github decidim/decidim v0.28.1
v.28.1

14 days ago

Release Notes

Security fixes

This release addresses several security issues:

  • CVE-2024-27095
  • CVE-2024-32469

The details regarding the security vulnerabilities will be published on June 30th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

1. Upgrade notes

As usual, we recommend that you have a full backup of the database, application code and static files.

To update, follow these steps:

  1. Update your Gemfile:

     gem "decidim", "0.28.1"
     gem "decidim-dev", "0.28.1"

  2. Run these commands to upgrade and make sure you get all the latest migrations:

     bundle update decidim
     bin/rails decidim:upgrade
     bin/rails db:migrate

And then follow the steps and commands detailed in these notes.
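
A check that the upgrade actually reached Gemfile.lock, as an added example that is not part of the Decidim project or these release notes. It assumes the application tracks the 0.28 series; the function names, the `extra` parameter and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version

# Release described in these notes; assumption: the app tracks the 0.28 series.
PATCHED = Gem::Version.new("0.28.1")

# Parse Gemfile.lock text into [specs, meta_deps]:
#   specs     => { "gem-name" => "locked version string" }
#   meta_deps => gems listed as dependencies of the "decidim" meta-gem
def parse_lock(text)
  specs = {}
  meta_deps = []
  current = nil
  text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)) # a locked gem
      current = m[1]
      specs[current] = m[2]
    elsif line.start_with?("      ")                     # a dependency line
      meta_deps << line.split.first if current == "decidim"
    else
      current = nil
    end
  end
  [specs, meta_deps]
end

# Returns { name => locked version } for Decidim gems still below PATCHED.
# `extra` names gems outside the meta-gem, such as decidim-dev from the Gemfile.
def outdated_decidim_gems(text, extra: ["decidim-dev"])
  specs, meta_deps = parse_lock(text)
  names = (["decidim"] + meta_deps + extra).uniq & specs.keys
  names.select { |n| Gem::Version.new(specs[n]) < PATCHED }
       .to_h { |n| [n, specs[n]] }
end

# Constructed sample: a lockfile that was not regenerated after editing the Gemfile.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim (0.28.0)
        decidim-core (= 0.28.0)
        decidim-proposals (= 0.28.0)
      decidim-core (0.28.0)
      decidim-dev (0.28.0)
      decidim-proposals (0.28.0)
      nokogiri (1.16.2-x86_64-linux)
LOCK

outdated_decidim_gems(SAMPLE_LOCK).each { |name, v| warn "#{name} locked at #{v}, expected >= #{PATCHED}" }
```

Optional official modules that are not dependencies of the meta-gem can be passed through `extra` so they are checked as well.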

2. General notes

None

3. One time actions

3.1. Verifications documents configurations

Until now, the document types for verifications were hard-coded to types from Spanish legislation ("DNI, NIE and passport"). We have changed them to "Identification number and passport", and installations can now adapt them to their own needs.

If you want to go back to the old setting, you need to follow these steps:

3.1.1. Add to your config/secrets.yml the decidim.verifications.document_types key

decidim_default: &decidim_default
  application_name: <%= Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_json %>
  (...)
  verifications:
    document_types: <%= Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", %w(identification_number passport)).to_array %>

3.1.2. Add to your config/initializers/decidim.rb the following snippet at the bottom of the file

if Decidim.module_installed? :verifications
  Decidim::Verifications.configure do |config|
    config.document_types = Rails.application.secrets.dig(:verifications, :document_types).presence || %w(identification_number passport)
  end
end

3.1.3. Add the values that you want to define using the environment variable VERIFICATIONS_DOCUMENT_TYPES

VERIFICATIONS_DOCUMENT_TYPES="dni,nie,passport"

3.1.4. Add the translation of these values to your i18n files (i.e. config/locales/en.yml)

en:
  decidim:
    verifications:
      id_documents:
        dni: DNI
        nie: NIE
        passport: Passport

You can read more about this change on PR #12306.

3.2. Allow removal of orphan categories

A bug was identified that prevented the deletion of categories lacking associated resources. This action is a one-time task that must be performed directly in the production database.

bin/rails decidim:upgrade:fix_orphan_categorizations

You can read more about this change on PR #12143.

3.3. Improved CSS overrides

We have improved the CSS overriding mechanism. This is what allows you to change the CSS of Decidim in your application in a more granular way.

Previously, you could do this by adding CSS rules in the app/packs/stylesheets/decidim/decidim_application.scss file. This file remains in place but is loaded as the last file in the application, so it will take precedence over all the CSS rules from the Decidim modules.

Additionally, if needed, you can customize the admin and system interfaces by creating the following files in your application:

  • app/packs/stylesheets/decidim/admin/decidim_application.scss for admin interface
  • app/packs/stylesheets/decidim/system/decidim_application.scss for system interface

You can read more about this change on PR #12646.

4. Scheduled tasks

None

5. Changes in APIs

None

Changelog

0.28.1

Added

Nothing.

Changed

Nothing.

Fixed

  • decidim-budgets: Backport 'Resolve icon usage in projects' to v0.28 #12260
  • decidim-accountability: Backport 'Register forgotten icon in Accountability' to v0.28 #12259
  • decidim-proposals: Backport 'Add answered_at field in proposals' export' to v0.28 #12266
  • Backport 'Update manual installation doc to v0.28.0' to v0.28 #12272
  • Backport 'Add icons for verifications' to v0.28 #12271
  • Backport 'Fix the markup for verifications' to v0.28 #12273
  • decidim-core: Backport 'Properly handle the category name in tags cell' to v0.28 #12261
  • Backport 'Use git instead of filesystem for releases files' to v0.28 #12262
  • decidim-budgets: Backport 'Change the selected column in budgets' projects' to v0.28 #12274
  • decidim-core, decidim-proposals: Backport 'Add missing creation date on the proposals page' to v0.28 #12267
  • decidim-core: Backport 'Allow passing a blob object to AssetRouter::Storage' to v0.28 #12263
  • Backport 'Lock Ruby to Decidim supported version' to v0.28 #12268
  • decidim-admin: Backport 'Fix flash of admin inputs, panels and dropdowns' to v0.28 #12264
  • decidim-participatory processes: Backport 'Add "Processes groups" to filter in admin' to v0.28 #12270
  • decidim-admin: Backport 'Add admin permissions for conflicts and logs controllers' to v0.28 #12269
  • Backport 'Lock TipTap editor to 2.1.13' to v0.28 #12288
  • Backport 'Use relative JS imports to allow overrides' to v0.28 #12265
  • decidim-assemblies, decidim-elections, decidim-participatory processes: Backport 'Make consistent the Hero content block in the spaces' landing pages' to v0.28 #12301
  • Backport 'Implement breadcrumb menu in all admin pages' to v0.28 #12302
  • decidim-core: Backport 'Fix errors in Offline page' to v0.28 #12311
  • decidim-admin: Backport 'Fix favicons in admin panel' to v0.28 #12314
  • decidim-proposals: Backport 'Fix help text style in the participatory text upload' to v0.28 #12316
  • decidim-admin: Backport 'Migrate hardcoded Manage menu in spaces' admin pages' to v0.28 #12333
  • Backport 'Fix webpack generation on cells specs' to v0.28 #12334
  • decidim-proposals: Backport 'Protect participatory text buttons under authorization' to v0.28 #12352
  • Backport 'Upgrade chromedriver to v120+' to v0.28 #12419
  • Backport 'Add a better ChromeDriver workaround' to v0.28 #12416
  • Backport 'Add matrix for Decidim/Ruby/Node versions in manual guide' to v0.28 #12428
  • decidim-meetings: Backport 'Fix meetings counter calculating total amount' to v0.28 #12418
  • decidim-proposals: Backport 'Fix context on proposal preview' to v0.28 #12426
  • Backport 'Fix Proposals bulk action form' to v0.28 #12432
  • Backport 'Fix flaky for AXE violations in breadcrumb menu for mobile and tablets' to v0.28 #12433
  • decidim-elections: Backport 'Fix voting data migration for AddFollowableCounterCacheToVotings' to v0.28 #12431
  • Backport 'Fix authorization handler in OmniauthRegistrations' to v0.28 #12435
  • decidim-proposals: Backport 'Fix flaky specs in proposals' to v0.28 #12437
  • decidim-budgets: Backport 'Pass the budget context to the admin new and edit actions for projects' to v0.28 #12438
  • decidim-verifications: Backport 'Allow apps to configure the document types in the verifications module' to v0.28 #12427
  • Backport 'Generate component Gemfile template when releasing' to v0.28 #12424
  • decidim-admin, decidim-system: Backport 'Fix exception when presenting oauth application in admin log' to v0.28 #12434
  • decidim-admin, decidim-core: Backport 'Fix bug in welcome notifications when the organization has weird characters' to v0.28 #12430
  • Backport 'Fix a11y errors with organizations seeds colors' to v0.28 #12436
  • Backport 'Add patch_generators task to maintainers' releases instructions' to v0.28 #12442
  • decidim-admin: Backport 'Fix a11y "page-has-heading-one" warning for some pages in the admin panel' to v0.28 #12429
  • decidim-core: Backport 'Refactor of events specs' to v0.28 #12452
  • decidim-core: Backport 'Refactor of events specs (part 2)' to v0.28 #12453
  • decidim-dev: Backport 'Disable shm usage in Capybara' to v0.28 #12466
  • Backport 'Standardize the way resources are being listed in application' to v0.28 #12425
  • Backport 'Patch participatory spaces factories' to v0.28 #12477
  • decidim-debates: Backport 'Fix broken links in debates index' to v0.28 #12384
  • Backport 'Patch events on the new format' to v0.28 #12470
  • decidim-admin: Backport 'Have only one h1 in the admin pages' to v0.28 #12488
  • decidim-proposals: Backport 'Attempt to fix flaky spec on proposals' ammends' to v0.28 #12491
  • decidim-core: Backport 'Fix the focus guard under redesign' to v0.28 #12489
  • decidim-admin: Backport 'Fix deleted and blocked users display from impersonations participant list' to v0.28 #12492
  • Backport 'Remove redundant block user link' to v0.28 #12496
  • Backport 'Fix bugs in details of RTL' to v0.28 #12495
  • decidim-core: Backport 'Escape categories translations in CheckBoxesTreeHelper' to v0.28 #12494
  • Backport 'Fix decidim-core and decidim-api dependency tree' to v0.28 #12493
  • decidim-core: Backport 'Implement push notifications for conversations' messages' to v0.28 #12490
  • decidim-api: Backport 'Add note about the unescaped contents of the GraphQL API' to v0.28 #12503
  • Backport 'Patch components and spaces factories' to v0.28 #12497
  • Backport 'Fix authorization required screen design' to v0.28 #12526
  • Backport 'Allow deletion of categories when there are no resources associated' to v0.28 #12527
  • decidim-templates: Backport 'Skip authenticity token in questionnaire templates' to v0.28 #12504
  • Revert "Backport 'Fix bugs in details of RTL' to v0.28 (#12495)" #12564
  • decidim-blogs: Backport 'Blog post spacing between buttons' to v0.28 #12594
  • decidim-core: Backport 'Fix performance issue with attribute encryption/decryption' to v0.28 #12596
  • Backport 'Fix decidim-templates usage' to v0.28 #12597
  • decidim-comments: Backport 'Add votes count to comment caches' to v0.28 #12602
  • decidim-admin: Backport 'Fix images URL in newsletters' to v0.28 #12599
  • decidim-meetings: Backport 'Fix display of the online meeting link' to v0.28 #12598
  • decidim-comments: Backport 'Improve performance on comment rendering' to v0.28 #12595
  • decidim-core: Backport 'Show extended information when a new comment is in a digest email' to v0.28 #12603
  • Backport 'Fix typo in remove admin event subscriber' to v0.28 #12608
  • decidim-debates: Backport 'Do not list hidden reported debates in the admin' to v0.28 #12607
  • decidim-budgets: Backport 'Prevent multiple requests from creating multiple orders...' to v0.28 #12604
  • Backport 'Review brakeman configuration' to v0.28 #12609
  • Backport 'Fix duplicate ActiveSupport notifications' to v0.28 #12611
  • decidim-core: Backport 'Remove tabindex="-1" from the SVG icons' to v0.28 #12610
  • decidim-admin: Backport 'Fix newsletter flow in admin panel' to v0.28 #12606
  • Backport 'Fix DOM text reinterpreted as HTML in budgets' exit handler' to v0.28 #12724
  • Backport 'Add description for the decidim:reminders:all task' to v0.28 #12723
  • decidim-debates: Backport 'Display endorsements after debate's closure' to v0.28 #12720
  • Backport 'Fix padding for select tag language selector' to v0.28 #12721
  • Backport 'Fix class of DatesMetadataCell#space_presenter' to v0.28 #12716
  • Backport 'Hide last activities on breadcrumb dropdown when organization...' to v0.28 #12719
  • decidim-debates, decidim-meetings: Backport 'Fix saving date fields on forms' to v0.28 #12718
  • Backport 'Fix tab usage in comment action menu' to v0.28 #12717
  • Backport 'Add counter cache for proposals' ValuationAssignments' to v0.28 #12727
  • Backport 'Fix overly permissive regular expression range in "has reference" specs' to v0.28 #12726
  • decidim-comments: Backport 'Dropdown on Comment Edit' to v0.28 #12728
  • decidim-core: Backport 'Fix user profile current tab' to v0.28 #12715
  • decidim-core: Backport 'Prevent malformed URLs in the general search' to v0.28 #12730
  • Backport 'Fix flaky generator spec with missing package.json' to v0.28 #12731
  • decidim-accountability: Backport 'Remove ComponentInterface from the ResultType in the API' to v0.28 #12734
  • Backport 'Fix clear-text storage of sensitive information in omniauth registration' to v0.28 #12732
  • Backport 'Fix API paths when deploying decidim in folder' to v0.28 #12735
  • Backport 'Fix flaky spec on join user group command spec' to v0.28 #12736
  • decidim-admin, decidim-budgets: Backport 'Do not show scopes column in budgets if there isn't subscopes' to v0.28 #12738
  • Backport 'Fix impersonnating users' to v0.28 #12740
  • decidim-core: Backport 'Fix WYSIWYG migration error with non li elements inside lists' to v0.28 #12741
  • Backport 'Bump webpack-dev-middleware from 5.3.3 to 5.3.4' to v0.28 #12743
  • Backport 'Bump linthtml from 0.9.5 to 0.9.6' to v0.28 #12744
  • decidim-core: Backport 'Improve iframe accessibility' to v0.28 #12748
  • decidim-api: Backport 'Fix graphiql initial query escaping' to v0.28 #12742
  • Backport 'Improve premailer HTML parsing' to v0.28 #12750
  • Backport 'Improve testing on address cell' to v0.28 #12751
  • decidim-initiatives: Backport 'Fix potential unsafe external link in initiatives' to v0.28 #12754
  • Backport 'Fix flaky spec on endorsements controller' to v0.28 #12753
  • decidim-comments, decidim-conferences, decidim-core, decidim-meetings: Backport 'Accessibility fixes regarding links that open in new tabs' to v0.28 #12739
  • Backport 'Don't add the slug of the space in some links' to v0.28 #12749
  • decidim-core: Backport 'Fix flaky shakapacker compilation' to v0.28 #12755
  • Backport 'Fix flaky with accessibility errors in Direct Uploads' to v0.28 #12756
  • decidim-comments: Backport 'Fix flaky spec on CommentVote model spec' to v0.28 #12757
  • Backport 'Adjust concurency settings in GitHub Actions' to v0.28 #12764
  • decidim-core: Backport 'Fix illogical heading order on registration page' to v0.28 #12767
  • decidim-core: Backport 'Update Leaflet and related NPM packages' to v0.28 #12768
  • decidim-core: Backport 'Fix flaky scope creation in Seeds' to v0.28 #12778
  • decidim-admin, decidim-core, decidim-design, decidim-system: Backport 'Fix CSS overrides in applications ' to v0.28 #12737
  • decidim-core, decidim-design, decidim-meetings: Backport 'Show meeting timezone for visitors and participants' to v0.28 #12787
  • decidim-templates: Backport 'Allow valuators to use proposal answer templates' to v0.28 #12809

Removed

Nothing.

Developer improvements

  • Backport 'Fix a11y errors with organizations seeds colors' to v0.28 #12436
  • Backport 'Improve premailer HTML parsing' to v0.28 #12750
  • Backport 'Improve testing on address cell' to v0.28 #12751
  • Backport 'Fix flaky scope creation in Seeds' to v0.28 #12778

Internal

  • Remove elections pipeline in 0.28 #12455
  • Backport 'Patch participatory spaces factories' to v0.28 #12477
  • Backport 'Patch events on the new format' to v0.28 #12470

See full CHANGELOG.
