Merge branch 'dev' for release 5.5.8

.github/workflows/brakeman-analysis.yml

@@ -17,11 +17,11 @@ jobs:
     steps:
     # Checkout the repository to the GitHub Actions runner
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Customize the ruby version depending on your needs
     - name: Setup Ruby
-      uses: actions/setup-ruby@v1
+      uses: ruby/setup-ruby@v1
       with:
         ruby-version: '2.6'
 
@@ -39,6 +39,6 @@ jobs:
 
     # Upload the SARIF file generated in the previous step
     - name: Upload SARIF
-      uses: github/codeql-action/upload-sarif@v1
+      uses: github/codeql-action/upload-sarif@v2
       with:
         sarif_file: output.sarif.json

.overcommit.yml

@@ -12,7 +12,7 @@ CommitMsg:
 
   MessageFormat:
     enabled: true
-    pattern: ^(\([a-z0-9]+\) [\w ]+(\n\n.+)?)|(Version (\d+\.?)+)|(Merge branch .*)
-    expected_pattern_message: (type) title\n\ndescription
+    pattern: ^(\((doc|bug|feat|security|dev|i18n|api|test|quality|ui|merge)\) [\w ]++(\n\n.+)?)|(Version (\d+\.?)+)|(Merge branch .*)
+    expected_pattern_message: (doc|bug|feat|security|dev|i18n|api|test|quality|ui|merge) title\n\ndescription
     sample_message: (bug) no validation on date\n\nThe birthdate was not validated...
 

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog Fab-manager
 
+## v5.5.8 2022 December 16
+
+- Fix a bug: wrong reservations count for spaces in availabilities export (#415)
+- Fix a bug: phone or address required are not marked as it, in create manager/admin form
+- Fix a security issue: updated express to 4.18.2 to fix [CVE-2022-24999](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24999)
+- Fix a security issue: updated @claviska/jquery-minicolors to 2.3.6 to fix [CVE-2021-4243](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4243)
+- Fix a security issue: updated loofah to 2.19.1 to fix [CVE-2022-23514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23514), [CVE-2022-23515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23515) and [CVE-2022-23516](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23516)
+- Fix a security issue: updated rails-html-sanitizer to 1.4.4 to fix [CVE-2022-23517](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23517), [CVE-2022-23518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23518), [CVE-2022-23519](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23519), [CVE-2022-23520](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23520) and [CVE-2022-32209](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209)
+- Removed gem rails_12factor
+- [TODO DEPLOY] add the `RAILS_LOG_TO_STDOUT=true` environment variable (see [doc/environment.md](doc/environment.md#RAILS_LOG_TO_STDOUT) for configuration details)
+
 ## v5.5.7 2022 December 13
 
 - Fix a bug: unable to update/delete a space

Gemfile

@@ -56,10 +56,6 @@ group :test do
   gem 'webmock'
 end
 
-group :production, :staging do
-  gem 'rails_12factor'
-end
-
 gem 'seed_dump'
 
 gem 'pg'

Gemfile.lock

@@ -207,7 +207,7 @@ GEM
     listen (3.0.8)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
-    loofah (2.18.0)
+    loofah (2.19.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -334,15 +334,10 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.3)
-      loofah (~> 2.3)
+    rails-html-sanitizer (1.4.4)
+      loofah (~> 2.19, >= 2.19.1)
     rails-observers (0.1.5)
       activemodel (>= 4.0)
-    rails_12factor (0.0.3)
-      rails_serve_static_assets
-      rails_stdout_logging
-    rails_serve_static_assets (0.0.5)
-    rails_stdout_logging (0.0.5)
     railties (5.2.8.1)
       actionpack (= 5.2.8.1)
       activesupport (= 5.2.8.1)
@@ -552,7 +547,6 @@ DEPENDENCIES
   railroady
   rails (~> 5.2.8)
   rails-observers
-  rails_12factor
   rb-readline
   recurrence
   redis-session-store
@@ -580,4 +574,4 @@ DEPENDENCIES
   webmock
 
 BUNDLED WITH
-   2.3.13
+   2.3.25

app/frontend/src/javascript/controllers/admin/members.js

@@ -1190,8 +1190,8 @@ Application.Controllers.controller('NewAdminController', ['$state', '$scope', 'A
 /**
  * Controller used in the manager's creation page (admin view)
  */
-Application.Controllers.controller('NewManagerController', ['$state', '$scope', 'User', 'groupsPromise', 'tagsPromise', 'growl', '_t',
-  function ($state, $scope, User, groupsPromise, tagsPromise, growl, _t) {
+Application.Controllers.controller('NewManagerController', ['$state', '$scope', 'User', 'groupsPromise', 'tagsPromise', 'growl', '_t', 'settingsPromise',
+  function ($state, $scope, User, groupsPromise, tagsPromise, growl, _t, settingsPromise) {
   // default admin profile
     $scope.manager = {
       statistic_profile_attributes: {
@@ -1210,6 +1210,12 @@ Application.Controllers.controller('NewManagerController', ['$state', '$scope',
       }
     };
 
+    // is the phone number required in _admin_form?
+    $scope.phoneRequired = (settingsPromise.phone_required === 'true');
+
+    // is the address required in _admin_form?
+    $scope.addressRequired = (settingsPromise.address_required === 'true');
+
     // list of all groups
     $scope.groups = groupsPromise.filter(function (g) { return !g.disabled; });
 

app/frontend/src/javascript/router.js

@@ -1098,7 +1098,8 @@ angular.module('application.router', ['ui.router'])
         },
         resolve: {
           groupsPromise: ['Group', function (Group) { return Group.query().$promise; }],
-          tagsPromise: ['Tag', function (Tag) { return Tag.query().$promise; }]
+          tagsPromise: ['Tag', function (Tag) { return Tag.query().$promise; }],
+          settingsPromise: ['Setting', function (Setting) { return Setting.query({ names: "['phone_required', 'address_required']" }).$promise; }]
         }
       })
 

app/frontend/templates/shared/_admin_form.html

@@ -95,7 +95,10 @@
 
     <div class="form-group">
       <div class="input-group">
-        <span class="input-group-addon"><i class="fa fa-map-marker"></i> </span>
+        <span class="input-group-addon">
+          <i class="fa fa-map-marker"></i>
+          <span class="exponent" ng-show="addressRequired"><i class="fa fa-asterisk" aria-hidden="true"></i></span>
+        </span>
         <input type="hidden"
                name="admin[invoicing_profile_attributes][address_attributes][id]"
                ng-value="admin.invoicing_profile_attributes.address.id" />

app/frontend/templates/shared/_manager_form.html

@@ -95,7 +95,10 @@
 
     <div class="form-group">
       <div class="input-group">
-        <span class="input-group-addon"><i class="fa fa-map-marker"></i> </span>
+        <span class="input-group-addon">
+          <i class="fa fa-map-marker"></i>
+          <span class="exponent" ng-show="addressRequired"><i class="fa fa-asterisk" aria-hidden="true"></i></span>
+        </span>
         <input type="hidden"
                name="manager[invoicing_profile_attributes][address_attributes][id]"
                ng-value="manager.invoicing_profile_attributes.address.id" />
@@ -110,7 +113,10 @@
 
     <div class="form-group" ng-class="{'has-error': managerForm['manager[profile_attributes][phone]'].$dirty && managerForm['manager[profile_attributes][phone]'].$invalid}">
       <div class="input-group">
-        <span class="input-group-addon"><i class="fa fa-phone"></i> </span>
+        <span class="input-group-addon">
+          <i class="fa fa-phone"></i>
+          <span class="exponent" ng-show="phoneRequired"><i class="fa fa-asterisk" aria-hidden="true"></i></span>
+        </span>
         <input ng-model="manager.profile_attributes.phone"
                type="text"
                name="manager[profile_attributes][phone]"

app/views/exports/availabilities_index.xlsx.axlsx

@@ -88,7 +88,7 @@ if Setting.get('spaces_module')
       ((a.end_at - a.start_at) / slot_duration.minutes).to_i.times do |i|
         start_at = a.start_at + (i * slot_duration).minutes
         end_at = a.start_at + (i * slot_duration).minutes + slot_duration.minutes
-        reservations = a.slots.where(start_at: start_at).count
+        reservations = a.slots_reservations.where(slots: { start_at: start_at }).count
 
         data = [
           start_at.to_date,

doc/environment.md

@@ -99,6 +99,12 @@ These two variables are also used for SSO authentication.
 
 This parameter configures the logs verbosity.
 Available log levels can be found [here](http://guides.rubyonrails.org/debugging_rails_applications.html#log-levels).
+<a name="RAILS_LOG_TO_STDOUT"></a>
+
+    RAILS_LOG_TO_STDOUT
+
+Enable redirecting logs (including errors) to stdout.
+Set this variable to `true` in production environments.
 <a name="MAX_IMAGE_SIZE"></a>
 
     MAX_IMAGE_SIZE

env.example

@@ -58,6 +58,7 @@ OPENLAB_SSL_VERIFY=true
 
 # System settings
 LOG_LEVEL=debug
+RAILS_LOG_TO_STDOUT=true
 DISK_SPACE_MB_ALERT=100
 [email protected]
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "fab-manager",
-  "version": "5.5.7",
+  "version": "5.5.8",
   "description": "Fab-manager is the FabLab management solution. It provides a comprehensive, web-based, open-source tool to simplify your administrative tasks and your marker's projects.",
   "keywords": [
     "fablab",
@@ -46,7 +46,7 @@
     "@babel/preset-react": "^7.12.1",
     "@babel/preset-typescript": "^7.16.7",
     "@babel/runtime": "^7.17.2",
-    "@claviska/jquery-minicolors": "^2.3.5",
+    "@claviska/jquery-minicolors": "^2.3.6",
     "@dnd-kit/core": "^6.0.5",
     "@dnd-kit/modifiers": "^6.0.0",
     "@dnd-kit/sortable": "^7.0.1",

test/integration/exports/members_export_test.rb

@@ -39,13 +39,12 @@ class Exports::MembersExportTest < ActionDispatch::IntegrationTest
     assert_not_nil workbook[I18n.t('export_members.members')]
 
     # test data
-    member = User.members.first
     wb = workbook[I18n.t('export_members.members')]
-    assert_equal member.id, wb.sheet_data[1][0].value
+    member = User.find(wb.sheet_data[1][0].value)
     assert_equal (member.is_allow_newsletter ? 1 : nil), wb.sheet_data[1][4].value
 
     # Clean XLSX file
     require 'fileutils'
     FileUtils.rm(e.file)
   end
-end
+end