  remote: engines/commercial/id_keycloak
+  specs:
+    id_keycloak (0.1.0)
+      omniauth_openid_connect (~> 0.7.1)
+      rails (~> 7.0)
+      verification
+
 PATH
   remote: engines/commercial/id_nemlog_in
   specs:
@@ -1288,6 +1296,7 @@ DEPENDENCIES
   id_gent_rrn!
   id_hoplr!
   id_id_card_lookup!
+  id_keycloak!
   id_nemlog_in!
   id_oostende_rrn!
   id_vienna_saml!

back/app/controllers/web_api/v1/ideas_controller.rb

@@ -48,7 +48,7 @@ def index
   def index_mini
     ideas = IdeasFinder.new(
       params,
-      scope: policy_scope(Idea).where(publication_status: 'published'),
+      scope: policy_scope(Idea).submitted_or_published,
       current_user: current_user
     ).find_records
     ideas = paginate SortByParamsService.new.sort_ideas(ideas, params, current_user)
@@ -60,7 +60,7 @@ def index_mini
   def index_idea_markers
     ideas = IdeasFinder.new(
       params,
-      scope: policy_scope(Idea).where(publication_status: 'published'),
+      scope: policy_scope(Idea).submitted_or_published,
       current_user: current_user
     ).find_records
     ideas = paginate SortByParamsService.new.sort_ideas(ideas, params, current_user)
@@ -72,7 +72,7 @@ def index_idea_markers
   def index_xlsx
     ideas = IdeasFinder.new(
       params.merge(filter_can_moderate: true),
-      scope: policy_scope(Idea).where(publication_status: 'published'),
+      scope: policy_scope(Idea).submitted_or_published,
       current_user: current_user
     ).find_records
     ideas = SortByParamsService.new.sort_ideas(ideas, params, current_user)

back/app/policies/idea_policy.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 class IdeaPolicy < ApplicationPolicy
-  EXCLUDED_REASONS_FOR_UPDATE = %w[posting_disabled posting_limited_max_reached].freeze
   class Scope
     attr_reader :user, :scope
 
@@ -17,6 +16,7 @@ def resolve
         scope
           .submitted_or_published.where(author: user)
           .or(scope.published)
+          .or(scope.where(id: sponsored_ideas))
           .where(project: Pundit.policy_scope(user, Project))
       else
         scope
@@ -25,6 +25,16 @@ def resolve
           .where(projects: { visible_to: 'public', admin_publications: { publication_status: %w[published archived] } })
       end
     end
+
+    private
+
+    def sponsored_ideas
+      # Small optimization, where we check the feature flag to avoid the extra
+      # query, since this feature is turned off way more often than turned on
+      return [] unless AppConfiguration.instance.feature_activated?('input_cosponsorship')
+
+      Idea.joins(:cosponsorships).where(cosponsorships: { user_id: user.id })
+    end
   end
 
   def index_xlsx?
@@ -52,6 +62,7 @@ def show?
 
     project_show = ProjectPolicy.new(user, record.project).show?
     return true if project_show && %w[draft published].include?(record.publication_status)
+    return true if record.cosponsors.include?(user)
 
     active? && (owner? || UserRoleService.new.can_moderate_project?(record.project, user))
   end
@@ -67,16 +78,12 @@ def draft_by_phase?
   def update?
     return false if !record.participation_method_on_creation.supports_edits_after_publication? && record.published? && !record.will_be_published?
     return true if (record.draft? && owner?) || (user && UserRoleService.new.can_moderate_project?(record.project, user))
-    return false unless active? && owner? && ProjectPolicy.new(user, record.project).show?
-    return false if record.participation_method_on_creation.use_reactions_as_votes? && record.reactions.where.not(user_id: user.id).exists?
-    return false if record.creation_phase&.prescreening_enabled && record.published?
+    return false if !active? || !owner?
 
-    posting_denied_reason = Permissions::ProjectPermissionsService.new(record.project, user).denied_reason_for_action 'posting_idea'
+    permission_action = record.will_be_published? ? 'posting_idea' : 'editing_idea'
+    posting_denied_reason = Permissions::IdeaPermissionsService.new(record, user).denied_reason_for_action permission_action
+    raise_not_authorized(posting_denied_reason) if posting_denied_reason
 
-    if posting_denied_reason
-      ignored_reasons = record.will_be_published? ? [] : EXCLUDED_REASONS_FOR_UPDATE
-      raise_not_authorized(posting_denied_reason) unless posting_denied_reason.in?(ignored_reasons)
-    end
     true
   end
 

back/app/policies/project_policy.rb

@@ -80,15 +80,9 @@ def create?
   end
 
   def show?
-    active_moderator? || (
-      %w[published archived].include?(record.admin_publication.publication_status) && (
-        record.visible_to == 'public' || (
-          user &&
-          record.visible_to == 'groups' &&
-          user.in_any_groups?(record.groups)
-        )
-      )
-    )
+    return false if Permissions::ProjectPermissionsService.new(record, user).project_visible_disabled_reason
+
+    active_moderator? || %w[published archived].include?(record.admin_publication.publication_status)
   end
 
   def by_slug?

back/app/serializers/web_api/v1/idea_mini_serializer.rb

@@ -2,4 +2,5 @@
 
 class WebApi::V1::IdeaMiniSerializer < WebApi::V1::BaseSerializer
   attributes :title_multiloc
+  attributes :slug
 end

back/app/services/permissions/base_permissions_service.rb

@@ -1,6 +1,8 @@
 module Permissions
   class BasePermissionsService
     SUPPORTED_ACTIONS = %w[
+      following
+      visiting
       posting_initiative
       commenting_initiative
       reacting_initiative
@@ -32,6 +34,8 @@ def initialize(user, user_requirements_service: nil)
     end
 
     def denied_reason_for_action(action, scope: nil)
+      return unless supported_action? action
+
       permission = find_permission(action, scope: scope)
       user_denied_reason(permission)
     end
@@ -41,9 +45,7 @@ def denied_reason_for_action(action, scope: nil)
     attr_reader :user, :user_requirements_service
 
     def supported_action?(action)
-      return true if SUPPORTED_ACTIONS.include? action
-
-      raise "Unsupported action: #{action}"
+      SUPPORTED_ACTIONS.include? action
     end
 
     def find_permission(action, scope: nil)
@@ -58,8 +60,6 @@ def find_permission(action, scope: nil)
         end
       end
 
-      raise "Unknown action '#{action}' for scope: #{scope}" if !permission
-
       permission
     end
 

back/app/services/permissions/idea_permissions_service.rb

@@ -1,7 +1,10 @@
 module Permissions
   class IdeaPermissionsService < ProjectPermissionsService
     IDEA_DENIED_REASONS = {
-      idea_not_in_current_phase: 'idea_not_in_current_phase'
+      idea_not_in_current_phase: 'idea_not_in_current_phase',
+      votes_exist: 'votes_exist',
+      published_after_screening: 'published_after_screening',
+      not_author: 'not_author'
     }.freeze
 
     def initialize(idea, user, user_requirements_service: nil)
@@ -10,12 +13,33 @@ def initialize(idea, user, user_requirements_service: nil)
     end
 
     def denied_reason_for_action(action, reaction_mode: nil, delete_action: false)
-      reason = super
-      return reason if reason
+      case action
+      when 'editing_idea'
+        # We have different order of rules for editing_idea, in order to:
+        # 1) Support editing of ideas by admins/moderators, even if the project
+        #    is no longer active
+        # 2) Performance optimization for the active descriptor, first checking
+        #    whether user is the author before doing more heavier checks
+        #    involving permissions and votes
+        return if user && UserRoleService.new.can_moderate_project?(idea.project, user)
+        return IDEA_DENIED_REASONS[:not_author] if (idea.author_id != user&.id) || idea.author_id.nil? || !user&.active?
 
-      current_phase = @timeline_service.current_phase_not_archived project
-      if current_phase && !idea_in_current_phase?(current_phase)
-        IDEA_DENIED_REASONS[:idea_not_in_current_phase]
+        reason = super
+        return reason if reason
+
+        return IDEA_DENIED_REASONS[:votes_exist] if idea.participation_method_on_creation.use_reactions_as_votes? && idea.reactions.where.not(user_id: user&.id).exists?
+
+        IDEA_DENIED_REASONS[:published_after_screening] if idea.creation_phase&.prescreening_enabled && idea.published?
+      else
+        reason = super
+        return reason if reason
+        return if user && UserRoleService.new.can_moderate_project?(idea.project, user)
+
+        # The input does not need to be in the current phase for editing.
+        # We preserved the behaviour that was already there, but we're not
+        # sure if this is the desired behaviour.
+        current_phase = @timeline_service.current_phase_not_archived project
+        IDEA_DENIED_REASONS[:idea_not_in_current_phase] if current_phase && !idea_in_current_phase?(current_phase)
       end
     end
 
@@ -24,6 +48,7 @@ def denied_reason_for_reaction_mode(reaction_mode, delete_action: false)
     end
 
     def action_descriptors
+      editing_disabled_reason = denied_reason_for_action 'editing_idea'
       commenting_disabled_reason = denied_reason_for_action 'commenting_idea'
       liking_disabled_reason = denied_reason_for_action 'reacting_idea', reaction_mode: 'up'
       disliking_disabled_reason = denied_reason_for_action 'reacting_idea', reaction_mode: 'down'
@@ -32,6 +57,11 @@ def action_descriptors
       comment_reacting_disabled_reason = commenting_disabled_reason
 
       {
+        editing_idea: {
+          enabled: !editing_disabled_reason,
+          disabled_reason: editing_disabled_reason,
+          future_enabled_at: editing_disabled_reason && future_enabled_phase('editing_idea')&.start_at
+        },
         commenting_idea: {
           enabled: !commenting_disabled_reason,
           disabled_reason: commenting_disabled_reason,

back/app/services/permissions/phase_permissions_service.rb

@@ -58,6 +58,8 @@ def denied_reason_for_action(action, reaction_mode: nil, delete_action: false)
       phase_denied_reason = case action
       when 'posting_idea'
         posting_idea_denied_reason_for_action
+      when 'editing_idea'
+        editing_idea_denied_reason_for_action
       when 'commenting_idea'
         commenting_idea_denied_reason_for_action
       when 'reacting_idea'
@@ -73,12 +75,10 @@ def denied_reason_for_action(action, reaction_mode: nil, delete_action: false)
       when 'volunteering'
         volunteering_denied_reason_for_phase
       else
-        raise "Unsupported action: #{action}" unless SUPPORTED_ACTIONS.include?(action)
+        raise "Unsupported action: #{action}" if !supported_action? action
       end
       return phase_denied_reason if phase_denied_reason
 
-      return unless supported_action? action
-
       super(action, scope: phase)
     end
 
@@ -97,6 +97,12 @@ def posting_idea_denied_reason_for_action
       end
     end
 
+    def editing_idea_denied_reason_for_action
+      if !participation_method.supports_submission?
+        POSTING_DENIED_REASONS[:posting_not_supported] # TODO: Rename to sumbission_not_supported
+      end
+    end
+
     def commenting_idea_denied_reason_for_action
       if !participation_method.supports_commenting?
         COMMENTING_DENIED_REASONS[:commenting_not_supported]

back/app/services/permissions/project_permissions_service.rb

@@ -91,11 +91,6 @@ def action_descriptors
       }
     end
 
-    private
-
-    attr_reader :project
-
-    # Project methods
     def project_visible_disabled_reason
       user_can_moderate = user && UserRoleService.new.can_moderate?(project, user)
       return if user_can_moderate
@@ -106,6 +101,10 @@ def project_visible_disabled_reason
       end
     end
 
+    private
+
+    attr_reader :project
+
     def project_archived_disabled_reason
       return unless project.admin_publication.archived?
 

back/config/initializers/omniauth.rb

@@ -5,7 +5,9 @@
 end
 
 # See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+# TODO: Change all implementations to use POST requests
 OmniAuth.config.allowed_request_methods = %i[post get]
+OmniAuth.config.silence_get_warning = true
 
 OmniAuth.config.full_host = lambda { |_env|
   AppConfiguration.instance&.base_backend_uri

back/db/structure.sql

@@ -2122,7 +2122,7 @@ CREATE TABLE public.cosponsors_initiatives (
 --
 
 CREATE TABLE public.cosponsorships (
-    id uuid DEFAULT gen_random_uuid() NOT NULL,
+    id uuid DEFAULT shared_extensions.gen_random_uuid() NOT NULL,
     status character varying DEFAULT 'pending'::character varying NOT NULL,
     user_id uuid NOT NULL,
     idea_id uuid NOT NULL,

back/engines/commercial/id_keycloak/app/lib/id_keycloak/feature_specification.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'citizen_lab/mixins/feature_specification'
+
+module IdKeycloak
+  module FeatureSpecification
+    extend CitizenLab::Mixins::FeatureSpecification
+
+    def self.feature_name
+      'keycloak_login'
+    end
+
+    def self.feature_title
+      'Keycloak (ID-Porten) Login'
+    end
+
+    def self.feature_description
+      'Allow users to authenticate with a Norwegian ID-Porten (via Keycloak) account.'
+    end
+
+    def self.allowed_by_default
+      false
+    end
+
+    def self.enabled_by_default
+      false
+    end
+  end
+end