Javi Martín
6b1864fbcd
Sanitize translations instead of using _html
Using the `_html` suffix in an i18n key is the same as using `html_safe`
on it, which means that translation could potentially be used for XSS
attacks.
2019-10-09 19:46:47 +02:00
Javi Martín
391f58eb90
Sanitize dashboard action before displaying it
We were using `<%==`, which is the same as using `raw`.
Note ERB Lint doesn't warn us of this usage. Brakeman does warn us,
though.
2019-10-08 19:10:14 +02:00
Javi Martín
a20c0f078d
Use safe_join instead of <%==
Using `<%==` is the same as using `raw`, and here we only want to mark
as safe a `<br>` tag.
2019-10-08 19:10:14 +02:00
Javi Martín
00a6f5b601
Remove <%== usage displaying settings
Using `<%==` is the same as using `raw`. I'm not sure if we meant
`sanitize` in this case, or it's just a typo. I'm assuming the latter
since we don't use anything similar in any other places.
2019-10-08 19:10:14 +02:00
Javi Martín
928312e218
Use sanitize in translations with links
Sometimes we're interpolating a link inside a translation, and marking
the whole translation as HTML safe.
However, some translations added by admins to the database or through
crowdin are not entirely under our control.
Although AFAIK crowdin checks for potential cross-site scripting
attacks, it's a good practice to sanitize parts of a string potentially
out of our control before marking the string as HTML safe.
2019-10-08 18:46:21 +02:00
Javi Martín
0f485308b7
Sanitize CKEditor content before displaying it
It's possible to create a newsletter or a proposed action with
<script> tags by filling in the body using a textarea instead of a
CKEditor. While we trust our administrators not to do so, it's better to
completely eliminate that possibility.
2019-10-08 18:46:20 +02:00
Javi Martín
20ca6beb30
Remove unneeded html_safe and raw calls
There's no HTML in these texts, or it has already been escaped by Rails'
`link_to` helper method.
2019-10-08 13:20:22 +02:00
Javi Martín
6fa67b5e53
Use active record translations for labels
This way we can simplify the way we generate form fields. In some cases,
we also use the human attribute in table headers, which IMHO makes
sense.
I haven't moved all of them: for example, sometimes a label is
different depending on whether it's shown to administrators, valuators,
or users. And I haven't touched the ones related to devise, since I
wasn't sure about possible side effects.
Note I've also removed placeholders when they had the same text as their
labels, since they weren't helpful. On the contrary, they added redundant
text to the form, potentially distracting users.
2019-10-07 01:56:23 +02:00
decabeza
abf04bea4c
Add related content section on proposal dashboard
2019-09-11 19:45:19 +02:00
Javi Martín
f9ed186909
Add rubocop spacing rules
We were following these rules in most places; we just didn't define them
anywhere.
2019-09-10 21:04:56 +02:00
Javi Martín
cf9e36c767
Replace single quotes with double quotes
Most of these quotes were in the dashboard branch before we added the
rule for double quotes.
2019-09-10 19:21:03 +02:00
Javi Martín
911fe4e481
Simplify calls to render partial
We're also adding a bit of consistency, since most of our calls to
partial rendering omit the `partial` and `locals` keys.
2019-09-04 15:00:36 +02:00
Javi Martín
a21240b230
Use Date.current and Time.current
Using Date.today and Time.now might lead to inconsistencies if the time
zone the application uses is not the same as the system time zone.
2019-08-28 20:32:40 +02:00
Alberto
2f8505332e
Merge pull request #3574 from consul/remove-dashboard-polls
Allow users to delete dashboard polls
2019-06-01 11:06:34 +02:00
decabeza
3855bf26ad
Allow users to delete dashboard polls
2019-05-31 11:55:23 +02:00
decabeza
de7b2e8681
Replace name label on dashboard polls form
2019-05-31 11:55:14 +02:00
decabeza
4c5b2723f4
Create new messages section for proposal's dashboard
2019-05-31 11:42:15 +02:00
Javi Martín
8094417828
Remove best_in_place
It was only used in one place, so it's best to remove it and use the
patterns we use everywhere else.
2019-04-29 12:37:28 -05:00
decabeza
9f973bf789
Add message on dashboard request to archived proposals
2019-04-29 15:46:44 +02:00
decabeza
4b7d7f27a4
Fix typo
2019-04-29 15:45:44 +02:00
decabeza
3add160b4b
Change i18n to resources on next goal
These resources are always locked when they are shown in the next goal section.
2019-04-29 15:45:04 +02:00
voodoorai2000
dfbdc0568c
Allow actions to be unexecuted
Before, actions could be marked as executed. With this commit we are also allowing actions to be marked as unexecuted.
2019-04-29 15:43:53 +02:00
voodoorai2000
6f3b213612
Refactor proposal poll routes
Moving routes from custom file to the proposal's routes file.
2019-04-29 15:43:25 +02:00
voodoorai2000
93972eeb33
Use custom url for proposal poll results
2019-04-29 15:42:27 +02:00
voodoorai2000
93ff173a0d
Use a custom url for proposal polls
Before, we used the standard poll url (vota/:id) for a user-generated poll.
However, this url is considered too important for this kind of polls, so we are changing it to a namespaced url (proposals/:proposal_id/polls/:id).
2019-04-29 15:42:04 +02:00
decabeza
0994ef2342
Hide request to admin button for archived proposals
2019-04-24 14:08:22 +02:00
decabeza
b53a2f8012
Fix button text on dashboard polls form
2019-04-24 14:02:07 +02:00
decabeza
5bbf325c1f
Remove copy link on dashboard polls
2019-04-24 14:01:08 +02:00
decabeza
c76b465ce8
Show message when requesting a resource from admins
2019-04-24 13:58:42 +02:00
decabeza
5b8fe4bb98
Add truncate to proposed action description
The show description link only appears if the description is longer than the defined length.
2019-04-24 13:58:37 +02:00
decabeza
41e692737b
Add expanded class to dashboard resources buttons
2019-04-24 13:58:32 +02:00
decabeza
2cff3767c1
Remove open in new tab option for links
2019-04-24 13:58:13 +02:00
decabeza
050896d1d3
Add autocomplete off to dashboard poll dates form
2019-04-24 13:57:27 +02:00
decabeza
90ca78a0bd
Show actions section only if there is any action
2019-04-24 13:57:12 +02:00
decabeza
4064fea1e5
Remove button to remove image
This image can still be removed with the edit button.
2019-04-24 13:57:08 +02:00
decabeza
0517ae04a6
Remove consul logo
2019-04-24 13:57:04 +02:00
decabeza
21e6e8097f
Update i18n texts
2019-04-24 13:56:49 +02:00
decabeza
91be3cf775
Fix more hound warnings
2019-03-27 15:22:14 +01:00
decabeza
e5bff01027
Replace incoming filter on dashboard polls
Add the starts_at attribute instead of incoming, because this scope doesn't exist anymore.
2019-03-26 18:25:35 +01:00
Alberto
29a87e2746
Merge branch 'dashboard' into dashboard-polish
2019-03-26 12:19:20 +01:00
Raimond Garcia
f6526f4a45
Merge pull request #3271 from Platoniq/dashboard-user-communication
Dashboard user communication
2019-03-26 12:10:18 +01:00
Senén Rodero Rodríguez
5e98c23be5
Fix HTML markup
We cannot use 'id' html attributes on nested answers
because there will be many answers for each question, so
this would have generated invalid HTML.
2019-03-21 14:51:17 +01:00
Senén Rodero Rodríguez
0d3e20f370
Fix dashboard poll form nested questions and answers
Nested remove association links were not working properly because of
a missing CSS class needed by Cocoon.
2019-03-21 14:51:17 +01:00
Senén Rodero Rodríguez
9d9ad5003b
Add given_order to related poll question answers forms
Since given order is no longer being generated automatically, we need
to add it to the related forms and to the strong parameters methods.
2019-03-21 14:51:17 +01:00
taitus
9d85b39356
Display correct link for resources with request_to_administrator: false
Fix: when a resource does not need request_for_administrator, the text "request_resource" was always shown, when the correct text is "view_resource".
2019-03-21 12:29:31 +01:00
taitus
a1de5b2334
Display tag "new" on actions
An author will see a "new" tag on each action or resource that has appeared on their dashboard since their last login.
Also add a "new" tag on the dashboard menu when there are new resources.
2019-03-21 12:29:31 +01:00
taitus
08383b9cac
Send new notification email after publish Proposal
After publishing a proposal, send an email to the proposal's author with an information text and the new actions available.
2019-03-21 12:29:30 +01:00
taitus
5177adb32a
New rake task for proposals to send new action email
Execute the rake task every day to detect new actions available for non-archived proposals. If there are new actions available for today, send an email to the proposal's author with an information text, the new actions available and a link to the proposal dashboard url.
2019-03-21 12:29:28 +01:00
taitus
c959e078b8
Send new action notification email after create Proposal
After creating a proposal, send an email to the proposal's author with an information text and the new actions available.
2019-03-20 11:50:47 +01:00
decabeza
cebcf5783d
Refactor proposed action
2019-03-19 18:07:40 +01:00