isprambiente · MdreW · Feb 14, 2025 · Feb 6, 2025 · Feb 6, 2025 · Feb 10, 2025
diff --git a/Gemfile b/Gemfile
@@ -99,4 +99,4 @@ gem "pagy"
 gem "bulmacomp"
 gem "csv"
 gem "icalendar"
-gem 'prawn-rails'
+gem "prawn-rails"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -160,8 +160,8 @@ GEM
       ice_cube (~> 0.16)
       ostruct
     ice_cube (0.17.0)
-    image_processing (1.13.0)
-      mini_magick (>= 4.9.5, < 5)
+    image_processing (1.14.0)
+      mini_magick (>= 4.9.5, < 6)
       ruby-vips (>= 2.0.17, < 3)
     importmap-rails (2.1.0)
       actionpack (>= 6.0.0)
@@ -175,7 +175,7 @@ GEM
     jbuilder (2.13.0)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
-    json (2.9.1)
+    json (2.10.1)
     json-jwt (1.16.7)
       activesupport (>= 4.2)
       aes_key_wrap
@@ -190,7 +190,7 @@ GEM
       logger (~> 1.6)
     letter_opener (1.10.0)
       launchy (>= 2.2, < 4)
-    logger (1.6.5)
+    logger (1.6.6)
     loofah (2.24.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
@@ -202,20 +202,23 @@ GEM
     marcel (1.0.4)
     matrix (0.4.2)
     method_source (1.1.0)
-    mini_magick (4.13.2)
+    mini_magick (5.1.2)
+      benchmark
+      logger
     mini_mime (1.1.5)
     minitest (5.25.4)
-    msgpack (1.7.5)
+    msgpack (1.8.0)
     net-http (0.6.0)
       uri
-    net-imap (0.5.5)
+    net-imap (0.5.6)
       date
       net-protocol
     net-pop (0.1.2)
       net-protocol
     net-protocol (0.2.2)
       timeout
-    net-smtp (0.5.0)
+    net-smtp (0.5.1)
+      net-protocol
     nio4r (2.7.4)
     nokogiri (1.18.2-x86_64-linux-gnu)
       racc (~> 1.4)
@@ -246,7 +249,7 @@ GEM
     ostruct (0.6.1)
     pagy (9.3.3)
     parallel (1.26.3)
-    parser (3.3.7.0)
+    parser (3.3.7.1)
       ast (~> 2.4.1)
       racc
     pdf-core (0.10.0)
@@ -278,7 +281,7 @@ GEM
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (3.1.9)
+    rack (3.1.10)
     rack-oauth2 (2.2.1)
       activesupport
       attr_required
@@ -328,7 +331,7 @@ GEM
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.2.1)
-    rdoc (6.11.0)
+    rdoc (6.12.0)
       psych (>= 4.0.0)
     regexp_parser (2.10.0)
     reline (0.6.0)
@@ -337,7 +340,7 @@ GEM
       actionpack (>= 5.2)
       railties (>= 5.2)
     rexml (3.4.0)
-    rubocop (1.71.1)
+    rubocop (1.71.2)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
@@ -370,7 +373,7 @@ GEM
       rubocop-performance
       rubocop-rails
     ruby-progressbar (1.13.0)
-    ruby-vips (2.2.2)
+    ruby-vips (2.2.3)
       ffi (~> 1.12)
       logger
     rubyzip (2.4.1)
@@ -386,7 +389,7 @@ GEM
       activejob (>= 7.2)
       activerecord (>= 7.2)
       railties (>= 7.2)
-    solid_cache (1.0.6)
+    solid_cache (1.0.7)
       activejob (>= 7.2)
       activerecord (>= 7.2)
       railties (>= 7.2)
@@ -407,7 +410,7 @@ GEM
       faraday-follow_redirects
     temple (0.10.3)
     thor (1.3.2)
-    thruster (0.1.10-x86_64-linux)
+    thruster (0.1.11-x86_64-linux)
     tilt (2.6.0)
     timeout (0.4.3)
     ttfunk (1.8.0)

diff --git a/app/components/admin/users/user_component.rb b/app/components/admin/users/user_component.rb
@@ -15,6 +15,6 @@ def editor_tag
   end
 
   def member_tag
-    tag.div icon_text("fas fa-users", 'Member'), class: "tag is-success" if @user.member?
+    tag.div icon_text("fas fa-users", "Member"), class: "tag is-success" if @user.member?
   end
 end
diff --git a/app/components/common_component.rb b/app/components/common_component.rb
@@ -50,8 +50,8 @@ def turbo_yield(body, **opts)
     tag.turbo_frame body, **options
   end
 
-  def level_item(head, body)
-    tag.div tag.div(tag.p(head, class: "heading") + tag.p(body, class: "title is-6")), class: "level-item"
+  def level_item(head, body, id = nil)
+    tag.div tag.div(tag.p(head, class: "heading") + tag.p(body, class: "title is-6")), class: "level-item", id: id
   end
 
   def level(ary)

diff --git a/app/components/editor/users/user_component.rb b/app/components/editor/users/user_component.rb
@@ -23,6 +23,6 @@ def active_tag
   end
 
   def member_tag
-    tag.div icon_text("fas fa-users", 'Member'), class: "tag is-success" if @user.member?
+    tag.div icon_text("fas fa-users", "Member"), class: "tag is-success" if @user.member?
   end
 end
diff --git a/app/components/happenings/box_component.html.haml b/app/components/happenings/box_component.html.haml
@@ -11,4 +11,6 @@
       = l @happening.start_sale_at, format: :detailed
       = t '.active.to'
       = l @happening.stop_sale_at, format: :detailed
+      - if @happening.event.reserved?
+        %span.tag.is-dark= icon_text 'fas fa-lock', t('activerecord.attributes.event.reserved')
     = content
diff --git a/app/components/happenings/box_component.rb b/app/components/happenings/box_component.rb
@@ -7,10 +7,10 @@ def initialize(happening:)
 
   def info
     ary = [
-    [ t(".start_at"), l(@happening.start_at, format: :short) ],
-      [ t(".max_tickets"), @happening.max_tickets ],
-      [ t(".max_tickets_for_user"), @happening.max_tickets_for_user ],
-      [ t(".available_tickets"), tag.span(@happening.tickets_available, id: "available_#{@happening.id}") ]
+      [ t(".start_at"), l(@happening.start_at, format: :short), "start-at" ],
+      [ t(".max_tickets"), @happening.max_tickets, "max-tickets" ],
+      [ t(".max_tickets_for_user"), @happening.max_tickets_for_user, "max-tickets-for-user" ],
+      [ t(".available_tickets"), tag.span(@happening.tickets_available, id: "available_#{@happening.id}"), "available-tickets" ]
     ]
     level ary
   end

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -46,4 +46,8 @@ def set_turbo
   def turbo_render(action, *options)
     render turbo_stream: turbo_stream.send(action, options)
   end
+
+  def include_reserved?
+    ENV.fetch("RAILS_SHOW_RESERVED", false) || current_user.try(:member)
+  end
 end
diff --git a/app/controllers/editor/happenings_controller.rb b/app/controllers/editor/happenings_controller.rb
@@ -17,21 +17,20 @@ def index
       group_id = @groups.exists?(filter_params[:category]) ? filter_params[:category] : @groups.pluck(:id)
       text     = filter_params[:text]
       soldout  = filter_params[:soldout]
-      searchable = Happening.searchable( from:, to:, event_id:, group_id:, text:, soldout:, reserved: true)
+      searchable = Happening.searchable(from:, to:, event_id:, group_id:, text:, soldout:, reserved: true)
       respond_to do |format|
         format.html { @pagy, @happenings = pagy(searchable, items: 6) }
-        format.csv { @happenings = searchable.includes(:questions, tickets: [:answers, :user]) }
-        format.pdf { @happenings = searchable.includes(:questions, tickets: [:answers, :user]) }
+        format.csv { @happenings = searchable.includes(:questions, tickets: [ :answers, :user ]) }
+        format.pdf { @happenings = searchable.includes(:questions, tickets: [ :answers, :user ]) }
       end
-
     end
 
     # GET /editor/events/:event_id/happenings/:id
     def show
       respond_to do |format|
         format.html { }
         format.csv { }
-        format.pdf { } 
+        format.pdf { }
       end
     end
 

diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb
@@ -9,13 +9,14 @@ def index
     to       = filter_params[:to]
     group_id = filter_params[:category]
     text     = filter_params[:text]
-    @pagy, @events = pagy(Event.searchable(from:, to:, group_id:, text:, reserved: current_user.try(:member)), items: 6)
+    @pagy, @events = pagy(Event.searchable(from:, to:, group_id:, text:, reserved: include_reserved?), items: 6)
   end
 
   # GET /events/:id
   def show
     @event = Event.find(params[:id])
     @scope = @event.id
+    access_denied! if @event.reserved? && !include_reserved?
     redirect_to happening_path(@event.happenings.last) if @event.single == true
   end
 

diff --git a/app/controllers/happenings_controller.rb b/app/controllers/happenings_controller.rb
@@ -13,14 +13,15 @@ def index
     group_id = filter_params[:category]
     text     = filter_params[:text]
     soldout  = filter_params[:soldout]
-    @pagy, @happenings = pagy(Happening.searchable(from:, to:, event_id:, group_id:, text:, soldout:, reserved: current_user.try(:member)), items: 6)
+    @pagy, @happenings = pagy(Happening.searchable(from:, to:, event_id:, group_id:, text:, soldout:, reserved: include_reserved?), items: 6)
   end
 
   # GET /event/:event_id/happenings/:id
   # Show detail of happening and a form to prenotate a ticket
   def show
     @happening = Happening.includes(:event).find(params[:id])
     @event = @happening.event
+    access_denied! if @event.reserved? && !include_reserved?
   end
 
   private

diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -3,9 +3,7 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
   skip_before_action :verify_authenticity_token, only: :openid_connect
 
   def openid_connect
-    # You need to implement the method below in your model (e.g. app/models/user.rb)
-    # @user = User.from_omniauth(request.env["omniauth.auth"])
-    @user = User.from_omniauth(request.env["omniauth.auth"])
+    @user = Custom::OidcUser.from_omniauth(request.env["omniauth.auth"])
 
     if @user.persisted? && @user.errors.empty?
       sign_in_and_redirect @user, event: :authentication # this will throw if @user is not activated

diff --git a/app/models/event.rb b/app/models/event.rb
@@ -54,7 +54,7 @@ class Event < ApplicationRecord
     by_keys[:stop_on]  = (from.try(:to_date)..) if from.present?
     by_keys[:start_on] = (..to.try(:to_date)) if to.present?
     by_keys[:group_id] = group_id  if group_id.present?
-    by_keys[:reserved] = false unless reserved == true
+    by_keys[:reserved] = false unless reserved
     by_text = text.present? ? [ "title ilike :text", { text: "%#{text}%" } ] : nil
     where(by_text).where(by_keys)
   end

diff --git a/app/models/happening.rb b/app/models/happening.rb
@@ -56,12 +56,12 @@ class Happening < ApplicationRecord
   validates  :max_tickets_for_user, presence: true
   after_save :update_event_data
 
-  delegate :group_id, to: :event
+  delegate :group_id, :reserved?, to: :event
 
   default_scope { includes(:event).order("start_at asc") }
   scope :searchable, ->(from: nil, to: nil, event_id: nil, group_id: nil, text: nil, soldout: nil, reserved: false) do
-    search_event = {} 
-    search_event[:reserved] = false unless reserved == true
+    search_event = {}
+    search_event[:reserved] = false unless reserved
     search_event[:group_id] = group_id if group_id.present?
     by_keys = { start_at: (from.try(:to_date) || Date.today)..to.try(:to_date).try(:end_of_day) }
     by_keys[:event_id] = event_id if event_id.present?

diff --git a/app/models/ticket.rb b/app/models/ticket.rb
@@ -24,7 +24,8 @@ class Ticket < ApplicationRecord
   belongs_to :happening, counter_cache: true
   belongs_to :user
   has_many :answers, dependent: :destroy
-  delegate :event, :event_id, :max_tickets, :max_tickets_for_user, :saleable?, :start_at, to: :happening, allow_nil: true
+  delegate :event, :event_id, :max_tickets, :max_tickets_for_user, :reserved?, :saleable?, :start_at, to: :happening, allow_nil: true
+  delegate :member?, to: :user, allow_nil: true
   accepts_nested_attributes_for :answers, reject_if: :all_blank
   attr_accessor :by_editor
   after_create  -> { TicketMailer.confirm(self).deliver_later }
@@ -38,6 +39,7 @@ class Ticket < ApplicationRecord
     validates :tickets_for_user_count,
               numericality: { only_integer: true, less_than_or_equal_to: :max_tickets_for_user }
     validates :missing_answers, absence: true
+    validates :member?, presence: true if :reserved?
     validate  :validate_frequency
   end
 

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -60,18 +60,6 @@ class User < ApplicationRecord
     attr_accessor :password
   end
 
-  # @return user finded or created from omiauth session
-  def self.from_omniauth(auth)
-    user = find_or_initialize_by(username: auth.uid)
-    user.email = auth.info.email
-    user.password = SecureRandom.alphanumeric(20)
-    user.name = auth.info.try(ENV.fetch("RAILS_OIDC_NAME") { "given_name" })
-    user.surname = auth.info.try(ENV.fetch("RAILS_OIDC_SURNAME") { "family_name" })
-    user.skip_confirmation! if RAILS_DEVISE_CONFIRMABLE
-    user.save
-    user
-  end
-
   # Make gravatar url from email
   # @return [String] gravatar user url
   def avatar_url

diff --git a/app/views/tickets/new.html.haml b/app/views/tickets/new.html.haml
@@ -2,11 +2,12 @@
 %h4.subtitle= @happening.title
 %turbo-frame#ticket-new
   - if user_signed_in?
-    .divider= icon_text 'fas fa-ticket-simple', 'Nuova prenotazione'
-    = form_with model: @ticket do |f|
-      = f.hidden_field :happening_id
-      = f.fields_for :answers do |sub_form|
-        = render Answers::SubFormComponent.new form: sub_form
-      .has-text-centered= f.button icon_text('fas fa-ticket', t('site.generic.reserve')), class: 'button is-success is-large'
+    - unless @ticket.reserved? && !current_user.member?
+      .divider= icon_text 'fas fa-ticket-simple', 'Nuova prenotazione'
+      = form_with model: @ticket do |f|
+        = f.hidden_field :happening_id
+        = f.fields_for :answers do |sub_form|
+          = render Answers::SubFormComponent.new form: sub_form
+        .has-text-centered= f.button icon_text('fas fa-ticket', t('site.generic.reserve')), class: 'button is-success is-large'
   - else
-    .has-text-centered= link_to icon_text('fas fa-right-to-bracket', t('login_to_continue')), new_user_session_path, class: 'button is-warning is-large', data: {turbo: 'false'}
+    .has-text-centered= link_to icon_text('fas fa-right-to-bracket', t('login_to_continue')), new_user_session_path, class: 'button is-link is-large', data: {turbo: 'false'}
diff --git a/bun.lockb b/bun.lockb
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -0,0 +1,51 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "9e92e32e6fa2e7876b8f6f7e85856c3f0cd2e42c0e8cb7a7862331f39ce2ffad",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/editor/users_controller.rb",
+      "line": 52,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.fetch(:filter, {}).permit(:text, :admin, :editor)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Editor::UsersController",
+        "method": "filter_params"
+      },
+      "user_input": ":admin",
+      "confidence": "High",
+      "cwe_id": [
+        915
+      ],
+      "note": "Fale positive, editor controller can filter and show admin user list"
+    },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "b6178e2314edac8464b705f7c9e3ef1986beb62101e84ee3b04a943fc43f2003",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/admin/users_controller.rb",
+      "line": 40,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.require(:user).permit(:editor, :admin, :member, :group_ids => ([]))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Admin::UsersController",
+        "method": "user_params"
+      },
+      "user_input": ":admin",
+      "confidence": "High",
+      "cwe_id": [
+        915
+      ],
+      "note": "Fale positive, admin controller can add admin role to user"
+    }
+  ],
+  "brakeman_version": "7.0.0"
+}