Merge branch 'master' of https://github.com/DMPRoadmap/roadmap into r…

…oadmap-main

README.md

@@ -44,6 +44,7 @@ See the [Troubleshooting Guide](https://github.com/DMPRoadmap/roadmap/wiki/Troub
 #### Support
 Issues should be reported here on [Github Issues](https://github.com/DMPRoadmap/roadmap/issues)
 Please be advised though that we can only provide limited support for your local installations.
+Any security patches and bugfixes will be applied to the most recent version, and we will endeavour to support migrations to the current release.
 
 #### Contributing
 If you would like to contribute to the project. Please follow these steps to submit a contribution:

app/controllers/contacts_controller.rb

@@ -5,7 +5,7 @@ class ContactUs::ContactsController < ApplicationController
   def create
     @contact = ContactUs::Contact.new(params[:contact_us_contact])
 
-    unless user_signed_in?
+    if !user_signed_in? && Rails.configuration.x.recaptcha.enabled
       unless verify_recaptcha(model: @contact) && @contact.save
         flash[:alert] = _("Captcha verification failed, please retry.")
         render_new_page and return

app/controllers/orgs_controller.rb

@@ -96,7 +96,10 @@ def admin_update
   # This action is used by installations that have the following config enabled:
   #   Rails.configuration.x.shibboleth.use_filtered_discovery_service
   def shibboleth_ds
-    redirect_to root_path unless current_user.nil?
+    unless current_user.nil?
+      redirect_to root_path
+      return
+    end
 
     @user = User.new
     # Display the custom Shibboleth discovery service page.
@@ -106,12 +109,13 @@ def shibboleth_ds
 
     # Disabling the rubocop check here because it would not be clear what happens
     # if the ``@orgs` array has items ... it renders the shibboleth_ds view
-    # rubocop:disable Style/GuardClause
+    # rubocop:disable Style/GuardClause, Style/RedundantReturn
     if @orgs.empty?
       flash.now[:alert] = _("No organisations are currently registered.")
       redirect_to user_shibboleth_omniauth_authorize_path
+      return
     end
-    # rubocop:enable Style/GuardClause
+    # rubocop:enable Style/GuardClause, Style/RedundantReturn
   end
 
   # This action is used to redirect a user to the Shibboleth IdP

app/controllers/super_admin/themes_controller.rb

@@ -51,7 +51,7 @@ def destroy
         redirect_to super_admin_themes_path, notice: msg
       else
         flash.now[:alert] = failure_message(@theme, _("delete"))
-        redner :edit
+        render :edit
       end
     end
 

app/javascript/src/utils/tinymce.js.erb

@@ -46,7 +46,7 @@ export const defaultOptions = {
   // editorManager.baseURL is not resolved properly for IE since document.currentScript
   // is not supported, see issue https://github.com/tinymce/tinymce/issues/358
   skin_url: '/tinymce/skins/lightgray',
-  content_css: ['<%= helpers.asset_path "/assets/blocks/_tinymce_content.css"  %>'],
+  content_css: ['/tinymce/tinymce.css'],
 };
 /*
   This function is invoked anytime a new editor is initialised (e.g. Tinymce.init())

app/views/contact_us/contacts/_new_left.html.erb

@@ -33,11 +33,11 @@
             rows: 10,
             "aria-required": true) %>
     </div>
-<% if !user_signed_in? then %>
-    <div class="form-group"><!-- FIX first https://github.com/DMPRoadmap/roadmap/issues/501 !-->
+<% if !user_signed_in? && Rails.configuration.x.recaptcha.enabled then %>
+    <div class="form-group">
         <%= label_tag(nil, _('Security check')) %>
         <%= recaptcha_tags %>
     </div>
 <% end %>
     <%= f.button(_('Submit'), class: "btn btn-default", type: "submit") %>
-<% end %>
+<% end %>

config/brakeman.ignore

@@ -7,7 +7,7 @@
       "check_name": "SQL",
       "message": "Possible SQL injection",
       "file": "app/models/user.rb",
-      "line": 391,
+      "line": 396,
       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
       "code": "User.where(\"LOWER(#{field}) = :value\", :value => val.to_s.downcase)",
       "render_path": null,
@@ -43,24 +43,24 @@
     {
       "warning_type": "Redirect",
       "warning_code": 18,
-      "fingerprint": "f234fa0eaf727b823f3730afaad2a8d559e590cbb39468d6d23f6697214ecb43",
+      "fingerprint": "de6833d84a22d2b01c5357657b8109e96310d7d3be6001c2c752e9b596f6b02d",
       "check_name": "Redirect",
       "message": "Possible unprotected redirect",
       "file": "app/controllers/orgs_controller.rb",
-      "line": 126,
+      "line": 131,
       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
-      "code": "redirect_to(\"#{shib_login_url}?#{shib_callback_url}&#{\"entityID=#{Identifier.by_scheme_name(\"shibboleth\", \"Org\").where(:identifiable => Org.where(:id => shib_params[\"shib-ds\"][:org_id])).first.value}\"}\")",
+      "code": "redirect_to(\"#{shib_login_url}?#{shib_callback_url}&#{\"entityID=#{Identifier.by_scheme_name(\"shibboleth\", \"Org\").where(:identifiable => Org.where(:id => shib_params[:org_id])).first.value}\"}\")",
       "render_path": null,
       "location": {
         "type": "method",
         "class": "OrgsController",
         "method": "shibboleth_ds_passthru"
       },
-      "user_input": "Identifier.by_scheme_name(\"shibboleth\", \"Org\").where(:identifiable => Org.where(:id => shib_params[\"shib-ds\"][:org_id])).first.value",
+      "user_input": "Identifier.by_scheme_name(\"shibboleth\", \"Org\").where(:identifiable => Org.where(:id => shib_params[:org_id])).first.value",
       "confidence": "High",
       "note": ""
     }
   ],
-  "updated": "2020-10-16 15:41:55 +0000",
-  "brakeman_version": "4.8.2"
+  "updated": "2020-12-17 10:14:39 -0800",
+  "brakeman_version": "4.10.0"
 }