Commit graph

445 commits

Author SHA1 Message Date
Christophe Robillard
9347951cea act as an saml identity provider 2020-11-16 12:19:54 +01:00
Christophe Robillard
305ccdc0cd add recoverable and two_factor stragegy for administration 2020-11-05 16:03:55 +01:00
Christophe Robillard
6c2eb22960 remove github authentication for manager 2020-11-05 16:03:55 +01:00
simon lehericey
d82d1132c2 Remove rack_mini_profiler from prod as it could show env var and force us to allow unsafe_eval and script in csp 2020-10-30 17:08:31 +01:00
kara Diaby
3d56b1d8b0 fix bootstrap cdn 2020-10-22 15:00:01 +02:00
clemkeirua
d7fff61d5d ajout de la gem sendinblue 2020-10-13 17:36:43 +02:00
clemkeirua
111f309c7f changement de l'adresse de création de compte administrateur 2020-09-21 17:02:37 +02:00
clemkeirua
f9c4e967d6 remove :autosave_dossier_draft 2020-09-21 08:46:01 +00:00
clemkeirua
6643b598c3 remove :administrateur_graphql 2020-09-17 09:24:50 +02:00
clemkeirua
1be07c1ef5 remove :administrateur_champ_integer_number 2020-09-17 09:24:50 +02:00
clemkeirua
01ac4d7e19 remove operation_log_serialize_subject 2020-09-17 09:24:50 +02:00
simon lehericey
5459c2fa7f Fix uninitialized excon constant 2020-09-08 18:36:24 +02:00
simon lehericey
19d73f13f0 variabilize banner message 2020-09-08 14:52:42 +02:00
simon lehericey
bd6705b90a Remove image and video analyzer which are not used 2020-09-02 17:00:26 +02:00
Judith
af25fdd77c gem http_accept_language installed and (de)activable with feature flag 2020-08-27 16:15:01 +02:00
Pierre de La Morinerie
82c89fb56f config: remove comment about ActiveStorage integration with VirusScanner
As the comment states, it would be nice to load the Virus Scanner on
the Attachment (rather than the blob).

However, in order not to clobber the blob metadata, we want to run the
VirusScanner once the blob analyzer did run.

And the most direct way to detect that the blob analyzer did run is to
add an `on_update_commit` hook on the blob, as this hook will be
trigerred when saving changes to the metadata. This is what the current
solution uses. 

So the current solution is almost optimal, and has a low chance of
accidentally clobbering the blob metadata – as the virus scanner is only
started when the analysis phase is finished.
2020-08-26 16:11:01 +02:00
Pierre de La Morinerie
527a330c7a config: use Rails 6.0 config defaults
We already flipped the new defaults, so this is a no-op.
2020-08-05 17:22:46 +02:00
Pierre de La Morinerie
fbbcd97463 config: flip config.active_record.collection_cache_versioning
This is related to internal cache implementation, and doesn't affect us.
2020-08-05 16:48:36 +02:00
Pierre de La Morinerie
4a9f081cfc config: flip config.action_mailer.delivery_job
This is safe in all cases – except that it prevents a downgrade to
Rails 5. We don't intend to downgrade now, so this is fine.
2020-08-05 16:48:36 +02:00
Pierre de La Morinerie
b556e2a99a config: flip config.active_storage.replace_on_assign_to_many
We don't have any `has_many_attached` relations in the code base, so
this is safe.
2020-08-05 16:48:36 +02:00
Pierre de La Morinerie
54a4db1c47 config: flip config.active_storage.queues
ActiveStorage jobs are now moved to their own queue.

For consistency, we also move our own analysis jobs (VirusScannerJob)
on the same `:active_storage_analysis` queue.
2020-08-05 16:48:36 +02:00
Pierre de La Morinerie
c6cdd08373 config: flip config.active_job.return_false_on_aborted_enqueue
We don't have any instance of aborting inside a job in the code base,
so this setting is safe to flip.
2020-08-05 16:48:36 +02:00
Pierre de La Morinerie
65809f8ea0 config: flip action_dispatch_return_only_media_type_on_content_type
This makes `ActionDispatch::Controller#content_type` return not only
the MIME type, but also in some circumstances the charset.

Example:

```ruby
reponse.content_type == 'text/html; charset=utf-8'
```

The MIME type-only fragment can now be accessed using `#media_type`.

Changes to the tests are not stricly necessary (because no charset is
present in the actual value), but represent the intent better.
2020-08-05 16:48:36 +02:00
Pierre de La Morinerie
8427f0eb75 config: flip config.action_dispatch.use_cookies_with_metadata
This makes cookies more secure, by adding an automatic "purpose" field
to each cookie.

Cookies generated by Rails 5 are still forward-compatible. However
from now on the generated cookies will not be backward-compatible with
Rails 6.
2020-08-05 16:48:36 +02:00
Pierre de La Morinerie
e8fa65f79d config: flip config.action_view.default_enforce_utf8
This prevents charset workaround on IE 8 and lower. We don't support
these browsers anyway, so we can flip the feature off.
2020-08-05 16:48:36 +02:00
Paul Chavard
4c87e547b3 Put IGN map behind a feature flag 2020-07-30 17:22:28 +02:00
Paul Chavard
f1cbc9846e Add carte ign 2020-07-30 16:58:20 +02:00
clemkeirua
db0d230531 add cdn.jsdeliver.net to the CSP 2020-07-27 16:54:46 +02:00
Fabrice Gangler
1352cde321 Feat: allow emails senders to be configured in .env file
Refs: #5408
2020-07-24 10:50:55 +02:00
clemkeirua
7e085c657d specific deactivation of rubocop DS/ApplicationName rule 2020-07-23 16:20:16 +02:00
clemkeirua
c658428441 added application name in config/ 2020-07-23 16:17:54 +02:00
clemkeirua
31a262efef extraction d'urls doc/faq/… dans url.rb 2020-07-23 16:16:36 +02:00
Paul Chavard
8b9e73a30a
Merge pull request #5382 from adullact/feat_status-page-customisation
#5379 - Allow status page URL to be configured in the .env file
2020-07-22 22:10:58 +02:00
Paul Chavard
35461f0159 Add revisions migrations 2020-07-21 19:35:30 +02:00
clemkeirua
c0cf8b1341 fix display of labels for datetime on screenreaders 2020-07-20 11:37:01 +02:00
Gangler Fabrice
39feca251d allow status page URL to be configured in .env 2020-07-17 15:53:49 +02:00
Paul Chavard
6a24c3f812 Rails app:update 2020-07-07 18:03:56 +02:00
clemkeirua
6a3811a4e2 fix catalog v3 2020-06-19 14:20:32 +02:00
krichtof
ff6eaf73db
Revert "Suppression de l'utilisation de Keystone v2" 2020-06-04 17:32:25 +02:00
Paul Chavard
901b6e23a8 Remove legacy carto 2020-06-04 16:03:23 +02:00
clemkeirua
def744d627 remove now useless keystone v2 2020-06-04 12:05:27 +00:00
clemkeirua
868decd06e add overide for fog openstack v3 2020-06-02 15:03:37 +02:00
Pierre de La Morinerie
c9820adbc4 urls: fix link to autosave FAQ article 2020-05-18 16:53:19 +02:00
Pierre de La Morinerie
6eca93faab urls: fix link to admin FAQ category 2020-05-18 16:53:19 +02:00
Pierre de La Morinerie
93bb5283ff app: remove the feature flag for pieces justificatives auto-upload
The feature works as intended: we can remove the feature flag.
2020-05-14 17:39:07 +02:00
Keirua
a869a04e1e Mise à jour de l'URL de doc sur l'archivage
Co-authored-by: Pierre de La Morinerie <pierre.de_la_morinerie@beta.gouv.fr>
2020-05-13 16:45:27 +02:00
clemkeirua
84888be255 clarification de l'archivage/suppression 2020-05-13 16:45:27 +02:00
kara Diaby
2fc438ab65 Fix safari and firefox compatibility mapbox gl 2020-04-30 14:14:03 +02:00
kara Diaby
9aea1fffee Migrate the map editor to mapbox-gl with react component 2020-04-27 11:30:32 +02:00
Pierre de La Morinerie
37645d3df2 config: fix (again) the CSP when running a LiveReload server locally
When running the app using `bin/webpack-dev-server` (the external
(and fast) assets server), LiveReload is used. We need to explicitely
allow the LiveReload connections in the CSP policy.

Turns out we now need to specify the protocol explicitely.
2020-04-20 17:24:16 +02:00
Paul Chavard
7a8fd3c679 Use graphql playground instead of graphiql 2020-04-09 19:38:19 +02:00
kara Diaby
56e9834389 Revert "Revert "Revert "Revert "feat/4893 - migrate the mapReader to mapbox-gl with react""""
This reverts commit 473ed00b6c.
2020-04-09 11:01:20 +02:00
kara Diaby
473ed00b6c Revert "Revert "Revert "feat/4893 - migrate the mapReader to mapbox-gl with react"""
This reverts commit fe0b3c2215.
2020-04-07 18:14:07 +02:00
kara Diaby
fe0b3c2215 Revert "Revert "feat/4893 - migrate the mapReader to mapbox-gl with react""
This reverts commit 3e21b78142.
2020-04-07 18:11:11 +02:00
Pierre de La Morinerie
3e21b78142
Revert "feat/4893 - migrate the mapReader to mapbox-gl with react" 2020-04-07 15:32:14 +02:00
kara Diaby
aa56cfd7a0 migrate map to mapbox-gl with a react component 2020-04-02 15:39:47 +02:00
Pierre de La Morinerie
6417c0d2c0 dossiers: allow auto upload of attachments 2020-03-31 13:09:44 +02:00
clemkeirua
5ef6f92fdc update CGU URL 2020-03-25 09:50:41 +00:00
clemkeirua
057d7bc2f1 add interval data type to ActiveRecord 2020-03-24 18:10:13 +01:00
clemkeirua
c077762a04 added labels for datetime
cf https://stackoverflow.com/a/47836699
2020-03-24 16:54:35 +00:00
Pierre de La Morinerie
ea94ea05a0 config: configure CSP to allow live-reload requests
This avoids CSP errors when using the `bin/webpack-dev-server` external
assets compilation server.
2020-03-18 13:26:54 +01:00
Paul Chavard
444d19e191 Remove unused gems 2020-03-17 11:25:21 +01:00
Paul Chavard
ae2cfdd44e Update browser gem
`modern?` method was removed in version 4
2020-03-17 11:25:20 +01:00
Pierre de La Morinerie
745b00366f Revert "app: hide IE11 deprecation banner during the strike"
This reverts commit c2882b6cc3.
2020-01-28 15:18:18 +01:00
Paul Chavard
4edc7b00cf Use geocoder 2020-01-15 15:04:04 +01:00
Paul Chavard
14295db9ad Revert "Revert "Merge pull request #4552 from tchak/champ-communes""
This reverts commit 4373cb22cb.
2020-01-14 18:46:07 +01:00
clemkeirua
4373cb22cb Revert "Merge pull request #4552 from tchak/champ-communes"
This reverts commit 4cec26f73a, reversing
changes made to 0ef25ef36c.
2020-01-13 16:26:27 +01:00
Paul Chavard
cccb04d725 ActiveStorage url should expire after an hour 2020-01-08 14:43:05 +01:00
Paul Chavard
e61e39d345 Remove unused code and tests 2020-01-07 11:52:51 +01:00
Paul Chavard
22aa2d4ee0 Make all location champs autocomplete 2020-01-07 11:52:51 +01:00
Paul Chavard
422b7f37ec [GraphQL] expose file information 2019-12-11 12:34:49 +01:00
Pierre de La Morinerie
c2882b6cc3 app: hide IE11 deprecation banner during the strike
Having two banners appearing in a few days may be overwhelming for
users.
2019-12-04 17:32:04 +01:00
Christophe Robillard
4e7c779116 refuse les numéros de tel invalides
rend facultatif les numéros de téléphone
2019-12-04 05:34:43 +01:00
Pierre de La Morinerie
97af50c700 app: fix detection of Chrome iOS and Firefox iOS as outdated browsers
For instance, Firefox iOS is reported as `firefox? true, version 20`.

As on iOS only the system-provided Webkit is allowed, we can instead
safely assume that all browsers on a recent iOS device are modern.
2019-12-03 16:09:41 +01:00
Pierre de La Morinerie
2ee8cab067 app: display a deprecation banner for IE 11 2019-12-03 16:02:08 +01:00
Pierre de La Morinerie
bff7892ba8 dossiers: autosave drafts 2019-11-21 14:00:06 +01:00
Alexandre Friquet
8f5203cc2e
Merge branch 'dev' into 4482-echec-initilaisation-env-dev 2019-11-14 17:07:28 +01:00
Alexandre Friquet
d9680252b0 Fixes missing database on initialization: closes #4482. 2019-11-14 09:17:39 +01:00
Paul Chavard
f7cbbe815c [GraphQL]: Add default query to playground 2019-11-13 15:53:56 +01:00
clemkeirua
6351eabfdd remove notification to report-uri in production 2019-11-07 17:32:40 +01:00
clemkeirua
959aacdea5 Sendinblue email balancing using proper credentials
This reverts commit c61981e795.
2019-11-06 13:34:36 +01:00
clemkeirua
c61981e795 Revert "Sendinblue email balancing using interceptor"
This reverts commit b2135b6576.
2019-11-04 15:55:08 +01:00
Chaïb Martinez
b2135b6576 Sendinblue email balancing using interceptor
Signed-off-by: Chaïb Martinez <chaibax@gmail.com>
2019-11-04 15:30:44 +01:00
Paul Chavard
18e91e7ca3 Extend old export format till mid-November 2019-10-31 17:11:46 +01:00
Paul Chavard
73d4ecf35d Add a DS_PROXY_URL env variable 2019-10-30 16:15:38 +01:00
Paul Chavard
6a3d725134 Revert "Revert "Decommission ActiveStorage proxy service and use openstack service""
This reverts commit 71227be37f.
2019-10-30 12:11:45 +01:00
simon lehericey
71227be37f Revert "Decommission ActiveStorage proxy service and use openstack service"
This reverts commit 0ff6c793ae.
2019-10-29 10:30:40 +01:00
Paul Chavard
0ff6c793ae Decommission ActiveStorage proxy service and use openstack service
We are making these changes in order to always use DS_Proxy. Before this change DS_Proxy was not used to write files when ActiveStorage was used directly and not through “direct upload”.
2019-10-23 17:58:00 +02:00
clemkeirua
4a6893d88b migrate sendinblue API to v3 2019-10-22 10:06:53 +02:00
clemkeirua
43424e4f4e merge with the work of paul, using 3 links 2019-10-22 09:51:14 +02:00
simon lehericey
f31c184b56 [fix #1537] Remove simple_form gem 2019-10-08 11:08:35 +02:00
clemkeirua
d3063c0b63 remove download_as_zip feature flag 2019-10-03 10:48:24 +02:00
Paul Chavard
5a7e415474 Put graphql behind a feature flag 2019-09-24 10:47:21 +02:00
Paul Chavard
91ad9bd7d3 Configure GraphQL::RailsLogger 2019-09-24 10:47:21 +02:00
Paul Chavard
d24e0e72a7 Correctly create new flipper flags 2019-09-12 10:46:13 +02:00
Paul Chavard
65e227c44b Migrate to flipper 2019-09-10 16:10:14 +02:00
Chaïb Martinez
dd6c6bfe7a mailers: add a NO_REPLY address to transactional emails 2019-09-10 13:37:28 +02:00
Paul Chavard
7ffb98e616 Remove carrierwave uploaders 2019-09-10 10:49:12 +02:00
Chaïb Martinez
f2386a5800 Add crips help domaine to defaut policy src
[fix #4234]

Signed-off-by: Chaïb Martinez <chaibax@gmail.com>
2019-08-27 10:30:10 +02:00
simon lehericey
86d968bb8e Use rack_attack_enabled?
We cannot enable rack attack during the tests as it interferes with features spec.
So we add a flag to enable it during the runtime.
2019-08-20 13:29:29 +02:00
simon lehericey
0f0fecdb25 RackAttack: use remote ip and test it ! 2019-08-20 13:29:29 +02:00
pedong
fc8cebd78d add Gem rack_attack for prevent attack brute-force 2019-08-20 13:29:29 +02:00
Nicolas Bouilleaud
7c7947adeb Rename gestionnaire to instructeur in a comment
About an (unused for now) env var.
2019-08-13 10:27:49 +02:00
simon lehericey
3fde2a6f70 Rename gestionnaire in code to instructeur 2019-08-12 13:47:01 +02:00
maatinito
3703a71ea3 #3928 Added constants to define password min length & complexity 2019-08-01 17:12:14 +02:00
Pierre de La Morinerie
95e24392f9 models: remove old pieces justificatives 2019-07-30 16:11:17 +02:00
pedong
9438f962c5 add alert for account is locked 2019-07-29 17:48:44 +02:00
pedong
8d03a6747c add lockable to User, Gestionnaire, administration, Administrateur 2019-07-29 17:48:44 +02:00
clemkeirua
99421545ab replaced api-carto endpoint 2019-07-23 16:21:15 +02:00
Pierre de La Morinerie
76335511c8 omniauth: protect against CSRF
See https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
2019-07-15 18:16:00 +02:00
Paul Chavard
3cb39c2840 Refactor message attachements to use active_storage 2019-07-10 15:35:29 +02:00
simon lehericey
0f9fdf3f75 Activate device email change confirmation 2019-07-09 11:55:17 +02:00
Mathieu Magnin
b34f8fbe3d Add ActionText 2019-07-03 13:15:49 +02:00
simon lehericey
4b154983fb Landing: voir les démarches -> comment trouver ma démarche 2019-07-03 12:59:09 +02:00
clemkeirua
dfefb827d9 missing connect-src 2019-07-02 10:50:10 +02:00
clemkeirua
d6f2de2fbf enable static + activate csp in production 2019-07-02 09:40:38 +02:00
clemkeirua
eaf850c1e9 enable csp 2019-06-27 11:10:29 +02:00
clemkeirua
f19b5f8911 fix csp rule for crisp websocket 2019-06-26 12:37:55 +02:00
clemkeirua
7064f7e973 enable crisp websockets and css 2019-06-25 17:39:08 +02:00
clemkeirua
d3c6021ef4 add duplicate rules as fallback 2019-06-20 11:34:24 +02:00
clemkeirua
dc6c2e6bc0 add missing elements 2019-06-17 17:05:08 +02:00
Nicolas Bouilleaud
dace9a53d3 Add Universign timestamp API query 2019-06-17 16:16:28 +02:00
clemkeirua
765b10026e more generic elements to the security policy 2019-06-17 09:51:27 +02:00
Pierre de La Morinerie
d410e31344 active_storage: document the virus scan hooks 2019-05-28 11:39:22 +02:00
Paul Chavard
cc4eba2b36 Less mokey patching 2019-05-21 14:21:42 +02:00
clemkeirua
5cbbbb8d3e more whitelist for the common domains we use 2019-05-20 09:52:44 +02:00
Paul Chavard
42235e81b1 Use active storage load hook to extend blob 2019-05-16 20:43:01 +02:00
Paul Chavard
348b15f595 Put devtools behind feature flags 2019-05-15 18:10:25 +02:00
clemkeirua
6fe4031b2e use constant for localhost 2019-05-15 16:33:27 +02:00
clemkeirua
b670b60ac6 changement de l'URI de report-uri 2019-05-15 15:32:00 +02:00
Pierre de La Morinerie
d431eeeb93 carrierwave: fix typo
Turns out the `openstack_identity_api_version` has not actually been
filled out for a while, because of a typo.
2019-05-15 14:03:15 +02:00
Chaïb Martinez
3004f96cf5 Add video and webinar URLs to admin pages
Fix #3850

Signed-off-by: Chaïb Martinez <chaibax@gmail.com>
2019-05-13 17:47:02 +02:00
clemkeirua
675cc5150c update on the security policy headers 2019-05-09 14:55:21 +02:00
clemkeirua
64b858ef19 handle Gon + add report-uri URL 2019-05-06 10:07:51 +02:00
clemkeirua
8582b08a98 add security policy 2019-05-06 10:07:51 +02:00
Paul Chavard
f113d108c9 Save virus scan status to blob metadata 2019-05-02 15:58:09 +02:00
Paul Chavard
b9be186d2c Sentry should send environment information 2019-04-03 18:19:16 +02:00
Paul Chavard
51c79ba6a6 Update webpacker and replace vue with react 2019-04-03 14:38:07 +02:00
Frederic Merizen
98713b6a4d Proxy for SendinBlue API 2019-03-08 16:33:28 +01:00
Mathieu Magnin
1eed114d78 Add status page in footer 2019-03-05 17:42:00 +01:00
simon lehericey
2920769a68 ActiveStorage: temp url are valid for 1 hour 2019-02-28 18:36:28 +01:00
Pierre de La Morinerie
283f110e9b stats: improve numeric separators and suffixes 2019-02-01 11:02:37 +01:00
Pierre de La Morinerie
3b92fe93fc stats: make groupdate week start on Monday 2019-01-10 16:14:14 +01:00
gregoirenovel
5fa5f2aa37 Bump development gems
- rubocop (0.61.1 → 0.62.0)
2019-01-05 11:47:55 +01:00
gregoirenovel
0596d53ac2 Enable the Lint/UnusedBlockArgument cop 2019-01-03 10:53:50 +01:00
gregoirenovel
8ffcc16ec5 Avoid EOL ifs 2019-01-03 10:53:50 +01:00
gregoirenovel
7ffe40868b Use parentheses 2019-01-03 10:53:50 +01:00
pedong
ef1c17beaa [Fix #3056] get url api in the environment variable 2018-11-27 14:47:10 +01:00
gregoirenovel
dffd132564 Remove a useless file 2018-11-22 01:51:55 +01:00
Frederic Merizen
d901cb286b [#2180] Bump fog-openstack 2018-11-16 11:11:39 +01:00