Merge v7.3.1

CHANGELOG.md

@@ -20,6 +20,44 @@ This file follows the best practices from [keepachangelog.com](http://keepachang
 
 ### Security
 
+## [7.3.1] - 2018-06-07
+
+### Added
+
+- Add soundcloud link support in custom landing page footer [#3300](https://github.com/sharetribe/sharetribe/pull/3300)
+- Add checkbox for consent for receiving emails from admins to signup process [#3318](https://github.com/sharetribe/sharetribe/pull/3318)
+- Add popup notification when giving admin rights to a new user [#3329](https://github.com/sharetribe/sharetribe/pull/3329)
+- Add link to privacy policy in the signup page [#3328](https://github.com/sharetribe/sharetribe/pull/3328)
+- Allow admins to disable end-user Analytics [#3319](https://github.com/sharetribe/sharetribe/pull/3319)
+- Allow links in custom listing text fields [#3297](https://github.com/sharetribe/sharetribe/pull/3297)
+- Add View reviews section in the admin panel [#3267](https://github.com/sharetribe/sharetribe/pull/3267)
+- Add possibility to export transaction as CSV file [#3245](https://github.com/sharetribe/sharetribe/pull/3245)
+
+
+### Changed
+
+- Improve user deletion to clear personal data more thoroughly [#3325](https://github.com/sharetribe/sharetribe/pull/3325)
+- Delete automatically transactions that fail with Stripe [#3326](https://github.com/sharetribe/sharetribe/pull/3326)
+- Prevent an admin from deleting their account if they are the only admin in the marketplace[#3320](https://github.com/sharetribe/sharetribe/pull/3320)
+- Split first name and last name from Stripe account connection form [#3317](https://github.com/sharetribe/sharetribe/pull/3317)
+
+### Removed
+
+- Remove feature flag for export transactions feature [#3288](https://github.com/sharetribe/sharetribe/pull/3288)
+
+### Fixed
+
+- Fix Dockerfile issue where bundler was trying to install binaries in root-owner directory [#3321](https://github.com/sharetribe/sharetribe/pull/3321). Thanks, Nick Meiremans.
+- Fix Stripe payout scheduler [#3309](https://github.com/sharetribe/sharetribe/pull/3309)
+- Fix last 4 digits of SSN passing to Stripe for US bank accounts [#3282](https://github.com/sharetribe/sharetribe/pull/3283)
+
+### Security
+
+- [Critical] Fix several parameter validation bugs that opened the app to SQL injection
+- Update sinatra dependency [#3344](https://github.com/sharetribe/sharetribe/pull/3344)
+- Update multiple dependencies
+- Present form auto-complete for Stripe secret keys [#3338](https://github.com/sharetribe/sharetribe/pull/3338)
+
 ## [7.3.0] - 2018-02-23
 
 ### Added
@@ -486,7 +524,9 @@ This file follows the best practices from [keepachangelog.com](http://keepachang
 
 For older releases, see [RELEASE_NOTES.md](https://github.com/sharetribe/sharetribe/blob/v5.0.0/RELEASE_NOTES.md).
 
-[Unreleased]: https://github.com/sharetribe/sharetribe/compare/v7.2.0...HEAD
+[Unreleased]: https://github.com/sharetribe/sharetribe/compare/v7.3.1...HEAD
+[7.3.1]: https://github.com/sharetribe/sharetribe/compare/v7.3.0...v7.3.1
+[7.3.0]: https://github.com/sharetribe/sharetribe/compare/v7.2.0...v7.3.0
 [7.2.0]: https://github.com/sharetribe/sharetribe/compare/v7.1.0...v7.2.0
 [7.1.0]: https://github.com/sharetribe/sharetribe/compare/v7.0.0...v7.1.0
 [7.0.0]: https://github.com/sharetribe/sharetribe/compare/v6.4.0...v7.1.0

Dockerfile

@@ -47,6 +47,7 @@ RUN curl -SLO "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-
 RUN apt-get install -y nginx
 
 # Install latest bundler
+ENV BUNDLE_BIN=
 RUN gem install bundler
 
 # Run as non-privileged user

Gemfile

@@ -24,7 +24,7 @@ gem 'sass', '~> 3.4.24'
 gem 'rack-attack', '~> 5.0.1'
 gem 'rest-client', '~> 2.0.2'
 
-gem 'paperclip', '~> 5.1.0'
+gem 'paperclip', '~> 5.2.1'
 gem 'delayed_paperclip', '~> 3.0.1'
 
 gem 'aws-sdk', '~> 2.9.25'

Gemfile.lock

@@ -174,6 +174,7 @@ GEM
       unicode_utils (~> 1.4)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
+    crass (1.0.4)
     css_parser (1.5.0)
       addressable
     cucumber (2.4.0)
@@ -293,7 +294,8 @@ GEM
       actionpack (>= 4, < 5.2)
       activesupport (>= 4, < 5.2)
       railties (>= 4, < 5.2)
-    loofah (2.0.3)
+    loofah (2.2.2)
+      crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     lumberjack (1.0.12)
     mail (2.6.6.rc1)
@@ -329,7 +331,7 @@ GEM
     multi_test (0.1.2)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
-    mustermann (1.0.1)
+    mustermann (1.0.2)
     mysql2 (0.4.6)
     nenv (0.3.0)
     net-scp (1.2.1)
@@ -338,7 +340,7 @@ GEM
     netrc (0.11.0)
     newrelic_rpm (4.2.0.334)
     nio4r (2.1.0)
-    nokogiri (1.8.1)
+    nokogiri (1.8.2)
       mini_portile2 (~> 2.3.0)
     notiffany (0.1.1)
       nenv (~> 0.1)
@@ -359,7 +361,7 @@ GEM
       oauth2 (~> 1.0)
       omniauth (~> 1.2)
     orm_adapter (0.5.0)
-    paperclip (5.1.0)
+    paperclip (5.2.1)
       activemodel (>= 4.2.0)
       activesupport (>= 4.2.0)
       cocaine (~> 0.5.5)
@@ -396,12 +398,12 @@ GEM
     pusher-client (0.6.2)
       json
       websocket (~> 1.0)
-    rack (2.0.3)
+    rack (2.0.5)
     rack-attack (5.0.1)
       rack
     rack-contrib (1.2.0)
       rack (>= 0.9.1)
-    rack-protection (2.0.0)
+    rack-protection (2.0.2)
       rack
     rack-test (0.6.3)
       rack (>= 1.0)
@@ -424,8 +426,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
     rails-i18n (5.0.4)
       i18n (~> 0.7)
       railties (~> 5.0)
@@ -519,10 +521,10 @@ GEM
       connection_pool (~> 2.2, >= 2.2.0)
       rack-protection (>= 1.5.0)
       redis (~> 3.3, >= 3.3.3)
-    sinatra (2.0.0)
+    sinatra (2.0.2)
       mustermann (~> 1.0)
       rack (~> 2.0)
-      rack-protection (= 2.0.0)
+      rack-protection (= 2.0.2)
       tilt (~> 2.0)
     sitemap_generator (5.3.1)
       builder (~> 3.0)
@@ -558,7 +560,7 @@ GEM
       thinking-sphinx (~> 3.3, >= 3.3.0)
     thor (0.19.4)
     thread_safe (0.3.6)
-    tilt (2.0.7)
+    tilt (2.0.8)
     timecop (0.8.1)
     transit-ruby (0.8.599)
       addressable (~> 2.3.6)
@@ -674,7 +676,7 @@ DEPENDENCIES
   newrelic_rpm (~> 4.2.0.334)
   oauth2 (~> 1.3.1)
   omniauth-facebook (~> 4.0.0)
-  paperclip (~> 5.1.0)
+  paperclip (~> 5.2.1)
   passenger (~> 5.1.4)
   paypal-sdk-merchant (~> 1.116.0)
   paypal-sdk-permissions (~> 1.96.4)
@@ -726,4 +728,4 @@ RUBY VERSION
    ruby 2.3.4p301
 
 BUNDLED WITH
-   1.15.4
+   1.16.1

README.md

@@ -6,6 +6,12 @@ Sharetribe is an open source platform to create your own peer-to-peer marketplac
 
 Would you like to set up your marketplace in one minute without touching code? [Head to Sharetribe.com](https://www.sharetribe.com).
 
+*****
+
+Would you like to contribute to the development of Sharetribe? Our equity crowdfunding campaign is now open for people around the world! Check out [our campaign page](https://www.invesdor.com/en/pitches/903) for more info.
+
+*****
+
 ### Contents
 
 - [Technology stack](#technology-stack)

UPGRADE.md

@@ -6,14 +6,21 @@ Upgrade notes will be documented in this file.
 
 First things first, take a backup of your database before updating.
 
-When updating, always run the following commands to update gem set, database structure and recompile custom stylesheet:
+To fetch the latest code, run:
+
+```bash
+git fetch --tags
+git checkout latest
+```
+
+After updating the code, run the following commands to update gem set, npm packages and database structure:
 
 ```bash
 bundle install
 npm install
 RAILS_ENV=production rake db:migrate
 
-# if running on local instance (localhost), you need to precompile assets using once update is done:
+# If you're running on local instance (localhost), you also need to precompile assets:
 rake assets:precompile
 ```
 
@@ -33,6 +40,10 @@ See instructions how to set application in [maintenance mode in Heroku](https://
 
 ## Unreleased
 
+## Upgrade from 7.3.0 to 7.3.1
+
+Nothing special. See the [#general-update-instructions].
+
 ## Upgrade from 7.2.0 to 7.3.0
 
 Nothing special. See the [#general-update-instructions].

VERSION

@@ -1 +1 @@
-7.3.0
+7.3.1

app/assets/javascripts/admin/manage_members.js

@@ -4,30 +4,17 @@ window.ST = window.ST || {};
   Maganage members in admin UI
 */
 window.ST.initializeManageMembers = function() {
-  function elementToValueObject(element) {
-    var r = {};
-    r[$(element).val()] = $(element).prop("checked");
-    return r;
-  }
-
-  function createCheckboxAjaxRequest(selector, url, allowedKey, disallowedKey) {
-    var streams = $(selector).toArray().map(function(domElement) {
-      return $(domElement).asEventStream("change").map(function(event){
-        return elementToValueObject(event.target);
-      }).toProperty(elementToValueObject(domElement));
-    });
+  var DELAY = 800;
 
-    var ajaxRequest = Bacon.combineAsArray(streams).changes().debounce(800).skipDuplicates(_.isEqual).map(function(valueObjects) {
+  function createCheckboxAjaxRequest(streams, url, allowedKey, disallowedKey) {
+    var ajaxRequest = Bacon.combineAsArray(streams).changes().debounce(DELAY).skipDuplicates(_.isEqual).map(function(valueObjects) {
       function isValueTrue(valueObject) {
-        return _.values(valueObject)[0];
+        return valueObject.checked;
       }
 
-      var allowed = _.filter(valueObjects, isValueTrue);
-      var disallowed = _.reject(valueObjects, isValueTrue);
-
       var data = {};
-      data[allowedKey] = _.keys(ST.utils.objectsMerge(allowed));
-      data[disallowedKey] = _.keys(ST.utils.objectsMerge(disallowed));
+      data[allowedKey] = _.filter(valueObjects, isValueTrue).map(function(input){ return input.value; });
+      data[disallowedKey] = _.reject(valueObjects, isValueTrue).map(function(input){ return input.value; });
 
       return {
         type: "POST",
@@ -39,37 +26,95 @@ window.ST.initializeManageMembers = function() {
     return ajaxRequest;
   }
 
-  var postingAllowed = createCheckboxAjaxRequest(".admin-members-can-post-listings", "posting_allowed", "allowed_to_post", "disallowed_to_post");
-  var isAdmin = createCheckboxAjaxRequest(".admin-members-is-admin", "promote_admin", "add_admin", "remove_admin");
-
-  var ajaxRequest = postingAllowed.merge(isAdmin);
-  var ajaxResponse = ajaxRequest.ajax().endOnError();
-
-  var ajaxStatus = window.ST.ajaxStatusIndicator(ajaxRequest, ajaxResponse);
-
-  ajaxStatus.loading.onValue(function() {
+  var showUpdateNotification = function() {
     $(".ajax-update-notification").show();
     $("#admin-members-saving-posting-allowed").show();
     $("#admin-members-error-posting-allowed").hide();
     $("#admin-members-saved-posting-allowed").hide();
-  });
+  };
 
-  ajaxStatus.success.onValue(function() {
+  var showUpdateSuccess = function() {
     $("#admin-members-saving-posting-allowed").hide();
     $("#admin-members-saved-posting-allowed").show();
-  });
+  };
 
-  ajaxStatus.error.onValue(function() {
+  var showUpdateError = function() {
     $("#admin-members-saving-posting-allowed").hide();
     $("#admin-members-error-posting-allowed").show();
-  });
+  };
 
-  ajaxStatus.idle.onValue(function() {
+  var showUpdateIdle = function() {
     $(".ajax-update-notification").fadeOut();
-  });
+  };
+
+  var initBanToggle = function () {
+    $(document).on("click", ".admin-members-ban-toggle", function(){
+      var banned = this.checked;
+      var row = $(this).parent().parent()[0];
+      var confirmation, url;
+      if(banned) {
+        confirmation = ST.t('admin.communities.manage_members.ban_user_confirmation');
+        url = $(this).data("ban-url");
+      } else {
+        confirmation = ST.t('admin.communities.manage_members.unban_user_confirmation');
+        url = $(this).data("unban-url");
+      }
+      if(confirm(confirmation)) {
+        showUpdateNotification();
+        $.ajax({
+          type: "PUT",
+          url: url,
+          dataType: "JSON",
+          success: function(resp) {
+            row.className = "member-"+resp.status;
+            showUpdateSuccess();
+          },
+          error: showUpdateError,
+          complete: _.debounce(showUpdateIdle, DELAY)
+        });
+      } else {
+        this.checked = !banned;
+      }
+    });
+  };
+
+  var adminStreams = $(".admin-members-is-admin").asEventStream('change')
+    .map(function (ev) {
+      return ev.target;
+    })
+    .filter(function (target) {
+      if (target.checked) {
+        if (confirm(ST.t('admin.communities.manage_members.this_makes_the_user_an_admin'))) {
+          return true;
+        }
+        target.checked = !target.checked;
+        return false;
+      }
+      return true;
+    });
+
+  var postingAllowedStreams = $(".admin-members-can-post-listings").asEventStream('change')
+    .map(function (ev) {
+      return ev.target;
+    });
+
+  var postingAllowed = createCheckboxAjaxRequest(postingAllowedStreams, "posting_allowed", "allowed_to_post", "disallowed_to_post");
+  var isAdmin = createCheckboxAjaxRequest(adminStreams, "promote_admin", "add_admin", "remove_admin");
+
+  var ajaxRequest = postingAllowed.merge(isAdmin);
+  var ajaxResponse = ajaxRequest.ajax().endOnError();
+
+  var ajaxStatus = window.ST.ajaxStatusIndicator(ajaxRequest, ajaxResponse);
+
+  ajaxStatus.loading.onValue(showUpdateNotification);
+  ajaxStatus.success.onValue(showUpdateSuccess);
+  ajaxStatus.error.onValue(showUpdateError);
+  ajaxStatus.idle.onValue(showUpdateIdle);
 
   // Attach analytics click handler for CSV export
   $(".js-users-csv-export").click(function(){
     window.ST.analytics.logEvent('admin', 'export', 'users');
   });
+
+  initBanToggle();
 };