Merge pull request #5496 from consuldemocracy/rails7.1

Upgrade to Rails 7.1

.rubocop.yml

@@ -12,6 +12,7 @@ AllCops:
   Exclude:
     - "db/schema.rb"
     - "app/lib/ckeditor/backend/active_storage.rb"
+    - "config/initializers/disable_active_storage_pdf_auto_previews.rb"
     - "vendor/**/*"
   DisabledByDefault: true
 
@@ -186,6 +187,8 @@ Layout/MultilineMethodCallBraceLayout:
 
 Layout/MultilineMethodCallIndentation:
   Enabled: true
+  Exclude:
+    - "config/environments/production.rb"
 
 Layout/MultilineOperationIndentation:
   Enabled: true
@@ -698,6 +701,8 @@ Style/AndOr:
 
 Style/ArgumentsForwarding:
   Enabled: true
+  Exclude:
+    - "bin/setup"
 
 Style/ArrayCoercion:
   Enabled: true

Gemfile

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 ruby file: ".ruby-version"
 
-gem "rails", "7.0.8.7"
+gem "rails", "7.1.5.1"
 
 gem "acts-as-taggable-on", "~> 11.0.0"
 gem "acts_as_votable", "~> 0.14.0"

Gemfile.lock

@@ -2,70 +2,82 @@ GEM
   remote: https://rubygems.org/
   specs:
     Ascii85 (2.0.1)
-    actioncable (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+    actioncable (7.1.5.1)
+      actionpack (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activejob (= 7.0.8.7)
-      activerecord (= 7.0.8.7)
-      activestorage (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+      zeitwerk (~> 2.6)
+    actionmailbox (7.1.5.1)
+      actionpack (= 7.1.5.1)
+      activejob (= 7.1.5.1)
+      activerecord (= 7.1.5.1)
+      activestorage (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      actionview (= 7.0.8.7)
-      activejob (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+    actionmailer (7.1.5.1)
+      actionpack (= 7.1.5.1)
+      actionview (= 7.1.5.1)
+      activejob (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
-      rails-dom-testing (~> 2.0)
-    actionpack (7.0.8.7)
-      actionview (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
-      rack (~> 2.0, >= 2.2.4)
+      rails-dom-testing (~> 2.2)
+    actionpack (7.1.5.1)
+      actionview (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activerecord (= 7.0.8.7)
-      activestorage (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actiontext (7.1.5.1)
+      actionpack (= 7.1.5.1)
+      activerecord (= 7.1.5.1)
+      activestorage (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.0.8.7)
-      activesupport (= 7.0.8.7)
+    actionview (7.1.5.1)
+      activesupport (= 7.1.5.1)
       builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (7.0.8.7)
-      activesupport (= 7.0.8.7)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activejob (7.1.5.1)
+      activesupport (= 7.1.5.1)
       globalid (>= 0.3.6)
-    activemodel (7.0.8.7)
-      activesupport (= 7.0.8.7)
-    activerecord (7.0.8.7)
-      activemodel (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
-    activestorage (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activejob (= 7.0.8.7)
-      activerecord (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+    activemodel (7.1.5.1)
+      activesupport (= 7.1.5.1)
+    activerecord (7.1.5.1)
+      activemodel (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
+      timeout (>= 0.4.0)
+    activestorage (7.1.5.1)
+      actionpack (= 7.1.5.1)
+      activejob (= 7.1.5.1)
+      activerecord (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
       marcel (~> 1.0)
-      mini_mime (>= 1.1.0)
-    activesupport (7.0.8.7)
+    activesupport (7.1.5.1)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
+      mutex_m
+      securerandom (>= 0.3)
       tzinfo (~> 2.0)
     acts-as-taggable-on (11.0.0)
       activerecord (>= 7.0, < 8.0)
@@ -98,6 +110,7 @@ GEM
       execjs (~> 2)
     base64 (0.2.0)
     bcrypt (3.1.20)
+    benchmark (0.4.0)
     better_html (2.1.1)
       actionview (>= 6.0)
       activesupport (>= 6.0)
@@ -172,6 +185,7 @@ GEM
       execjs
     coffee-script-source (1.12.2)
     concurrent-ruby (1.3.4)
+    connection_pool (2.5.0)
     crass (1.0.6)
     csv (3.3.2)
     daemons (1.4.1)
@@ -196,6 +210,7 @@ GEM
       devise (>= 4.3.0)
     diff-lcs (1.6.0)
     docile (1.4.0)
+    drb (2.2.1)
     email_spec (2.3.0)
       htmlentities (~> 4.3.3)
       launchy (>= 2.1, < 4.0)
@@ -478,22 +493,27 @@ GEM
       rack (~> 2.2, >= 2.2.4)
     rack-proxy (0.7.6)
       rack
+    rack-session (1.0.2)
+      rack (< 3)
     rack-test (2.2.0)
       rack (>= 1.3)
-    rails (7.0.8.7)
-      actioncable (= 7.0.8.7)
-      actionmailbox (= 7.0.8.7)
-      actionmailer (= 7.0.8.7)
-      actionpack (= 7.0.8.7)
-      actiontext (= 7.0.8.7)
-      actionview (= 7.0.8.7)
-      activejob (= 7.0.8.7)
-      activemodel (= 7.0.8.7)
-      activerecord (= 7.0.8.7)
-      activestorage (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+    rackup (1.0.1)
+      rack (< 3)
+      webrick
+    rails (7.1.5.1)
+      actioncable (= 7.1.5.1)
+      actionmailbox (= 7.1.5.1)
+      actionmailer (= 7.1.5.1)
+      actionpack (= 7.1.5.1)
+      actiontext (= 7.1.5.1)
+      actionview (= 7.1.5.1)
+      activejob (= 7.1.5.1)
+      activemodel (= 7.1.5.1)
+      activerecord (= 7.1.5.1)
+      activestorage (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
       bundler (>= 1.15.0)
-      railties (= 7.0.8.7)
+      railties (= 7.1.5.1)
     rails-dom-testing (2.2.0)
       activesupport (>= 5.0.0)
       minitest
@@ -504,13 +524,14 @@ GEM
     rails-i18n (7.0.9)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 8)
-    railties (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
-      method_source
+    railties (7.1.5.1)
+      actionpack (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
+      irb
+      rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.2.1)
     rbtree3 (0.7.1)
@@ -617,6 +638,7 @@ GEM
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
+    securerandom (0.4.1)
     selenium-webdriver (4.29.1)
       base64 (~> 0.2)
       logger (~> 1.4)
@@ -697,7 +719,8 @@ GEM
       railties (>= 6.0.0)
     webrick (1.8.2)
     websocket (1.2.11)
-    websocket-driver (0.7.6)
+    websocket-driver (0.7.7)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     whenever (1.0.0)
@@ -778,7 +801,7 @@ DEPENDENCIES
   pronto-rubocop (~> 0.11.6)
   pronto-stylelint (~> 0.11.0)
   puma (~> 5.6.9)
-  rails (= 7.0.8.7)
+  rails (= 7.1.5.1)
   recipient_interceptor (~> 0.3.3)
   redcarpet (~> 3.6.0)
   responders (~> 3.1.1)

app/assets/stylesheets/shared/banner.scss

@@ -1,5 +1,7 @@
 .banner {
   @include full-width-background;
+  @include card;
+  padding: 0 rem-calc(16);
 
   .debates-list &::before,
   .proposals-list &::before,
@@ -7,18 +9,21 @@
     content: none;
   }
 
+  &:hover {
+    text-decoration: underline;
+  }
+
   a {
-    display: block;
-
-    > * {
-      padding: 0 rem-calc(16);
-
-      &:empty {
-        display: none;
-      }
+    &,
+    &:hover {
+      color: inherit;
     }
   }
 
+  > :empty {
+    display: none;
+  }
+
   + .budget-header,
   + .budgets-index > .budget-header,
   + .jumbo {

app/components/shared/banner_component.html.erb

@@ -1,3 +1,3 @@
 <div class="banner" style="background-color:<%= banner.background_color %>;">
-  <%= sanitize link, attributes: %w[href style] %>
+  <%= sanitize banner_content, attributes: %w[href style] %>
 </div>

app/components/shared/banner_component.rb

@@ -19,10 +19,8 @@ class Shared::BannerComponent < ApplicationComponent
 
   private
 
-    def link
-      link_to banner.target_url do
-        tag.h2(banner.title, style: "color:#{banner.font_color}") +
-          tag.h3(banner.description, style: "color:#{banner.font_color}")
-      end
+    def banner_content
+      tag.h2(link_to(banner.title, banner.target_url), style: "color:#{banner.font_color}") +
+        tag.h3(banner.description, style: "color:#{banner.font_color}")
     end
 end

app/controllers/budgets/investments_controller.rb

@@ -38,7 +38,7 @@ module Budgets
 
     def index
       @investments = investments.page(params[:page]).per(PER_PAGE).for_render
-      @investment_ids = @investments.ids
+      @investment_ids = @investments.unscope(:includes).ids
 
       @investments_in_map = investments
       @tag_cloud = tag_cloud

app/models/legislation/annotation.rb

@@ -3,7 +3,7 @@ class Legislation::Annotation < ApplicationRecord
   acts_as_paranoid column: :hidden_at
   include ActsAsParanoidAliases
 
-  serialize :ranges, Array
+  serialize :ranges, type: Array
 
   belongs_to :draft_version, foreign_key: "legislation_draft_version_id", inverse_of: :annotations
   belongs_to :author, -> { with_hidden }, class_name: "User", inverse_of: :legislation_annotations

bin/setup

@@ -5,7 +5,7 @@ require "fileutils"
 APP_ROOT = File.expand_path("..", __dir__)
 
 def system!(*args)
-  system(*args) || abort("\n== Command #{args} failed ==")
+  system(*args, exception: true)
 end
 
 FileUtils.chdir APP_ROOT do

config/application.rb

@@ -21,7 +21,15 @@ Bundler.require(*Rails.groups)
 
 module Consul
   class Application < Rails::Application
-    config.load_defaults 7.0
+    def secrets
+      Rails.deprecator.silence { super }
+    end
+
+    def secret_key_base
+      Rails.deprecator.silence { super }
+    end
+
+    config.load_defaults 7.1
 
     # Keep belongs_to fields optional by default, because that's the way
     # Rails 4 models worked
@@ -43,6 +51,9 @@ module Consul
     # order to make upgrades easier.
     config.active_storage.variant_processor = :mini_magick
 
+    # Keep using YAML to serialize the legislation_annotations ranges column
+    config.active_record.default_column_serializer = YAML
+
     # Keep reading existing data in the legislation_annotations ranges column
     config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol]
 

config/environments/development.rb

@@ -7,7 +7,7 @@ Rails.application.configure do
   # In the development environment your application's code is reloaded any time
   # it changes. This slows down response time but is perfect for development
   # since you don't have to restart the web server when you make code changes.
-  config.cache_classes = false
+  config.enable_reloading = true
 
   # Do not eager load code on boot.
   config.eager_load = false
@@ -61,6 +61,9 @@ Rails.application.configure do
   # Highlight code that triggered database queries in logs.
   config.active_record.verbose_query_logs = true
 
+  # Highlight code that enqueued background job in logs.
+  config.active_job.verbose_enqueue_logs = true
+
   # Suppress logger output for asset requests.
   config.assets.quiet = true
 
@@ -71,16 +74,13 @@ Rails.application.configure do
   # config.action_view.annotate_rendered_view_with_filenames = true
 
   config.eager_load_paths << "#{Rails.root}/spec/mailers/previews"
-  config.action_mailer.preview_path = "#{Rails.root}/spec/mailers/previews"
-
-  # Limit size of local logs
-  # TODO: replace with config.log_file_size after upgrading to Rails 7.1
-  logger = ActiveSupport::Logger.new(config.default_log_file, 1, 100.megabytes)
-  logger.formatter = config.log_formatter
-  config.logger = ActiveSupport::TaggedLogging.new(logger)
+  config.action_mailer.preview_paths << "#{Rails.root}/spec/mailers/previews"
 
   # Uncomment if you wish to allow Action Cable access from any origin.
   # config.action_cable.disable_request_forgery_protection = true
+
+  # Raise error when a before_action's only/except options reference missing actions
+  # config.action_controller.raise_on_missing_callback_actions = true
 end
 
 require Rails.root.join("config", "environments", "custom", "development")

config/environments/production.rb

@@ -4,7 +4,7 @@ Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
   # Code is not reloaded between requests.
-  config.cache_classes = true
+  config.enable_reloading = false
 
   # Eager load code on boot. This eager loads most of Rails and
   # your application in memory, allowing both threaded web servers
@@ -13,22 +13,21 @@ Rails.application.configure do
   config.eager_load = true
 
   # Full error reports are disabled and caching is turned on.
-  config.consider_all_requests_local       = false
+  config.consider_all_requests_local = false
   config.action_controller.perform_caching = true
 
-  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
-  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+  # Ensures that a master key has been made available in ENV["RAILS_MASTER_KEY"], config/master.key, or an environment
+  # key such as config/credentials/production.key. This key is used to decrypt credentials (and other encrypted files).
   # config.require_master_key = true
 
-  # Disable serving static files from the `/public` folder by default since
-  # Apache or NGINX already handles this.
+  # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
   config.public_file_server.enabled = ENV["RAILS_SERVE_STATIC_FILES"].present?
 
   # Compress JavaScripts and CSS.
   config.assets.js_compressor = Uglifier.new(harmony: true)
   # config.assets.css_compressor = :sass
 
-  # Do not fallback to assets pipeline if a precompiled asset is missed.
+  # Do not fall back to assets pipeline if a precompiled asset is missed.
   config.assets.compile = false
 
   # Enable serving of images, stylesheets, and JavaScripts from an asset server.
@@ -43,22 +42,42 @@ Rails.application.configure do
   # config.action_cable.url = "wss://example.com/cable"
   # config.action_cable.allowed_request_origins = [ "http://example.com", /http:\/\/example.*/ ]
 
+  # Assume all access to the app is happening through a SSL-terminating reverse proxy.
+  # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
+  # config.assume_ssl = true
+
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   # Configure force_ssl in secrets.yml
   config.force_ssl = Rails.application.secrets.force_ssl
 
-  # Include generic and useful information about system operation, but avoid logging too much
-  # information to avoid inadvertent exposure of personally identifiable information (PII).
-  config.log_level = :warn
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+
+  # Rotate logger
+  logger = ActiveSupport::Logger.new(config.default_log_file, "daily")
+  logger.formatter = config.log_formatter
+  config.logger = ActiveSupport::TaggedLogging.new(logger)
+
+  # Log to STDOUT if enabled
+  if ENV["RAILS_LOG_TO_STDOUT"].present?
+    config.logger = ActiveSupport::Logger.new(STDOUT)
+      .tap  { |logger| logger.formatter = ::Logger::Formatter.new }
+      .then { |logger| ActiveSupport::TaggedLogging.new(logger) }
+  end
 
   # Prepend all log lines with the following tags.
   config.log_tags = [:request_id]
 
+  # "info" includes generic and useful information about system operation, but avoids logging too much
+  # information to avoid inadvertent exposure of personally identifiable information (PII). If you
+  # want to log everything, set the level to "debug".
+  config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "warn")
+
   # Use a different cache store in production.
   config.cache_store = :mem_cache_store, { namespace: proc { Tenant.current_schema }}
 
   # Use a real queuing backend for Active Job (and separate queues per environment).
-  # config.active_job.queue_adapter     = :resque
+  # config.active_job.queue_adapter = :resque
   # config.active_job.queue_name_prefix = "consul_#{Rails.env}"
 
   config.action_mailer.perform_caching = false
@@ -82,26 +101,16 @@ Rails.application.configure do
   # Don't log any deprecations.
   config.active_support.report_deprecations = false
 
-  # Use default logging formatter so that PID and timestamp are not suppressed.
-  config.log_formatter = ::Logger::Formatter.new
-
-  # Rotate logger
-  logger = ActiveSupport::Logger.new(config.default_log_file, "daily")
-  logger.formatter = config.log_formatter
-  config.logger = ActiveSupport::TaggedLogging.new(logger)
-
-  # Use a different logger for distributed setups.
-  # require "syslog/logger"
-  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new "app-name")
-
-  if ENV["RAILS_LOG_TO_STDOUT"].present?
-    logger           = ActiveSupport::Logger.new(STDOUT)
-    logger.formatter = config.log_formatter
-    config.logger    = ActiveSupport::TaggedLogging.new(logger)
-  end
-
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
+
+  # Enable DNS rebinding protection and other `Host` header attacks.
+  # config.hosts = [
+  #   "example.com",     # Allow requests from example.com
+  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
+  # ]
+  # Skip DNS rebinding protection for the default health check endpoint.
+  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
 end
 
 require Rails.root.join("config", "environments", "custom", "production")

config/environments/test.rb

@@ -15,12 +15,13 @@ Rails.application.configure do
   config.i18n.default_locale = :en
   config.i18n.available_locales = %w[de en es fr nl pt-BR zh-CN]
 
-  # Turn false under Spring and add config.action_view.cache_template_loading = true.
-  config.cache_classes = true
+  # While tests run files are not watched, reloading is not necessary.
+  config.enable_reloading = false
 
-  # Eager loading loads your whole application. When running a single test locally,
-  # this probably isn't necessary. It's a good idea to do in a continuous integration
-  # system, or in some way before deploying your code.
+  # Eager loading loads your entire application. When running a single test locally,
+  # this is usually not necessary, and can slow down your test suite. However, it's
+  # recommended that you enable it in continuous integration systems to ensure eager
+  # loading is working properly before deploying your code.
   config.eager_load = ENV["CI"].present?
 
   # Configure public file server for tests with Cache-Control for performance.
@@ -30,12 +31,12 @@ Rails.application.configure do
   }
 
   # Show full error reports and disable caching.
-  config.consider_all_requests_local       = true
+  config.consider_all_requests_local = true
   config.action_controller.perform_caching = false
   config.cache_store = :null_store
 
-  # Raise exceptions instead of rendering exception templates.
-  config.action_dispatch.show_exceptions = false
+  # Render exception templates for rescuable exceptions and raise for other exceptions.
+  config.action_dispatch.show_exceptions = :rescuable
 
   # Disable request forgery protection in test environment.
   config.action_controller.allow_forgery_protection = false
@@ -66,11 +67,8 @@ Rails.application.configure do
   # Annotate rendered view with file names.
   # config.action_view.annotate_rendered_view_with_filenames = true
 
-  # Limit size of local logs
-  # TODO: replace with config.log_file_size after upgrading to Rails 7.1
-  logger = ActiveSupport::Logger.new(config.default_log_file, 1, 100.megabytes)
-  logger.formatter = config.log_formatter
-  config.logger = ActiveSupport::TaggedLogging.new(logger)
+  # Raise error when a before_action's only/except options reference missing actions
+  # config.action_controller.raise_on_missing_callback_actions = true
 
   # Allow managing different tenants using the same application
   config.multitenancy = true

config/initializers/01_filter_parameter_logging.rb

@@ -1,8 +1,8 @@
 # Be sure to restart your server when you modify this file.
 
-# Configure parameters to be filtered from the log file. Use this to limit dissemination of
-# sensitive information. See the ActiveSupport::ParameterFilter documentation for supported
-# notations and behaviors.
+# Configure parameters to be partially matched (e.g. passw matches password) and filtered from the log file.
+# Use this to limit dissemination of sensitive information.
+# See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
 Rails.application.config.filter_parameters += [
   :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
 ]

config/initializers/content_security_policy.rb

@@ -16,9 +16,9 @@
 #     # policy.report_uri "/csp-violation-report-endpoint"
 #   end
 #
-#   # Generate session nonces for permitted importmap and inline scripts
+#   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
 #   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src)
+#   config.content_security_policy_nonce_directives = %w(script-src style-src)
 #
 #   # Report violations without enforcing the policy.
 #   # config.content_security_policy_report_only = true

config/initializers/disable_active_storage_pdf_auto_previews.rb

@@ -0,0 +1,22 @@
+ActiveSupport.on_load(:active_storage_attachment) do
+  # Code copied from Rails 7.2. TODO: remove after upgrading to Rails 7.2
+  # See: https://github.com/rails/rails/pull/51351/files
+  class ActiveStorage::Attachment
+    private
+      def transform_variants_later
+        preprocessed_variations = named_variants.filter_map { |_name, named_variant|
+          if named_variant.preprocessed?(record)
+            named_variant.transformations
+          end
+        }
+
+        if blob.preview_image_needed_before_processing_variants? && preprocessed_variations.any?
+          blob.create_preview_image_later(preprocessed_variations)
+        else
+          preprocessed_variations.each do |transformations|
+            blob.preprocessed(transformations)
+          end
+        end
+      end
+  end
+end

config/initializers/permissions_policy.rb

@@ -1,11 +1,13 @@
+# Be sure to restart your server when you modify this file.
+
 # Define an application-wide HTTP permissions policy. For further
-# information see https://developers.google.com/web/updates/2018/06/feature-policy
-#
-# Rails.application.config.permissions_policy do |f|
-#   f.camera      :none
-#   f.gyroscope   :none
-#   f.microphone  :none
-#   f.usb         :none
-#   f.fullscreen  :self
-#   f.payment     :self, "https://secure.example.com"
+# information see: https://developers.google.com/web/updates/2018/06/feature-policy
+
+# Rails.application.config.permissions_policy do |policy|
+#   policy.camera      :none
+#   policy.gyroscope   :none
+#   policy.microphone  :none
+#   policy.usb         :none
+#   policy.fullscreen  :self
+#   policy.payment     :self, "https://secure.example.com"
 # end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2025_03_13_014205) do
+ActiveRecord::Schema[7.1].define(version: 2025_03_13_014205) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "pg_trgm"
   enable_extension "plpgsql"

spec/controllers/graphql_controller_spec.rb

@@ -4,10 +4,11 @@ require "rails_helper"
 
 describe GraphqlController, type: :request do
   let(:proposal) { create(:proposal) }
+  let(:query_string) { "{ proposal(id: #{proposal.id}) { title } }" }
 
   describe "handles GET request" do
     specify "with query string inside query params" do
-      get "/graphql", params: { query: "{ proposal(id: #{proposal.id}) { title } }" }
+      get "/graphql", params: { query: query_string }
 
       expect(response).to have_http_status(:ok)
       expect(response.parsed_body["data"]["proposal"]["title"]).to eq(proposal.title)
@@ -33,7 +34,7 @@ describe GraphqlController, type: :request do
     let(:json_headers) { { "CONTENT_TYPE" => "application/json" } }
 
     specify "with json-encoded query string inside body" do
-      post "/graphql", params: { query: "{ proposal(id: #{proposal.id}) { title } }" }.to_json,
+      post "/graphql", params: { query: query_string }.to_json,
                        headers: json_headers
 
       expect(response).to have_http_status(:ok)
@@ -42,7 +43,7 @@ describe GraphqlController, type: :request do
 
     specify "with raw query string inside body" do
       graphql_headers = { "CONTENT_TYPE" => "application/graphql" }
-      post "/graphql", params: "{ proposal(id: #{proposal.id}) { title } }",
+      post "/graphql", params: query_string,
                        headers: graphql_headers
 
       expect(response).to have_http_status(:ok)
@@ -66,8 +67,6 @@ describe GraphqlController, type: :request do
   end
 
   describe "correctly parses query variables" do
-    let(:query_string) { "{ proposal(id: #{proposal.id}) { title } }" }
-
     specify "when absent" do
       get "/graphql", params: { query: query_string }
 
@@ -91,8 +90,13 @@ describe GraphqlController, type: :request do
     before { Setting["feature.graphql_api"] = false }
 
     it "is disabled" do
-      expect { get "/graphql" }.to raise_exception(FeatureFlags::FeatureDisabled)
-      expect { post "/graphql" }.to raise_exception(FeatureFlags::FeatureDisabled)
+      get "/graphql", params: { query: query_string }
+
+      expect(response).to have_http_status(:forbidden)
+
+      post "/graphql", params: { query: query_string }
+
+      expect(response).to have_http_status(:forbidden)
     end
   end
 end

spec/controllers/officing/voters_controller_spec.rb

@@ -15,7 +15,7 @@ describe Officing::VotersController do
             voter: { poll_id: poll.id, user_id: user.id },
             format: :js
           }
-        rescue ActionDispatch::IllegalStateError, ActiveRecord::RecordInvalid
+        rescue ActiveRecord::RecordInvalid
         end
       end.each(&:join)
 

spec/controllers/polls/answers_controller_spec.rb

@@ -13,7 +13,7 @@ describe Polls::AnswersController do
             option_id: question.question_options.find_by(title: "Answer A").id,
             format: :js
           }
-        rescue ActionDispatch::IllegalStateError, ActiveRecord::RecordInvalid
+        rescue ActiveRecord::RecordInvalid
         end
       end.each(&:join)
 

spec/models/legislation/draft_version_spec.rb

@@ -135,16 +135,14 @@ describe Legislation::DraftVersion do
 
       <p>Something about this.</p>
 
-      <table>
-      <thead>
+      <table><thead>
       <tr>
       <th>id</th>
       <th>name</th>
       <th>age</th>
       <th>gender</th>
       </tr>
-      </thead>
-      <tbody>
+      </thead><tbody>
       <tr>
       <td>1</td>
       <td>Roberta</td>
@@ -157,8 +155,7 @@ describe Legislation::DraftVersion do
       <td>25</td>
       <td>F</td>
       </tr>
-      </tbody>
-      </table>
+      </tbody></table>
     BODY_HTML
   end
 

spec/spec_helper.rb

@@ -10,7 +10,7 @@ Dir["./spec/shared/**/*.rb"].sort.each  { |f| require f }
 
 RSpec.configure do |config|
   config.use_transactional_fixtures = true
-  config.fixture_path = "spec/fixtures/files"
+  config.fixture_paths = ["spec/fixtures/files"]
 
   config.filter_run_when_matching :focus
   config.include RequestSpecHelper, type: :request
@@ -102,7 +102,7 @@ RSpec.configure do |config|
 
     allow(Rails.application).to receive(:env_config) do
       config.merge(
-        "action_dispatch.show_exceptions" => true,
+        "action_dispatch.show_exceptions" => :all,
         "action_dispatch.show_detailed_exceptions" => false,
         "consider_all_requests_local" => false
       )

spec/system/admin/banners_spec.rb

@@ -86,7 +86,7 @@ describe "Admin banners magement", :admin do
     visit proposals_path
 
     expect(page).to have_content "Such banner"
-    expect(page).to have_link "Such banner many text wow link", href: "https://www.url.com"
+    expect(page).to have_link "Such banner", href: "https://www.url.com"
   end
 
   scenario "Publish a banner with a translation different than the current locale" do

spec/system/comments_spec.rb

@@ -267,7 +267,7 @@ describe "Comments" do
   scenario "Sanitizes comment body for security" do
     create(:comment, commentable: resource,
                      body: "<script>alert('hola')</script> " \
-                           "<a href=\"javascript:alert('sorpresa!')\">click me<a/> " \
+                           "<a href=\"javascript:alert('sorpresa!')\">click me</a> " \
                            "http://www.url.com")
 
     visit polymorphic_path(resource)

spec/system/debates_spec.rb

@@ -296,7 +296,7 @@ describe "Debates" do
   scenario "JS injection is prevented but autolinking is respected", :no_js do
     author = create(:user)
     js_injection_string = "<script>alert('hey')</script> " \
-                          "<a href=\"javascript:alert('surprise!')\">click me<a/> " \
+                          "<a href=\"javascript:alert('surprise!')\">click me</a> " \
                           "http://example.org"
     login_as(author)
 

spec/system/multitenancy_spec.rb

@@ -3,7 +3,7 @@ require "rails_helper"
 describe "Multitenancy", :seed_tenants do
   before { create(:tenant, schema: "mars") }
 
-  scenario "Disabled features", :no_js do
+  scenario "Disabled features", :show_exceptions do
     create(:tenant, schema: "venus")
     Tenant.switch("mars") { Setting["process.debates"] = true }
     Tenant.switch("venus") { Setting["process.debates"] = nil }
@@ -15,7 +15,9 @@ describe "Multitenancy", :seed_tenants do
     end
 
     with_subdomain("venus") do
-      expect { visit debates_path }.to raise_exception(FeatureFlags::FeatureDisabled)
+      visit debates_path
+
+      expect(page).to have_title "Forbidden"
     end
   end
 

spec/system/proposals_spec.rb

@@ -514,7 +514,7 @@ describe "Proposals" do
   scenario "JS injection is prevented but autolinking is respected", :no_js do
     author = create(:user)
     js_injection_string = "<script>alert('hey')</script> " \
-                          "<a href=\"javascript:alert('surprise!')\">click me<a/> " \
+                          "<a href=\"javascript:alert('surprise!')\">click me</a> " \
                           "http://example.org"
     login_as(author)