Release Notes
Security fixes
This release addresses several security issues:
- CVE-2024-27095
- CVE-2024-32469
The details regarding the security vulnerabilities will be published on June 30th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.
We highly recommend updating to this version as soon as possible to ensure the security of your system.
1. Upgrade notes
As usual, we recommend that you have a full backup of the database, application code and static files.
To update, follow these steps:
- Update your Gemfile:
gem "decidim", "0.28.1"
gem "decidim-dev", "0.28.1"
- Run these commands to upgrade and make sure you get all the latest migrations:
bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate
And then follow the steps and commands detailed in these notes.
2. General notes
None
3. One time actions
3.1. Verifications documents configurations
Until now the document types for verifications were hard-coded to those of Spanish legislation ("DNI, NIE and passport"). We have changed them to "Identification number and passport", and allow installations to adapt them to their own needs.
If you want to go back to the old setting, you need to follow these steps:
3.1.1. Add the decidim.verifications.document_types key to your config/secrets.yml
decidim_default: &decidim_default
  application_name: <%= Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_json %>
  (...)
  verifications:
    document_types: <%= Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", %w(identification_number passport)).to_array %>
3.1.2. Add the following snippet at the bottom of your config/initializers/decidim.rb file
if Decidim.module_installed? :verifications
  Decidim::Verifications.configure do |config|
    config.document_types = Rails.application.secrets.dig(:verifications, :document_types).presence || %w(identification_number passport)
  end
end
3.1.3. Define the values that you want using the environment variable VERIFICATIONS_DOCUMENT_TYPES
VERIFICATIONS_DOCUMENT_TYPES="dni,nie,passport"
3.1.4. Add the translation of these values to your i18n files (i.e. config/locales/en.yml)
en:
  decidim:
    verifications:
      id_documents:
        dni: DNI
        nie: NIE
        passport: Passport
You can read more about this change on PR #12306.
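As an added illustration (not part of these notes and not Decidim's own code), the script below mimics how the configured document types flow through the steps above: the environment variable is parsed into an allowlist with the same default, the allowlist is checked against the locale file so that a configured type without a translation is caught before it reaches the verification form, and a submitted document type is accepted only if it matches an allowed value exactly. The comma-separated parsing is an assumption drawn from the VERIFICATIONS_DOCUMENT_TYPES value shown in step 3.1.3.

```ruby
require "yaml"

# Same default as the secrets.yml and initializer snippets above.
DEFAULT_DOCUMENT_TYPES = %w(identification_number passport).freeze

# Stand-in for the `Decidim::Env.new(...).to_array` call of step 3.1.1
# (assumed behaviour): comma-separated value, blank entries dropped,
# falling back to the default when nothing usable is set.
def document_types_from(env_value)
  types = env_value.to_s.split(",").map(&:strip).reject(&:empty?)
  types.empty? ? DEFAULT_DOCUMENT_TYPES : types
end

# Returns the configured types with no label under
# decidim.verifications.id_documents (step 3.1.4). An untranslated type
# would render as its raw key, so this is worth checking at boot.
def untranslated_types(types, locale_yaml, locale: "en")
  labels = YAML.safe_load(locale_yaml).dig(locale, "decidim", "verifications", "id_documents") || {}
  types.reject { |type| labels.key?(type) }
end

# Strict allowlist check: no case folding or trimming, so a value such
# as "DNI " is rejected rather than silently normalised.
def valid_document_type?(submitted, types)
  types.include?(submitted)
end

# Constructed sample locale in the shape of step 3.1.4, with "nie" left out
# on purpose so the check has something to report.
SAMPLE_LOCALE = <<~YAML
  en:
    decidim:
      verifications:
        id_documents:
          dni: DNI
          passport: Passport
YAML

if __FILE__ == $PROGRAM_NAME
  types = document_types_from(ENV["VERIFICATIONS_DOCUMENT_TYPES"] || "dni,nie,passport")
  puts "configured document types: #{types.join(", ")}"
  puts "missing translations: #{untranslated_types(types, SAMPLE_LOCALE).join(", ")}"
  puts "accepts 'dni': #{valid_document_type?("dni", types)}"
end
```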
3.2. Allow removal of orphan categories
A bug was identified that prevented the deletion of categories lacking associated resources. The following task is a one-time fix that must be run directly against the production database:
bin/rails decidim:upgrade:fix_orphan_categorizations
You can read more about this change on PR #12143.
3.3. Improved CSS overrides
We have improved the CSS overriding mechanism. This mechanism is what lets you change the CSS of Decidim from your application in a more granular way.
Previously, you could do this by adding CSS rules in the app/packs/stylesheets/decidim/decidim_application.scss file. This file remains in place but is now loaded as the last file in the application, so it takes precedence over all the CSS rules from the Decidim modules.
Additionally, if you need to, you can also customize the admin and system interfaces by creating the following files in your application:
- app/packs/stylesheets/decidim/admin/decidim_application.scss for the admin interface
- app/packs/stylesheets/decidim/system/decidim_application.scss for the system interface
You can read more about this change on PR #12646.
4. Scheduled tasks
None
5. Changes in APIs
None
Changelog
0.28.1
Added
Nothing.
Changed
Nothing.
Fixed
- decidim-budgets: Backport 'Resolve icon usage in projects' to v0.28 #12260
- decidim-accountability: Backport 'Register forgotten icon in Accountability' to v0.28 #12259
- decidim-proposals: Backport 'Add answered_at field in proposals' export' to v0.28 #12266
- Backport 'Update manual installation doc to v0.28.0' to v0.28 #12272
- Backport 'Add icons for verifications' to v0.28 #12271
- Backport 'Fix the markup for verifications' to v0.28 #12273
- decidim-core: Backport 'Properly handle the category name in tags cell' to v0.28 #12261
- Backport 'Use git instead of filesystem for releases files' to v0.28 #12262
- decidim-budgets: Backport 'Change the selected column in budgets' projects' to v0.28 #12274
- decidim-core, decidim-proposals: Backport 'Add missing creation date on the proposals page' to v0.28 #12267
- decidim-core: Backport 'Allow passing a blob object to AssetRouter::Storage' to v0.28 #12263
- Backport 'Lock Ruby to Decidim supported version' to v0.28 #12268
- decidim-admin: Backport 'Fix flash of admin inputs, panels and dropdowns' to v0.28 #12264
- decidim-participatory processes: Backport 'Add "Processes groups" to filter in admin' to v0.28 #12270
- decidim-admin: Backport 'Add admin permissions for conflicts and logs controllers' to v0.28 #12269
- Backport 'Lock TipTap editor to 2.1.13' to v0.28 #12288
- Backport 'Use relative JS imports to allow overrides' to v0.28 #12265
- decidim-assemblies, decidim-elections, decidim-participatory processes: Backport 'Make consistent the Hero content block in the spaces' landing pages' to v0.28 #12301
- Backport 'Implement breadcrumb menu in all admin pages' to v0.28 #12302
- decidim-core: Backport 'Fix errors in Offline page' to v0.28 #12311
- decidim-admin: Backport 'Fix favicons in admin panel' to v0.28 #12314
- decidim-proposals: Backport 'Fix help text style in the participatory text upload' to v0.28 #12316
- decidim-admin: Backport 'Migrate hardcoded Manage menu in spaces' admin pages' to v0.28 #12333
- Backport 'Fix webpack generation on cells specs' to v0.28 #12334
- decidim-proposals: Backport 'Protect participatory text buttons under authorization' to v0.28 #12352
- Backport 'Upgrade chromedriver to v120+' to v0.28 #12419
- Backport 'Add a better ChromeDriver workaround' to v0.28 #12416
- Backport 'Add matrix for Decidim/Ruby/Node versions in manual guide' to v0.28 #12428
- decidim-meetings: Backport 'Fix meetings counter calculating total amount' to v0.28 #12418
- decidim-proposals: Backport 'Fix context on proposal preview' to v0.28 #12426
- Backport 'Fix Proposals bulk action form' to v0.28 #12432
- Backport 'Fix flaky for AXE violations in breadcrumb menu for mobile and tablets' to v0.28 #12433
- decidim-elections: Backport 'Fix voting data migration for AddFollowableCounterCacheToVotings' to v0.28 #12431
- Backport 'Fix authorization handler in OmniauthRegistrations' to v0.28 #12435
- decidim-proposals: Backport 'Fix flaky specs in proposals' to v0.28 #12437
- decidim-budgets: Backport 'Pass the budget context to the admin new and edit actions for projects' to v0.28 #12438
- decidim-verifications: Backport 'Allow apps to configure the document types in the verifications module' to v0.28 #12427
- Backport 'Generate component Gemfile template when releasing' to v0.28 #12424
- decidim-admin, decidim-system: Backport 'Fix exception when presenting oauth application in admin log' to v0.28 #12434
- decidim-admin, decidim-core: Backport 'Fix bug in welcome notifications when the organization has weird characters' to v0.28 #12430
- Backport 'Fix a11y errors with organizations seeds colors' to v0.28 #12436
- Backport 'Add patch_generators task to maintainers' releases instructions' to v0.28 #12442
- decidim-admin: Backport 'Fix a11y "page-has-heading-one" warning for some pages in the admin panel' to v0.28 #12429
- decidim-core: Backport 'Refactor of events specs' to v0.28 #12452
- decidim-core: Backport 'Refactor of events specs (part 2)' to v0.28 #12453
- decidim-dev: Backport 'Disable shm usage in Capybara' to v0.28 #12466
- Backport 'Standardize the way resources are being listed in application' to v0.28 #12425
- Backport 'Patch participatory spaces factories' to v0.28 #12477
- decidim-debates: Backport 'Fix broken links in debates index' to v0.28 #12384
- Backport 'Patch events on the new format' to v0.28 #12470
- decidim-admin: Backport 'Have only one h1 in the admin pages' to v0.28 #12488
- decidim-proposals: Backport 'Attempt to fix flaky spec on proposals' ammends' to v0.28 #12491
- decidim-core: Backport 'Fix the focus guard under redesign' to v0.28 #12489
- decidim-admin: Backport 'Fix deleted and blocked users display from impersonations participant list' to v0.28 #12492
- Backport 'Remove redundant block user link' to v0.28 #12496
- Backport 'Fix bugs in details of RTL' to v0.28 #12495
- decidim-core: Backport 'Escape categories translations in CheckBoxesTreeHelper' to v0.28 #12494
- Backport 'Fix decidim-core and decidim-api dependency tree' to v0.28 #12493
- decidim-core: Backport 'Implement push notifications for conversations' messages' to v0.28 #12490
- decidim-api: Backport 'Add note about the unescaped contents of the GraphQL API' to v0.28 #12503
- Backport 'Patch components and spaces factories' to v0.28 #12497
- Backport 'Fix authorization required screen design' to v0.28 #12526
- Backport 'Allow deletion of categories when there are no resources associated' to v0.28 #12527
- decidim-templates: Backport 'Skip authenticity token in questionnaire templates' to v0.28 #12504
- Revert "Backport 'Fix bugs in details of RTL' to v0.28 (#12495)" #12564
- decidim-blogs: Backport 'Blog post spacing between buttons' to v0.28 #12594
- decidim-core: Backport 'Fix performance issue with attribute encryption/decryption' to v0.28 #12596
- Backport 'Fix decidim-templates usage' to v0.28 #12597
- decidim-comments: Backport 'Add votes count to comment caches' to v0.28 #12602
- decidim-admin: Backport 'Fix images URL in newsletters' to v0.28 #12599
- decidim-meetings: Backport 'Fix display of the online meeting link' to v0.28 #12598
- decidim-comments: Backport 'Improve performance on comment rendering' to v0.28 #12595
- decidim-core: Backport 'Show extended information when a new comment is in a digest email' to v0.28 #12603
- Backport 'Fix typo in remove admin event subscriber' to v0.28 #12608
- decidim-debates: Backport 'Do not list hidden reported debates in the admin' to v0.28 #12607
- decidim-budgets: Backport 'Prevent multiple requests from creating multiple orders...' to v0.28 #12604
- Backport 'Review brakeman configuration' to v0.28 #12609
- Backport 'Fix duplicate ActiveSupport notifications' to v0.28 #12611
- decidim-core: Backport 'Remove tabindex="-1" from the SVG icons' to v0.28 #12610
- decidim-admin: Backport 'Fix newsletter flow in admin panel' to v0.28 #12606
- Backport 'Fix DOM text reinterpreted as HTML in budgets' exit handler' to v0.28 #12724
- Backport 'Add description for the decidim:reminders:all task' to v0.28 #12723
- decidim-debates: Backport 'Display endorsements after debate's closure' to v0.28 #12720
- Backport 'Fix padding for select tag language selector' to v0.28 #12721
- Backport 'Fix class of DatesMetadataCell#space_presenter' to v0.28 #12716
- Backport 'Hide last activities on breadcrumb dropdown when organization...' to v0.28 #12719
- decidim-debates, decidim-meetings: Backport 'Fix saving date fields on forms' to v0.28 #12718
- Backport 'Fix tab usage in comment action menu' to v0.28 #12717
- Backport 'Add counter cache for proposals' ValuationAssignments' to v0.28 #12727
- Backport 'Fix overly permissive regular expression range in "has reference" specs' to v0.28 #12726
- decidim-comments: Backport 'Dropdown on Comment Edit' to v0.28 #12728
- decidim-core: Backport 'Fix user profile current tab' to v0.28 #12715
- decidim-core: Backport 'Prevent malformed URLs in the general search' to v0.28 #12730
- Backport 'Fix flaky generator spec with missing package.json' to v0.28 #12731
- decidim-accountability: Backport 'Remove ComponentInterface from the ResultType in the API' to v0.28 #12734
- Backport 'Fix clear-text storage of sensitive information in omniauth registration' to v0.28 #12732
- Backport 'Fix API paths when deploying decidim in folder' to v0.28 #12735
- Backport 'Fix flaky spec on join user group command spec' to v0.28 #12736
- decidim-admin, decidim-budgets: Backport 'Do not show scopes column in budgets if there isn't subscopes' to v0.28 #12738
- Backport 'Fix impersonnating users' to v0.28 #12740
- decidim-core: Backport 'Fix WYSIWYG migration error with non li elements inside lists' to v0.28 #12741
- Backport 'Bump webpack-dev-middleware from 5.3.3 to 5.3.4' to v0.28 #12743
- Backport 'Bump linthtml from 0.9.5 to 0.9.6' to v0.28 #12744
- decidim-core: Backport 'Improve iframe accessibility' to v0.28 #12748
- decidim-api: Backport 'Fix graphiql initial query escaping' to v0.28 #12742
- Backport 'Improve premailer HTML parsing' to v0.28 #12750
- Backport 'Improve testing on address cell' to v0.28 #12751
- decidim-initiatives: Backport 'Fix potential unsafe external link in initiatives' to v0.28 #12754
- Backport 'Fix flaky spec on endorsements controller' to v0.28 #12753
- decidim-comments, decidim-conferences, decidim-core, decidim-meetings: Backport 'Accessibility fixes regarding links that open in new tabs' to v0.28 #12739
- Backport 'Don't add the slug of the space in some links' to v0.28 #12749
- decidim-core: Backport 'Fix flaky shakapacker compilation' to v0.28 #12755
- Backport 'Fix flaky with accessibility errors in Direct Uploads' to v0.28 #12756
- decidim-comments: Backport 'Fix flaky spec on CommentVote model spec' to v0.28 #12757
- Backport 'Adjust concurency settings in GitHub Actions' to v0.28 #12764
- decidim-core: Backport 'Fix illogical heading order on registration page' to v0.28 #12767
- decidim-core: Backport 'Update Leaflet and related NPM packages' to v0.28 #12768
- decidim-core: Backport 'Fix flaky scope creation in Seeds' to v0.28 #12778
- decidim-admin, decidim-core, decidim-design, decidim-system: Backport 'Fix CSS overrides in applications ' to v0.28 #12737
- decidim-core, decidim-design, decidim-meetings: Backport 'Show meeting timezone for visitors and participants' to v0.28 #12787
- decidim-templates: Backport 'Allow valuators to use proposal answer templates' to v0.28 #12809
Removed
Nothing.
Developer improvements
- Backport 'Fix a11y errors with organizations seeds colors' to v0.28 #12436
- Backport 'Improve premailer HTML parsing' to v0.28 #12750
- Backport 'Improve testing on address cell' to v0.28 #12751
- Backport 'Fix flaky scope creation in Seeds' to v0.28 #12778