Security fixes

This release addresses one security issue:

• CVE-2024-32034

The details regarding the security vulnerability will be published on September 16th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1.1. Update your ruby version

If you're using rbenv, this is done with the following commands:

rbenv install 3.2.2
rbenv local 3.2.2

You may need to change your .ruby-version file too.

If not, you need to adapt it to your environment. See "2.1. Ruby update to 3.2"

1.2. Update your Gemfile

gem "decidim", "0.29.0.rc1"
gem "decidim-dev", "0.29.0.rc1"

1.3. Run these commands

rm config/initializers/carrierwave.rb # see "3.1. CarrierWave removal"
rm babel.config.json # see "3.3. esbuild migration"
wget https://raw.githubusercontent.com/decidim/decidim/develop/decidim-core/lib/decidim/webpacker/webpack/custom.js -O config/webpack/custom.js # see "3.3. esbuild migration"
rm Gemfile.lock package-lock.json
bundle install
bin/rails decidim:upgrade
bin/rails db:migrate

1.4. Follow the steps and commands detailed in these notes

2. General notes

2.1. Ruby update to 3.2

We have updated the Ruby version to 3.2.2. Upgrading to this version will require either to install this Ruby version on your host, or change the decidim docker image to use ruby:3.2.2.

You can read more about this change on PR #12199.

2.2. Rails update to 7.0

We have updated the Rails version to 7.0.8.1. You do not need to do anything.

You can read more about this change on PR #12616.

2.3. Removal of the accountability naming customization

We have removed the ability to customize the labels from the Accountability component, as it was not following the recommended way of handling these text customizations. If you want to migrate your current customizations, you can read about Text customizations in Decidim Documentation

You can read more about this change on PR #12853.

2.4 Removal of useless fields

We are removing some useless fields that are leftovers from the Redesign.

For the moment we are leaving the information in your database in case that you want to save it, but in v0.30 these fields we'll be fully removed.

• participatory process table: banner_image. You can read more about this change on PR #13119.
• assemblies table: show_statistics. You can read more about this change on PR #13123.
• participatory process table: show_statistics. You can read more about this change on PR #13123.
• participatory process table: show_metrics. You can read more about this change on PR #13123.

3. One time actions

These are one time actions that need to be done after the code is updated in the production database.

3.1. CarrierWave removal

Back in Decidim 0.25 we have added ActiveStorage (via #7902) as main uploader instead of CarrierWave.

We've left some code to ease-up with the migration process during these last versions.

In your application, you need to remove the initializer:

rm config/initializers/carrierwave.rb

You can read more about this change on PR #12200.

3.2. Verifications documents configurations

Until now we have hard-coded the document types for verifications with types from Spain legislation ("DNI, NIE and passport"). We have change it to "Identification number and passport", and allow installations to adapt them to their own needs.

If you want to go back to the old setting, you need to follow these steps:

3.2.1. Add to your config/secrets.yml the decidim.verifications.document_types key

decidim_default: &decidim_default
  application_name: <%%= Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_json %>
  (...)
  verifications:
    document_types: <%%= Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", %w(identification_number passport)).to_array %>

3.2.2. Add to your config/initializers/decidim.rb the following snippet in the bottom of the file

if Decidim.module_installed? :verifications
  Decidim::Verifications.configure do |config|
    config.document_types = Rails.application.secrets.dig(:verifications, :document_types).presence || %w(identification_number passport)
  end
end

3.2.3. Add the values that you want to define using the environment variable VERIFICATIONS_DOCUMENT_TYPES

VERIFICATIONS_DOCUMENT_TYPES="dni,nie,passport"

3.2.4. Add the translation of these values to your i18n files (i.e. config/locales/en.yml)

en:
  decidim:
    verifications:
        id_documents:
          dni: DNI
          nie: NIE
          passport: Passport

You can read more about this change on PR #12306

3.3. esbuild migration

In order to speed up the asset compilation, we have migrated from babel to esbuild.

There are some small changes that needs to be performed in your application code.

• Remove babel.config.js
• Replace config/webpack/custom.js with the new version.

wget https://raw.githubusercontent.com/decidim/decidim/develop/decidim-core/lib/decidim/webpacker/webpack/custom.js -O config/webpack/custom.js

In case you have modifications in your application's webpack configuration, adapt it by checking out the diff of the changes.

You can read more about this change on PR #12238.

3.4. Allow removal of orphan categories

A bug was identified that prevented the deletion of categories lacking associated resources. This action is a one-time task that must be performed directly in the production database.

bin/rails decidim:upgrade:fix_orphan_categorizations

You can read more about this change on PR #12143.

3.5. Improved CSS overrides

We have improved the CSS overriding mechanism. This is what allows you to change the CSS of decidim in your application in a more granular way.

Previously, you could do this by adding CSS rules in the app/packs/stylesheets/decidim/decidim_application.scss file. This file remains in place but is loaded as the last file in the application, so it will take precedence over all the CSS rules from the Decidim modules.

Additionally, if you need, you can also customize the admin and system interfaces by creating in your application the following files:

• app/packs/stylesheets/decidim/admin/decidim_application.scss for admin interface
• app/packs/stylesheets/decidim/system/decidim_application.scss for system interface

You can read more about this change on PR #12646.

3.6. Update to Footer Topic and Pages functionality

We have changed the behavior of the footer pages and topics links:

• Removed the "show in the footer" checkbox for pages.
• Removed duplicate "Terms of Service" link.
• Always show the link to the "Terms of Service" page.
• Only show links in footer to topics.

You can read more about this change on PR #12592.

4. Scheduled tasks

None

5. Changes in APIs

5.1 Migration of Proposal states in own table

As of #12052 all the proposals states are kept in a separate database table, enabling end users to customize the states of the proposals. By default we will create for any proposal component that is being installed in the project 5 default states that cannot be disabled nor deleted. These states are:

• Not Answered ( default state for any new created proposal )
• Evaluating
• Accepted
• Rejected
• Withdrawn ( special states for proposals that have been withdrawn by the author )

For any of the above states you can customize the name, description, css class used by labels. You can also decide which states the user can receive a notification or an answer.

You do not need to run any task to migrate the existing states, as we will automatically migrate the existing states to the new table.

You can see more details about this change on PR #12052

5.2. Seeds require assets precompiling

In order to successfully showcase the features of the application, we have added as a mandatory step the assets precompiling, as the seeds will now fire the notification system. That allows any Decidim demo instance to display user notifications.

if you previously seeded your database using:

bin/rails db:drop db:create db:migrate db:seed

You are required to run using:

bin/rails db:drop db:create db:migrate assets:precompile db:seed

You can see more details about this change on PR #12828

5.3. Verifications need a help text

In order to explain better to administrat...

Security fixes

This release addresses one security issue:

• CVE-2024-32034

The details regarding the security vulnerability will be published on September 16th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1.1. Update your Gemfile

gem "decidim", "0.28.2"
gem "decidim-dev", "0.28.2"

1.2. Run commands

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

Detailed changes

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-dev: Backport 'Fix lighthouse URLs' to v0.28 #12835
• decidim-proposals: Backport 'Fix proposal comparison step' to v0.28 #12831
• decidim-core: Backport 'Add the rel="nofollow noopener noreferrer" attribute to external links' to v0.28 #12832
• decidim-conferences: Backport 'Fix broken conference registering when no registration types' to v0.28 #12833
• decidim-core: Backport 'Fix flaky specs when organization name has an apostrophe' to v0.28 #12836
• decidim-admin, decidim-comments, decidim-core, decidim-participatory processes: Backport 'Fix some accessibility issues with comments' to v0.28 #12834
• decidim-meetings: Backport 'Fix organization multitenant issue with meeting's reminders' to v0.28 #12838
• decidim-admin, decidim-core, decidim-system: Backport 'Add organization or application name in emails' From header' to v0.28 #12860
• decidim-system: Backport 'Fix 500 error when creating or updating an organization without a secret key' to v0.28 #12862
• decidim-core: Backport 'Fix exceptions there isn't an organization with a host' to v0.28 #12861
• decidim-core: Backport 'Fix layout in Safari when there are few elements in the page' to v0.28 #12854
• decidim-admin: Backport 'Order users by term similarity within admin dashboard selectors' to v0.28 #12856
• decidim-conferences: Backport 'Remove sidebar when conference has no components' to v0.28 #12863
• decidim-accountability, decidim-admin, decidim-budgets, decidim-comments, decidim-core, decidim-design, decidim-forms, decidim-meetings, decidim-participatory processes, decidim-proposals: Backport 'Fix several HTML validation issues in redesign' to v0.28 #12859
• decidim-admin: Backport 'Fix admin language selector' to v0.28 #12855
• decidim-core: Backport 'Use values from secrets to set default max attachment and avatar size' to v0.28 #12906
• decidim-budgets: Backport 'Fix strings for ordering when listing budgets' to v0.28 #12928
• decidim-accountability, decidim-admin, decidim-conferences, decidim-core: Backport 'Prevent showing the dropdown menu when changing orientation of mobile devices' to v0.28 #12929
• decidim-accountability, decidim-comments, decidim-core, decidim-dev, decidim-proposals: Backport 'Hide moderated content from notifications' to v0.28 #12926
• decidim-system: Backport 'Fix admin name errors during organization creation' to v0.28 #12946
• decidim-comments: Backport 'Fix flaky spec on comments seeds' to v0.28 #12944
• decidim-conferences: Backport 'Fix flaky spec on long registration type titles' to v0.28 #12943
• decidim-meetings: Backport 'Fix invalid dates on meetings' seeds' to v0.28 #12942
• decidim-conferences: Backport 'Remove unecessary accordion in Conferences' program' to v0.28 #12941
• decidim-debates, decidim-meetings, decidim-proposals: Backport 'Fix exception when going to debates new URL directly as non-logged user ' to v0.28 #12937
• decidim-admin: Backport 'Fix flaky related to Decidim.available_locales' to v0.28 #12962
• decidim-admin: Backport 'Fix flaky spec when pasting a link in the WYSIWYG editor' to v0.28 #12963
• decidim-core, decidim-system: Backport 'Do not update SMTP or omniauth attributes if no values are specified' to v0.28 #12949
• decidim-dev: Backport 'Fix incomplete regexp in webmock configuration' to v0.28 #12947
• decidim-assemblies, decidim-conferences, decidim-participatory processes: Backport 'Fix flaky specs with last job matcher with concurreny' to v0.28 #12945
• decidim-core: Backport 'Fix external URL with a fragment' to v0.28 #12940
• decidim-admin, decidim-initiatives: Backport 'Fix i18n string misplacement in decidim-initiatives' to v0.28 #12938
• decidim-assemblies, decidim-conferences, decidim-participatory processes: Backport 'Fix valuators access to the admin participatory space' to v0.28 #12969
• decidim-proposals: Backport 'Hide support instruction messages once support collection is finished' to v0.28 #12967
• decidim-comments, decidim-core: Backport 'Fix flaky specs in comment search' to v0.28 #12968
• decidim-admin: Backport 'Fix flaky spec on organization form (comment max length)' to v0.28 #12989
• decidim-proposals: Backport 'Add proposal author when exporting proposals' to v0.28 #12939
• decidim-proposals: Backport 'Fix proposal bulk actions buttons display' to v0.28 #12991
• decidim-proposals: Backport 'Fix stying in participatory texts' to v0.28 #12990
• decidim-core, decidim-proposals: Backport 'Do not display an error when filling a form' to v0.28 #12966
• decidim-proposals: Backport 'Change default proposal sorting word to automatic' to v0.28 #13020
• decidim-admin, decidim-verifications: Backport 'Fix enable authorizations listing in admin panel' to v0.28 #13021
• Bump tailwindcss from 3.3.2 to 3.4.1 #13031
• decidim-admin, decidim-dev: Backport 'Enable admin's system tests' to v0.28 #13080
• decidim-proposals: Backport 'Fix hard dependency on meetings for decidim-proposals' to v0.28 #13071
• decidim-meetings: Backport 'Do not allow registering to a meeting if it started' to v0.28 #13019
• decidim-assemblies, decidim-core, decidim-participatory processes: Backport 'Fix participatory process groups a11y errors' to v0.28 #13073
• decidim-core: Backport 'Consider that the meetings module might not be installed' to v0.28 #13072
• decidim-core: Backport 'Remove dependency on decidim-system from decidim-core' to v0.28 #13070
• decidim-initiatives: Backport 'Do not show unecessary actions in the initiative page' to v0.28 #13092
• decidim-core: Backport 'Change background color for PWA from primary to white' to v0.28 #13090
• decidim-initiatives: Backport 'Fix escaping in initiatives type description HTML' to v0.28 #13093
• decidim-accountability, decidim-blogs, decidim-budgets, decidim-comments, decidim-core, decidim-debates, decidim-dev, decidim-meetings, decidim-proposals: Backport 'Fix showing announcement when comments are disabled ' to v0.28 #13089
• decidim-core: Backport 'Fix endorsement seeds with low amount of users' to v0.28 #13095
• **decidim-accoun...

Security fixes

This release addresses several security issues:

• CVE-2024-39910
• CVE-2024-32034

The details regarding the security vulnerabilities will be published on September 16th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.27.7"
gem "decidim-dev", "0.27.7"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Verifications documents configurations

Until now we have hard-coded the document types for verifications with types from Spain legislation ("DNI, NIE and passport"). We have change it to "Identification number and passport", and allow installations to adapt them to their own needs.

If you want to go back to the old setting, you need to follow these steps:

Add to your config/secrets.yml the decidim.verifications.document_types key

decidim_default: &decidim_default
  application_name: <%%= Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_json %>
  (...)
  verifications:
    document_types: <%%= Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", %w(identification_number passport)).to_array %>

Add to your config/initializers/decidim.rb the following snippet in the bottom of the file

if Decidim.module_installed? :verifications
  Decidim::Verifications.configure do |config|
    config.document_types = Rails.application.secrets.dig(:verifications, :document_types).presence || %w(identification_number passport)
  end
end

Add the values that you want to define using the environmnet variable VERIFICATIONS_DOCUMENT_TYPES

VERIFICATIONS_DOCUMENT_TYPES="dni,nie,passport"

Add the translation of these values to your i18n files (i.e. config/locales/en.yml)

en:
  decidim:
    verifications:
        id_documents:
          dni: DNI
          nie: NIE
          passport: Passport

You can read more about this change on PR #12306

Allow removal of orphan categories

A bug was identified that prevented the deletion of categories lacking associated resources. This action is a one-time task that must be performed directly in the production database.

bin/rails decidim:upgrade:fix_orphan_categorizations

You can read more about this change on PR #12143.

Detailed changes

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-participatory processes: Fix using CTA image on promoted process group #12202
• decidim-proposals: Backport 'Add answered_at field in proposals' export' to v0.27 #12297
• Backport 'Use git instead of filesystem for releases files' to v0.27 #12303
• Backport 'Lock Ruby to Decidim supported version' to v0.27 #12299
• decidim-admin: Backport 'Fix favicons in admin panel' to v0.27 #12315
• decidim-budgets: Backport 'Change the selected column in budgets' projects' to v0.27 #12296
• decidim-admin: Backport 'Add admin permissions for conflicts and logs controllers' to v0.27 #12300
• decidim-core: Backport 'Allow passing a blob object to AssetRouter::Storage' to v0.27 #12304
• Backport 'Fix webpack generation on cells specs' to v0.27 #12335
• decidim-proposals: Backport 'Protect participatory text buttons under authorization' to v0.27 #12353
• decidim-meetings: Do not display dates for upcoming moderated meetings #12295
• decidim-proposals: Add participatory text missing attribute #12330
• decidim-core: Backport 'Properly handle the category name in tags cell' to v0.27 #12298
• Pinning chrome version to v119 #12420
• Backport 'Fix Proposals bulk action form' to v0.27 #12444
• decidim-elections: Backport 'Fix voting data migration for AddFollowableCounterCacheToVotings' to v0.27 #12443
• Backport 'Fix authorization handler in OmniauthRegistrations' to v0.27 #12445
• Backport 'Generate component Gemfile template when releasing' to v0.27 #12450
• decidim-budgets: Backport 'Pass the budget context to the admin new and edit actions for projects' to v0.27 #12448
• decidim-admin, decidim-system: Backport 'Fix exception when presenting oauth application in admin log' to v0.27 #12447
• Backport 'Bump stringio and carrierwave' to v0.27 #12449
• decidim-verifications: Backport 'Allow apps to configure the document types in the verifications module' to v0.27 #12451
• decidim-dev: Backport 'Disable shm usage in Capybara' to v0.27 #12506
• decidim-admin: Backport 'Fix deleted and blocked users display from impersonations participant list' to v0.27 #12505
• Backport 'Fix decidim-core and decidim-api dependency tree' to v0.27 #12512
• decidim-api: Backport 'Add note about the unescaped contents of the GraphQL API' to v0.27 #12510
• decidim-core: Backport 'Refactor of events specs' to v0.27 #12507
• decidim-core: Backport 'Refactor of events specs (part 2)' to v0.27 #12508
• decidim-core: Backport 'Implement push notifications for conversations' messages' to v0.27 #12511
• Backport 'Standardize the way resources are being listed ...' to v0.27 #12533
• Backport 'Fix decidim-templates usage' to v0.27 #12600
• decidim-admin: Backport 'Fix images URL in newsletters' to v0.27 #12612
• Fix embeds for resources and spaces that shouldn't be embedded #12528
• decidim-comments: Backport 'Restrict comments replies tree including polymorphism' to v0.27 #12305
• Backport 'Patch participatory spaces factories' to v0.27 #12647
• Backport 'Patch events on the new format' to v0.27 #12648
• Backport 'Patch components and spaces factories' to v0.27 #12547
• decidim-core: Backport 'Fix user profile current tab' to v0.27 #12729
• Backport 'Add description for the decidim:reminders:all task' to v0.27 #12733
• Backport 'Add matrix for Decidim/Ruby/Node versions in manual guide' to v0.27 #12759
• decidim-admin, decidim-core, decidim-generators: Backport 'Fix bug in welcome notifications when the organization has weird characters' to v0.27 #12784
• decidim-comments: Backport 'Add votes count to comment caches' to v0.27 #12782
• decidim-budgets: Backport 'Fix DOM text reinterpreted as HTML in budgets' exit handler' to v0.27 #12769
• decidim-initiatives: Backport 'Fix potential unsafe external link in initiatives' to v0.27 #12780
• decidim-api: Backport 'Fix graphiql initial query escaping' to v0.27 #12779
• decidim-core: Backport 'Fix clear-text storage of sensitive information in omniauth registration' to v0.27 #12773
• decidim-accountability: Backport 'Remove ComponentInterface from the ResultType in the API' to v0.27 #12774
• decidim-core: Backport 'Fix flaky spec on join user group command spec' to v0.27 #12776
• decidim-core: Backport 'Fix flaky spec on endorsements controller' to v0.27 #12777
• decidim-core: Backport 'Fix overly permissive regular expression range in "has reference...

Release Notes

Security fixes

This release addresses several security issues:

• CVE-2024-27095
• CVE-2024-32469

The details regarding the security vulnerabilities will be published on June 30th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

1. Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.28.1"
gem "decidim-dev", "0.28.1"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

2. General notes

None

3. One time actions

3.1. Verifications documents configurations

Until now we have hard-coded the document types for verifications with types from Spain legislation ("DNI, NIE and passport"). We have change it to "Identification number and passport", and allow installations to adapt them to their own needs.

If you want to go back to the old setting, you need to follow these steps:

3.1.1. Add to your config/secrets.yml the decidim.verifications.document_types key

decidim_default: &decidim_default
  application_name: <%%= Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_json %>
  (...)
  verifications:
    document_types: <%%= Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", %w(identification_number passport)).to_array %>

3.1.2. Add to your config/initializers/decidim.rb the following snippet in the bottom of the file

if Decidim.module_installed? :verifications
  Decidim::Verifications.configure do |config|
    config.document_types = Rails.application.secrets.dig(:verifications, :document_types).presence || %w(identification_number passport)
  end
end

3.1.3. Add the values that you want to define using the environmnet variable VERIFICATIONS_DOCUMENT_TYPES

VERIFICATIONS_DOCUMENT_TYPES="dni,nie,passport"

3.1.4. Add the translation of these values to your i18n files (i.e. config/locales/en.yml)

en:
  decidim:
    verifications:
        id_documents:
          dni: DNI
          nie: NIE
          passport: Passport

You can read more about this change on PR #12306

3.2. Allow removal of orphan categories

A bug was identified that prevented the deletion of categories lacking associated resources. This action is a one-time task that must be performed directly in the production database.

bin/rails decidim:upgrade:fix_orphan_categorizations

You can read more about this change on PR #12143.

3.3. Improved CSS overrides

We have improved the CSS overriding mechanism. This is what allows you to change the CSS of decidim in your application in a more granular way.

Previously, you could do this by adding CSS rules in the app/packs/stylesheets/decidim/decidim_application.scss file. This file remains in place but is loaded as the last file in the application, so it will take precedence over all the CSS rules from the Decidim modules.

Additionally, if you need, you can also customize the admin and system interfaces by creating in your application the following files:

• app/packs/stylesheets/decidim/admin/decidim_application.scss for admin interface
• app/packs/stylesheets/decidim/system/decidim_application.scss for system interface

You can read more about this change on PR #12646.

4. Scheduled tasks

None

5. Changes in APIs

None

Changelog

0.28.1

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-budgets: Backport 'Resolve icon usage in projects' to v0.28 #12260
• decidim-accountability: Backport 'Register forgotten icon in Accountability' to v0.28 #12259
• decidim-proposals: Backport 'Add answered_at field in proposals' export' to v0.28 #12266
• Backport 'Update manual installation doc to v0.28.0' to v0.28 #12272
• Backport 'Add icons for verifications' to v0.28 #12271
• Backport 'Fix the markup for verifications' to v0.28 #12273
• decidim-core: Backport 'Properly handle the category name in tags cell' to v0.28 #12261
• Backport 'Use git instead of filesystem for releases files' to v0.28 #12262
• decidim-budgets: Backport 'Change the selected column in budgets' projects' to v0.28 #12274
• decidim-core, decidim-proposals: Backport 'Add missing creation date on the proposals page' to v0.28 #12267
• decidim-core: Backport 'Allow passing a blob object to AssetRouter::Storage' to v0.28 #12263
• Backport 'Lock Ruby to Decidim supported version' to v0.28 #12268
• decidim-admin: Backport 'Fix flash of admin inputs, panels and dropdowns' to v0.28 #12264
• decidim-participatory processes: Backport 'Add "Processes groups" to filter in admin' to v0.28 #12270
• decidim-admin: Backport 'Add admin permissions for conflicts and logs controllers' to v0.28 #12269
• Backport 'Lock TipTap editor to 2.1.13' to v0.28 #12288
• Backport 'Use relative JS imports to allow overrides' to v0.28 #12265
• decidim-assemblies, decidim-elections, decidim-participatory processes: Backport 'Make consistent the Hero content block in the spaces' landing pages' to v0.28 #12301
• Backport 'Implement breadcrumb menu in all admin pages' to v0.28 #12302
• decidim-core: Backport 'Fix errors in Offline page' to v0.28 #12311
• decidim-admin: Backport 'Fix favicons in admin panel' to v0.28 #12314
• decidim-proposals: Backport 'Fix help text style in the participatory text upload' to v0.28 #12316
• decidim-admin: Backport 'Migrate hardcoded Manage menu in spaces' admin pages' to v0.28 #12333
• Backport 'Fix webpack generation on cells specs' to v0.28 #12334
• decidim-proposals: Backport 'Protect participatory text buttons under authorization' to v0.28 #12352
• Backport 'Upgrade chromedriver to v120 ' to v0.28 #12419
• Backport 'Add a better ChromeDriver workaround' to v0.28 #12416
• Backport 'Add matrix for Decidim/Ruby/Node versions in manual guide' to v0.28 #12428
• decidim-meetings: Backport 'Fix meetings counter calculating total amount' to v0.28 #12418
• decidim-proposals: Backport 'Fix context on proposal preview' to v0.28 #12426
• Backport 'Fix Proposals bulk action form' to v0.28 #12432
• Backport 'Fix flaky for AXE violations in breadcrumb menu for mobile and tablets' to v0.28 #12433
• decidim-elections: Backport 'Fix voting data migration for AddFollowableCounterCacheToVotings' to v0.28 #12431
• Backport 'Fix authorization handler in OmniauthRegistrations' to v0.28 #12435
• decidim-proposals: Backport 'Fix flaky specs in proposals' to v0.28 #12437
• decidim-budgets: Backport 'Pass the budget context to the admin new and edit actions for projects' to v0.28 #12438
• decidim-verifications: Backport 'Allow apps to configure the document types in the verifications module' to v0.28 #12427
• Backport 'Generate component Gemfile template when releasing' to v0.28 #12424
• decidim-admin, decidim-system: Backport 'Fix exception when presenting oauth application in admin log' to v0.28 #12434
• decidim-admin, decidim-core: Backport 'Fix bug in welcome notific...

Security fixes

This release addresses several security issues:

• CVE-2024-27090
• CVE-2024-27095
• CVE-2024-32469

The details regarding the security vulnerabilities will be published on June 30th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.27.6"
gem "decidim-dev", "0.27.6"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Verifications documents configurations

Until now we have hard-coded the document types for verifications with types from Spain legislation ("DNI, NIE and passport"). We have change it to "Identification number and passport", and allow installations to adapt them to their own needs.

If you want to go back to the old setting, you need to follow these steps:

Add to your config/secrets.yml the decidim.verifications.document_types key

decidim_default: &decidim_default
  application_name: <%%= Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_json %>
  (...)
  verifications:
    document_types: <%%= Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", %w(identification_number passport)).to_array %>

Add to your config/initializers/decidim.rb the following snippet in the bottom of the file

if Decidim.module_installed? :verifications
  Decidim::Verifications.configure do |config|
    config.document_types = Rails.application.secrets.dig(:verifications, :document_types).presence || %w(identification_number passport)
  end
end

Add the values that you want to define using the environmnet variable VERIFICATIONS_DOCUMENT_TYPES

VERIFICATIONS_DOCUMENT_TYPES="dni,nie,passport"

Add the translation of these values to your i18n files (i.e. config/locales/en.yml)

en:
  decidim:
    verifications:
        id_documents:
          dni: DNI
          nie: NIE
          passport: Passport

You can read more about this change on PR #12306

Allow removal of orphan categories

A bug was identified that prevented the deletion of categories lacking associated resources. This action is a one-time task that must be performed directly in the production database.

bin/rails decidim:upgrade:fix_orphan_categorizations

You can read more about this change on PR #12143.

Detailed changes

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-participatory processes: Fix using CTA image on promoted process group #12202
• decidim-proposals: Backport 'Add answered_at field in proposals' export' to v0.27 #12297
• Backport 'Use git instead of filesystem for releases files' to v0.27 #12303
• Backport 'Lock Ruby to Decidim supported version' to v0.27 #12299
• decidim-admin: Backport 'Fix favicons in admin panel' to v0.27 #12315
• decidim-budgets: Backport 'Change the selected column in budgets' projects' to v0.27 #12296
• decidim-admin: Backport 'Add admin permissions for conflicts and logs controllers' to v0.27 #12300
• decidim-core: Backport 'Allow passing a blob object to AssetRouter::Storage' to v0.27 #12304
• Backport 'Fix webpack generation on cells specs' to v0.27 #12335
• decidim-proposals: Backport 'Protect participatory text buttons under authorization' to v0.27 #12353
• decidim-meetings: Do not display dates for upcoming moderated meetings #12295
• decidim-proposals: Add participatory text missing attribute #12330
• decidim-core: Backport 'Properly handle the category name in tags cell' to v0.27 #12298
• Pinning chrome version to v119 #12420
• Backport 'Fix Proposals bulk action form' to v0.27 #12444
• decidim-elections: Backport 'Fix voting data migration for AddFollowableCounterCacheToVotings' to v0.27 #12443
• Backport 'Fix authorization handler in OmniauthRegistrations' to v0.27 #12445
• Backport 'Generate component Gemfile template when releasing' to v0.27 #12450
• decidim-budgets: Backport 'Pass the budget context to the admin new and edit actions for projects' to v0.27 #12448
• decidim-admin, decidim-system: Backport 'Fix exception when presenting oauth application in admin log' to v0.27 #12447
• Backport 'Bump stringio and carrierwave' to v0.27 #12449
• decidim-verifications: Backport 'Allow apps to configure the document types in the verifications module' to v0.27 #12451
• decidim-dev: Backport 'Disable shm usage in Capybara' to v0.27 #12506
• decidim-admin: Backport 'Fix deleted and blocked users display from impersonations participant list' to v0.27 #12505
• Backport 'Fix decidim-core and decidim-api dependency tree' to v0.27 #12512
• decidim-api: Backport 'Add note about the unescaped contents of the GraphQL API' to v0.27 #12510
• decidim-core: Backport 'Refactor of events specs' to v0.27 #12507
• decidim-core: Backport 'Refactor of events specs (part 2)' to v0.27 #12508
• decidim-core: Backport 'Implement push notifications for conversations' messages' to v0.27 #12511
• Backport 'Standardize the way resources are being listed ...' to v0.27 #12533
• Backport 'Fix decidim-templates usage' to v0.27 #12600
• decidim-admin: Backport 'Fix images URL in newsletters' to v0.27 #12612
• Fix embeds for resources and spaces that shouldn't be embedded #12528
• decidim-comments: Backport 'Restrict comments replies tree including polymorphism' to v0.27 #12305
• Backport 'Patch participatory spaces factories' to v0.27 #12647
• Backport 'Patch events on the new format' to v0.27 #12648
• Backport 'Patch components and spaces factories' to v0.27 #12547
• decidim-core: Backport 'Fix user profile current tab' to v0.27 #12729
• Backport 'Add description for the decidim:reminders:all task' to v0.27 #12733
• Backport 'Add matrix for Decidim/Ruby/Node versions in manual guide' to v0.27 #12759
• decidim-admin, decidim-core, decidim-generators: Backport 'Fix bug in welcome notifications when the organization has weird characters' to v0.27 #12784
• decidim-comments: Backport 'Add votes count to comment caches' to v0.27 #12782
• decidim-budgets: Backport 'Fix DOM text reinterpreted as HTML in budgets' exit handler' to v0.27 #12769
• decidim-initiatives: Backport 'Fix potential unsafe external link in initiatives' to v0.27 #12780
• decidim-api: Backport 'Fix graphiql initial query escaping' to v0.27 #12779
• decidim-core: Backport 'Fix clear-text storage of sensitive information in omniauth registration' to v0.27 #12773
• decidim-accountability: Backport 'Remove ComponentInterface from the ResultType in the API' to v0.27 #12774
• decidim-core: Backport 'Fix flaky spec on join user group command spec' to v0.27 [#12776](https://github.com/decidim/d...

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.26.10"
gem "decidim-dev", "0.26.10"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

Changelog

Added

Nothing.

Changed

Nothing.

Fixed

• Pinning chrome version to v119 #12498
• Backport 'Fix decidim-templates usage' to v0.26 #12601

Removed

Nothing.

Internal

Nothing.

Developer improvements

Nothing.

Security fixes

This release addresses several security issues:

• CVE-2023-48220
• CVE-2023-47634

The details regarding the security vulnerability will be published on February 20th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.26.9"
gem "decidim-dev", "0.26.9"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Deduplicating endorsements

We have identified a case when the same user can endorse the same resource multiple times. This is a bug that we have fixed in this release, but we need to clean up the existing duplicated endorsements. We have added a new task that helps you clean the duplicated endorsements.

bundle exec rails decidim:upgrade:fix_duplicate_endorsements

You can see more details about this change on PR #11853

Changelog

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-core: Backport 'Raise exception in UserTimelineController if no user with the nickname provided' to v0.26 #11470
• decidim-core: Backport 'Encode non-ASCII characters on external links' to v0.26 #11500
• Backport 'Revert "Lock ChromeDriver to the latest working version"' to 0.26 #11620
• Backport 'Add "Tile usage" notice at the top of doc page for OSM maps and geocoding' to v0.26 #11891
• decidim-generators: Backport 'Fix Bootsnap configuration' to v0.26 #11897
• decidim-core: Backport 'Update HERE API autocomplete' to v0.26 #11907
• decidim-core: Backport 'Return the coordinates from Photon geocoding in correct order' to v0.26 #11916
• Backport 'Add 127.0.0.1 and 0.0.0.0 as secondary hosts in the Organization's seeds' to v0.26 #11912
• decidim-budgets, decidim-comments: Backport 'Fix 'download your data' when there are comments on budgets' to v0.26 #11902
• decidim-surveys: Backport 'Add alert when publish a survey with answers' to v0.26 #11894
• decidim-admin: Backport 'Sort components in "Add component" alphabetically' to v0.26 #11922
• decidim-core: Backport 'Fix autocomplete result list duplicates' to v0.26 #11893
• decidim-core: Backport 'Deletion of ZIP file in tmp folder OpenData export job' to v0.26 #11901
• decidim-core: Backport 'Raise an error if the export format is unknown' to v0.26 #11921
• decidim-conferences, decidim-meetings: Backport 'Fix conference venues meetings visibility' to v0.26 #11913
• decidim-system: Backport 'Add admin's password confirmation validation in system' to v0.26 #11928
• decidim-core: Backport 'Deletion of leftovers ZIP files in tmp directory' to v0.26 #11898
• decidim-elections, decidim-forms, decidim-meetings: Backport 'Use UTC in the serializers for the date fields' to v0.26 #11926
• decidim-core: Backport 'Fix password confirm validation error message' to v0.26 #11934
• Backport 'Add missing activerecord budget locales for search' to v0.26 #11939
• decidim-meetings: Backport 'Display meeting button for unauthenticated users' to v0.26 #11946
• decidim-core: Backport 'Fix possible JavaScript console error with geocoding inputs' to v0.26 #11943
• decidim-system: Backport 'Extraction of i18n strings in system panel' to v0.26 #11952
• decidim-core: Backport 'Fix search when moderations are hidden' to v0.26 #11918
• decidim-budgets: Backport 'Fix Permissions screen on budgets throw errors' to v0.26 #11905
• decidim-initiatives: Backport 'Hide omnipresent in media print of initiatives' to v0.26 #11947
• decidim-admin: Backport 'Redirect non-admin users to core's root_path' to v0.26 #11936
• decidim-conferences, decidim-meetings: Backport 'Fix empty address in conference's venues ' to v0.26 #11909
• decidim-system: Backport 'Add titles in system pages' to v0.26 #11954
• Backport 'Bump devise_invitable from v2.0.8 to v2.0.9' to v0.26 #11938
• decidim-templates: Backport 'Simplify the code related to questionnaire templates previews' to v0.26 #11927
• decidim-meetings: Backport 'Don't show map with only online meetings in Content Block' to v0.26 #11958
• Backport 'Fix duplicated endorsements' to v0.26 #11973
• decidim-core: Backport 'Fix dependency resolver trying to fetch gem paths from lazy specifications' to v0.26 #12061
• Backport 'Lock ChromeDriver to 119.0.6045.105' to v0.26 #12167
• Remove duplicated chromedriver setting in v0.26 #12186

Removed

Nothing.

Internal

• Backport "Lock ChromeDriver to the latest working version" to v0.26 #11393
• Backport 'Revert "Lock ChromeDriver to the latest working version"' to 0.26 #11620
• Fix spec for i18n change in Crowdin in release/0.26-stable #11906

Developer improvements

• Backport 'Revert "Lock ChromeDriver to the latest working version"' to 0.26 #11620
• Backport 'Add 127.0.0.1 and 0.0.0.0 as secondary hosts in the Organization's seeds' to v0.26 #11912

Release Notes

See our blog post about the highlights for admins in this release.

⚠️ Mind that our last stable version (v0.27.0) is more than one year old. Lots of things have happened in Decidim, so we recommend that you follow all the steps in this guide for updating your application. Enjoy the new design and features!

Security fixes

This release addresses several security issues:

• CVE-2023-48220
• CVE-2023-47634
• CVE-2023-47635
• CVE-2023-51447

The details regarding the security vulnerability will be published on February 20th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

1. Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1.1. Update your ruby and node versions

For ruby, if you're using rbenv, this is done with the following commands:

rbenv install 3.1.1
rbenv local 3.1.1

If not, you need to adapt it to your environment. See "2.1. Ruby update to 3.1"

For node, if you're using nvm, this is done with the following commands:

nvm install 18.17.1
nvm use 18.17.1

If not, you need to adapt it to your environment. See "2.2. Node update to 18.17"

1.2. Update your Gemfile

gem "decidim", "0.28.0"
gem "decidim-dev", "0.28.0"

Comment out any of the 3rd party decidim modules that you're using in your Gemfile. You can uncomment them later after you've updated them.
Before upgrading to decidim 0.28.0, you need to manually comment out the decidim-consulations if you have it installed. This gem has been removed from the core and you need to remove it from your Gemfile as well.

Please note that sometimes you may get some errors, so please make sure you fully understand the output of the commands before continuing.

When running bundle update decidim, you may get some errors like the one below:

Bundler could not find compatible versions for gem "faker":
  In snapshot (Gemfile.lock):
    faker (= 2.23.0)  # <<< This is the name of the name of the gem that you need to add to bundle update command

  In Gemfile:
    faker

    decidim-dev (= 0.28.0) was resolved to 0.28.0, which depends on
      faker (~> 3.2)

Please repeat the bundle command adding gems to the list until there the above error type disappears.

bundle update decidim faker

1.3. Manual changes

In order to successfully run decidim 0.28.0, you will need to manually edit the following files:

1.3.1. package.json

Edit the engines key to :

  "engines": {
    "node": "18.17.1",
    "npm": ">=9.6.7"
  }

Also remove, if present, the following lines:

   "babel": {
     "presets": [
       "./node_modules/@rails/webpacker/package/babel/preset.js"
     ]
   },

1.3.2. babel.config.json

Edit the file, and remove, if present, the following lines:

    [ "@babel/plugin-proposal-private-property-in-object", { "loose": true }],
    ["@babel/plugin-proposal-private-methods", { "loose": true }],
    ["@babel/plugin-proposal-class-properties", { "loose": true }]

1.3.3. postcss.config.js

Replace the file content with:

module.exports = {
  syntax: 'postcss-scss',
  plugins: [
    // postcss-import must be the very first plugin https://tailwindcss.com/docs/using-with-preprocessors#build-time-imports
    require('postcss-import'),
    require('tailwindcss'),
    require('postcss-flexbugs-fixes'),
    require('postcss-preset-env')({
      autoprefixer: {
        flexbox: 'no-2009'
      },
      stage: 3
    }),
    require('autoprefixer')
  ]
}

1.4. Commands to run

bundle update decidim
rm config/initializers/social_share_button.rb # for "4.2. Social Share Button change"
bin/rails decidim:upgrade
wget https://github.com/decidim/decidim/releases/download/v0.28.0/consulations_removal.bash -O consultations_removal.bash  # For "2.4. Consultation module removal"
bash consultations_removal.bash # For "2.4. Consultation module removal"
bin/rails db:migrate
bin/rails decidim:procfile:install # For "3.3. Added Procfile support"
bin/rails decidim:robots:replace # for "3.11. Anti-spam measures in the robots.txt"
sed -i -e "/rackup      DefaultRackup/d" config/puma.rb # for "3.14. Puma syntax change"

Then there are some actions that needs to be done that depend in your customizations and configurations:

• Do you have any custom design in your application or a custom module? If yes, then you'll need to adapt your design to the new framework, Tailwind CSS. Check out "5.1. Tailwind CSS instead of Foundation"

• Do you have the decidim-consultations module installed in your application? If yes, you need to remove it and change some migrations. Check out "2.4. Consultation module removal"

• Do you have any custom module or external javascript/font/stylesheet/assets? If yes, you need to configure it. Check out "3.10. Add Content Security Policy (CSP) support"

• Have you integrated the SMS gateway? Then you may be interested in "5.5. Extra context argument added to SMS gateway implementations"

• Have you customized the Decidim.password_blacklist configuration or DECIDIM_PASSWORD_BLACKLIST. Then you need to adapt it, check out "5.6. Configuration parameter change"

• Are you using the print feature in Initaitives? Then you need to enable it manually, check out "5.7. Change in Initiatives configuration"

• Do you have any custom module or component that uses Decidim permissions? If yes, we recommend checking out the "5.2. Automated authorization conflict handling for deleted users" so it's consistent with the rest of the modules.

• Do you have any custom configuration/code with the WYSIWYG editor used until now (Quill.js)? If yes, then you'll need to adapt it to the new library (TipTap). Check out "5.3. Tiptap rich text editor"

• Do you have any custom module that implements the Report functionality? If yes, we recommend checking out "5.4. Ability to hide content of a user from the public interface" so it's consistent with the rest of the modules.

In the production environment there are some data migrations that need to be done:

bin/rails decidim:upgrade:migrate_wysiwyg_content  # for "3.2. Content migration for rich text editor"
bin/rails decidim:upgrade:moderation:fix_blocked_user_panel # for "3.4. User moderation panel changes"
bin/rails decidim:content_blocks:initialize_default_content_blocks # for "3.6. Initialize content blocks on spaces or resources with landing page"
bin/rails decidim:proposals:upgrade:remove_valuator_orphan_records # for "3.8. Orphans valuator assignments cleanup"
bin/rails decidim:initiatives:upgrade:fix_broken_pages # for "3.9. Initiatives pages exception fix"
bin/rails decidim:upgrade:fix_duplicate_endorsements # for "3.12. Deduplicating endorsements"
bin/rails decidim:upgrade:fix_short_urls # for "3.13. Fix component short links"

In the production server, add the following scheduling task if you want to have participatory processes steps changing automatically

*/15 * * * * cd /home/user/decidim_application && RAILS_ENV=production bin/rails decidim_participatory_processes:change_active_step # for "4.1. Automatically change active step in participatory processes"

For running the application in the development application you now have the command:

./bin/dev

This is just a summary of all the most relevant changes done in this version. Keep reading to know the details of the relevant changes for your environmnet.

2. General notes

2.1. Ruby update to 3.1

We have updated the Ruby version to 3.1.1. Upgrading to this version will require either to install this Ruby version on your host, or change the decidim docker image to use ruby:3.1.1.

You can read more about this change on PR #9449.

2.2. Node update to 18.17

We have updated the Node version to 18.17.1 Upgrading to this version will require either to install this Node version on your host, or adapt your decidim docker image.

You can read more about this change on PR #11564.

2.3. Redesign

The design of the application has changed radically. The most relevant things to notice are:

• Improvements in the general user interface and experience, both for participants and administrators
• New module decidim-design, available by default in the development_app and optionally in other appllications. Avaialable at /design. I.e.: http://yourdomain.example.org/design
• Replacement of Foundation CSS by Tailwind CSS. You can read more about this change in the section "3.1. Tailwind CSS introduction" and also in "5.1. Tailwind CSS instead of Foundation".
• Introduction of Content Blocks for the Participatory Processes and Assemblies' landing pages. You can read more about this change in the section "3.6. Initialize content blocks on spaces or resources with landing page".
• Introduction of the mega-menu on desktop: improvements of the navigation based on breadcrumbs with extra information w...

Security fixes

This release addresses several security issues:

• CVE-2023-48220
• CVE-2023-47634
• CVE-2023-47635
• CVE-2023-51447

The details regarding the security vulnerability will be published on February 20th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.27.5"
gem "decidim-dev", "0.27.5"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Deduplicating endorsements

We have identified a case when the same user can endorse the same resource multiple times. This is a bug that we have fixed in this release, but we need to clean up the existing duplicated endorsements. We have added a new task that helps you clean the duplicated endorsements.

bundle exec rails decidim:upgrade:fix_duplicate_endorsements

You can see more details about this change on PR #11853

Fix component short links

We have identified that some of the short links for components are not working properly. We have added a new task that helps you fix the short links for components.

bundle exec rails decidim:upgrade:fix_short_urls

You can see more details about this change on PR #12004

Changelog

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-accountability, decidim-blogs, decidim-budgets, decidim-debates, decidim-meetings, decidim-sortitions: Backport 'Nullable component setting generates error :comments_max_length' to v0.27 #11239
• decidim-core: Raise exception in UserTimelineController if no user with the nickname provided #11465
• decidim-budgets: Backport 'Fix ambiguous id column on projects query' to v0.27 #11482
• decidim-core: Backport 'Encode non-ASCII characters on external links' to v0.27 #11499
• Backport 'Revert "Lock ChromeDriver to the latest working version"' to 0.27 #11619
• decidim-core: Backport 'Use left outer join instead of include in with_any_category scope' to v0.27 #11614
• decidim-admin, decidim-assemblies, decidim-conferences, decidim-core, decidim-generators, decidim-participatory processes: Backport 'Update the Twitter icons and brand name to X' to v0.27 #11616
• decidim-assemblies, decidim-participatory processes: Use with_any_scope instead of with_scope for assemblies and processes #11438
• decidim-core: Fix password confirm validation error message #11625
• decidim-core: Backport 'Fix PWA availability for organizations with forced sign in' to v0.27 #11805
• decidim-surveys: Backport 'Add alert when publish a survey with answers' to v0.27 #11895
• Backport 'Add "Tile usage" notice at the top of doc page for OSM maps and geocoding' to v0.27 #11890
• decidim-core: Backport 'Update HERE API autocomplete' to v0.27 #11908
• decidim-generators: Backport 'Fix Bootsnap configuration' to v0.27 #11896
• decidim-conferences, decidim-meetings: Backport 'Fix conference venues meetings visibility' to v0.27 #11914
• Backport 'Add 127.0.0.1 and 0.0.0.0 as secondary hosts in the Organization's seeds' to v0.27 #11911
• decidim-budgets, decidim-comments: Backport 'Fix 'download your data' when there are comments on budgets' to v0.27 #11903
• decidim-core: Backport 'Deletion of leftovers ZIP files in tmp directory' to v0.27 #11899
• decidim-admin: Backport 'Sort components in "Add component" alphabetically' to v0.27 #11923
• decidim-core: Backport 'Fix autocomplete result list duplicates' to v0.27 #11892
• decidim-system: Backport 'Add admin's password confirmation validation in system' to v0.27 #11929
• decidim-core: Backport 'Deletion of ZIP file in tmp folder OpenData export job' to v0.27 #11900
• decidim-core: Backport 'Return the coordinates from Photon geocoding in correct order' to v0.27 #11915
• decidim-core: Backport 'Raise an error if the export format is unknown' to v0.27 #11920
• decidim-elections, decidim-forms, decidim-meetings: Backport 'Use UTC in the serializers for the date fields' to v0.27 #11925
• decidim-templates: Backport 'Simplify the code related to questionnaire templates previews' to v0.27 #11930
• Backport 'Add missing activerecord budget locales for search' to v0.27 #11941
• decidim-meetings: Backport 'Display meeting button for unauthenticated users' to v0.27 #11945
• decidim-core: Backport 'Fix possible JavaScript console error with geocoding inputs' to v0.27 #11942
• decidim-system: Backport 'Extraction of i18n strings in system panel' to v0.27 #11951
• decidim-core: Backport 'Fix missing results on Geocoded when search without diacritics' to v0.27 #11949
• Backport 'Bump devise_invitable from v2.0.8 to v2.0.9' to v0.27 #11937
• decidim-budgets: Backport 'Fix Permissions screen on budgets throw errors' to v0.27 #11904
• decidim-initiatives: Backport 'Hide omnipresent in media print of initiatives' to v0.27 #11948
• decidim-core: Backport 'Fix search when moderations are hidden' to v0.27 #11919
• decidim-conferences, decidim-meetings: Backport 'Fix empty address in conference's venues ' to v0.27 #11910
• decidim-system: Backport 'Add titles in system pages' to v0.27 #11953
• decidim-meetings: Backport 'Don't show map with only online meetings in Content Block' to v0.27 #11961
• Backport 'Support deploy to a subdirectory - direct_uploads' to v0.27 #11931
• decidim-admin: Backport 'Redirect non-admin users to core's root_path' to v0.27 #11935
• Backport 'Fix duplicated endorsements' to v0.27 #11974
• decidim-initiatives: Backport 'Fix order initiatives by comments using the column instead of a subquery' to v0.27 #11983
• decidim-proposals: Backport 'Fix order proposals by comments and follows using the column instead of a query' to v0.27 #11993
• decidim-core: Backport 'Fix issues with the file uploader input display' to v0.27 #11731
• decidim-core: Backport 'Fix shortlink references' to v0.27 #12007
• decidim-assemblies: Backport 'Fix n 1 query on assemblies permissions' to v0.27 #12042
• decidim-meetings: Backport 'Add link explicitly in the meetings' icalendar event' to v0.27 #12047
• decidim-core: Fix filter by scope on search page #12036
• Backport 'Add prerequirements to the manual installation tutorial' to v0.27 #12070
• decidim-proposals: Backport 'Do not show the titles in the admin proposals page if there isn't any' to v0.27 #12046
• decidim-debates: Backport 'Show message when there are no deb...

Security fixes

This release addresses one security issue:

• CVE-2023-36465

The details regarding the security vulnerability will be published on September 25th 2023, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.27.4"
gem "decidim-dev", "0.27.4"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Orphans valuator assignments cleanup

We have added a new task that helps you clean the valuator assignements records of roles that have been deleted.

You can run the task with the following command:

bundle exec rake decidim:proposals:upgrade:remove_valuator_orphan_records

You can see more details about this change on PR #10607

Initiatives pages exception fix

We have added a new tasks to fix a bug related to the pages component inside of the Initiatives module (decidim-initiatives).

You can run the task with the following command:

bundle exec rake decidim:initiatives:upgrade:fix_broken_pages

You can see more details about this change on PR #10928

Added

Nothing.

Changed

Nothing.

Fixed

• Backport 'Remove unused preset-env dependencies' to v0.27 #11005
• decidim-verifications: Backport 'Fix missing translations for SMS confirmation when signing a petition' to v0.27 #11011
• decidim-initiatives: Backport 'Fix for initiative menu not active on creation' to v0.27 #11019
• decidim-initiatives: Backport 'Change to display initiatives after creation' to v0.27 #11029
• decidim-elections: Backport 'Allow to publish an Election even if it hasn't valid Questions' to v0.27 #11031
• decidim-core: Backport 'Fix to Proposal cards CSS in Processes' to v0.27 #11021
• decidim-core: Backport 'Add translation string for URL error message' to v0.27 #11013
• decidim-blogs: Backport 'Add possibility of reporting blog posts ' to v0.27 #11025
• decidim-core, decidim-debates, decidim-initiatives, decidim-proposals, decidim-sortitions: Backport 'Fix user and group related migrations calling the actual record classes' to v0.27 #11009
• decidim-budgets: Backport 'Fix budgets zero single view' to v0.27 #11015
• decidim-conferences: Backport 'Fix partner type in Conferences' partners edit form' to v0.27 #11017
• decidim-core: Backport 'Fix do not count blocked users to stats' to v0.27 #11027
• decidim-core: Backport 'Fix error when SVG icon is not available in the file system' to v0.27 #11007
• decidim-elections: Backport 'Fix error message mismatch in election' to v0.27 #11033
• decidim-core: Backport 'Fix notifications page when vapid is not available' to v0.27 #10940
• decidim-initiatives: Backport 'Fix exception in Initiatives' Page' to v0.27 #11023
• decidim-admin: Backport 'Don't allow access to admin panel without ToS acceptance' to v0.27 #11042
• decidim-core: Backport 'Fix "No activity" message in Last Activities isn't shown sometimes' to v0.27 #11056
• decidim-budgets: Backport 'Show all projects if none is selected when the voting has finished' to v0.27 #11118
• decidim-core: Backport 'Fix for sending welcome emails for new participants' to v0.27 #11121
• decidim-elections: Backport 'Fix Admin dashboard disappear if you are in Trustee Zone' to v0.27 #11114
• decidim-core: Backport 'Avoid password change to be requested when user registration mode is disabled' to v0.27 #11120
• decidim-proposals: Backport 'Fix flaky collaborative drafts spec' to v0.27 #11127
• Backport 'Fix webpack version to <5.83.0' to v0.27 #11133
• decidim-participatory processes: Backport 'Fix the active filter for process groups' to v0.27 #11130
• decidim-core: Backport 'Verify modules are installed in StatsParticipantsCount query' to v0.27 #11157
• decidim-core: Backport 'Fix issues with overriding maps and loading Leaflet' to v0.27 #11131
• decidim-elections, decidim-initiatives: Backport 'CSV & JSON export function fix' to v0.27 #11185
• decidim-budgets: Backport 'Fix the unused keyword arguments for the budgets workflows' to v0.27 #11228
• decidim-budgets, decidim-elections: Backport 'Budgets component fix for Votings module' to v0.27 #11229
• decidim-elections: Backport 'Fix for saving an Election that wasn't blocked' to v0.27 #11187
• decidim-admin: Backport 'Fix blocked users not present in global moderation panel' to v0.27 #11234
• decidim-core, decidim-meetings, decidim-proposals: Backport 'Always allow image upload in WYSWYG editor' to v0.27 #11237
• decidim-core: Backport 'Fix linking to invariable image URLs' to v0.27 #11242
• decidim-core, decidim-surveys: Backport 'Fix running DB commands consecutively' to v0.27 #11236
• decidim-forms: Backport 'Fix memory leak with user answers serializer (at survey export)' to v0.27 #11241
• decidim-core: Backport 'Fix admin password change required for omniauth-only accounts' to v0.27 #11240
• decidim-core: Backport 'Prevent aria-describedby attribute being added to hidden inputs' to v0.27 #11243
• decidim-budgets, decidim-core, decidim-initiatives, decidim-proposals, decidim-sortitions: Backport 'Fix scope and category filtering links with ransack' to v0.27 #11248
• decidim-admin, decidim-assemblies, decidim-blogs, decidim-conferences, decidim-core, decidim-elections, decidim-initiatives, decidim-participatory processes, decidim-templates: Backport 'Enforce resources being found in the organization scope' to v0.27 #11232
• decidim-assemblies, decidim-conferences, decidim-participatory processes, decidim-proposals: Backport 'Fix proposals' valuators assignments not deleted when space admin is removed' to v0.27 #11332
• decidim-admin: Backport 'Fix HTML titles in admin panel' to v0.27 #11333
• decidim-admin: Backport 'Fix HTML titles in admin panel (part 2)' to v0.27 #11336

Removed

Nothing.

Developer improvements

• Backport "Update several gems" to v0.27 #11139

Internal

• decidim-admin, decidim-core: Backport 'Fix default seeds on first login (password_updated_at and accepted_tos_version)' to v0.27 #10854
• decidim-core: Backport 'Remove duplication of LastActivity queries' to v0.27 #11055
• decidim-proposals: Backport 'Fix flaky collaborative drafts spec' to v0.27 #11127

Previous versions

Please check release/0.27-stable for previous changes.