fix!(omniauth): keep verified email in session between forms

.env-example

@@ -106,6 +106,9 @@ SMS_GATEWAY_MB_ACCOUNT_ID=
 # Format : comma separated list of auhtorization handler names
 # AUTO_EXPORT_AUTHORIZATIONS_DATA_TO_USER_DATA_ENABLED_FOR="authorization1,authorization2"
 
+# Force profile sync on every omniauth connection (default: false)
+# FORCE_PROFILE_SYNC_ON_OMNIAUTH_CONNECTION=false
+
 # Delay until a user is considered inactive and receive a warning email (in days, default: 365)
 # DECIDIM_CLEANER_INACTIVE_USERS_MAIL=
 

.github/workflows/ci_cd.yml

@@ -118,12 +118,12 @@ jobs:
         name: RSpec
       # - run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH
       #  name: Upload coverage
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: always()
         with:
           name: screenshots
           path: ./spec/tmp/screenshots
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: always()
         with:
           name: assets-manifest-${{ matrix.slice }}
@@ -192,12 +192,12 @@ jobs:
         name: RSpec
       # - run: ./.github/upload_coverage.sh decidim-app $GITHUB_EVENT_PATH
       #  name: Upload coverage
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: always()
         with:
           name: screenshots
           path: ./spec/tmp/screenshots
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: always()
         with:
           name: assets-manifest-${{ matrix.slice }}

Gemfile

@@ -19,6 +19,7 @@ gem "decidim-templates", "~> #{DECIDIM_VERSION}.0"
 gem "decidim-budgets_booth", github: "OpenSourcePolitics/decidim-module-ptp"
 
 # External Decidim gems
+gem "decidim-admin_multi_factor", git: "https://github.com/OpenSourcePolitics/decidim-module-admin_multi_factor.git", branch: "fix/decidim_version_and_missing_helper"
 gem "decidim-anonymous_proposals", DECIDIM_ANONYMOUS_PROPOSALS_VERSION
 gem "decidim-budget_category_voting", git: "https://github.com/alecslupu-pfa/decidim-budget_category_voting.git", branch: DECIDIM_BRANCH
 gem "decidim-cache_cleaner"
@@ -42,7 +43,9 @@ gem "decidim-term_customizer", git: "https://github.com/OpenSourcePolitics/decid
 
 gem "decidim-guest_meeting_registration", git: "https://github.com/alecslupu-pfa/guest-meeting-registration.git", branch: DECIDIM_BRANCH
 # Omniauth gems
-gem "omniauth-france_connect", git: "https://github.com/OpenSourcePolitics/omniauth-france_connect"
+
+gem "omniauth-france_connect", git: "https://github.com/OpenSourcePolitics/omniauth-france_connect", branch: "feat/omniauth_openid_connect--v0.7.1"
+gem "omniauth-oauth2"
 gem "omniauth_openid_connect"
 gem "omniauth-publik", git: "https://github.com/OpenSourcePolitics/omniauth-publik"
 
@@ -51,6 +54,7 @@ gem "activejob-uniqueness", require: "active_job/uniqueness/sidekiq_patch"
 gem "activerecord-session_store"
 gem "aws-sdk-s3", require: false
 gem "bootsnap", "~> 1.4"
+gem "concurrent-ruby", "1.3.4"
 gem "deepl-rb", require: "deepl"
 gem "deface"
 gem "dotenv-rails", "~> 2.7"

Gemfile.lock

@@ -1,3 +1,12 @@
+GIT
+  remote: https://github.com/OpenSourcePolitics/decidim-module-admin_multi_factor.git
+  revision: 8fd7a2736962259cb1bcad1fc1dfbd973bcb9055
+  branch: fix/decidim_version_and_missing_helper
+  specs:
+    decidim-admin_multi_factor (0.27.4)
+      countries (~> 5.1, >= 5.1.2)
+      decidim-core (= 0.27.4)
+
 GIT
   remote: https://github.com/OpenSourcePolitics/decidim-module-anonymous_proposals
   revision: ea7c828c82fabb1c35e161095082f15ba63b6eaf
@@ -42,7 +51,7 @@ GIT
 
 GIT
   remote: https://github.com/OpenSourcePolitics/decidim-module-gallery.git
-  revision: 726fab33984c3adeec30cf90d0e1b4ad3881787d
+  revision: 0ce98eeade3f86055782522ab9aa0339183eaa6e
   branch: fix/nokogiri_deps
   specs:
     decidim-gallery (0.26.0)
@@ -72,7 +81,7 @@ GIT
 
 GIT
   remote: https://github.com/OpenSourcePolitics/decidim-module-ptp.git
-  revision: 32b0f9a29499768cf6783a0026badaed33f025ab
+  revision: 46bb834a68d52cd7d1d4bba6182cca55f2495125
   specs:
     decidim-budgets_booth (0.27.0)
       decidim-budgets (~> 0.27.0)
@@ -124,10 +133,11 @@ GIT
 
 GIT
   remote: https://github.com/OpenSourcePolitics/omniauth-france_connect
-  revision: 14a53ad31928c8a83742360cfbdb90938d0a057e
+  revision: cbf54f82e0ea55e7397004aa21905dce2b528674
+  branch: feat/omniauth_openid_connect--v0.7.1
   specs:
     omniauth-france_connect (0.1.0)
-      omniauth_openid_connect (~> 0.4.0)
+      omniauth_openid_connect (~> 0.7.0)
 
 GIT
   remote: https://github.com/OpenSourcePolitics/omniauth-publik
@@ -364,7 +374,7 @@ GEM
     coffee-script-source (1.12.2)
     colorize (0.8.1)
     commonmarker (0.23.10)
-    concurrent-ruby (1.2.3)
+    concurrent-ruby (1.3.4)
     connection_pool (2.4.1)
     countries (5.7.2)
       unaccent (~> 0.3)
@@ -612,6 +622,8 @@ GEM
       dotenv (= 2.8.1)
       railties (>= 3.2)
     dumb_delegator (1.0.0)
+    email_validator (2.2.4)
+      activemodel
     erb_lint (0.0.37)
       activesupport
       better_html (~> 1.0.7)
@@ -694,7 +706,6 @@ GEM
       nokogiri (>= 1.4)
     html_tokenizer (0.0.7)
     htmlentities (4.3.4)
-    httpclient (2.8.3)
     i18n (1.14.5)
       concurrent-ruby (~> 1.0)
     i18n-tasks (0.9.37)
@@ -846,21 +857,22 @@ GEM
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
-    omniauth_openid_connect (0.4.0)
-      addressable (~> 2.5)
+    omniauth_openid_connect (0.7.1)
       omniauth (>= 1.9, < 3)
-      openid_connect (~> 1.1)
-    openid_connect (1.4.2)
+      openid_connect (~> 2.2)
+    openid_connect (2.3.1)
       activemodel
       attr_required (>= 1.0.0)
-      json-jwt (>= 1.15.0)
-      net-smtp
-      rack-oauth2 (~> 1.21)
-      swd (~> 1.3)
+      email_validator
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      mail
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
       tzinfo
-      validate_email
       validate_url
-      webfinger (~> 1.2)
+      webfinger (~> 2.0)
     origami (2.1.0)
       colorize (~> 0.7)
     orm_adapter (0.5.0)
@@ -896,10 +908,11 @@ GEM
       rack (>= 1.0, < 4)
     rack-cors (1.1.1)
       rack (>= 2.0.0)
-    rack-oauth2 (1.21.3)
+    rack-oauth2 (2.2.1)
       activesupport
       attr_required
-      httpclient
+      faraday (~> 2.0)
+      faraday-follow_redirects
       json-jwt (>= 1.11.0)
       rack (>= 2.1.0)
     rack-protection (3.2.0)
@@ -1079,10 +1092,11 @@ GEM
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
     ssrf_filter (1.1.2)
-    swd (1.3.0)
+    swd (2.0.3)
       activesupport (>= 3)
       attr_required (>= 0.0.5)
-      httpclient (>= 2.4)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     sys-filesystem (1.4.4)
       ffi (~> 1.1)
     temple (0.10.3)
@@ -1102,9 +1116,6 @@ GEM
     valid_email2 (2.3.1)
       activemodel (>= 3.2)
       mail (~> 2.5)
-    validate_email (0.1.6)
-      activemodel (>= 3.0)
-      mail (>= 2.2.5)
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
@@ -1128,9 +1139,10 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
-    webfinger (1.2.0)
+    webfinger (2.1.3)
       activesupport
-      httpclient (>= 2.4)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     webmock (3.22.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -1175,8 +1187,10 @@ DEPENDENCIES
   brakeman (~> 5.1)
   byebug (~> 11.0)
   climate_control (~> 1.2)
+  concurrent-ruby (= 1.3.4)
   dalli
   decidim (~> 0.27.0)
+  decidim-admin_multi_factor!
   decidim-anonymous_proposals!
   decidim-budget_category_voting!
   decidim-budgets_booth!
@@ -1215,6 +1229,7 @@ DEPENDENCIES
   multipart-post
   nokogiri (= 1.13.4)
   omniauth-france_connect!
+  omniauth-oauth2
   omniauth-publik!
   omniauth-rails_csrf_protection (~> 1.0)
   omniauth_openid_connect
@@ -1235,4 +1250,4 @@ RUBY VERSION
    ruby 3.0.6p216
 
 BUNDLED WITH
-   2.5.22
+   2.5.10

app/helpers/application_helper.rb

@@ -27,4 +27,10 @@ def sso_provider_button(provider, link_to_path)
       html_element
     end
   end
+
+  def force_profile_sync_on_omniauth_connection?
+    !current_organization.sign_in_enabled? &&
+      current_organization.enabled_omniauth_providers.any? &&
+      Rails.application.secrets.dig(:decidim, :omniauth, :force_profile_sync_on_omniauth_connection)
+  end
 end

app/jobs/decidim/export_job.rb

@@ -12,7 +12,7 @@ def perform(user, component, name, format, resource_id = nil)
       collection = export_manifest.collection.call(component, user, resource_id)
       serializer = export_manifest.serializer
 
-      export_data = if (serializer == Decidim::Proposals::ProposalSerializer) && (user.admin? || admin_of_process?(user, component))
+      export_data = if (serializer == Decidim::Proposals::ProposalSerializer) && (user.admin? || admin_of_process?(user, component) || admin_of_assembly?(user, component))
                       Decidim::Exporters.find_exporter(format).new(collection, serializer).admin_export
                     else
                       Decidim::Exporters.find_exporter(format).new(collection, serializer).export
@@ -27,5 +27,11 @@ def admin_of_process?(user, component)
 
       Decidim::ParticipatoryProcessUserRole.exists?(decidim_user_id: user.id, decidim_participatory_process_id: component.participatory_space.id, role: "admin")
     end
+
+    def admin_of_assembly?(user, component)
+      return unless component.respond_to?(:participatory_space)
+
+      Decidim::AssemblyUserRole.exists?(decidim_user_id: user.id, decidim_assembly_id: component.participatory_space.id, role: "admin")
+    end
   end
 end

app/overrides/decidim/account/show/disabled_omniauth_synced_email_field.html.erb.deface

@@ -0,0 +1,2 @@
+<!-- replace "erb[loud]:contains('email_field :email')" -->
+      <%= f.email_field :email, disabled: force_profile_sync_on_omniauth_connection? || current_user.unconfirmed_email.present?, autocomplete: "email" %>

app/overrides/decidim/account/show/disabled_omniauth_synced_name_field.html.erb.deface

@@ -0,0 +1,2 @@
+<!-- replace "erb[loud]:contains('text_field :name')" -->
+      <%= f.text_field :name, disabled: force_profile_sync_on_omniauth_connection?, autocomplete: "name" %>

app/overrides/decidim/account/show/disabled_omniauth_synced_nickname_field.html.erb.deface

@@ -0,0 +1,2 @@
+<!-- replace "erb[loud]:contains('text_field :nickname')" -->
+      <%= f.text_field :nickname, disabled: force_profile_sync_on_omniauth_connection?, autocomplete: "nickname" %>

app/overrides/decidim/account/show/omniauth_synced_profile_helper.html.erb.deface

@@ -0,0 +1,2 @@
+<!-- insert_before "erb[loud]:contains('form_required_explanation')" -->
+  <%= render partial: "/decidim/account/omniauth_synced_profile_helper", locals: { f: f } %>

app/overrides/decidim/budgets/projects/show/fix_videos_and_images_display.html.erb.deface

@@ -0,0 +1,3 @@
+<!-- replace "erb[loud]:contains('decidim_sanitize_editor translated_attribute project.description')" -->
+
+<%= decidim_sanitize_editor_admin translated_attribute project.description %>