fix(i18n): wrap text under i18n.t

i18n(france_connect/*): replace wording with i18n fix(lint): i18n key issue secu(views/france_connect/particulier/merge.html.haml): sanitize france_connect_email just in case fix(brakeman): sanitize FCI.email_france_connect when used with html_safe via an I18n.t, also add exception to brakeman
2021-11-23 13:30:07 +01:00 · 2021-11-23 13:30:07 +01:00 · fdf0f18fda
commit fdf0f18fda
parent febe890d28
8 changed files with 104 additions and 38 deletions
--- a/app/controllers/france_connect/particulier_controller.rb
+++ b/app/controllers/france_connect/particulier_controller.rb
@ -51,18 +51,18 @@ class FranceConnect::ParticulierController < ApplicationController

    if user.present? && user.valid_for_authentication? { user.valid_password?(password_params) }
      if !user.can_france_connect?
-        flash.alert = "#{user.email} ne peut utiliser FranceConnect"
+        flash.alert = t('errors.messages.france_connect.forbidden_html', reset_link: new_user_password_path)

        render js: ajax_redirect(root_path)
      else
        @fci.update(user: user)
        @fci.delete_merge_token!

-        flash.notice = "Les comptes FranceConnect et #{APPLICATION_NAME} sont à présent fusionnés"
+        flash.notice = t('france_connect.particulier.flash.connection_done', application_name: APPLICATION_NAME)
        connect_france_connect_particulier(user)
      end
    else
-      flash.alert = 'Mauvais mot de passe'
+      flash.alert = t('france_connect.particulier.flash.invalid_password')

      render js: helpers.render_flash
    end
@ -74,7 +74,7 @@ class FranceConnect::ParticulierController < ApplicationController
      @fci.update(user: user)
      @fci.delete_merge_token!

-      flash.notice = "Les comptes FranceConnect et #{APPLICATION_NAME} sont à présent fusionnés"
+      flash.notice = t('france_connect.particulier.flash.connection_done', application_name: APPLICATION_NAME)
      connect_france_connect_particulier(user)
    else # same behaviour as redirect nicely with message when instructeur/administrateur
      @fci.destroy
@ -89,7 +89,7 @@ class FranceConnect::ParticulierController < ApplicationController
      @fci.associate_user!(sanitized_email_params)
      @fci.delete_merge_token!

-      flash.notice = "Les comptes FranceConnect et #{APPLICATION_NAME} sont à présent fusionnés"
+      flash.notice = t('france_connect.particulier.flash.connection_done', application_name: APPLICATION_NAME)
      connect_france_connect_particulier(@fci.user)
    else
      @email = sanitized_email_params
@ -99,9 +99,9 @@ class FranceConnect::ParticulierController < ApplicationController

  def resend_and_renew_merge_confirmation
    merge_token = @fci.create_merge_token!
-    UserMailer.france_connect_merge_confirmation(@fci.email_france_connect, merge_token).deliver_later
+    UserMailer.france_connect_merge_confirmation(@fci.email_france_connect, merge_token, @fci.merge_token_created_at).deliver_later
    redirect_to france_connect_particulier_merge_path(merge_token),
-                notice: "Nous venons de vous envoyer le mail de confirmation, veuillez cliquer sur le lien contenu dans ce mail pour fusionner vos comptes"
+                notice: t('france_connect.particulier.flash.confirmation_mail_sent')
  end

  private
@ -110,7 +110,7 @@ class FranceConnect::ParticulierController < ApplicationController
    @fci = FranceConnectInformation.find_by(merge_token: merge_token_params)

    if @fci.nil? || !@fci.valid_for_merge?
-      flash.alert = "Le délai pour fusionner les comptes FranceConnect et #{APPLICATION_NAME} est expirée. Veuillez recommencer la procédure pour vous fusionner les comptes."
+      flash.alert = t('france_connect.particulier.flash.merger_token_expired', application_name: APPLICATION_NAME)

      respond_to do |format|
        format.html { redirect_to root_path }
--- a/app/views/france_connect/particulier/_password_confirmation.html.haml
+++ b/app/views/france_connect/particulier/_password_confirmation.html.haml
@ -1,16 +1,16 @@
 %p
-  Le compte #{email} existe déjà sur #{APPLICATION_NAME}
+  = t('.already_exists', email: email, application_name: APPLICATION_NAME)
  %br
-  entrez votre mot de passe pour fusionner les comptes
+  = t('.fill_in_password')

 = form_tag france_connect_particulier_merge_with_existing_account_path, remote: true, class: 'mt-2 form fconnect-form' do
  = hidden_field_tag :merge_token, merge_token
  = hidden_field_tag :email, email
-  = label_tag :password, 'Mot de passe (8 caractères minimum)'
+  = label_tag :password, t('views.registrations.new.password_label', min_length: 8)
  = password_field_tag :password, nil, autocomplete: 'current-password', id: 'password-for-another-account'
  .mb-2
-    Mot de passe oublié ?
+    = t('views.users.sessions.new.reset_password')
    = link_to france_connect_particulier_resend_and_renew_merge_confirmation_path(merge_token: merge_token), method: :post do
-      Confirmer mon compte par email
-  = button_tag 'revenir en arrière', type: 'button', class: 'button secondary', onclick: 'DS.showNewAccount(event);'
-  = submit_tag 'Fusionner les comptes', class: 'button primary'
+      = t('france_connect.particulier.merge.link_confirm_by_email')
+  = button_tag t('.back'), type: 'button', class: 'button secondary', onclick: 'DS.showNewAccount(event);'
+  = submit_tag t('france_connect.particulier.merge.button_merge'), class: 'button primary'
--- a/app/views/france_connect/particulier/merge.html.haml
+++ b/app/views/france_connect/particulier/merge.html.haml
@ -1,52 +1,46 @@
 = content_for :title, "Fusion des comptes FC et #{APPLICATION_NAME}"

 .container
-  %h1.page-title Fusion des comptes FranceConnect et #{APPLICATION_NAME}
+  %h1.page-title= t('.title', application_name: APPLICATION_NAME)

-  %p
-    Bonjour,
-    %br
-    %br
-    Votre compte FranceConnect utilise <b class='bold'>#{@fci.email_france_connect}</b> comme email de contact.
-    %br
-    Or il existe un compte sur #{APPLICATION_NAME} avec cet email.
+  %p= t('.subtitle', email: sanitize(@fci.email_france_connect), application_name: APPLICATION_NAME).html_safe

  .form.mt-2
-    %label Ce compte #{@fci.email_france_connect} vous appartient-il ?
+    %label= t('.label_select_merge_flow', email: @fci.email_france_connect)
    %fieldset.radios
      %label{ onclick: "DS.showFusion(event);" }
        = radio_button_tag :value, true, false, autocomplete: "off", id: 'it-is-mine'
-        Oui
+        = t('utils.yes')

      %label{ onclick: "DS.showNewAccount(event);" }
        = radio_button_tag :value, false, false, autocomplete: "off", id: 'it-is-not-mine'
-        Non
+        = t('utils.no')

  .fusion.hidden
-    %p Pour fusionner ces comptes, veuillez cliquer sur le lien présent dans le mail que nous venons de vous envoyer.
+    %p= t('.title_fill_in_password')

    = form_tag france_connect_particulier_merge_with_existing_account_path, remote: true, class: 'mt-2 form fconnect-form' do
      = hidden_field_tag :merge_token, @fci.merge_token
      = hidden_field_tag :email, @fci.email_france_connect

-      = label_tag :password, 'Mot de passe (8 caractères minimum)'
+      = label_tag :password, t('views.registrations.new.password_label', min_length: 8)
      = password_field_tag :password, nil, autocomplete: 'current-password', class: 'mb-1'
      .mb-2
-        Mot de passe oublié ?
+        = t('views.users.sessions.new.reset_password')
        = link_to france_connect_particulier_resend_and_renew_merge_confirmation_path(merge_token: @fci.merge_token), method: :post do
-          Confirmer mon compte par email
+          = t('.link_confirm_by_email')

-      = submit_tag 'Fusionner les comptes', class: 'button primary'
+      = submit_tag t('.button_merge'), class: 'button primary'


  .new-account.hidden
-    %p Donnez-nous alors le mail que #{APPLICATION_NAME} utilisera pour vous contacter
+    %p= t('.title_fill_in_email', application_name: APPLICATION_NAME)

    = form_tag france_connect_particulier_merge_with_new_account_path, remote: true, class: 'mt-2 form' do
      = hidden_field_tag :merge_token, @fci.merge_token
-      = label_tag :email, 'Email (nom@site.com)'
+      = label_tag :email, t('views.registrations.new.email_label')
      = email_field_tag :email, "", required: true
-      = submit_tag 'Utiliser ce mail', class: 'button primary'
+      = submit_tag t('.button_use_this_email'), class: 'button primary'


  .new-account-password-confirmation.hidden
--- a/app/views/user_mailer/france_connect_merge_confirmation.haml
+++ b/app/views/user_mailer/france_connect_merge_confirmation.haml
@ -10,7 +10,7 @@
 %p
  Vous pouvez aussi visiter ce lien : #{link_to france_connect_particulier_mail_merge_with_existing_account_url(merge_token: @merge_token), france_connect_particulier_mail_merge_with_existing_account_url(merge_token: @merge_token)}

-%p Ce lien est valide #{distance_of_time_in_words(FranceConnectInformation::MERGE_VALIDITY)}, jusqu'à #{I18n.l(@merge_token_created_at, format: "%d-%m-%Y à %H:%M (%Z)")}
+%p Ce lien est valide #{distance_of_time_in_words(FranceConnectInformation::MERGE_VALIDITY)}, jusqu'à #{@merge_token_created_at.strftime("%d-%m-%Y à %H:%M (%Z)")}

 %p
  Si vous n’êtes pas à l’origine de cette demande, vous pouvez ignorer ce message. Et si vous avez besoin d’assistance, n’hésitez pas à nous contacter à
--- a/config/brakeman.ignore
+++ b/config/brakeman.ignore
@ -1,5 +1,36 @@
 {
  "ignored_warnings": [
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 2,
+      "fingerprint": "42099f4550a8377f455e830e8ab645cecd5806248481c5c646b4e17548c3cb07",
+      "check_name": "CrossSiteScripting",
+      "message": "Unescaped model attribute",
+      "file": "app/views/france_connect/particulier/merge.html.haml",
+      "line": 6,
+      "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
+      "code": "t(\".subtitle\", :email => sanitize(FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect), :application_name => (APPLICATION_NAME))",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "FranceConnect::ParticulierController",
+          "method": "merge",
+          "line": 48,
+          "file": "app/controllers/france_connect/particulier_controller.rb",
+          "rendered": {
+            "name": "france_connect/particulier/merge",
+            "file": "app/views/france_connect/particulier/merge.html.haml"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "france_connect/particulier/merge"
+      },
+      "user_input": "FranceConnectInformation.find_by(:merge_token => merge_token_params).email_france_connect",
+      "confidence": "Weak",
+      "note": "explicitely sanitized even if we are using html_safe"
+    },
    {
      "warning_type": "Cross-Site Scripting",
      "warning_code": 2,
@ -15,7 +46,7 @@
          "type": "controller",
          "class": "Users::DossiersController",
          "method": "merci",
-          "line": 188,
+          "line": 193,
          "file": "app/controllers/users/dossiers_controller.rb",
          "rendered": {
            "name": "users/dossiers/merci",
@ -58,7 +89,7 @@
      "check_name": "Redirect",
      "message": "Possible unprotected redirect",
      "file": "app/controllers/instructeurs/procedures_controller.rb",
-      "line": 180,
+      "line": 190,
      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
      "code": "redirect_to(Export.find_or_create_export(params[:export_format], (params[:time_span_type] or \"everything\"), current_instructeur.groupe_instructeurs.where(:procedure => procedure)).file.service_url)",
      "render_path": null,
@ -72,6 +103,6 @@
      "note": ""
    }
  ],
-  "updated": "2021-09-02 16:12:11 -0500",
+  "updated": "2021-11-23 14:09:21 +0100",
  "brakeman_version": "5.1.1"
 }
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -382,3 +382,23 @@ en:
        identity_saved: "Identity data is registred"
      attestation:
        no_longer_available: "The certificate is no longer available on this file."
+  france_connect:
+    particulier:
+      password_confirmation:
+        back: 'back to previous step'
+        already_exists: An account with %{email} already existis on %{application_name}
+        fill_in_password: fill in your password to merge your accounts
+      merge:
+        title: "Merge your account FranceConnect and %{application_name}"
+        subtitle: "Hello,<br /><br />Your account FranceConnect uses <b class='bold'>%{email}</b> as contact email.<br />But there is an existing %{application_name} account using this email."
+        label_select_merge_flow: Is %{email} one of your email account ?
+        title_fill_in_password:  To merge your accounts fill in your password
+        button_merge: Merge accounts
+        title_fill_in_email: Fill in the email that %{application_name} will use to contact you
+        button_use_this_email: Use this email
+        link_confirm_by_email: Confirm by receiving an email
+      flash:
+          confirmation_mail_sent: "An email with the confirmation link has been sent, please click on the link."
+          invalid_password: "The password is not correct."
+          connection_done: "The accounts for FranceConnect and %{application_name} are now merged."
+          merger_token_expired: "Le delay to merge your FranceConnect and %{application_name} accounts is expired. Please retry."
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@ -421,3 +421,23 @@ fr:
        ready: "Validé"
        needs_configuration: "À configurer"
        configure_api_particulier_token: "Configurer le jeton API particulier"
+  france_connect:
+    particulier:
+      password_confirmation:
+        back: 'revenir en arrière'
+        already_exists: Le compte %{email} existe déjà sur %{application_name}
+        fill_in_password: entrez votre mot de passe pour fusionner les comptes
+      merge:
+        title: "Fusion des comptes FranceConnect et %{application_name}"
+        subtitle: "Bonjour,<br /><br />Votre compte FranceConnect utilise <b class='bold'>%{email}</b> comme email de contact.<br />Or il existe un compte sur %{application_name} avec cet email."
+        label_select_merge_flow: Ce compte %{email} vous appartient-il ?
+        title_fill_in_password:  Pour les fusionner, entrez votre mot de passe
+        button_merge: Fusionner les comptes
+        title_fill_in_email: Donnez-nous alors le mail que %{application_name} utilisera pour vous contacter
+        button_use_this_email: Utiliser ce mail
+        link_confirm_by_email: Confirmer mon compte par email
+      flash:
+        confirmation_mail_sent: "Nous venons de vous envoyer le mail de confirmation, veuillez cliquer sur le lien contenu dans ce mail pour fusionner vos comptes"
+        invalid_password: "Mauvais mot de passe"
+        connection_done: "Les comptes FranceConnect et %{application_name} sont à présent fusionnés"
+        merger_token_expired: "Le délai pour fusionner les comptes FranceConnect et %{application_name} est expirée. Veuillez recommencer la procédure pour vous fusionner les comptes."
--- a/spec/controllers/france_connect/particulier_controller_spec.rb
+++ b/spec/controllers/france_connect/particulier_controller_spec.rb
@ -267,6 +267,7 @@ describe FranceConnect::ParticulierController, type: :controller do
        expect(fci.user).to eq(user)
        expect(fci.merge_token).to be_nil
        expect(controller.current_user).to eq(user)
+        expect(flash[:notice]).to eq("Les comptes FranceConnect et #{APPLICATION_NAME} sont à présent fusionnés")
      end

      context 'but the targeted user is an instructeur' do