Commit graph

78 commits

Author SHA1 Message Date
Nicolas Cavigneaux
db71323b92 fix: add missing encryption key / salt introduced in Rails 7 2023-05-03 11:35:28 +02:00
simon lehericey
4f0f221e46 secu: remove a tag from sane user input 2023-02-06 11:01:28 +01:00
Martin
a4d6692bc6 accessibility(authentication-pages): changes to the login/account creation pages to comply with the DSFR and support better accessibility
Update app/components/dsfr/input_component/input_component.html.haml

Co-authored-by: Colin Darie <colin@darie.eu>
2023-01-03 16:26:05 +01:00
Christophe Robillard
11a18516b2 remove feature flag zonage 2022-12-21 09:02:16 +01:00
Christophe Robillard
edffd0a7a8 extract ds_opendata_enabled 2022-12-20 12:52:56 +01:00
Martin
235da8b04a improvement(sanitize): also sanitize <img> tags 2022-12-01 17:42:24 +01:00
Colin Darie
0641069d0b chore(bundle): update view_component, no need for use_global_output_buffer anymore
This fixes contact form and captcha invisibility due to buffer issues.

Closes #7627
2022-08-03 11:57:26 +02:00
Kara Diaby
e98b2417cb load jobs/concerns 2022-07-29 12:25:27 +02:00
Paul Chavard
2a187ca9a0 feat(autosave): reduce debounce delay 2022-05-24 15:05:14 +02:00
Paul Chavard
dca4dda228 chore(view_component): enable global_output_buffer 2022-05-17 16:08:47 +02:00
simon lehericey
faae2f55d8 Flipper: remove deprecated conf
https://github.com/jnunemaker/flipper/pull/523
2022-05-16 16:10:35 +02:00
Paul Chavard
86df16ebda feat(view_components): add view_components 2022-04-26 14:54:58 +02:00
François Vantomme
d5cd0101c8 feat(footer): customize using custom views & locales 2022-03-10 17:31:20 +01:00
Jon
97feca6305 feat(ClamAV): add config to disable clamav usage 2022-02-15 09:15:47 +01:00
Pierre de La Morinerie
d524beee4e app: remove :instructeur_bypass_email_login_token from Flipper 2021-12-02 08:51:52 +01:00
Pierre de La Morinerie
99c77046d2 models: improve error message for invalid champs
Avoid prepending the message with 'Draft revision '
2021-11-30 13:34:41 +01:00
Pierre de La Morinerie
5b4f7f9ae9 app: restore the default cache settings
We initially did that to avoid a browser being restarted to display a
cached form with a stale CSRF token – thus provoking an
InvalidAuthenticityToken exception when the form is submitted.

But now that we use a long-lived CSRF token, we can submit forms with
a stale CSRF token successfully (because the long-lived CSRF cookie
is still valid) – so we no longer need to change the HTML cache behavior.

This fixes issues where the browser Back button wants to display a
previous POST document, but can't because of the 'no-store' setting. In
this case the browser either displays an error, or re-attempts the POST
request (without any cookies), which results in an
InvalidAuthenticityToken exception.

See `docs/adr-csrf-forgery.md` for more explanations.
2021-07-20 11:11:52 +02:00
Pierre de La Morinerie
d93342e1d7 config: cleanup allowed tags after Rails 6.1 migration 2021-05-25 11:06:53 +02:00
simon lehericey
44f9ae3c65 only preload what is needed on most requests 2021-04-06 18:23:14 +02:00
Pierre de La Morinerie
42b3ba1e1b config: migrate all config to Rails 6.1 defaults 2021-04-06 12:12:57 +02:00
Pierre de La Morinerie
b65de3e583 config: make the queue names explicit
With Rails 6.1, the default queue is now the global application queue.

We want to retain our custom queues in some cases, so configure them
explicitly.
2021-04-06 12:12:57 +02:00
Pierre de La Morinerie
5990439ab7 app: update code to Rails 6.1 2021-03-25 13:24:53 +01:00
Christophe Robillard
83cf0fa903 detect staging env 2021-03-24 15:30:12 +01:00
Pierre de La Morinerie
70104d7059 config: avoid blocking legitimate requests from mobile ISPs 2021-03-11 18:28:10 +01:00
Pierre de La Morinerie
fb305e31c4 config: move application_name to an initializer
It seems cleaner not to require a file before the Rails configuration
runs.
2021-02-24 15:06:55 +01:00
Pierre de La Morinerie
211ddeda45 config: enable zeitwerk
Check that everything works using
bin/rails zeitwerk:check
2021-02-11 12:30:43 +01:00
Fabrice Gangler
60d6b1909d Fix for using APPLICATION_NAME in .env file
Refs: #5450
2020-08-28 03:46:19 +02:00
Judith
af25fdd77c gem http_accept_language installed and (de)activable with feature flag 2020-08-27 16:15:01 +02:00
Pierre de La Morinerie
d77efec7a0 config: enable active_record.belongs_to_required_by_default 2020-08-18 15:57:37 +02:00
Pierre de La Morinerie
ededf5c6c5 config: don't explicitly eager-load lib/
Rationale:

- `lib/` is supposed to contain code mostly independent from Rails;
- By default, Rails doesn't eager-load `lib/` anymore (this used to be
the case, but hasn't been for a few releases).

If this commit triggers some errors, then these errors should be fixed
(rather than `lib/` being added again to the load path).
2020-08-18 11:02:09 +02:00
Pierre de La Morinerie
c514898b84 config: don't explicitly eager-load controllers/concerns
Per the documentation, Rails automatically loads `**/concerns` paths.

See https://guides.rubyonrails.org/autoloading_and_reloading_constants_classic_mode.html#autoload-paths-and-eager-load-paths
2020-08-18 11:02:09 +02:00
Pierre de La Morinerie
527a330c7a config: use Rails 6.0 config defaults
We already flipped the new defaults, so this is a no-op.
2020-08-05 17:22:46 +02:00
Pierre de La Morinerie
bc0244456c config: explicitly use the classic autoloader
I'm sure we can use zeitwerk in the future, but let's retain the classic
loader until the config issues are proved to be safe.
2020-08-05 17:22:46 +02:00
Pierre de La Morinerie
a1be888f7c config: use Rails 5.2 config defaults 2020-08-05 16:48:29 +02:00
Pierre de La Morinerie
0d55919fab config: use Rails 5.1 defaults
New or changed defaults are:

- config.assets.unknown_asset_fallback: false
- config.action_view.form_with_generates_remote_forms: true
2020-08-05 13:02:56 +02:00
clemkeirua
3340a2b091 add the application name early at startup
The application name is used in the views, but also in the initializers and in the config/ directory

According to the Rails doc (https://guides.rubyonrails.org/v6.0/configuring.html#locations-for-initialization-code),
if we want to do some things before the initializers and the environment, the only place to do so is in config/application.rb
2020-07-23 16:16:36 +02:00
Pierre de La Morinerie
b192b48fc7 config: use Rails 5.0 options
Stop overriding Rails 5.0 options, and use the framework defaults.

(Except for `active_record.belongs_to_required_by_default`, which is a
lot of work and will be fixed later.)
2020-07-20 15:54:48 +02:00
clemkeirua
68b37cf6aa config: make default Rails 5 config explicit 2020-07-08 11:00:12 +02:00
Pierre de La Morinerie
e2b8545222 config: fix missing default list of allowed HTML tags
See https://github.com/rails/rails/issues/39586
2020-07-07 18:03:56 +02:00
Paul Chavard
6a24c3f812 Rails app:update 2020-07-07 18:03:56 +02:00
Pierre de La Morinerie
968e470684 config: never cache rails-generated pages
This instructs browsers to never cache content directly generated by the
controllers. This includes HTML pages, JSON responses, PDF files, etc.

This is because some mobile browsers have a behaviour where, although
they will delete the session cookie when the browser shuts down, they
will still serve a cached version of the page on relaunch.

The CSRF token in the HTML is then mismatched with the CSRF token in the
session cookie (because the session cookie has been cleared). This
causes form submissions to fail with an
"ActionController::InvalidAuthenticityToken" exception.

To prevent this, tell browsers to never cache the HTML of a page.
(This doesn't affect asset files, which are still sent with the proper
cache headers).

See https://github.com/rails/rails/issues/21948
2020-04-14 18:29:17 +02:00
Paul Chavard
7478a51846 [GraphQL] use official skylight support 2020-01-28 15:39:37 +01:00
Pierre de La Morinerie
68f5aae99d autosave: add feature test 2019-11-21 14:00:06 +01:00
Paul Chavard
65e227c44b Migrate to flipper 2019-09-10 16:10:14 +02:00
pedong
fc8cebd78d add gem rack_attack to prevent brute-force attacks 2019-08-20 13:29:29 +02:00
Paul Chavard
6cfad01d12 Stop using Flipflop as switch for weekly_overview 2019-07-31 15:15:09 +02:00
Paul Chavard
3cb39c2840 Refactor message attachments to use active_storage 2019-07-10 15:35:29 +02:00
Frederic Merizen
d54a0a4612 Fix link to procedure brouillon in manager 2019-03-04 15:03:30 +01:00
Frederic Merizen
31ca0552ab [#835] Extract avis creation into concern 2018-11-06 15:44:43 +01:00
Frederic Merizen
6a43be4f39 [#835] Extra paths deserve eager loading in production too 2018-11-06 15:44:43 +01:00