Merge branch 'main' into fix-backlinks

Gemfile

@@ -44,7 +44,7 @@ gem "i18n_date_range"
 gem "image_processing"
 gem "jbuilder"
 gem "jquery-rails"
-gem "jquery-ui-rails", "~> 6.0.1"
+gem "jquery-ui-rails", git: "https://github.com/jquery-ui-rails/jquery-ui-rails.git", tag: "v7.0.0"
 gem "kamifusen"#, path: "../kamifusen"
 gem "kaminari"
 gem "leaflet-rails"

Gemfile.lock

+GIT
+  remote: https://github.com/jquery-ui-rails/jquery-ui-rails.git
+  revision: 413265e81f790f795239e07e7e25e01429b2f18d
+  tag: v7.0.0
+  specs:
+    jquery-ui-rails (7.0.0)
+      railties (>= 3.2.16)
+
 GIT
   remote: https://github.com/noesya/summernote-rails.git
   revision: 32fd182c929cdcacaa6e3bd3569871bd025fa669
@@ -8,9 +16,9 @@ GIT
 
 GIT
   remote: https://github.com/noesya/two_factor_authentication.git
-  revision: 16fb01e5731c2b08ef0885134e5e0bdec2ed87ff
+  revision: a3505e961baf7cb0bf68bb3a6349aeaf5e1baf97
   specs:
-    two_factor_authentication (4.1.1)
+    two_factor_authentication (4.1.2)
       devise
       encryptor
       rails (>= 3.1.1)
@@ -112,20 +120,20 @@ GEM
     autoprefixer-rails (10.4.16.0)
       execjs (~> 2)
     aws-eventstream (1.3.0)
-    aws-partitions (1.859.0)
-    aws-sdk-core (3.188.0)
-      aws-eventstream (~> 1, >= 1.0.2)
+    aws-partitions (1.863.0)
+    aws-sdk-core (3.190.0)
+      aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.5)
+      aws-sigv4 (~> 1.8)
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.73.0)
+    aws-sdk-kms (1.74.0)
       aws-sdk-core (~> 3, >= 3.188.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.140.0)
-      aws-sdk-core (~> 3, >= 3.188.0)
+    aws-sdk-s3 (1.141.0)
+      aws-sdk-core (~> 3, >= 3.189.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.6)
-    aws-sigv4 (1.7.0)
+      aws-sigv4 (~> 1.8)
+    aws-sigv4 (1.8.0)
       aws-eventstream (~> 1, >= 1.0.2)
     base64 (0.2.0)
     bcrypt (3.1.20)
@@ -248,7 +256,7 @@ GEM
     ffi (1.16.3)
     figaro (1.2.0)
       thor (>= 0.14.0, < 2)
-    font-awesome-sass (6.4.2)
+    font-awesome-sass (6.5.1)
       sassc (~> 2.0)
     front_matter_parser (1.0.1)
     geo_calc (0.7.8)
@@ -298,7 +306,7 @@ GEM
       mini_magick (>= 4.9.5, < 5)
       ruby-vips (>= 2.0.17, < 3)
     io-console (0.6.0)
-    irb (1.9.1)
+    irb (1.10.1)
       rdoc
       reline (>= 0.3.8)
     jbuilder (2.11.5)
@@ -309,9 +317,7 @@ GEM
       rails-dom-testing (>= 1, < 3)
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
-    jquery-ui-rails (6.0.1)
-      railties (>= 3.2.16)
-    json (2.6.3)
+    json (2.7.1)
     jwt (2.7.1)
     kamifusen (1.11.2)
       image_processing
@@ -369,7 +375,7 @@ GEM
     nesty (1.0.2)
     net-http (0.4.0)
       uri
-    net-imap (0.4.6)
+    net-imap (0.4.7)
       date
       net-protocol
     net-pop (0.1.2)
@@ -378,7 +384,7 @@ GEM
       timeout
     net-smtp (0.4.0)
       net-protocol
-    nio4r (2.6.1)
+    nio4r (2.7.0)
     nokogiri (1.15.5-arm64-darwin)
       racc (~> 1.4)
     nokogiri (1.15.5-x86_64-darwin)
@@ -405,7 +411,7 @@ GEM
     omniauth-saml (2.1.0)
       omniauth (~> 2.0)
       ruby-saml (~> 1.12)
-    open-uri (0.4.0)
+    open-uri (0.4.1)
       stringio
       time
       uri
@@ -428,7 +434,7 @@ GEM
       rack (>= 1.2.0)
     rack-protection (3.1.0)
       rack (~> 2.2, >= 2.2.4)
-    rack-session (1.0.1)
+    rack-session (1.0.2)
       rack (< 3)
     rack-test (2.1.0)
       rack (>= 1.3)
@@ -474,10 +480,10 @@ GEM
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
-    rdoc (6.6.0)
+    rdoc (6.6.1)
       psych (>= 4.0.0)
-    regexp_parser (2.8.2)
-    reline (0.4.0)
+    regexp_parser (2.8.3)
+    reline (0.4.1)
       io-console (~> 0.5)
     requests (1.0.2)
     require_all (3.0.0)
@@ -654,7 +660,7 @@ DEPENDENCIES
   image_processing
   jbuilder
   jquery-rails
-  jquery-ui-rails (~> 6.0.1)
+  jquery-ui-rails!
   kamifusen
   kaminari
   leaflet-rails

app/assets/javascripts/admin/commons/association.js

@@ -10,8 +10,8 @@ $(function () {
                 type: 'POST',
                 url: target,
                 data: {
-                    objectId: id,
-                    objectType: type
+                    'object_id': id,
+                    'object_type': type
                 }
             }).done(function () {
                 location.reload();

app/assets/javascripts/application/plugins/ujs.js

+/*global $, jQuery */
+/* This allow ujs requests to automatically inject nonce */
+$(function () {
+    'use strict';
+    $.ajaxSetup({
+        converters: {
+            'text script': function (text) {
+                jQuery.globalEval(text, { nonce: $('meta[name="csp-nonce"]').attr('content') });
+                return text;
+            }
+        }
+    });
+});
\ No newline at end of file

app/assets/javascripts/devise.js

@@ -9,6 +9,5 @@
 //= require cropperjs/dist/cropper
 //= require jquery-cropper/dist/jquery-cropper
 //= require_self
-//= require_tree ./admin/plugins
 
 window.osuny = {};

app/assets/javascripts/leaflet.js

+//= require leaflet/dist/leaflet.js
\ No newline at end of file

app/assets/stylesheets/admin/commons/sidebar.sass

+.sidebar-icon
+    min-width: 30px
\ No newline at end of file

app/assets/stylesheets/leaflet.sass

+@import 'leaflet/dist/leaflet'
\ No newline at end of file

app/controllers/admin/communication/blocks/headings_controller.rb

@@ -20,7 +20,12 @@ class Admin::Communication::Blocks::HeadingsController < Admin::Communication::B
   end
 
   def new
-    @heading.about = PolymorphicObjectFinder.find params, :about
+    @heading.about = PolymorphicObjectFinder.find(
+      params,
+      key: :about,
+      university: current_university,
+      only: Communication::Block::Heading.permitted_about_types
+    )
     breadcrumb
   end
 

app/controllers/admin/communication/blocks_controller.rb

@@ -18,7 +18,12 @@ class Admin::Communication::BlocksController < Admin::Communication::Application
   end
 
   def new
-    @block.about = PolymorphicObjectFinder.find params, :about
+    @block.about = PolymorphicObjectFinder.find(
+      params,
+      key: :about,
+      university: current_university,
+      only: Communication::Block.permitted_about_types
+    )
     breadcrumb
   end
 
@@ -61,12 +66,17 @@ class Admin::Communication::BlocksController < Admin::Communication::Application
     return unless request.xhr?
     cookies.signed[Communication::Block::BLOCK_COPY_COOKIE] = {
       value: params[:id],
-      path: '/admin' 
+      path: '/admin'
     }
   end
 
   def paste
-    about = PolymorphicObjectFinder.find(params, :about)
+    about = PolymorphicObjectFinder.find(
+      params,
+      key: :about,
+      university: current_university,
+      only: Communication::Block.permitted_about_types
+    )
     # On réattribue à @block pour bénéficier du calcul dans about_path
     @block = @block.paste(about)
     cookies.delete(Communication::Block::BLOCK_COPY_COOKIE, path: '/admin')

app/controllers/admin/communication/contents_controller.rb

@@ -13,8 +13,12 @@ class Admin::Communication::ContentsController < Admin::Communication::Applicati
   protected
 
   def load_about
-    @about = PolymorphicObjectFinder.find(params, :about)
-    raise_403_unless @about.university == current_university
+    @about = PolymorphicObjectFinder.find(
+      params,
+      key: :about,
+      university: current_university,
+      only: Communication::Block.permitted_about_types
+    )
     raise_403_unless can?(:edit, @about)
   end
 end
\ No newline at end of file

app/controllers/admin/communication/extranets/contacts_controller.rb

@@ -53,8 +53,11 @@ class Admin::Communication::Extranets::ContactsController < Admin::Communication
   protected
 
   def load_object
-    object_type = params[:objectType]
-    object_id = params[:objectId]
-    @object = object_type.constantize.find object_id
+    @object = PolymorphicObjectFinder.find(
+      params,
+      key: :object,
+      university: current_university,
+      only: Communication::Extranet::Connection.permitted_about_types
+    )
   end
 end

app/controllers/admin/communication/websites/pages_controller.rb

@@ -134,9 +134,12 @@ class Admin::Communication::Websites::PagesController < Admin::Communication::We
   protected
 
   def load_object
-    object_type = params[:objectType]
-    object_id = params[:objectId]
-    @object = object_type.constantize.find object_id
+    @object = PolymorphicObjectFinder.find(
+      params,
+      key: :object,
+      university: current_university,
+      only: [@page.class.direct_connection_permitted_about_type]
+    )
   end
 
   def breadcrumb

app/controllers/admin/communication/websites/permalinks_controller.rb

@@ -2,7 +2,12 @@ class Admin::Communication::Websites::PermalinksController < Admin::Communicatio
 
   def create
     @path = params['communication_website_permalink']['path']
-    @about = PolymorphicObjectFinder.find(params, :about)
+    @about = PolymorphicObjectFinder.find(
+      params,
+      key: :about,
+      university: current_university,
+      only: Communication::Website::Permalink.permitted_about_types
+    )
     @permalink = @about.add_redirection(@path)
   end
 end
\ No newline at end of file

app/controllers/admin/users_controller.rb

@@ -21,9 +21,12 @@ class Admin::UsersController < Admin::ApplicationController
 
   def favorite
     operation = params[:operation]
-    id = params[:about_id]
-    type = params[:about_type]
-    about = type.constantize.find id
+    about = PolymorphicObjectFinder.find(
+      params,
+      key: :about,
+      university: current_university,
+      only: User::Favorite.permitted_about_types
+    )
     if operation == 'add'
       current_user.add_favorite(about)
     else

app/controllers/server/websites_controller.rb

 class Server::WebsitesController < Server::ApplicationController
-  before_action :load_website, except: :index
+  before_action :load_websites, only: [:index, :manage_versions, :update_all_themes]
+  before_action :load_website, except: [:index, :manage_versions, :update_all_themes]
 
   has_scope :for_theme_version
   has_scope :for_production
@@ -8,10 +9,22 @@ class Server::WebsitesController < Server::ApplicationController
   has_scope :for_updatable_theme
 
   def index
-    @websites = apply_scopes(Communication::Website.all).ordered
     breadcrumb
   end
 
+  def manage_versions
+    load_filters
+    breadcrumb
+    add_breadcrumb "Gestion des versions"
+  end
+
+  def update_all_themes
+    @websites.find_each do |website|
+      website.clean_and_rebuild
+    end
+    redirect_back(fallback_location: manage_versions_server_websites_path, notice: t('server_admin.websites.update_all_themes_notice'))
+  end
+
   def sync_theme_version
     @website.get_current_theme_version!
   end
@@ -38,6 +51,10 @@ class Server::WebsitesController < Server::ApplicationController
     add_breadcrumb Communication::Website.model_name.human(count: 2), server_websites_path
   end
 
+  def load_websites
+    @websites = apply_scopes(Communication::Website.all).ordered
+  end
+
   def load_website
     @website = Communication::Website.find params[:id]
   end

app/models/application_record.rb

 class ApplicationRecord < ActiveRecord::Base
   self.abstract_class = true
+
+  def self.models_with_concern(concern)
+    descendants.select { |model|
+      model.included_modules.include?(concern)
+    }
+  end
+
+  def self.model_names_with_concern(concern)
+    models_with_concern(concern).map(&:name)
+  end
 end

app/models/communication/block.rb

@@ -102,6 +102,10 @@ class Communication::Block < ApplicationRecord
   before_save :attach_template_blobs
   before_validation :set_university_and_website_from_about, on: :create
 
+  def self.permitted_about_types
+    ApplicationRecord.model_names_with_concern(WithBlocks)
+  end
+
   # When we set data from json, we pass it to the template.
   # The json we save is first sanitized and prepared by the template.
   def data=(value)

app/models/communication/block/component/text.rb

 class Communication::Block::Component::Text < Communication::Block::Component::Base
 
   def data=(value)
-    @data = Osuny::Sanitizer.sanitize value, 'string'
+    @data = Osuny::Sanitizer.sanitize value, 'text'
   end
 
   def full_text

app/models/communication/block/heading.rb

@@ -51,6 +51,10 @@ class Communication::Block::Heading < ApplicationRecord
 
   before_validation :compute_level
 
+  def self.permitted_about_types
+    ApplicationRecord.model_names_with_concern(WithBlocks)
+  end
+
   def references
     [about]
   end