From bc6b470bca102ccdc4ed1d898fcdb13a62c5599f Mon Sep 17 00:00:00 2001 From: briri Date: Tue, 30 Nov 2021 10:37:41 -0800 Subject: [PATCH 01/18] added 'distinct' to the paginable concern's search function --- app/controllers/concerns/paginable.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/concerns/paginable.rb b/app/controllers/concerns/paginable.rb index aea376ed12..84376e70b2 100644 --- a/app/controllers/concerns/paginable.rb +++ b/app/controllers/concerns/paginable.rb @@ -128,7 +128,7 @@ def paginable? # rubocop:disable Metrics/AbcSize def refine_query(scope) @args = @args.with_indifferent_access - scope = scope.search(@args[:search]) if @args[:search].present? + scope = scope.search(@args[:search]).distinct if @args[:search].present? # Can raise NoMethodError if the scope does not define a search method if @args[:sort_field].present? frmt = @args[:sort_field][SORT_COLUMN_FORMAT] From ad52bfc4e815eb03ebd1cd50ff3efe8609d2681f Mon Sep 17 00:00:00 2001 From: briri Date: Tue, 30 Nov 2021 14:24:48 -0800 Subject: [PATCH 02/18] fixed issues with a few edge-case errors for plan downloads in csv and text formats --- app/controllers/org_admin/plans_controller.rb | 6 +++--- app/views/shared/export/_plan.erb | 2 +- app/views/shared/export/_plan_txt.erb | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/app/controllers/org_admin/plans_controller.rb b/app/controllers/org_admin/plans_controller.rb index d04739b5fc..c52e6ffe31 100644 --- a/app/controllers/org_admin/plans_controller.rb +++ b/app/controllers/org_admin/plans_controller.rb 
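Review bot: `.distinct` is appended only on the search path, and it interacts with the ordering applied further down in refine_query: if a `search` scope joins associated tables, PostgreSQL rejects `SELECT DISTINCT` whose `ORDER BY` column is not in the select list, which the string `order("#{order_field} ...")` branch can produce. Whether any of the `search` scopes join is not visible here, so this needs confirming against the models that define `search` and the database in use. The identical one-line hunk is repeated in PATCH 04 and PATCH 05 of this series. refine_query continues outside the hunk.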
@@ -65,9 +65,9 @@ def download_plans csv << [ plan.title.to_s, plan.template.title.to_s, - (plan.owner.org.present? ? plan.owner.org.name : "").to_s, - plan.owner.name(false).to_s, - plan.owner.email.to_s, + (plan.owner&.org&.present? ? plan.owner.org.name : "").to_s, + plan.owner&.name(false)&.to_s, + plan.owner&.email&.to_s, l(plan.latest_update.to_date, format: :csv).to_s, Plan::VISIBILITY_MESSAGE[plan.visibility.to_sym].capitalize.to_s ] diff --git a/app/views/shared/export/_plan.erb b/app/views/shared/export/_plan.erb index f5c2e45e83..423de9ae25 100644 --- a/app/views/shared/export/_plan.erb +++ b/app/views/shared/export/_plan.erb @@ -78,7 +78,7 @@
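Review bot: `plan.owner&.name(false)&.to_s` and `plan.owner&.email&.to_s` leave the CSV cell nil when the plan has no owner, because `nil&.to_s` is nil; the removed `.to_s` guaranteed a String. CSV writes nil as an empty field so the file looks the same today, but the `&.` in front of `to_s` is misleading since `nil.to_s` is already `""`. `plan.owner&.name(false).to_s` and `plan.owner&.email.to_s` keep the original contract with one fewer operator. The same hunk reappears in PATCH 06; download_plans starts and ends outside the hunk.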
<%# case for displaying comments OR text %> <% elsif !blank %> - <%= sanitize answer.text %> + <%= sanitize answer&.text %>

<% end %> <% end %> diff --git a/app/views/shared/export/_plan_txt.erb b/app/views/shared/export/_plan_txt.erb index fd8ce323e6..32f83e8303 100644 --- a/app/views/shared/export/_plan_txt.erb +++ b/app/views/shared/export/_plan_txt.erb @@ -1,7 +1,7 @@ <%= "#{@plan.title}" %> <%= "----------------------------------------------------------\n" %> <% if @show_coversheet %> -<%= @hash[:attribution].many? ? _("Creators: ") : _('Creator:') %> <%= @hash[:attribution].join(', ') %> +<%= @hash[:attribution].length > 1 ? _("Creators: ") : _('Creator:') %> <%= @hash[:attribution].join(', ') %> <%= _("Affiliation: ") + @hash[:affiliation] %> <% if @hash[:funder].present? %> <%= _("Template: ") + @hash[:funder] %> @@ -24,7 +24,7 @@ <% @hash[:phases].each do |phase| %> <%# Only render selected phase %> <% if phase[:title] == @selected_phase.title %> -<%= (@hash[:phases].many? ? "#{phase[:title]}" : "") %> +<%= (@hash[:phases].length > 1 ? "#{phase[:title]}" : "") %> <% phase[:sections].each do |section| %> <% if display_section?(@hash[:customization], section, @show_custom_sections) && num_section_questions(@plan, section, phase) > 0 %> <% if @show_sections_questions %> From 90069f56476c069b953e458122b14cea6e2e0fde Mon Sep 17 00:00:00 2001 From: Ray Carrick Date: Wed, 29 Dec 2021 22:08:43 +0000 Subject: [PATCH 03/18] untethered regex allows for sql injection --- app/controllers/concerns/paginable.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/concerns/paginable.rb b/app/controllers/concerns/paginable.rb index aea376ed12..7bf5059dff 100644 --- a/app/controllers/concerns/paginable.rb +++ b/app/controllers/concerns/paginable.rb @@ -8,7 +8,7 @@ module Paginable ## # Regex to validate sort_field param is safe - SORT_COLUMN_FORMAT = /[\w_]+\.[\w_]/.freeze + SORT_COLUMN_FORMAT = /[\w_]+\.[\w_]+$/.freeze PAGINATION_QUERY_PARAMS = %i[page sort_field sort_direction search controller action].freeze 
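Review bot: `$` matches before any newline rather than only at the end of the string, and there is still no start anchor, so `SORT_COLUMN_FORMAT` still accepts a sort_field with arbitrary text in front of the `table.column` token or after an embedded newline. The constant is applied with `String#[]` (`frmt = @args[:sort_field][SORT_COLUMN_FORMAT]` in refine_query, visible in the PATCH 01 hunk), which extracts the first match rather than validating the whole parameter, so the anchors matter: `SORT_COLUMN_FORMAT = /\A[\w_]+\.[\w_]+\z/.freeze` makes the extracted token equal to the parameter only when the parameter is well-formed. `_` is already part of `\w`, so `[\w_]` could simply be `\w`. PATCH 11 repeats this hunk unchanged.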
From 9c2473421931e9077bc3c791b9a027bccfb1667e Mon Sep 17 00:00:00 2001 From: briri Date: Tue, 30 Nov 2021 10:37:41 -0800 Subject: [PATCH 04/18] added 'distinct' to the paginable concern's search function --- app/controllers/concerns/paginable.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/concerns/paginable.rb b/app/controllers/concerns/paginable.rb index 34d73c95d6..144b922689 100644 --- a/app/controllers/concerns/paginable.rb +++ b/app/controllers/concerns/paginable.rb @@ -129,7 +129,7 @@ def paginable? # rubocop:disable Metrics/AbcSize, Metrics/MethodLength def refine_query(scope) @args = @args.with_indifferent_access - scope = scope.search(@args[:search]) if @args[:search].present? + scope = scope.search(@args[:search]).distinct if @args[:search].present? # Can raise NoMethodError if the scope does not define a search method if @args[:sort_field].present? frmt = @args[:sort_field][SORT_COLUMN_FORMAT] From ef7f5cd4b486844f3a309aa485ae61f0e7f5b86a Mon Sep 17 00:00:00 2001 From: briri Date: Tue, 30 Nov 2021 10:37:41 -0800 Subject: [PATCH 05/18] added 'distinct' to the paginable concern's search function --- app/controllers/concerns/paginable.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/concerns/paginable.rb b/app/controllers/concerns/paginable.rb index 34d73c95d6..144b922689 100644 --- a/app/controllers/concerns/paginable.rb +++ b/app/controllers/concerns/paginable.rb @@ -129,7 +129,7 @@ def paginable? # rubocop:disable Metrics/AbcSize, Metrics/MethodLength def refine_query(scope) @args = @args.with_indifferent_access - scope = scope.search(@args[:search]) if @args[:search].present? + scope = scope.search(@args[:search]).distinct if @args[:search].present? # Can raise NoMethodError if the scope does not define a search method if @args[:sort_field].present? frmt = @args[:sort_field][SORT_COLUMN_FORMAT] From 544e77b8a1ccd9758d1682e785d18abf7922a4ff Mon Sep 17 00:00:00 2001 
From: briri Date: Tue, 30 Nov 2021 14:24:48 -0800 Subject: [PATCH 06/18] fixed issues with a few edge-case errors for plan downloads in csv and text formats --- app/controllers/org_admin/plans_controller.rb | 6 +++--- app/views/shared/export/_plan.erb | 2 +- app/views/shared/export/_plan_txt.erb | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/app/controllers/org_admin/plans_controller.rb b/app/controllers/org_admin/plans_controller.rb index da5aad0ac3..c4f0df382a 100644 --- a/app/controllers/org_admin/plans_controller.rb +++ b/app/controllers/org_admin/plans_controller.rb @@ -68,9 +68,9 @@ def download_plans csv << [ plan.title.to_s, plan.template.title.to_s, - (plan.owner.org.present? ? plan.owner.org.name : '').to_s, - plan.owner.name(false).to_s, - plan.owner.email.to_s, + (plan.owner&.org&.present? ? plan.owner.org.name : "").to_s, + plan.owner&.name(false)&.to_s, + plan.owner&.email&.to_s, l(plan.latest_update.to_date, format: :csv).to_s, Plan::VISIBILITY_MESSAGE[plan.visibility.to_sym].capitalize.to_s ] diff --git a/app/views/shared/export/_plan.erb b/app/views/shared/export/_plan.erb index f5c2e45e83..423de9ae25 100644 --- a/app/views/shared/export/_plan.erb +++ b/app/views/shared/export/_plan.erb @@ -78,7 +78,7 @@
<%# case for displaying comments OR text %> <% elsif !blank %> - <%= sanitize answer.text %> + <%= sanitize answer&.text %>

<% end %> <% end %> diff --git a/app/views/shared/export/_plan_txt.erb b/app/views/shared/export/_plan_txt.erb index fd8ce323e6..32f83e8303 100644 --- a/app/views/shared/export/_plan_txt.erb +++ b/app/views/shared/export/_plan_txt.erb @@ -1,7 +1,7 @@ <%= "#{@plan.title}" %> <%= "----------------------------------------------------------\n" %> <% if @show_coversheet %> -<%= @hash[:attribution].many? ? _("Creators: ") : _('Creator:') %> <%= @hash[:attribution].join(', ') %> +<%= @hash[:attribution].length > 1 ? _("Creators: ") : _('Creator:') %> <%= @hash[:attribution].join(', ') %> <%= _("Affiliation: ") + @hash[:affiliation] %> <% if @hash[:funder].present? %> <%= _("Template: ") + @hash[:funder] %> @@ -24,7 +24,7 @@ <% @hash[:phases].each do |phase| %> <%# Only render selected phase %> <% if phase[:title] == @selected_phase.title %> -<%= (@hash[:phases].many? ? "#{phase[:title]}" : "") %> +<%= (@hash[:phases].length > 1 ? "#{phase[:title]}" : "") %> <% phase[:sections].each do |section| %> <% if display_section?(@hash[:customization], section, @show_custom_sections) && num_section_questions(@plan, section, phase) > 0 %> <% if @show_sections_questions %> From 27434b5515196af75cf959d1ea52bf13d217ea16 Mon Sep 17 00:00:00 2001 From: Ray Carrick Date: Fri, 28 Jan 2022 11:12:00 +0000 Subject: [PATCH 07/18] trying to figure out brakeman error --- app/controllers/concerns/paginable.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/app/controllers/concerns/paginable.rb b/app/controllers/concerns/paginable.rb index 144b922689..39185db2c3 100644 --- a/app/controllers/concerns/paginable.rb +++ b/app/controllers/concerns/paginable.rb 
@@ -161,7 +161,9 @@ def refine_query(scope)
 # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
 def sort_direction
- @sort_direction ||= SortDirection.new(@args[:sort_direction])
+ sd = "asc"
+ sd = "desc" if @args[:sort_direction] == "desc"
+ @sort_direction ||= SortDirection.new(sd)
 end
 # Returns the sort link name for a given sort_field. The link name includes
From 098b579f78a45a1661759f2ddbe849eb1fd26216 Mon Sep 17 00:00:00 2001
From: Ray Carrick
Date: Fri, 28 Jan 2022 11:34:43 +0000
Subject: [PATCH 08/18] Fix brakeman sql injection Brake gives possible sql injection. Not entirely sure what it's about byt guessing it's the sort_direction.
---
 app/controllers/concerns/paginable.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/app/controllers/concerns/paginable.rb b/app/controllers/concerns/paginable.rb
index 39185db2c3..dfacd1bda1 100644
--- a/app/controllers/concerns/paginable.rb
+++ b/app/controllers/concerns/paginable.rb
@@ -148,8 +148,9 @@ def refine_query(scope)
 scope = scope.order(order_field.to_sym => sort_direction.to_s)
 else
 order_field = ActiveRecord::Base.sanitize_sql(@args[:sort_field])
+ sd = ActiveRecord::Base.sanitize_sql(sort_direction)
 scope = scope.includes(table_part.singularize.to_sym)
- .order("#{order_field} #{sort_direction}")
+ .order("#{order_field} #{sd}")
 end
 end
 if @args[:page] != 'ALL'
@@ -161,9 +162,7 @@ def refine_query(scope)
 # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
 def sort_direction
- sd = "asc"
- sd = "desc" if @args[:sort_direction] == "desc"
- @sort_direction ||= SortDirection.new(sd)
+ @sort_direction ||= SortDirection.new(@args[:sort_direction])
 end
 # Returns the sort link name for a given sort_field. The link name includes
From 0c17d14bdc42892629fcba349f25597392c34227 Mon Sep 17 00:00:00 2001
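Review bot: `ActiveRecord::Base.sanitize_sql` returns a String (or any non-Array) argument unchanged, it only escapes when given an `[sql, *binds]` Array, so `order_field` and `sd` are still the raw request values interpolated into `.order("#{order_field} #{sd}")`; this silences the Brakeman finding without closing the injection path, and the second hunk reverts the asc/desc whitelist from PATCH 07 that did close part of it. refine_query already computes `frmt = @args[:sort_field][SORT_COLUMN_FORMAT]` (visible in the PATCH 01 hunk), and that matched token is the only thing that should reach the SQL string, with the request rejected when the whole parameter does not match; the direction should likewise come from a fixed set unless SortDirection (not shown) whitelists its input. For example: `raise ActionController::BadRequest unless frmt == @args[:sort_field]`, `order_field = frmt`, `sd = sort_direction.to_s == 'desc' ? 'desc' : 'asc'`. The hash form used in the `if` branch, `order(order_field.to_sym => sort_direction.to_s)`, is safer because ActiveRecord validates the direction there, while the string branch gets no such check. refine_query starts and ends outside both hunks.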
From: Ray Carrick Date: Fri, 28 Jan 2022 11:43:26 +0000 Subject: [PATCH 09/18] Rubocop fixes disable complexity warnings and change quotes to get rubocop happy. --- app/controllers/org_admin/plans_controller.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/controllers/org_admin/plans_controller.rb b/app/controllers/org_admin/plans_controller.rb index c4f0df382a..7a612f061c 100644 --- a/app/controllers/org_admin/plans_controller.rb +++ b/app/controllers/org_admin/plans_controller.rb @@ -43,7 +43,7 @@ def feedback_complete # rubocop:enable Metrics/AbcSize # GET /org_admin/download_plans - # rubocop:disable Metrics/AbcSize, Metrics/MethodLength + # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity def download_plans # Test auth directly and throw Pundit error sincePundit # is unaware of namespacing @@ -68,7 +68,7 @@ def download_plans csv << [ plan.title.to_s, plan.template.title.to_s, - (plan.owner&.org&.present? ? plan.owner.org.name : "").to_s, + (plan.owner&.org&.present? ? plan.owner.org.name : '').to_s, plan.owner&.name(false)&.to_s, plan.owner&.email&.to_s, l(plan.latest_update.to_date, format: :csv).to_s, From d9e26a62e03de0185c2026e5045b1b64da14f9cf Mon Sep 17 00:00:00 2001 From: Ray Carrick Date: Fri, 28 Jan 2022 11:48:27 +0000 Subject: [PATCH 10/18] renable rubocop renable rubocop after end of method --- app/controllers/org_admin/plans_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/org_admin/plans_controller.rb b/app/controllers/org_admin/plans_controller.rb index 7a612f061c..2c7ec2a396 100644 --- a/app/controllers/org_admin/plans_controller.rb +++ b/app/controllers/org_admin/plans_controller.rb 
@@ -81,6 +81,6 @@ def download_plans
 format.csv { send_data plans, filename: "#{file_name}.csv" }
 end
 end
- # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
+ # rubocop:enable Metrics/AbcSize, Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
 end
 end
From 18695e943d256c074a9a5cf38522c77aeff067fd Mon Sep 17 00:00:00 2001
From: Ray Carrick
Date: Wed, 29 Dec 2021 22:08:43 +0000
Subject: [PATCH 11/18] untethered regex allows for sql injection
---
 app/controllers/concerns/paginable.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/concerns/paginable.rb b/app/controllers/concerns/paginable.rb
index dfacd1bda1..0a81985b49 100644
--- a/app/controllers/concerns/paginable.rb
+++ b/app/controllers/concerns/paginable.rb
@@ -8,7 +8,7 @@ module Paginable
 ##
 # Regex to validate sort_field param is safe
- SORT_COLUMN_FORMAT = /[\w_]+\.[\w_]/.freeze
+ SORT_COLUMN_FORMAT = /[\w_]+\.[\w_]+$/.freeze
 PAGINATION_QUERY_PARAMS = %i[page sort_field sort_direction search controller action].freeze
From 957879c37b08142cbd43631373a59034aadbfb29 Mon Sep 17 00:00:00 2001
From: Ray Carrick
Date: Fri, 28 Jan 2022 12:22:20 +0000
Subject: [PATCH 12/18] fix authorize
---
 app/controllers/paginable/contributors_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/paginable/contributors_controller.rb b/app/controllers/paginable/contributors_controller.rb
index 091515df11..3e50ef5b65 100644
--- a/app/controllers/paginable/contributors_controller.rb
+++ b/app/controllers/paginable/contributors_controller.rb
@@ -12,7 +12,7 @@ class ContributorsController < ApplicationController
 # GET /paginable/plans/:plan_id/contributors/index/:page
 def index
 @plan = Plan.find_by(id: params[:plan_id])
- authorize @plan
+ authorize @plan, :show?
 paginable_renderise(
 partial: 'index',
 scope: Contributor.where(plan_id: @plan.id),
From 75c266117a6b286b315b380a4ed8be5f2dc2cd88 Mon Sep 17 00:00:00 2001
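Review bot: `@plan = Plan.find_by(id: params[:plan_id])` can be nil, and `authorize @plan, :show?` then fails inside Pundit's policy lookup (NotDefinedError for a nil record, which a `rescue_from Pundit::NotAuthorizedError` does not catch) instead of producing a 404. `@plan = Plan.find(params[:plan_id])` raises RecordNotFound before authorization runs and also makes `@plan.id` on the `scope:` line safe. Switching the query to `:show?` is the right check for a read-only listing. index continues outside the hunk.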
From: Ray Carrick Date: Fri, 28 Jan 2022 13:08:47 +0000 Subject: [PATCH 13/18] based on scan of authorize statements --- app/controllers/contributors_controller.rb | 2 +- .../org_admin/phase_versions_controller.rb | 2 +- app/controllers/paginable/plans_controller.rb | 6 ++---- app/policies/department_policy.rb | 5 +++++ app/policies/phase_policy.rb | 4 ++++ app/policies/plan_policy.rb | 13 +++++++++++++ 6 files changed, 26 insertions(+), 6 deletions(-) diff --git a/app/controllers/contributors_controller.rb b/app/controllers/contributors_controller.rb index a92ea53356..3c210b63d4 100644 --- a/app/controllers/contributors_controller.rb +++ b/app/controllers/contributors_controller.rb @@ -30,7 +30,7 @@ def edit # rubocop:disable Metrics/AbcSize, Metrics/MethodLength # POST /plans/:plan_id/contributors def create - authorize @plan + authorize @plan, :edit? args = translate_roles(hash: contributor_params) args = process_org(hash: args) diff --git a/app/controllers/org_admin/phase_versions_controller.rb b/app/controllers/org_admin/phase_versions_controller.rb index 1d8ae32444..096acd4867 100644 --- a/app/controllers/org_admin/phase_versions_controller.rb +++ b/app/controllers/org_admin/phase_versions_controller.rb @@ -8,7 +8,7 @@ class PhaseVersionsController < ApplicationController # POST /org_admin/templates/:template_id/phases/:phase_id/versions def create @phase = Phase.find(params[:phase_id]) - authorize @phase, :create? + authorize @phase @new_phase = get_modifiable(@phase) flash[:notice] = if @new_phase == @phase 'This template is already a draft' diff --git a/app/controllers/paginable/plans_controller.rb b/app/controllers/paginable/plans_controller.rb index 4f17fb41aa..c0c5667f63 100644 --- a/app/controllers/paginable/plans_controller.rb +++ b/app/controllers/paginable/plans_controller.rb 
@@ -7,7 +7,7 @@ class PlansController < ApplicationController # /paginable/plans/privately_visible/:page def privately_visible - raise Pundit::NotAuthorizedError unless Paginable::PlanPolicy.new(current_user).privately_visible? + authorize Plan paginable_renderise( partial: 'privately_visible', @@ -19,9 +19,7 @@ def privately_visible # GET /paginable/plans/organisationally_or_publicly_visible/:page def organisationally_or_publicly_visible - unless Paginable::PlanPolicy.new(current_user).organisationally_or_publicly_visible? - raise Pundit::NotAuthorizedError - end + authorize Plan paginable_renderise( partial: 'organisationally_or_publicly_visible', diff --git a/app/policies/department_policy.rb b/app/policies/department_policy.rb index 1632749478..95018eb5cf 100644 --- a/app/policies/department_policy.rb +++ b/app/policies/department_policy.rb @@ -5,6 +5,11 @@ class DepartmentPolicy < ApplicationPolicy # NOTE: @user is the signed_in_user and @record is an instance of Department + def index? + (@user.can_org_admin? && @user.org.id == @department.org_id) || + @user.can_super_admin? + end + def new? @user.can_org_admin? || @user.can_super_admin? end diff --git a/app/policies/phase_policy.rb b/app/policies/phase_policy.rb index 18ed607788..4ae021c72f 100644 --- a/app/policies/phase_policy.rb +++ b/app/policies/phase_policy.rb @@ -19,6 +19,10 @@ def preview? @user.can_modify_templates? && (@record.template.org_id == @user.org_id) end + def edit? + user.can_modify_templates? && (phase.template.org_id == user.org_id) + end + def update? @user.can_modify_templates? && (@record.template.org_id == @user.org_id) end diff --git a/app/policies/plan_policy.rb b/app/policies/plan_policy.rb index 1ba95e6580..9a2581c0de 100644 --- a/app/policies/plan_policy.rb +++ b/app/policies/plan_policy.rb 
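Review bot: `authorize Plan` in privately_visible and organisationally_or_publicly_visible now resolves to the `PlanPolicy` predicates added in this same commit, which are plain `@user.present?`; the `Paginable::PlanPolicy` checks being removed are not visible here, so if they restricted these listings beyond "signed in", this is a loosening of access that the commit message does not mention. Confirm the old policy's logic before merging, or carry it into the new predicates. Both actions continue outside their hunks.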
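Review bot: `DepartmentPolicy#index?` reads `@department.org_id`, but the NOTE two lines above says the record is `@record` and `@department` is never assigned, so for an org admin the `&&` branch raises NoMethodError on nil instead of returning false. It should be `@record.org_id`, matching the other methods in this file; PATCH 16 fixes the same kind of slip in `PhasePolicy#edit?` but leaves this one. Note also that for an index action the record passed to `authorize` is often the Department class rather than an instance, in which case `org_id` is not available either, so check how the index controller calls `authorize`.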
@@ -5,6 +5,10 @@ class PlanPolicy < ApplicationPolicy
 # NOTE: @user is the signed_in_user and @record is an instance of Plan
+ def index?
+ @user.present?
+ end
+
 def show?
 @record.readable_by?(@user.id)
 end
@@ -70,4 +74,13 @@ def select_guidances_list?
 def update_guidances_list?
 @record.editable_by?(@user.id)
 end
+
+ def privately_visible?
+ @user.present?
+ end
+
+ def organisationally_or_publicly_visible?
+ @user.present?
+ end
+
 end
From c068c3097391aadd9cac1f6b9ab4aeefb664a47e Mon Sep 17 00:00:00 2001
From: Ray Carrick
Date: Fri, 28 Jan 2022 13:13:15 +0000
Subject: [PATCH 14/18] Fix spacing spacing round ops
---
 app/policies/phase_policy.rb | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/app/policies/phase_policy.rb b/app/policies/phase_policy.rb
index 4ae021c72f..acc11b49c2 100644
--- a/app/policies/phase_policy.rb
+++ b/app/policies/phase_policy.rb
@@ -12,34 +12,34 @@ class PhasePolicy < ApplicationPolicy # - The template which they are modifying belongs to their org def show? - @user.can_modify_templates? && (@record.template.org_id == @user.org_id) + @user.can_modify_templates? && (@record.template.org_id == @user.org_id) end def preview? - @user.can_modify_templates? && (@record.template.org_id == @user.org_id) + @user.can_modify_templates? && (@record.template.org_id == @user.org_id) end def edit? - user.can_modify_templates? && (phase.template.org_id == user.org_id) + user.can_modify_templates? && (phase.template.org_id == user.org_id) end def update? - @user.can_modify_templates? && (@record.template.org_id == @user.org_id) + @user.can_modify_templates? && (@record.template.org_id == @user.org_id) end def new? - @user.can_modify_templates? && (@record.template.org_id == @user.org_id) + @user.can_modify_templates? && (@record.template.org_id == @user.org_id) end def create? - @user.can_modify_templates? && (@record.template.org_id == @user.org_id) + @user.can_modify_templates? && (@record.template.org_id == @user.org_id) end def destroy? - @user.can_modify_templates? && (@record.template.org_id == @user.org_id) + @user.can_modify_templates? && (@record.template.org_id == @user.org_id) end def sort? - @user.can_modify_templates? && (@record.template.org_id == @user.org_id) + @user.can_modify_templates? && (@record.template.org_id == @user.org_id) end end From 5962f2db9a288f35a2fe7a0249ff81816150b1b8 Mon Sep 17 00:00:00 2001 From: Ray Carrick Date: Fri, 28 Jan 2022 13:15:01 +0000 Subject: [PATCH 15/18] rubocop blank live it didn't like --- app/policies/plan_policy.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/app/policies/plan_policy.rb b/app/policies/plan_policy.rb index 9a2581c0de..a2a95f92b6 100644 --- a/app/policies/plan_policy.rb +++ b/app/policies/plan_policy.rb @@ -82,5 +82,4 @@ def privately_visible? def organisationally_or_publicly_visible? @user.present? end - end 
From d42ab02e7e5d11447ad77f5d08f22ef5b8ba4c4d Mon Sep 17 00:00:00 2001 From: Ray Carrick Date: Mon, 31 Jan 2022 12:42:22 +0000 Subject: [PATCH 16/18] Unknown local variable Is phase should be @record --- app/policies/phase_policy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/policies/phase_policy.rb b/app/policies/phase_policy.rb index acc11b49c2..5d2b683162 100644 --- a/app/policies/phase_policy.rb +++ b/app/policies/phase_policy.rb @@ -20,7 +20,7 @@ def preview? end def edit? - user.can_modify_templates? && (phase.template.org_id == user.org_id) + user.can_modify_templates? && (@record.template.org_id == user.org_id) end def update? From 53012c38f088430ab5977acac5ae553a655078a5 Mon Sep 17 00:00:00 2001 From: Ray Carrick Date: Mon, 31 Jan 2022 12:52:46 +0000 Subject: [PATCH 17/18] update Gemfile.lock --- Gemfile.lock | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index c0e95e3b9b..81eca25817 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -64,7 +64,7 @@ GEM debug_inspector (>= 0.0.1) bootsnap (1.10.2) msgpack (~> 1.2) - brakeman (5.2.0) + brakeman (5.2.1) builder (3.2.4) bullet (7.0.1) activesupport (>= 3.0.0) @@ -218,7 +218,7 @@ GEM httparty (0.20.0) mime-types (~> 3.0) multi_xml (>= 0.5.2) - i18n (1.8.11) + i18n (1.9.1) concurrent-ruby (~> 1.0) ipaddress (0.8.3) jbuilder (2.11.5) @@ -317,7 +317,7 @@ GEM coderay (~> 1.1) method_source (~> 1.0) public_suffix (4.0.6) - puma (5.6.0) + puma (5.6.1) nio4r (~> 2.0) pundit (2.1.1) activesupport (>= 3.0.0) @@ -380,12 +380,12 @@ GEM rspec-mocks (~> 3.10.0) rspec-collection_matchers (1.2.0) rspec-expectations (>= 2.99.0.beta1) - rspec-core (3.10.1) + rspec-core (3.10.2) rspec-support (~> 3.10.0) rspec-expectations (3.10.2) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.10.0) - rspec-mocks (3.10.2) + rspec-mocks (3.10.3) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.10.0) rspec-rails (5.1.0) 
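Review bot: `edit?` still mixes the `user` reader with the `@record` ivar while every sibling predicate in PhasePolicy uses `@user`; `user` only resolves if ApplicationPolicy (not shown) declares an `attr_reader`, and the inconsistency is what let the `phase` typo survive until now. Make it `@user.can_modify_templates? && (@record.template.org_id == @user.org_id)` so all eight predicates read identically.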
From 816f1273507e7b91fb5bbd4671745e77ac45a315 Mon Sep 17 00:00:00 2001 From: briri Date: Thu, 7 Oct 2021 15:20:12 -0700 Subject: [PATCH 18/18] updated PDF coversheet to always show the creator of the DMP --- app/models/concerns/exportable_plan.rb | 9 ++++----- app/views/shared/export/_plan_coversheet.erb | 4 +--- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/app/models/concerns/exportable_plan.rb b/app/models/concerns/exportable_plan.rb index d805df2b02..69159c16b0 100644 --- a/app/models/concerns/exportable_plan.rb +++ b/app/models/concerns/exportable_plan.rb @@ -104,11 +104,10 @@ def prepare(user, coversheet = false) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity def prepare_coversheet hash = {} - # name of owner and any co-owners - attribution = owner.present? ? [owner.name(false)] : [] - roles.administrator.not_creator.each do |role| - attribution << role.user.name(false) - end + # Use the name of the DMP owner/creator OR the first Co-owner if there is no + # owner for some reason + attribution = roles.creator.first&.user&.name(false) + roles.administrator.not_creator.first&.user&.name(false) unless attribution.present? hash[:attribution] = attribution # Org name of plan owner's org diff --git a/app/views/shared/export/_plan_coversheet.erb b/app/views/shared/export/_plan_coversheet.erb index df16331646..370fdf2338 100644 --- a/app/views/shared/export/_plan_coversheet.erb +++ b/app/views/shared/export/_plan_coversheet.erb @@ -3,9 +3,7 @@
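Review bot: The fallback line `roles.administrator.not_creator.first&.user&.name(false) unless attribution.present?` computes a name and discards it: nothing assigns back to `attribution`, so when there is no creator role `hash[:attribution]` is nil and the "OR the first Co-owner" case described in the comment never happens. `attribution = roles.administrator.not_creator.first&.user&.name(false) unless attribution.present?` does what the comment says. Separately, `hash[:attribution]` changes here from an Array to a String or nil, while `_plan_txt.erb` as modified in PATCH 02/06 still evaluates `@hash[:attribution].length > 1` and `@hash[:attribution].join(', ')`, and `join` raises NoMethodError on a String; unless a change outside this series updates that template, the text export breaks. prepare_coversheet continues outside the hunk.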

<%= _("A Data Management Plan created using %{application_name}") % { application_name: ApplicationService.application_name } %>


- <%# Using tags as the htmltoword gem does not recognise css styles defined %> - <%# Allow raw html (==) for plan_attribution as it has tags %> -

<%== plan_attribution(@hash[:attribution]) %>


+

<%= _("Creator:") %><%= @hash[:attribution] %>


<%= _("Affiliation: ") %><%= @hash[:affiliation] %>