Merge branch 'master' into feature/#1919_abo-filter

.github/workflows/tests.yml

@@ -14,11 +14,17 @@ on:
       - 'doc/**'
       - '**.md'
   workflow_dispatch: # Allow triggering manually
+    inputs:
+      core_ref:
+        description: Use a specific version of the core for the workflow run. Defaults to master.
+        type: string
+        default: 'master'
 jobs:
   wagon_tests:
     uses: hitobito/hitobito/.github/workflows/wagon-tests.yml@master
     with:
       wagon_repository: ${{ github.event.repository.name }}
+      core_ref: ${{ inputs.core_ref }}
     secrets:
       HEARTBEAT_URL: ${{ secrets.HEARTBEAT_URL }}
       HEARTBEAT_TOKEN: ${{ secrets.HEARTBEAT_TOKEN }}

.gitignore

@@ -16,10 +16,14 @@ zeus.json
 Gemfile.lock
 
 # reports
+/coverage
 spec/coverage
 spec/reports
 brakeman-output.tabs
 rubocop-results.xml
 config/environment.rb
+
 .envrc
 .tool-versions
+.nvimrc
+tags

.rubocop.yml

@@ -1,4 +1,6 @@
-inherit_from: ../hitobito/.rubocop.yml
+inherit_from:
+  - ../hitobito/.rubocop.yml
+  - .rubocop_todo.yml
 
 AllCops:
   Exclude:

.rubocop_todo.yml

@@ -0,0 +1,27 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config --auto-gen-only-exclude --no-exclude-limit`
+# on 2024-07-10 12:25:37 UTC using RuboCop version 1.64.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Configuration parameters: Include, AllowReads, AllowWrites.
+# Include: app/**/*.rb, config/initializers/**/*.rb, lib/**/*.rb
+Rails/EnvironmentVariableAccess:
+  Exclude:
+    - 'lib/hitobito_youth/wagon.rb'
+
+# Offense count: 2
+# Configuration parameters: IgnoreScopes, Include.
+# Include: app/models/**/*.rb
+Rails/InverseOf:
+  Exclude:
+    - 'app/models/youth/person.rb'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Rails/RedundantPresenceValidationOnBelongsTo:
+  Exclude:
+    - 'app/models/people_manager.rb'

.ruby-version

@@ -1 +1 @@
-3.0.6
+3.2.3

.tool-versions

@@ -1,3 +1,3 @@
-ruby 3.0.6
-nodejs 14.18.1
+ruby 3.2.3
+nodejs 16.15.0
 yarn 1.22.19

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Hitobito Changelog
 
+## Unreleased
+
+* AHV-Nummern wurde als globale Frage für alle Anlässe hinzugefügt. Es muss für jeden neuen Anlass ausgewählt werden, ob die Antwort auf diese Frage obligatorisch, optional oder versteckt sein soll. Diese Antworten dafür werden im NDS-Export des jeweiligen Anlasses berücksichtigt. (hitobito_youth#58)
+
 ## Version 1.30
 
 * Es können neu die eigenen Kinder direkt am Anlass angemeldet werden. Kinder werden entweder auf der Person hinterlegt oder können bei der Anlass-Anmeldung direkt neu angelegt werden. (#1969)

Gemfile

@@ -1,15 +1,14 @@
-# encoding: utf-8
-load File.expand_path('../app_root.rb', __FILE__)
+load File.expand_path("../app_root.rb", __FILE__)
 
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Declare your gem's dependencies in hitobito_youth.gemspec.
 # Bundler will treat runtime dependencies like base dependencies, and
 # development dependencies will be added by default to the :development group.
 gemspec
 
 # Load application Gemfile for all application dependencies.
-eval File.read(File.expand_path('Gemfile', ENV['APP_ROOT']))
+eval File.read(File.expand_path("Gemfile", ENV["APP_ROOT"])) # rubocop:disable Security/Eval
 
 group :development, :test do
   # Explicitly define the path for dependencies on other wagons.

Rakefile

@@ -17,5 +17,3 @@ load 'rspec/rails/tasks/rspec.rake'
 require 'ci/reporter/rake/rspec' unless Rails.env.production?
 
 HitobitoYouth::Wagon.load_tasks
-
-task 'test:prepare' => 'db:test:prepare'

app/abilities/ability_without_manager_abilities.rb

@@ -11,7 +11,6 @@
 # ability class to take the inherited abilities into account. This ability class here
 # allows us to revert back to the core behaviour in the few places where we need it.
 class AbilityWithoutManagerAbilities < Ability
-
   private
 
   def define_user_abilities(current_store, current_user_context)

app/abilities/people_manager_ability.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+#  Copyright (c) 2024, Schweizer Alpen-Club. This file is part of
+#  hitobito and licensed under the Affero General Public License version 3
+#  or later. See the COPYING file at the top-level directory or at
+#  https://github.com/hitobito/hitobito_youth.
+
+class PeopleManagerAbility < AbilityDsl::Base
+  on(PeopleManager) do
+    class_side(:index).everybody
+    permission(:any).may(:new_managed, :new_manager).everybody
+    permission(:any).may(:create_managed, :destroy_managed).if_can_change_managed
+    permission(:any).may(:create_manager, :destroy_manager).if_can_change_manager
+  end
+
+  def if_can_change_manager
+    can?(:change_managers, subject.managed) || creating_new_managed_person?
+  end
+
+  def if_can_change_managed
+    can?(:update, subject.manager)
+  end
+
+  private
+
+  def creating_new_managed_person?
+    subject.managed&.new_record? &&
+      FeatureGate.enabled?("people.people_managers.self_service_managed_creation")
+  end
+
+  def can?(action, person)
+    ability.can?(action, person)
+  end
+
+  def ability
+    @ability ||= Ability.new(user)
+  end
+end

app/abilities/youth/ability.rb

@@ -19,7 +19,6 @@
 # generating additional "can :foo, :bar" statements (but only the ones which
 # originate inside a for_self_or_manageds block in the ability DSL).
 module Youth::Ability
-
   private
 
   def define_user_abilities(current_store, current_user_context, include_manageds = true)

app/abilities/youth/ability_dsl/config.rb

@@ -8,12 +8,10 @@
 # Extends the ability configs from core with the possibility
 # to add options.
 module Youth::AbilityDsl::Config
-
   attr_reader :options
 
   def initialize(permission, subject_class, action, ability_class, constraint, options = {})
     super(permission, subject_class, action, ability_class, constraint)
     @options = options
   end
-
 end

app/abilities/youth/ability_dsl/recorder.rb

@@ -11,7 +11,6 @@
 # In other words, if the abilities defined in a for_self_or_manageds block are granted
 # to my child, I automatically get the same abilities.
 module Youth::AbilityDsl::Recorder
-
   def for_self_or_manageds
     return unless block_given?
 
@@ -32,13 +31,12 @@ module Base
 
       def add_config(permission, action, constraint)
         @store.add(AbilityDsl::Config.new(permission,
-                                          @subject_class,
-                                          action,
-                                          @ability_class,
-                                          constraint,
-                                          { include_manageds: self.include_manageds }))
+          @subject_class,
+          action,
+          @ability_class,
+          constraint,
+          {include_manageds: include_manageds}))
       end
     end
   end
-
 end

app/abilities/youth/ability_dsl/store.rb

@@ -9,13 +9,11 @@
 # stored ability configs and keep only the ones which a manager can inherit from their
 # manageds (children).
 module Youth::AbilityDsl::Store
-
   def only_manager_inheritable
     filtered_configs = configs.select { |_, config| config.options[:include_manageds] }
     AbilityDsl::Store.new.tap do |clone|
       clone.instance_variable_set(:@ability_classes, ability_classes)
       clone.instance_variable_set(:@configs, filtered_configs)
     end
   end
-
 end

app/abilities/youth/event/application_ability.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 #  Copyright (c) 2023, Pfadibewegung Schweiz. This file is part of
 #  hitobito_youth and licensed under the Affero General Public License version 3
 #  or later. See the COPYING file at the top-level directory or at

app/abilities/youth/event/invitation_ability.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 #  Copyright (c) 2023, Pfadibewegung Schweiz. This file is part of
 #  hitobito_youth and licensed under the Affero General Public License version 3
 #  or later. See the COPYING file at the top-level directory or at

app/abilities/youth/event/participation_ability.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 #  Copyright (c) 2012-2023, Pfadibewegung Schweiz. This file is part of
 #  hitobito_youth and licensed under the Affero General Public License version 3
 #  or later. See the COPYING file at the top-level directory or at
@@ -12,8 +10,8 @@ module Youth::Event::ParticipationAbility
     on(Event::Participation) do
       # abilities which managers inherit from their managed children
       permission(:any).may(:show).her_own_or_manager_or_for_participations_read_events
-      permission(:any).may(:show_details, :print).
-        her_own_or_manager_or_for_participations_full_events
+      permission(:any).may(:show_details, :print)
+        .her_own_or_manager_or_for_participations_full_events
 
       for_self_or_manageds do
         permission(:any).may(:create).her_own_if_application_possible
@@ -23,12 +21,12 @@ module Youth::Event::ParticipationAbility
 
       permission(:any).may(:cancel, :absent, :assign, :attend).for_participations_full_events
       permission(:group_full).may(:cancel, :reject, :absent, :assign, :attend).in_same_group
-      permission(:group_and_below_full).
-        may(:cancel, :reject, :absent, :assign, :attend).
-        in_same_group_or_below
+      permission(:group_and_below_full)
+        .may(:cancel, :reject, :absent, :assign, :attend)
+        .in_same_group_or_below
       permission(:layer_full).may(:cancel, :reject, :absent, :assign, :attend).in_same_layer
-      permission(:layer_and_below_full).may(:cancel, :reject, :absent, :assign, :attend).
-        in_same_layer
+      permission(:layer_and_below_full).may(:cancel, :reject, :absent, :assign, :attend)
+        .in_same_layer
 
       permission(:layer_full).may(:create_tentative).person_in_same_layer
       permission(:layer_and_below_full).may(:create_tentative).person_in_same_layer_or_visible_below
@@ -92,5 +90,4 @@ def visible_below
   def tentative_group_ids
     event.groups.flat_map { |g| g.self_and_descendants.pluck(:id) + g.hierarchy.pluck(:id) }
   end
-
 end

app/abilities/youth/event/participation_contact_data_ability.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 #  Copyright (c) 2023, Pfadibewegung Schweiz. This file is part of
 #  hitobito_youth and licensed under the Affero General Public License version 3
 #  or later. See the COPYING file at the top-level directory or at

app/abilities/youth/event_ability.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 #  Copyright (c) 2012-2023, Pfadibewegung Schweiz. This file is part of
 #  hitobito_youth and licensed under the Affero General Public License version 3
 #  or later. See the COPYING file at the top-level directory or at
@@ -18,28 +16,27 @@ module Youth::EventAbility
     end
 
     on(Event::Course) do
-
       for_self_or_manageds do
         # abilities which managers inherit from their managed children
         class_side(:list_available).if_any_role
         permission(:any).may(:show).in_same_layer_or_globally_visible_or_participating_or_public
       end
 
-      permission(:any).
-        may(:index_revoked_participations, :list_tentatives).
-        for_participations_full_events
-      permission(:group_full).
-        may(:index_revoked_participations, :list_tentatives).
-        in_same_group
-      permission(:group_and_below_full).
-        may(:index_revoked_participations, :list_tentatives).
-        in_same_group_or_below
-      permission(:layer_full).
-        may(:index_revoked_participations, :list_tentatives).
-        in_same_layer
-      permission(:layer_and_below_full).
-        may(:index_revoked_participations, :list_tentatives).
-        in_same_layer_or_below
+      permission(:any)
+        .may(:index_revoked_participations, :list_tentatives)
+        .for_participations_full_events
+      permission(:group_full)
+        .may(:index_revoked_participations, :list_tentatives)
+        .in_same_group
+      permission(:group_and_below_full)
+        .may(:index_revoked_participations, :list_tentatives)
+        .in_same_group_or_below
+      permission(:layer_full)
+        .may(:index_revoked_participations, :list_tentatives)
+        .in_same_layer
+      permission(:layer_and_below_full)
+        .may(:index_revoked_participations, :list_tentatives)
+        .in_same_layer_or_below
 
       general(:list_tentatives).if_tentative_applications?
     end

app/abilities/youth/group_ability.rb

@@ -1,5 +1,3 @@
-# encoding: utf-8
-
 #  Copyright (c) 2012-2014, Pfadibewegung Schweiz. This file is part of
 #  hitobito_youth and licensed under the Affero General Public License version 3
 #  or later. See the COPYING file at the top-level directory or at

app/abilities/youth/person_ability.rb

@@ -14,25 +14,33 @@ module Youth::PersonAbility
     on(Person) do
       # Managers have almost all base permissions on the managed person
       for_self_or_manageds do
-        permission(:any).
-          may(:show, :show_details, :show_full, :history, :update, :update_email, :primary_group,
-              :log, :totp_reset).
-          herself
+        permission(:any)
+          .may(:show, :show_details, :show_full, :history, :update, :update_email, :primary_group,
+            :log, :totp_reset)
+          .herself
+
+        class_side(:create_households).if_any_writing_permission_or_any_manageds
       end
 
       # People with update permission on a managed person also have the permission to update the
       # managers of that managed person
-      permission(:group_full).may(:change_managers).
-        non_restricted_in_same_group_except_self
-      permission(:group_and_below_full).may(:change_managers).
-        non_restricted_in_same_group_or_below_except_self
-      permission(:layer_full).may(:change_managers).
-        non_restricted_in_same_layer_except_self
-      permission(:layer_and_below_full).may(:change_managers).
-        non_restricted_in_same_layer_or_visible_below_except_self
+      permission(:group_full).may(:change_managers)
+        .non_restricted_in_same_group_except_self
+      permission(:group_and_below_full).may(:change_managers)
+        .non_restricted_in_same_group_or_below_except_self
+      permission(:layer_full).may(:change_managers)
+        .non_restricted_in_same_layer_except_self
+      permission(:layer_and_below_full).may(:change_managers)
+        .non_restricted_in_same_layer_or_visible_below_except_self
+
+      class_side(:lookup_manageds).if_any_writing_permissions
     end
   end
 
+  def if_any_writing_permission_or_any_manageds
+    if_any_writing_permissions || user_context.user.manageds.any?
+  end
+
   def non_restricted_in_same_group_except_self
     non_restricted_in_same_group && !herself
   end
@@ -48,5 +56,4 @@ def non_restricted_in_same_layer_except_self
   def non_restricted_in_same_layer_or_visible_below_except_self
     non_restricted_in_same_layer_or_visible_below && !herself
   end
-
 end