From 7e1edef8a0315f499a51a9ff2e9ada56efd04f77 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 13 May 2020 08:37:49 +0200 Subject: [PATCH 01/22] [bug] when an admin logs on the subscription page, his view is broken Also: Prevent admins from leaving their dedicated group --- CHANGELOG.md | 3 +++ app/assets/javascripts/controllers/plans.js.erb | 4 ++-- app/services/members/members_service.rb | 6 ++++++ config/locales/en.yml | 1 + 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 62eafbce6..e064b0d4c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog Fab-manager +- Prevent admins from leaving their dedicated group +- Fix a bug: when an admin logs on the subscription page, his view is broken + ## v4.4.1 2020 May 12 - Prevent VersionCheckWorker from polluting the sidekiq stack in development diff --git a/app/assets/javascripts/controllers/plans.js.erb b/app/assets/javascripts/controllers/plans.js.erb index 7f4fa4386..19fbc30cf 100644 --- a/app/assets/javascripts/controllers/plans.js.erb +++ b/app/assets/javascripts/controllers/plans.js.erb @@ -197,10 +197,10 @@ Application.Controllers.controller('PlansIndexController', ['$scope', '$rootScop } } - $scope.$on('devise:new-session', function (event, user) { $scope.ctrl.member = user; }); + $scope.$on('devise:new-session', function (event, user) { if (user.role !== 'admin') { $scope.ctrl.member = user; } }); // watch when a coupon is applied to re-compute the total price - return $scope.$watch('coupon.applied', function (newValue, oldValue) { + $scope.$watch('coupon.applied', function (newValue, oldValue) { if ((newValue !== null) || (oldValue !== null)) { return updateCartPrice(); } diff --git a/app/services/members/members_service.rb b/app/services/members/members_service.rb index a5f63ca8e..991a192a9 100644 --- a/app/services/members/members_service.rb +++ b/app/services/members/members_service.rb 
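Review bot: The new `devise:new-session` handler on the first changed line reads `user.role` without checking that `user` is set; if that event can ever be broadcast without a user object (not visible from this hunk), the handler now throws where the old code merely stored null, so `if (user && user.role !== 'admin')` would keep the fix and the previous tolerance. The reason admins are skipped is only recorded in the commit title; a one-line comment such as `// an admin session must not replace ctrl.member: it breaks the subscription view` would save the next reader the trip to the changelog. The enclosing controller function starts and ends outside the hunk.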
@@ -15,6 +15,12 @@ class Members::MembersService
return false
end
+ if params[:group_id] && params[:group_id].to_i != Group.find_by(slug: 'admins').id && @member.admin?
+ # an admin cannot change his group
+ @member.errors.add(:group_id, I18n.t('members.admins_cant_change_group'))
+ return false
+ end
+
not_complete = member.need_completion?
up_result = member.update(params)
diff --git a/config/locales/en.yml b/config/locales/en.yml
index b4d4eff67..38e57f15a 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -53,6 +53,7 @@ en:
#members management
members:
unable_to_change_the_group_while_a_subscription_is_running: "Unable to change the group while a subscription is running"
+ admins_cant_change_group: "Unable to remove an administrator from his dedicated group"
please_input_the_authentication_code_sent_to_the_address: "Please input the authentication code sent to the e-mail address %{EMAIL}"
your_authentication_code_is_not_valid: "Your authentication code is not valid."
current_authentication_method_no_code: "The current authentication method does not require any migration code"
From ca7a50baccb0bfa87c4ddedc8ea3e4184c66bbc8 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 13 May 2020 10:59:16 +0200 Subject: [PATCH 02/22] [bug] admin's members list shows the same members multiple times --- CHANGELOG.md | 1 + app/services/members/list_service.rb | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e064b0d4c..5b1fabfd5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
- Prevent admins from leaving their dedicated group
- Fix a bug: when an admin logs on the subscription page, his view is broken
+- Fix a bug: admin's members list shows the same members multiple times
## v4.4.1 2020 May 12
diff --git a/app/services/members/list_service.rb b/app/services/members/list_service.rb
index 7b7c8d429..4f2f6c8ab 100644
--- a/app/services/members/list_service.rb
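Review bot: `Group.find_by(slug: 'admins').id` on the first added line raises NoMethodError when no group with that slug exists, and the query runs on every member update because `@member.admin?` is evaluated last. Putting the cheap role check first and failing loudly on a missing group, `if @member.admin? && params[:group_id] && params[:group_id].to_i != Group.find_by!(slug: 'admins').id`, keeps this privilege guard from being bypassed by a mis-seeded database and skips the lookup for ordinary members. The hunk also mixes `@member` on the added lines with `member` on the context lines; if `member` is a reader for the same object, one spelling would be clearer. The enclosing method starts and ends outside the hunk.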
+++ b/app/services/members/list_service.rb @@ -16,7 +16,7 @@ class Members::ListService SELECT MAX("created_at") AS "s2_created_at", "statistic_profile_id" AS "s2_statistic_profile_id" FROM "subscriptions" GROUP BY "statistic_profile_id" - ) As s2 + ) AS s2 ON "s1"."statistic_profile_id" = "s2"."s2_statistic_profile_id" WHERE "s1"."expiration_date" > now()::date ) AS "subscriptions" ON "subscriptions"."statistic_profile_id" = "statistic_profiles"."id" ' \ @@ -78,7 +78,7 @@ class Members::ListService direction = (params[:order_by][0] == '-' ? 'DESC' : 'ASC') order_key = (params[:order_by][0] == '-' ? params[:order_by][1, params[:order_by].size] : params[:order_by]) limit = params[:size] - offset = (params[:page]&.to_i || 1) - 1 + offset = ((params[:page]&.to_i || 1) - 1) * (params[:size]&.to_i || 1) order_key = case order_key when 'last_name' @@ -97,7 +97,7 @@ class Members::ListService 'users.id' end - "#{order_key} #{direction} LIMIT #{limit} OFFSET #{offset}" + "#{order_key} #{direction}, users.id ASC LIMIT #{limit} OFFSET #{offset}" end end end From b18bc2a97e3ef504702b12de339a75651ed0b5ea Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 13 May 2020 12:15:29 +0200 Subject: [PATCH 03/22] Downgraded faraday from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196) --- CHANGELOG.md | 1 + Gemfile | 1 + Gemfile.lock | 3 ++- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b1fabfd5..4be00df17 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # Changelog Fab-manager - Prevent admins from leaving their dedicated group +- Downgraded faraday from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196) - Fix a bug: when an admin logs on the subscription page, his view is broken - Fix a bug: admin's members list shows the same members multiple times diff --git a/Gemfile b/Gemfile index dfe35d9bd..4526e6a3f 100644 --- a/Gemfile +++ b/Gemfile 
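Review bot: The rewritten ORDER/LIMIT string at the end of the last hunk still interpolates `limit` verbatim, and `limit = params[:size]` (a context line of the previous hunk) is a raw request parameter, whereas `offset` is now integer-cast; coerce it the same way, `limit = params[:size]&.to_i`, so only an integer can reach the SQL (`order_key` is already mapped through the `case` whitelist and `direction` is a fixed literal, so those two are fine). In the previous hunk `((params[:page]&.to_i || 1) - 1) * (params[:size]&.to_i || 1)` goes negative for `page=0` or a negative page, which the database rejects as an error rather than an empty page; clamping with `[..., 0].max` keeps the response well-formed. The enclosing method starts outside the hunk.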
@@ -115,6 +115,7 @@ gem 'prawn-table' gem 'elasticsearch-model', '~> 5' gem 'elasticsearch-persistence', '~> 5' gem 'elasticsearch-rails', '~> 5' +gem 'faraday', '~> 0.17' gem 'notify_with' diff --git a/Gemfile.lock b/Gemfile.lock index 5513821f6..3f7b54744 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -165,7 +165,7 @@ GEM execjs (2.7.0) faker (2.10.2) i18n (>= 1.6, < 2) - faraday (1.0.0) + faraday (0.17.3) multipart-post (>= 1.2, < 3) ffi (1.12.2) font-awesome-rails (4.7.0.5) @@ -484,6 +484,7 @@ DEPENDENCIES elasticsearch-persistence (~> 5) elasticsearch-rails (~> 5) faker + faraday (~> 0.17) font-awesome-rails foreman forgery From a275fd462add08da08d5f9504d1ff8e1226d0911 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 13 May 2020 12:17:30 +0200 Subject: [PATCH 04/22] New translations en.yml (French) --- config/locales/fr.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/locales/fr.yml b/config/locales/fr.yml index f4335218c..f30b9f7be 100644 --- a/config/locales/fr.yml +++ b/config/locales/fr.yml @@ -53,6 +53,7 @@ fr: #members management members: unable_to_change_the_group_while_a_subscription_is_running: "Impossible de changer le groupe tant qu'un abonnement est en cours" + admins_cant_change_group: "Unable to remove an administrator from his dedicated group" please_input_the_authentication_code_sent_to_the_address: "Merci d'enter le code d'authentification qui a été envoyé à l'adresse de courriel %{EMAIL}" your_authentication_code_is_not_valid: "Votre code d'authentification n'est pas valide." current_authentication_method_no_code: "La méthode d'authentification actuelle ne requiert pas de code de migration" From c8121b78b90d2097ccda4cf67230139f9b74e343 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 13 May 2020 12:17:40 +0200 Subject: [PATCH 05/22] New translations en.yml (Spanish) --- config/locales/es.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/locales/es.yml b/config/locales/es.yml index 764028fb7..e5a17c705 100644 
--- a/config/locales/es.yml +++ b/config/locales/es.yml @@ -53,6 +53,7 @@ es: #members management members: unable_to_change_the_group_while_a_subscription_is_running: "No se puede cambiar de grupo mientras haya una suscripción en curso" + admins_cant_change_group: "Unable to remove an administrator from his dedicated group" please_input_the_authentication_code_sent_to_the_address: "Por favor Ingrese el código de autenticación enviado a la dirección de correo electrónico %{EMAIL}" your_authentication_code_is_not_valid: "Su código de autenticación no es válido." current_authentication_method_no_code: "El método de autenticación actual no requiere ningún código de migración" From 3f35308ad54ddc5f192eca98eb2a53d711544c22 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 13 May 2020 12:17:48 +0200 Subject: [PATCH 06/22] New translations en.yml (Zulu) --- config/locales/zu.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/locales/zu.yml b/config/locales/zu.yml index fc2868d77..ed2d331a5 100644 --- a/config/locales/zu.yml +++ b/config/locales/zu.yml @@ -53,6 +53,7 @@ zu: #members management members: unable_to_change_the_group_while_a_subscription_is_running: "crwdns3275:0crwdne3275:0" + admins_cant_change_group: "crwdns20496:0crwdne20496:0" please_input_the_authentication_code_sent_to_the_address: "crwdns3277:0%{EMAIL}crwdne3277:0" your_authentication_code_is_not_valid: "crwdns3279:0crwdne3279:0" current_authentication_method_no_code: "crwdns3281:0crwdne3281:0" From 39c6a6cc4d97c6edd9dbf07c25deadc4d7d63bf1 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 13 May 2020 12:17:51 +0200 Subject: [PATCH 07/22] New translations en.yml (Portuguese) --- config/locales/pt.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/locales/pt.yml b/config/locales/pt.yml index baf95e3dc..e4e9b1af2 100755 --- a/config/locales/pt.yml +++ b/config/locales/pt.yml 
@@ -53,6 +53,7 @@ pt: #members management members: unable_to_change_the_group_while_a_subscription_is_running: "Não é possível alterar o grupo enquanto uma assinatura está sendo executada" + admins_cant_change_group: "Unable to remove an administrator from his dedicated group" please_input_the_authentication_code_sent_to_the_address: "Por favor insira o código de autenticação enviado para seu endereço de email %{EMAIL}" your_authentication_code_is_not_valid: "Seu código de autentiicação não é válido." current_authentication_method_no_code: "O método de autenticação atual não requer nenhum código de migração" From 826d3cd4b7231abab698823795cc687ec0361e6f Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 13 May 2020 14:03:58 +0200 Subject: [PATCH 08/22] Added an option to allow usage in production without HTTPS --- CHANGELOG.md | 3 ++- config/initializers/session_store.rb | 4 +++- config/secrets.yml | 4 ++++ doc/environment.md | 7 +++++++ env.example | 1 + setup/env.example | 1 + 6 files changed, 18 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4be00df17..e5d7f5ba4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,8 @@ # Changelog Fab-manager - Prevent admins from leaving their dedicated group -- Downgraded faraday from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196) +- Faraday was downgraded from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196) +- Added an option to allow usage in production without HTTPS - Fix a bug: when an admin logs on the subscription page, his view is broken - Fix a bug: admin's members list shows the same members multiple times diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index 3e0085a3c..d9c5c4111 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb 
@@ -2,4 +2,6 @@
# Be sure to restart your server when you modify this file.
-Rails.application.config.session_store :cookie_store, key: '_Fab-manager_session', secure: (Rails.env.production? || Rails.env.staging?)
+Rails.application.config.session_store :cookie_store,
+ key: '_Fab-manager_session',
+ secure: (Rails.env.production? || Rails.env.staging?) && !Rails.application.secrets.allow_insecure_http
diff --git a/config/secrets.yml b/config/secrets.yml
index f864f9dc1..6a261a3ec 100644
--- a/config/secrets.yml
+++ b/config/secrets.yml
@@ -56,6 +56,7 @@ development:
superadmin_email: <%= ENV["SUPERADMIN_EMAIL"] %>
recaptcha_site_key: <%= ENV["RECAPTCHA_SITE_KEY"] %>
recaptcha_secret_key: <%= ENV["RECAPTCHA_SECRET_KEY"] %>
+ allow_insecure_http: <%= ENV.fetch("ALLOW_INSECURE_HTTP", false) %>
test:
secret_key_base: 83daf5e7b80d990f037407bab78dff9904aaf3c195a50f84fa8695a22287e707dfbd9524b403b1dcf116ae1d8c06844c3d7ed942564e5b46be6ae3ead93a9d30
@@ -103,6 +104,7 @@ test:
superadmin_email: <%= ENV["SUPERADMIN_EMAIL"] %>
recaptcha_site_key: <%= ENV["RECAPTCHA_SITE_KEY"] %>
recaptcha_secret_key: <%= ENV["RECAPTCHA_SECRET_KEY"] %>
+ allow_insecure_http: <%= ENV.fetch("ALLOW_INSECURE_HTTP", false) %>
staging:
secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
@@ -160,6 +162,7 @@ staging:
recaptcha_site_key: <%= ENV["RECAPTCHA_SITE_KEY"] %>
recaptcha_secret_key: <%= ENV["RECAPTCHA_SECRET_KEY"] %>
enable_in_context_translation: <%= ENV["ENABLE_IN_CONTEXT_TRANSLATION"] %>
+ allow_insecure_http: <%= ENV.fetch("ALLOW_INSECURE_HTTP", false) %>
# Do not keep production secrets in the repository,
# instead read values from the environment.
@@ -218,3 +221,4 @@ production:
superadmin_email: <%= ENV["SUPERADMIN_EMAIL"] %>
recaptcha_site_key: <%= ENV["RECAPTCHA_SITE_KEY"] %>
recaptcha_secret_key: <%= ENV["RECAPTCHA_SECRET_KEY"] %>
+ allow_insecure_http: <%= ENV.fetch("ALLOW_INSECURE_HTTP", false) %>
diff --git a/doc/environment.md b/doc/environment.md
index 90d713044..717f82d58 100644
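Review bot: The opt-out on the last added line of the session_store hunk fails open: `allow_insecure_http` is whatever YAML makes of `ENV.fetch("ALLOW_INSECURE_HTTP", false)` in the four secrets.yml hunks on this line, so an operator who writes `ALLOW_INSECURE_HTTP=0` (or any other string YAML does not read as a boolean) gets a truthy value and `secure:` silently becomes false in production. Casting to a real boolean, `secure: (Rails.env.production? || Rails.env.staging?) && !ActiveModel::Type::Boolean.new.cast(Rails.application.secrets.allow_insecure_http)`, makes only the documented `true` disable the flag. A `Rails.logger.warn` at boot when the cookie is deliberately left insecure would also make that state visible in the logs, which the doc/environment.md warning cannot do.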
--- a/doc/environment.md +++ b/doc/environment.md @@ -265,6 +265,13 @@ You can change this behavior by setting this variable to one of the following va - "once" to keep the default behavior. - "session" to display the tours each time you reopen the application. - "manual" to prevent displaying the tours automatically; you'll still be able to trigger them by pressing the F1 key. + + + ALLOW_INSECURE_HTTP + +In production and staging environments, the session cookie won't be sent to the server unless through the HTTPS protocol. +If you're using Fab-manager on a non-public network or for testing purposes, you can disable this behavior by setting this variable to `true`. +Please, ensure you know what you're doing, as this can lead to serious security issues. ## Internationalization setting. diff --git a/env.example b/env.example index 739f04dae..16130e8e7 100644 --- a/env.example +++ b/env.example @@ -71,6 +71,7 @@ SUMMERNOTE_LOCALE=fr-FR ANGULAR_LOCALE=fr-fr FULLCALENDAR_LOCALE=fr FORCE_VERSION_CHECK=false +ALLOW_INSECURE_HTTP=false ELASTICSEARCH_LANGUAGE_ANALYZER=french diff --git a/setup/env.example b/setup/env.example index 37a2edd57..65a19af58 100644 --- a/setup/env.example +++ b/setup/env.example @@ -72,6 +72,7 @@ NAVINUM_API_PASSWORD= LOG_LEVEL=debug DISK_SPACE_MB_ALERT='100' SUPERADMIN_EMAIL= +ALLOW_INSECURE_HTTP=false ALLOWED_EXTENSIONS=pdf ai eps cad math svg stl dxf dwg obj step iges igs 3dm 3dmf doc docx png ino scad fcad skp sldprt sldasm slddrw slddrt tex latex ps fcstd fcstd1 From bc99ac0ebb37094b3986cab1152f80cdf9e1f7d3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 May 2020 16:30:40 +0000 Subject: [PATCH 09/22] Bump actionpack-page_caching from 1.1.0 to 1.2.1 Bumps [actionpack-page_caching](https://github.com/rails/actionpack-page_caching) from 1.1.0 to 1.2.1. - [Release notes](https://github.com/rails/actionpack-page_caching/releases) - [Changelog](https://github.com/rails/actionpack-page_caching/blob/master/CHANGELOG.md) - [Commits](https://github.com/rails/actionpack-page_caching/compare/v1.1.0...v1.2.1) Signed-off-by: dependabot[bot] --- Gemfile | 2 +- Gemfile.lock | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Gemfile b/Gemfile index dfe35d9bd..7c610d531 100644 --- a/Gemfile +++ b/Gemfile @@ -122,7 +122,7 @@ gem 'pundit' gem 'oj' -gem 'actionpack-page_caching', '1.1.0' +gem 'actionpack-page_caching', '1.2.1' gem 'rails-observers' gem 'chroma' diff --git a/Gemfile.lock b/Gemfile.lock index 5513821f6..3973c72c9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -39,8 +39,8 @@ GEM rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionpack-page_caching (1.1.0) - actionpack (>= 4.0.0, < 6) + actionpack-page_caching (1.2.1) + actionpack (>= 5.0.0) actionview (5.2.4.2) activesupport (= 5.2.4.2) builder (~> 3.1) @@ -221,7 +221,7 @@ GEM listen (3.0.8) rb-fsevent (~> 0.9, >= 0.9.4) rb-inotify (~> 0.9, >= 0.9.7) - loofah (2.4.0) + loofah (2.5.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.1) @@ -432,7 +432,7 @@ GEM camertron-eprun cldr-plurals-runtime-rb (~> 1.0) tzinfo - tzinfo (1.2.6) + tzinfo (1.2.7) thread_safe (~> 0.1) uglifier (4.2.0) execjs (>= 0.3.0, < 3) @@ -463,7 +463,7 @@ PLATFORMS DEPENDENCIES aasm - actionpack-page_caching (= 1.1.0) + actionpack-page_caching (= 1.2.1) active_record_query_trace api-pagination apipie-rails From dc2ae51b07d2bfd8fa8c970819f7ab5d56ebafad Mon Sep 17 00:00:00 2001 
From: Joel Shprentz Date: Fri, 15 May 2020 17:36:43 -0400 Subject: [PATCH 10/22] Add missing ? to create? method name. --- app/policies/training_policy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/policies/training_policy.rb b/app/policies/training_policy.rb
index 585f1d7b5..6fb3d1215 100644
--- a/app/policies/training_policy.rb
+++ b/app/policies/training_policy.rb
@@ -8,7 +8,7 @@ class TrainingPolicy < ApplicationPolicy
end
end
- def create
+ def create?
user.admin?
end
From af136cab714018aea5bc1e64f22d76f9b3b1f6d2 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 18 May 2020 09:14:27 +0200 Subject: [PATCH 11/22] New translations en.yml (French) --- config/locales/fr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
index f30b9f7be..009fec28e 100644
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@@ -53,7 +53,7 @@ fr:
#members management
members:
unable_to_change_the_group_while_a_subscription_is_running: "Impossible de changer le groupe tant qu'un abonnement est en cours"
- admins_cant_change_group: "Unable to remove an administrator from his dedicated group"
+ admins_cant_change_group: "Impossible de supprimer un administrateur de son groupe dédié"
please_input_the_authentication_code_sent_to_the_address: "Merci d'enter le code d'authentification qui a été envoyé à l'adresse de courriel %{EMAIL}"
your_authentication_code_is_not_valid: "Votre code d'authentification n'est pas valide."
current_authentication_method_no_code: "La méthode d'authentification actuelle ne requiert pas de code de migration"
From 879bc7b58a2f5d4b1f7586baeb1e8bec6ef6ddfc Mon Sep 17 00:00:00 2001
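Review bot: Renaming `create` to `create?` in the training_policy hunk changes which rule Pundit resolves for training creation, so the `user.admin?` check on the context line only starts to apply with this commit; a policy test asserting that a non-admin is denied `create?` and an admin is allowed would pin the fix, and none of the CHANGELOG hunks in this series mentions it. Which rule applied before (presumably a default inherited from ApplicationPolicy) cannot be seen from the hunk. The enclosing class starts and ends outside the hunk.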
From: Sylvain Date: Mon, 18 May 2020 10:28:30 +0200 Subject: [PATCH 12/22] upgrade to ruby 2.6 --- .ruby-version | 2 +- Dockerfile | 2 +- Gemfile | 2 +- Gemfile.lock | 8 ++++---- README.md | 2 +- doc/development_readme.md | 2 +- provision/box_setup.zsh | 6 +++--- 7 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.ruby-version b/.ruby-version index a9eea9a34..d7edb5686 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -ruby-2.3.8 +ruby-2.6.5 diff --git a/Dockerfile b/Dockerfile index 04e5c8428..a6119a10b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:2.3.8-alpine +FROM ruby:2.6.5-alpine MAINTAINER peng@sleede.com # Install upgrade system packages diff --git a/Gemfile b/Gemfile index a88aec5c8..0d0268f9a 100644 --- a/Gemfile +++ b/Gemfile @@ -19,7 +19,7 @@ gem 'sass-rails', '~> 5.0', '>= 5.0.6' # Use Uglifier as compressor for JavaScript assets gem 'uglifier', '>= 4.1.20' # See https://github.com/sstephenson/execjs#readme for more supported runtimes -gem 'therubyracer', '= 0.12.0', platforms: :ruby +gem 'therubyracer', '= 0.12.3', platforms: :ruby # Use jquery as the JavaScript library gem 'jquery-rails' diff --git a/Gemfile.lock b/Gemfile.lock index 9726ec897..42eb02d7a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -419,8 +419,8 @@ GEM ffi term-ansicolor (1.7.1) tins (~> 1.0) - therubyracer (0.12.0) - libv8 (~> 3.16.14.0) + therubyracer (0.12.3) + libv8 (~> 3.16.14.15) ref thor (1.0.1) thread_safe (0.3.6) @@ -534,11 +534,11 @@ DEPENDENCIES spring-watcher-listen (~> 2.0.0) stripe (= 5.1.1) sys-filesystem - therubyracer (= 0.12.0) + therubyracer (= 0.12.3) uglifier (>= 4.1.20) vcr (= 3.0.1) web-console (>= 3.3.0) webmock BUNDLED WITH - 1.17.3 + 2.1.4 diff --git a/README.md b/README.md index 01a4d8e53..29fb01742 100644 --- a/README.md +++ b/README.md 
@@ -111,7 +111,7 @@ Before reporting an issue, please check if your issue is not listed in the [know ## Related Documentation -- [Ruby 2.3.0](http://ruby-doc.org/core-2.3.0/) +- [Ruby 2.6.5](http://ruby-doc.org/core-2.6.5/) - [Ruby on Rails](http://api.rubyonrails.org) - [AngularJS](https://docs.angularjs.org/api) - [Angular-Bootstrap](http://angular-ui.github.io/bootstrap/) diff --git a/doc/development_readme.md b/doc/development_readme.md index 23839225d..7a681f880 100644 --- a/doc/development_readme.md +++ b/doc/development_readme.md @@ -93,7 +93,7 @@ This procedure is not easy to follow so if you don't need to write some code for 10. Install bundler in the current RVM gemset ```bash - gem install bundler --version=1.17.3 + gem install bundler ``` 11. Install the required ruby gems and javascript plugins diff --git a/provision/box_setup.zsh b/provision/box_setup.zsh index a266beefb..491e2598b 100755 --- a/provision/box_setup.zsh +++ b/provision/box_setup.zsh @@ -157,11 +157,11 @@ install_rvm() { install_ruby() { echo 'Installing Ruby' sudo apt-get install -y libxml2-dev libxslt1-dev libpq-dev libidn11-dev - rvm install ruby-2.3.8 - rvm use ruby-2.3.8@global + rvm install ruby-2.6.5 + rvm use ruby-2.6.5@global gem update --system --no-doc gem update --no-doc - rvm use ruby-2.3.8 --default + rvm use ruby-2.6.5 --default rvm cleanup all } From 9f922322a7c0fa41ce74269175130bd05b1be7d9 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 18 May 2020 11:08:06 +0200 Subject: [PATCH 13/22] install bundler before use in dockerfile --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index a6119a10b..b93014ac6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -28,6 +28,8 @@ RUN apk update && apk upgrade && \ git \ patch +RUN gem install bundler + # Throw error if Gemfile has been modified since Gemfile.lock RUN bundle config --global frozen 1 From da2489d462fd04978d078d47255a88ca7401e3e2 Mon Sep 17 00:00:00 2001 
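Review bot: `RUN gem install bundler` on the added line of the Dockerfile hunk installs whatever bundler version is current at build time, while the Gemfile.lock hunk of the previous patch records `BUNDLED WITH 2.1.4`; a mismatch may surface as a warning or failure at the `bundle config --global frozen 1` step on the next context line, and an unpinned install also makes the image non-reproducible. Pinning it, `RUN gem install bundler -v 2.1.4`, matches the lockfile. The doc/development_readme.md hunk on this line drops the same pin (`gem install bundler --version=1.17.3` becomes `gem install bundler`) and could keep a version for the same reason.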
From: Sylvain Date: Mon, 18 May 2020 11:23:20 +0200 Subject: [PATCH 14/22] updated CHANGELOG --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e5d7f5ba4..7312e4d61 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,12 @@ # Changelog Fab-manager +- Upgraded to ruby 2.6.5 - Prevent admins from leaving their dedicated group - Faraday was downgraded from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196) - Added an option to allow usage in production without HTTPS - Fix a bug: when an admin logs on the subscription page, his view is broken - Fix a bug: admin's members list shows the same members multiple times +- Fix a security issue: updated actionpack-page_caching from 1.1.0 to 1.2.1 to fix [CVE-2020-8159](https://nvd.nist.gov/vuln/detail/CVE-2020-8159) ## v4.4.1 2020 May 12 From 50dbc78bbf7a3e1eeac14b1fc2f153a8269cb7f2 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 18 May 2020 13:12:13 +0200 Subject: [PATCH 15/22] use nodeJS instead of deprecated therubyracer for uglifier > execjs --- Gemfile | 2 -- Gemfile.lock | 6 ------ 2 files changed, 8 deletions(-) diff --git a/Gemfile b/Gemfile index 0d0268f9a..b41b8ca29 100644 --- a/Gemfile +++ b/Gemfile @@ -18,8 +18,6 @@ gem 'sass-rails', '~> 5.0', '>= 5.0.6' # Use Uglifier as compressor for JavaScript assets gem 'uglifier', '>= 4.1.20' -# See https://github.com/sstephenson/execjs#readme for more supported runtimes -gem 'therubyracer', '= 0.12.3', platforms: :ruby # Use jquery as the JavaScript library gem 'jquery-rails' diff --git a/Gemfile.lock b/Gemfile.lock index 42eb02d7a..dbb074ebc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -217,7 +217,6 @@ GEM activerecord kaminari-core (= 1.2.0) kaminari-core (1.2.0) - libv8 (3.16.14.19) listen (3.0.8) rb-fsevent (~> 0.9, >= 0.9.4) rb-inotify (~> 0.9, >= 0.9.7) 
@@ -348,7 +347,6 @@ GEM redis (4.1.3) redis-namespace (1.6.0) redis (>= 3.0.4) - ref (2.0.0) repost (0.3.2) responders (2.4.1) actionpack (>= 4.2.0, < 6.0) @@ -419,9 +417,6 @@ GEM ffi term-ansicolor (1.7.1) tins (~> 1.0) - therubyracer (0.12.3) - libv8 (~> 3.16.14.15) - ref thor (1.0.1) thread_safe (0.3.6) tilt (2.0.10) @@ -534,7 +529,6 @@ DEPENDENCIES spring-watcher-listen (~> 2.0.0) stripe (= 5.1.1) sys-filesystem - therubyracer (= 0.12.3) uglifier (>= 4.1.20) vcr (= 3.0.1) web-console (>= 3.3.0) From 0cd50618529bae30b66fd7ca8defda803aae4029 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 18 May 2020 15:31:17 +0200 Subject: [PATCH 16/22] update actionpack-page_caching to 1.2.2 to get the bugfix about relative_path --- CHANGELOG.md | 3 ++- Gemfile | 2 +- Gemfile.lock | 4 ++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7312e4d61..0ba8d048f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,9 +4,10 @@ - Prevent admins from leaving their dedicated group - Faraday was downgraded from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196) - Added an option to allow usage in production without HTTPS +- Now using node.js instead of therubyracer for building javascript assets - Fix a bug: when an admin logs on the subscription page, his view is broken - Fix a bug: admin's members list shows the same members multiple times -- Fix a security issue: updated actionpack-page_caching from 1.1.0 to 1.2.1 to fix [CVE-2020-8159](https://nvd.nist.gov/vuln/detail/CVE-2020-8159) +- Fix a security issue: updated actionpack-page_caching from 1.1.0 to 1.2.2 to fix [CVE-2020-8159](https://nvd.nist.gov/vuln/detail/CVE-2020-8159) ## v4.4.1 2020 May 12 diff --git a/Gemfile b/Gemfile index b41b8ca29..3eb93aaca 100644 --- a/Gemfile +++ b/Gemfile @@ -121,7 +121,7 @@ gem 'pundit' gem 'oj' -gem 'actionpack-page_caching', '1.2.1' +gem 'actionpack-page_caching', '1.2.2' gem 'rails-observers' gem 'chroma' 
diff --git a/Gemfile.lock b/Gemfile.lock index dbb074ebc..486eaf098 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -39,7 +39,7 @@ GEM rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionpack-page_caching (1.2.1) + actionpack-page_caching (1.2.2) actionpack (>= 5.0.0) actionview (5.2.4.2) activesupport (= 5.2.4.2) @@ -458,7 +458,7 @@ PLATFORMS DEPENDENCIES aasm - actionpack-page_caching (= 1.2.1) + actionpack-page_caching (= 1.2.2) active_record_query_trace api-pagination apipie-rails From fdc2f60ff5231a2d7708785455f485fd39ee0cc9 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 18 May 2020 16:23:53 +0200 Subject: [PATCH 17/22] [bug] when a new account is created through the sign-up modal, the role is not reported in the StatisticProfile (#196) Also: if a member was deleted the /api/members/mapping will raise an error --- CHANGELOG.md | 5 ++++- app/assets/javascripts/controllers/application.js.erb | 4 ++-- app/models/user.rb | 10 ++++++---- app/views/api/members/mapping.json.jbuilder | 4 +++- doc/environment.md | 3 ++- lib/tasks/fablab/es.rake | 11 +++++++++-- lib/tasks/fablab/fix.rake | 10 ++++++++++ 7 files changed, 36 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ba8d048f..29f44a7ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,11 +3,14 @@ - Upgraded to ruby 2.6.5 - Prevent admins from leaving their dedicated group - Faraday was downgraded from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196) -- Added an option to allow usage in production without HTTPS +- Added [an option](doc/environment.md#ALLOW_INSECURE_HTTP) to allow usage in production without HTTPS - Now using node.js instead of therubyracer for building javascript assets - Fix a bug: when an admin logs on the subscription page, his view is broken - Fix a bug: admin's members list shows the same members multiple times +- Fix a bug: when a new account is created through the sign-up modal, the role is not reported in the StatisticProfile (#196) - Fix a security issue: updated actionpack-page_caching from 1.1.0 to 1.2.2 to fix [CVE-2020-8159](https://nvd.nist.gov/vuln/detail/CVE-2020-8159) +- [TODO DEPLOY] `rails fablab:fix:role_in_statistic_profile` +- [TODO DEPLOY] `rails fablab:es:generate_stats[2019-06-13]` (run after the command above!) ## v4.4.1 2020 May 12 diff --git a/app/assets/javascripts/controllers/application.js.erb b/app/assets/javascripts/controllers/application.js.erb index ea478fb65..c0f67baa2 100644 --- a/app/assets/javascripts/controllers/application.js.erb +++ b/app/assets/javascripts/controllers/application.js.erb @@ -450,9 +450,9 @@ Application.Controllers.controller('ApplicationController', ['$rootScope', '$sco return $state.go(toState, toParams); } }, function (reason) { - // authentication did not ended successfully + // authentication did not end successfully if (reason === 'signup') { - // open signup modal + // open sign-up modal $scope.signup(); } else if (reason === 'resetPassword') { // open the 'reset password' modal diff --git a/app/models/user.rb b/app/models/user.rb index 9be269857..43c469e41 100644 --- a/app/models/user.rb +++ b/app/models/user.rb 
@@ -9,7 +9,7 @@ class User < ApplicationRecord
# :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :confirmable
- rolify
+ rolify after_add: :update_statistic_profile, after_remove: :update_statistic_profile
# enable OmniAuth authentication only if needed
devise :omniauthable, omniauth_providers: [AuthProvider.active.strategy_name.to_sym] unless
@@ -431,12 +431,14 @@ class User < ApplicationRecord
)
end
- # will update the statistic_profile after a group switch. Updating the role is not supported
- def update_statistic_profile
+ # will update the statistic_profile after a group switch
+ # Rolify callbacks will call this function with an argument unused here
+ def update_statistic_profile(_param = nil)
raise NoProfileError if statistic_profile.nil?
statistic_profile.update_attributes(
- group_id: group_id
+ group_id: group_id,
+ role_id: roles.first.id
)
end
end
diff --git a/app/views/api/members/mapping.json.jbuilder b/app/views/api/members/mapping.json.jbuilder
index ffbc0da97..265942937 100644
--- a/app/views/api/members/mapping.json.jbuilder
+++ b/app/views/api/members/mapping.json.jbuilder
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
@members.each do |member|
- json.set! member.id, member.profile.full_name
+ json.set! member.id, member&.profile&.full_name
end
\ No newline at end of file
diff --git a/doc/environment.md b/doc/environment.md
index 717f82d58..c98a597df 100644
--- a/doc/environment.md
+++ b/doc/environment.md
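Review bot: `role_id: roles.first.id` on the last added line of the user.rb hunk raises NoMethodError when the callback fires from `after_remove` and the user has just lost its only role, since `roles.first` is then nil; `role_id: roles.first&.id` avoids the crash, and which role wins for a user holding several is left to association order (no ordering is visible here). Wiring `after_add` into rolify in the first hunk also means `add_role` during sign-up now reaches `raise NoProfileError if statistic_profile.nil?`; whether the statistic profile is always created before the first role is assigned cannot be confirmed from this hunk and deserves a test. The class starts outside the hunk.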
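Review bot: `member&.profile&.full_name` in the jbuilder hunk applies safe navigation to `member`, which `@members.each` never yields as nil, so only `profile` can be absent; `member.profile&.full_name` states what is actually guarded. If a deleted member's profile is nil, as the commit message suggests, the mapping now emits a null value for that id, and consumers of the endpoint (not visible here) must be ready for it.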
@@ -265,10 +265,11 @@ You can change this behavior by setting this variable to one of the following va - "once" to keep the default behavior. - "session" to display the tours each time you reopen the application. - "manual" to prevent displaying the tours automatically; you'll still be able to trigger them by pressing the F1 key. + ALLOW_INSECURE_HTTP - + In production and staging environments, the session cookie won't be sent to the server unless through the HTTPS protocol. If you're using Fab-manager on a non-public network or for testing purposes, you can disable this behavior by setting this variable to `true`. Please, ensure you know what you're doing, as this can lead to serious security issues. diff --git a/lib/tasks/fablab/es.rake b/lib/tasks/fablab/es.rake index 5950bd550..3b8285d25 100644 --- a/lib/tasks/fablab/es.rake +++ b/lib/tasks/fablab/es.rake @@ -166,9 +166,10 @@ namespace :fablab do desc '(re)generate statistics in ElasticSearch for the past period. Use 0 to generate for today' task :generate_stats, [:period] => :environment do |_task, args| - raise 'FATAL ERROR: You must pass a number of days (=> past period) to generate statistics on' unless args.period + raise 'FATAL ERROR: You must pass a number of days (=> past period) OR a date to generate statistics' unless args.period - days = args.period.to_i + days = date_to_days(args.period) + puts "\n==> generating statistics for the last #{days} days <==\n" if days.zero? StatisticService.new.generate_statistic(start_date: DateTime.current.beginning_of_day, end_date: DateTime.current.end_of_day) else @@ -178,5 +179,11 @@ namespace :fablab do end end + def date_to_days(value) + date = Date.parse(value.to_s) + (DateTime.current.to_date - date).to_i + rescue ArgumentError + value.to_i + end end end diff --git a/lib/tasks/fablab/fix.rake b/lib/tasks/fablab/fix.rake index af7836254..0d479b1e2 100644 --- a/lib/tasks/fablab/fix.rake +++ b/lib/tasks/fablab/fix.rake 
@@ -164,5 +164,15 @@ namespace :fablab do
 end
 end
 end
+
+ desc '[release 4.4.2] add missing role to StatisticProfile'
+ task role_in_statistic_profile: :environment do
+ puts "Fixing #{StatisticProfile.where(role_id: nil).count} bugged profiles...\n"
+ StatisticProfile.where(role_id: nil).each do |sp|
+ role_id = sp&.user&.roles&.first&.id
+ sp.role_id = role_id
+ sp.save!
+ end
+ end
 end
 end
From 6c1a500ffab83a3f6229f26b67a29d736b700a2e Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Mon, 18 May 2020 17:10:04 +0200
Subject: [PATCH 18/22] add the url of our website into the endpoint
---
 app/controllers/health_controller.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/controllers/health_controller.rb b/app/controllers/health_controller.rb
index e3de9c028..004566f98 100644
--- a/app/controllers/health_controller.rb
+++ b/app/controllers/health_controller.rb
@@ -20,7 +20,8 @@ class HealthController < ActionController::Base
 version: Version.up_to_date?
 },
 stats: HealthService.stats,
- tagline: 'The platform to manage your fablab or your coworking space.'
+ tagline: 'The platform to manage your fablab or your coworking space.',
+ url: 'https://www.fab-manager.com'
 }
 end
 end
From 2b95c043e33cc3d365ecd9e3f9cbd80b77097def Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Mon, 18 May 2020 17:45:01 +0200
Subject: [PATCH 19/22] Removed dependency to has_secure_token to fix warnings about already initialized constant
---
 CHANGELOG.md | 1 +
 Gemfile | 1 -
 Gemfile.lock | 3 ---
 app/models/open_api/client.rb | 22 +++++++++++++++++++++-
 4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29f44a7ee..a3967568f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
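Review bot: `role_id = sp&.user&.roles&.first&.id` evaluates to nil for a profile whose user or role is missing, so `sp.save!` rewrites nil for those rows while the "Fixing N bugged profiles" line counts them as repaired; tally the rows that actually gained a role and print the ids left untouched. `StatisticProfile.where(role_id: nil).each` loads every matching row at once and a single `save!` failure aborts the task halfway, so `find_each` with `sp.update(role_id: role_id)` and the result logged would be more robust. The `sp&.` on the block variable is dead code, since `each` never yields nil.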
@@ -5,6 +5,7 @@
 - Faraday was downgraded from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196)
 - Added [an option](doc/environment.md#ALLOW_INSECURE_HTTP) to allow usage in production without HTTPS
 - Now using node.js instead of therubyracer for building javascript assets
+- Removed dependency to has_secure_token to fix warnings about already initialized constant
 - Fix a bug: when an admin logs on the subscription page, his view is broken
 - Fix a bug: admin's members list shows the same members multiple times
 - Fix a bug: when a new account is created through the sign-up modal, the role is not reported in the StatisticProfile (#196)
diff --git a/Gemfile b/Gemfile
index 3eb93aaca..6c091f384 100644
--- a/Gemfile
+++ b/Gemfile
@@ -132,7 +132,6 @@ gem 'openlab_ruby'
 gem 'api-pagination'
 gem 'apipie-rails'
-gem 'has_secure_token'
 # XLS files generation
 gem 'caxlsx'
diff --git a/Gemfile.lock b/Gemfile.lock
index 486eaf098..f6cbe0f62 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -179,8 +179,6 @@ GEM
 raabro (~> 1.1)
 globalid (0.4.2)
 activesupport (>= 4.2.0)
- has_secure_token (1.0.0)
- activerecord (>= 3.0)
 hashdiff (1.0.1)
 hashery (2.1.2)
 hashie (4.1.0)
@@ -484,7 +482,6 @@ DEPENDENCIES
 foreman
 forgery
 friendly_id (~> 5.1.0)
- has_secure_token
 icalendar
 jbuilder (~> 2.5)
 jbuilder_cache_multi
diff --git a/app/models/open_api/client.rb b/app/models/open_api/client.rb
index 2dc2bf231..a9815eaf7 100644
--- a/app/models/open_api/client.rb
+++ b/app/models/open_api/client.rb
@@ -1,9 +1,29 @@
+# frozen_string_literal: true
+
+# OpenAPI::Client keeps track of the authorized accesses to the 3-rd party API (aka. OpenAPI)
 class OpenAPI::Client < ApplicationRecord
 has_many :calls_count_tracings, foreign_key: :open_api_client_id, dependent: :destroy
- has_secure_token
+ validates :name, presence: true
+ validates_uniqueness_of :token
+
+ before_create :set_initial_token
 def increment_calls_count
 update_column(:calls_count, calls_count+1)
 end
+
+ def regenerate_token
+ update_attributes(token: generate_unique_secure_token)
+ end
+
+ private
+
+ def set_initial_token
+ self.token = generate_unique_secure_token
+ end
+
+ def generate_unique_secure_token
+ SecureRandom.base58(24)
+ end
 end
From c9670c9d1d1b5b105ef891453b0d9a6e2f3e9ae2 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Mon, 18 May 2020 18:09:13 +0200
Subject: [PATCH 20/22] [bug] openAPI clients interface has a bugged behavior when creating/editing a client
---
 CHANGELOG.md | 1 +
 .../controllers/admin/open_api_clients.js | 29 ++++++++++++++-----
 .../admin/open_api_clients/index.html.erb | 4 +--
 3 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a3967568f..0561ccdaf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 - Fix a bug: when an admin logs on the subscription page, his view is broken
 - Fix a bug: admin's members list shows the same members multiple times
 - Fix a bug: when a new account is created through the sign-up modal, the role is not reported in the StatisticProfile (#196)
+- Fix a bug: openAPI clients interface has a bugged behavior when creating/editing a client
 - Fix a security issue: updated actionpack-page_caching from 1.1.0 to 1.2.2 to fix [CVE-2020-8159](https://nvd.nist.gov/vuln/detail/CVE-2020-8159)
 - [TODO DEPLOY] `rails fablab:fix:role_in_statistic_profile`
 - [TODO DEPLOY] `rails fablab:es:generate_stats[2019-06-13]` (run after the command above!)
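Review bot: `generate_unique_secure_token` does not check uniqueness despite its name; the only guard is `validates_uniqueness_of :token`, which makes `regenerate_token` silently return false on a collision and is itself racy unless the `token` column carries a unique index, which this hunk does not show. A bounded retry keeps the name honest, e.g. `loop { token = SecureRandom.base58(24); break token unless self.class.exists?(token: token) }` with an error raised after a few attempts. `regenerate_token` is public and deserves a comment, e.g. `# Replace the API token with a fresh random one; returns false if the update fails validation`, and if the application is on Rails 6, `update_attributes` is deprecated in favour of `update`.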
diff --git a/app/assets/javascripts/controllers/admin/open_api_clients.js b/app/assets/javascripts/controllers/admin/open_api_clients.js
index 0b71944dc..17fb545ae 100644
--- a/app/assets/javascripts/controllers/admin/open_api_clients.js
+++ b/app/assets/javascripts/controllers/admin/open_api_clients.js
@@ -20,11 +20,18 @@ Application.Controllers.controller('OpenAPIClientsController', ['$scope', 'clien
 $scope.clientFormVisible = false;
 $scope.client = {};
- $scope.toggleForm = () => $scope.clientFormVisible = !$scope.clientFormVisible;
+ /**
+ * Show the name edition form for a new client
+ */
+ $scope.createClient = function () {
+ $scope.clientFormVisible = true;
+ $scope.client = {};
+ };
- // Change the order criterion to the one provided
- // @param orderBy {string} ordering criterion
- //
+ /**
+ * Change the order criterion to the one provided
+ * @param orderBy {string} ordering criterion
+ */
 $scope.setOrder = function (orderBy) {
 if ($scope.order === orderBy) {
 return $scope.order = `-${orderBy}`;
@@ -33,6 +40,14 @@ Application.Controllers.controller('OpenAPIClientsController', ['$scope', 'clien
 }
 };
+ /**
+ * Reset the name ot its original value and close the edition form
+ */
+ $scope.cancelEdit = function () {
+ $scope.client.name = $scope.clientOriginalName;
+ $scope.clientFormVisible = false;
+ };
+
 $scope.saveClient = function (client) {
 if (client.id != null) {
 OpenAPIClient.update({ id: client.id }, { open_api_client: client }, function (clientResp) {
@@ -47,13 +62,13 @@ Application.Controllers.controller('OpenAPIClientsController', ['$scope', 'clien
 }
 $scope.clientFormVisible = false;
- $scope.clientForm.$setPristine();
- return $scope.client = {};
+ $scope.client = {};
 };
 $scope.editClient = function (client) {
 $scope.clientFormVisible = true;
- return $scope.client = client;
+ $scope.client = client;
+ $scope.clientOriginalName = client.name;
 };
 $scope.deleteClient = index =>
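Review bot: `cancelEdit` restores `$scope.clientOriginalName` unconditionally, but `createClient` never resets it, so cancelling a brand-new client copies the name of the last edited client into the fresh `$scope.client`; and because `editClient` assigns the list entry itself to `$scope.client`, any edit other than the name stays visible in the list after a cancel. Clear the stored name in `createClient`, `$scope.clientOriginalName = undefined;`, or edit a copy with `$scope.client = angular.copy(client);` and restore the whole entry on cancel. The enclosing controller function starts before the first hunk and ends after the last.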
diff --git a/app/assets/templates/admin/open_api_clients/index.html.erb b/app/assets/templates/admin/open_api_clients/index.html.erb
index 07e9764f7..73ff4df84 100644
--- a/app/assets/templates/admin/open_api_clients/index.html.erb
+++ b/app/assets/templates/admin/open_api_clients/index.html.erb
@@ -34,14 +34,14 @@
- +
- +
From 18e2b032ae8498abad386f08394573135d9a7740 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Tue, 19 May 2020 11:45:51 +0200
Subject: [PATCH 21/22] fix import users from csv
---
 app/models/user.rb | 23 +++++++++++------------
 app/services/members/import_service.rb | 4 +---
 app/services/members/members_service.rb | 17 ++++++++++-------
 config/initializers/active_record_base.rb | 18 ++++++++++--------
 4 files changed, 32 insertions(+), 30 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 43c469e41..545285114 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -9,7 +9,7 @@ class User < ApplicationRecord
 # :lockable, :timeoutable and :omniauthable
 devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :confirmable
- rolify after_add: :update_statistic_profile, after_remove: :update_statistic_profile
+ rolify
 # enable OmniAuth authentication only if needed
 devise :omniauthable, omniauth_providers: [AuthProvider.active.strategy_name.to_sym] unless
@@ -319,6 +319,16 @@ class User < ApplicationRecord
 .delete_if { |col| blacklist.include?(col[0]) }
 end
+ # will update the statistic_profile after a group switch or a role update
+ def update_statistic_profile
+ raise NoProfileError if statistic_profile.nil? || statistic_profile.id.nil?
+
+ statistic_profile.update_attributes(
+ group_id: group_id,
+ role_id: roles.first.id
+ )
+ end
+
 protected
 # remove projects drafts that are not linked to another user
@@ -430,15 +440,4 @@ class User < ApplicationRecord
 email: email
 )
 end
-
- # will update the statistic_profile after a group switch
- # Rolify callbacks will call this function with an argument unused here
- def update_statistic_profile(_param = nil)
- raise NoProfileError if statistic_profile.nil?
-
- statistic_profile.update_attributes(
- group_id: group_id,
- role_id: roles.first.id
- )
- end
 end
diff --git a/app/services/members/import_service.rb b/app/services/members/import_service.rb
index 305610750..d087cfc4b 100644
--- a/app/services/members/import_service.rb
+++ b/app/services/members/import_service.rb
@@ -7,8 +7,7 @@ class Members::ImportService
 require 'csv'
 log = []
 begin
- CSV.foreach(import.attachment.url, headers: true, col_sep: ';') do |row|
- begin
+ CSV.foreach(import.attachment.url, headers: true, col_sep: ';') do |row|
 password = hide_password(row)
 log << { row: row.to_hash }
@@ -31,7 +30,6 @@ class Members::ImportService
 puts e
 puts e.backtrace
 end
- end
 rescue ArgumentError => e
 log << e.to_s
 puts e
diff --git a/app/services/members/members_service.rb b/app/services/members/members_service.rb
index 991a192a9..df90b1d4d 100644
--- a/app/services/members/members_service.rb
+++ b/app/services/members/members_service.rb
@@ -41,13 +41,16 @@ class Members::MembersService
 @member.statistic_profile.group_id = params[:group_id]
 @member.statistic_profile.role_id = Role.find_or_create_by!(name: 'member').id
- if @member.save
- @member.generate_subscription_invoice(current_user.id)
- @member.send_confirmation_instructions
- UsersMailer.delay.notify_user_account_created(@member, @member.password)
- true
- else
- false
+ ActiveRecord::Base.transaction do
+ if @member.save
+ @member.update_statistic_profile
+ @member.generate_subscription_invoice(current_user.id)
+ @member.send_confirmation_instructions
+ UsersMailer.delay.notify_user_account_created(@member, @member.password)
+ true
+ else
+ false
+ end
 end
 end
diff --git a/config/initializers/active_record_base.rb b/config/initializers/active_record_base.rb
index 07b68d779..4bb708204 100644
--- a/config/initializers/active_record_base.rb
+++ b/config/initializers/active_record_base.rb
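Review bot: The new `ActiveRecord::Base.transaction` block in members_service.rb encloses side effects a rollback cannot undo — `send_confirmation_instructions` and `UsersMailer.delay.notify_user_account_created` send or enqueue a message as soon as they run, as far as this hunk shows — so if `update_statistic_profile` raises (it raises NoProfileError when the profile is missing) or the invoice generation fails after `@member.save`, the rows are reverted while the confirmation e-mail still goes out for an account that no longer exists. Keep `save`, `update_statistic_profile` and `generate_subscription_invoice` inside the transaction and move the two notifications after it commits. NoProfileError now escapes this method instead of it returning false, which its callers must expect. Separately, passing `@member.password` to `UsersMailer.delay` serializes the clear-text password into the job queue; that predates this change but is worth a follow-up. The enclosing method starts outside the hunk.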
@@ -1,24 +1,26 @@
+# frozen_string_literal: true
+
 ActiveRecord::Base.class_eval do
 def dump_fixture
 fixture_file = "#{Rails.root}/test/fixtures/#{self.class.table_name}.yml"
- File.open(fixture_file, "a") do |f|
+ File.open(fixture_file, 'a') do |f|
 f.puts({ "#{self.class.table_name.singularize}_#{id}" => attributes }. to_yaml.sub!(/---\s?/, "\n"))
 end
 end
 def self.dump_fixtures
- fixture_file = "#{Rails.root}/test/fixtures/#{self.table_name}.yml"
- mode = (File.exists?(fixture_file) ? 'a' : 'w')
+ fixture_file = "#{Rails.root}/test/fixtures/#{table_name}.yml"
+ mode = (File.exist?(fixture_file) ? 'a' : 'w')
 File.open(fixture_file, mode) do |f|
- if self.attribute_names.include?("id")
- self.all.each do |instance|
- f.puts({ "#{self.table_name.singularize}_#{instance.id}" => instance.attributes }.to_yaml.sub!(/---\s?/, "\n"))
+ if attribute_names.include?('id')
+ all.each do |instance|
+ f.puts({ "#{table_name.singularize}_#{instance.id}" => instance.attributes }.to_yaml.sub!(/---\s?/, "\n"))
 end
 else
- self.all.each_with_index do |instance, i|
- f.puts({ "#{self.table_name.singularize}_#{i}" => instance.attributes }.to_yaml.sub!(/---\s?/, "\n"))
+ all.each_with_index do |instance, i|
+ f.puts({ "#{table_name.singularize}_#{i}" => instance.attributes }.to_yaml.sub!(/---\s?/, "\n"))
 end
 end
 end
From 06cfaebe8dcff5f3fbf7e079c55c4b5cb681e041 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Tue, 19 May 2020 13:51:59 +0200
Subject: [PATCH 22/22] Version 4.4.2
---
 CHANGELOG.md | 3 +++
 package.json | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0561ccdaf..38b542d17 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
 # Changelog Fab-manager
+## v4.4.2 2020 May 19
+
 - Upgraded to ruby 2.6.5
 - Prevent admins from leaving their dedicated group
 - Faraday was downgraded from 1.0 to 0.17 for better compatibility with elasticsearch-ruby 5 (#205 #196)
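Review bot: `.to_yaml.sub!(/---\s?/, "\n")` in the rewritten `f.puts` lines returns nil when the pattern is absent, and `f.puts nil` then writes an empty line instead of the fixture; the non-bang `sub` yields the same output when it matches and the untouched YAML otherwise. Both helpers also write every column of every row — `instance.attributes` — into test/fixtures, which in this code base includes secrets such as the OpenAPI client `token`, so a header comment above `ActiveRecord::Base.class_eval` stating the intended use would help, e.g. `# Development-only helpers: dump records as YAML fixtures; attributes are written verbatim, secrets included, so never run against production data`.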
@@ -13,6 +15,7 @@
 - Fix a security issue: updated actionpack-page_caching from 1.1.0 to 1.2.2 to fix [CVE-2020-8159](https://nvd.nist.gov/vuln/detail/CVE-2020-8159)
 - [TODO DEPLOY] `rails fablab:fix:role_in_statistic_profile`
 - [TODO DEPLOY] `rails fablab:es:generate_stats[2019-06-13]` (run after the command above!)
+- [TODO DEPLOY] -> (only dev) `rvm use && bundle install`
 ## v4.4.1 2020 May 12
diff --git a/package.json b/package.json
index ab52b2670..631e53021 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "fab-manager",
- "version": "4.4.1",
+ "version": "4.4.2",
 "description": "Fab-manager is the FabLab management solution. It provides a comprehensive, web-based, open-source tool to simplify your administrative tasks and your marker's projects.",
 "keywords": [
 "fablab",