v.28.1

Release Notes

Security fixes

This release addresses several security issues:

• CVE-2024-27095
• CVE-2024-32469

The details regarding the security vulnerabilities will be published on June 30th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

1. Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.28.1"
gem "decidim-dev", "0.28.1"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

2. General notes

None

3. One time actions

3.1. Verifications documents configurations

Until now we have hard-coded the document types for verifications with types from Spain legislation ("DNI, NIE and passport"). We have change it to "Identification number and passport", and allow installations to adapt them to their own needs.

If you want to go back to the old setting, you need to follow these steps:

3.1.1. Add to your config/secrets.yml the decidim.verifications.document_types key

decidim_default: &decidim_default
  application_name: <%%= Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_json %>
  (...)
  verifications:
    document_types: <%%= Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", %w(identification_number passport)).to_array %>

3.1.2. Add to your config/initializers/decidim.rb the following snippet in the bottom of the file

if Decidim.module_installed? :verifications
  Decidim::Verifications.configure do |config|
    config.document_types = Rails.application.secrets.dig(:verifications, :document_types).presence || %w(identification_number passport)
  end
end

3.1.3. Add the values that you want to define using the environmnet variable VERIFICATIONS_DOCUMENT_TYPES

VERIFICATIONS_DOCUMENT_TYPES="dni,nie,passport"

3.1.4. Add the translation of these values to your i18n files (i.e. config/locales/en.yml)

en:
  decidim:
    verifications:
        id_documents:
          dni: DNI
          nie: NIE
          passport: Passport

You can read more about this change on PR #12306

3.2. Allow removal of orphan categories

A bug was identified that prevented the deletion of categories lacking associated resources. This action is a one-time task that must be performed directly in the production database.

bin/rails decidim:upgrade:fix_orphan_categorizations

You can read more about this change on PR #12143.

3.3. Improved CSS overrides

We have improved the CSS overriding mechanism. This is what allows you to change the CSS of decidim in your application in a more granular way.

Previously, you could do this by adding CSS rules in the app/packs/stylesheets/decidim/decidim_application.scss file. This file remains in place but is loaded as the last file in the application, so it will take precedence over all the CSS rules from the Decidim modules.

Additionally, if you need, you can also customize the admin and system interfaces by creating in your application the following files:

• app/packs/stylesheets/decidim/admin/decidim_application.scss for admin interface
• app/packs/stylesheets/decidim/system/decidim_application.scss for system interface

You can read more about this change on PR #12646.

4. Scheduled tasks

None

5. Changes in APIs

None

Changelog

0.28.1

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-budgets: Backport 'Resolve icon usage in projects' to v0.28 #12260
• decidim-accountability: Backport 'Register forgotten icon in Accountability' to v0.28 #12259
• decidim-proposals: Backport 'Add answered_at field in proposals' export' to v0.28 #12266
• Backport 'Update manual installation doc to v0.28.0' to v0.28 #12272
• Backport 'Add icons for verifications' to v0.28 #12271
• Backport 'Fix the markup for verifications' to v0.28 #12273
• decidim-core: Backport 'Properly handle the category name in tags cell' to v0.28 #12261
• Backport 'Use git instead of filesystem for releases files' to v0.28 #12262
• decidim-budgets: Backport 'Change the selected column in budgets' projects' to v0.28 #12274
• decidim-core, decidim-proposals: Backport 'Add missing creation date on the proposals page' to v0.28 #12267
• decidim-core: Backport 'Allow passing a blob object to AssetRouter::Storage' to v0.28 #12263
• Backport 'Lock Ruby to Decidim supported version' to v0.28 #12268
• decidim-admin: Backport 'Fix flash of admin inputs, panels and dropdowns' to v0.28 #12264
• decidim-participatory processes: Backport 'Add "Processes groups" to filter in admin' to v0.28 #12270
• decidim-admin: Backport 'Add admin permissions for conflicts and logs controllers' to v0.28 #12269
• Backport 'Lock TipTap editor to 2.1.13' to v0.28 #12288
• Backport 'Use relative JS imports to allow overrides' to v0.28 #12265
• decidim-assemblies, decidim-elections, decidim-participatory processes: Backport 'Make consistent the Hero content block in the spaces' landing pages' to v0.28 #12301
• Backport 'Implement breadcrumb menu in all admin pages' to v0.28 #12302
• decidim-core: Backport 'Fix errors in Offline page' to v0.28 #12311
• decidim-admin: Backport 'Fix favicons in admin panel' to v0.28 #12314
• decidim-proposals: Backport 'Fix help text style in the participatory text upload' to v0.28 #12316
• decidim-admin: Backport 'Migrate hardcoded Manage menu in spaces' admin pages' to v0.28 #12333
• Backport 'Fix webpack generation on cells specs' to v0.28 #12334
• decidim-proposals: Backport 'Protect participatory text buttons under authorization' to v0.28 #12352
• Backport 'Upgrade chromedriver to v120+' to v0.28 #12419
• Backport 'Add a better ChromeDriver workaround' to v0.28 #12416
• Backport 'Add matrix for Decidim/Ruby/Node versions in manual guide' to v0.28 #12428
• decidim-meetings: Backport 'Fix meetings counter calculating total amount' to v0.28 #12418
• decidim-proposals: Backport 'Fix context on proposal preview' to v0.28 #12426
• Backport 'Fix Proposals bulk action form' to v0.28 #12432
• Backport 'Fix flaky for AXE violations in breadcrumb menu for mobile and tablets' to v0.28 #12433
• decidim-elections: Backport 'Fix voting data migration for AddFollowableCounterCacheToVotings' to v0.28 #12431
• Backport 'Fix authorization handler in OmniauthRegistrations' to v0.28 #12435
• decidim-proposals: Backport 'Fix flaky specs in proposals' to v0.28 #12437
• decidim-budgets: Backport 'Pass the budget context to the admin new and edit actions for projects' to v0.28 #12438
• decidim-verifications: Backport 'Allow apps to configure the document types in the verifications module' to v0.28 #12427
• Backport 'Generate component Gemfile template when releasing' to v0.28 #12424
• decidim-admin, decidim-system: Backport 'Fix exception when presenting oauth application in admin log' to v0.28 #12434
• decidim-admin, decidim-core: Backport 'Fix bug in welcome notifications when the organization has weird characters' to v0.28 #12430
• Backport 'Fix a11y errors with organ...

v0.27.6

Security fixes

This release addresses several security issues:

• CVE-2024-27090
• CVE-2024-27095
• CVE-2024-32469

The details regarding the security vulnerabilities will be published on June 30th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.27.6"
gem "decidim-dev", "0.27.6"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Verifications documents configurations

Until now we have hard-coded the document types for verifications with types from Spain legislation ("DNI, NIE and passport"). We have change it to "Identification number and passport", and allow installations to adapt them to their own needs.

If you want to go back to the old setting, you need to follow these steps:

Add to your config/secrets.yml the decidim.verifications.document_types key

decidim_default: &decidim_default
  application_name: <%%= Decidim::Env.new("DECIDIM_APPLICATION_NAME", "My Application Name").to_json %>
  (...)
  verifications:
    document_types: <%%= Decidim::Env.new("VERIFICATIONS_DOCUMENT_TYPES", %w(identification_number passport)).to_array %>

Add to your config/initializers/decidim.rb the following snippet in the bottom of the file

if Decidim.module_installed? :verifications
  Decidim::Verifications.configure do |config|
    config.document_types = Rails.application.secrets.dig(:verifications, :document_types).presence || %w(identification_number passport)
  end
end

Add the values that you want to define using the environmnet variable VERIFICATIONS_DOCUMENT_TYPES

VERIFICATIONS_DOCUMENT_TYPES="dni,nie,passport"

Add the translation of these values to your i18n files (i.e. config/locales/en.yml)

en:
  decidim:
    verifications:
        id_documents:
          dni: DNI
          nie: NIE
          passport: Passport

You can read more about this change on PR #12306

Allow removal of orphan categories

A bug was identified that prevented the deletion of categories lacking associated resources. This action is a one-time task that must be performed directly in the production database.

bin/rails decidim:upgrade:fix_orphan_categorizations

You can read more about this change on PR #12143.

Detailed changes

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-participatory processes: Fix using CTA image on promoted process group #12202
• decidim-proposals: Backport 'Add answered_at field in proposals' export' to v0.27 #12297
• Backport 'Use git instead of filesystem for releases files' to v0.27 #12303
• Backport 'Lock Ruby to Decidim supported version' to v0.27 #12299
• decidim-admin: Backport 'Fix favicons in admin panel' to v0.27 #12315
• decidim-budgets: Backport 'Change the selected column in budgets' projects' to v0.27 #12296
• decidim-admin: Backport 'Add admin permissions for conflicts and logs controllers' to v0.27 #12300
• decidim-core: Backport 'Allow passing a blob object to AssetRouter::Storage' to v0.27 #12304
• Backport 'Fix webpack generation on cells specs' to v0.27 #12335
• decidim-proposals: Backport 'Protect participatory text buttons under authorization' to v0.27 #12353
• decidim-meetings: Do not display dates for upcoming moderated meetings #12295
• decidim-proposals: Add participatory text missing attribute #12330
• decidim-core: Backport 'Properly handle the category name in tags cell' to v0.27 #12298
• Pinning chrome version to v119 #12420
• Backport 'Fix Proposals bulk action form' to v0.27 #12444
• decidim-elections: Backport 'Fix voting data migration for AddFollowableCounterCacheToVotings' to v0.27 #12443
• Backport 'Fix authorization handler in OmniauthRegistrations' to v0.27 #12445
• Backport 'Generate component Gemfile template when releasing' to v0.27 #12450
• decidim-budgets: Backport 'Pass the budget context to the admin new and edit actions for projects' to v0.27 #12448
• decidim-admin, decidim-system: Backport 'Fix exception when presenting oauth application in admin log' to v0.27 #12447
• Backport 'Bump stringio and carrierwave' to v0.27 #12449
• decidim-verifications: Backport 'Allow apps to configure the document types in the verifications module' to v0.27 #12451
• decidim-dev: Backport 'Disable shm usage in Capybara' to v0.27 #12506
• decidim-admin: Backport 'Fix deleted and blocked users display from impersonations participant list' to v0.27 #12505
• Backport 'Fix decidim-core and decidim-api dependency tree' to v0.27 #12512
• decidim-api: Backport 'Add note about the unescaped contents of the GraphQL API' to v0.27 #12510
• decidim-core: Backport 'Refactor of events specs' to v0.27 #12507
• decidim-core: Backport 'Refactor of events specs (part 2)' to v0.27 #12508
• decidim-core: Backport 'Implement push notifications for conversations' messages' to v0.27 #12511
• Backport 'Standardize the way resources are being listed ...' to v0.27 #12533
• Backport 'Fix decidim-templates usage' to v0.27 #12600
• decidim-admin: Backport 'Fix images URL in newsletters' to v0.27 #12612
• Fix embeds for resources and spaces that shouldn't be embedded #12528
• decidim-comments: Backport 'Restrict comments replies tree including polymorphism' to v0.27 #12305
• Backport 'Patch participatory spaces factories' to v0.27 #12647
• Backport 'Patch events on the new format' to v0.27 #12648
• Backport 'Patch components and spaces factories' to v0.27 #12547
• decidim-core: Backport 'Fix user profile current tab' to v0.27 #12729
• Backport 'Add description for the decidim:reminders:all task' to v0.27 #12733
• Backport 'Add matrix for Decidim/Ruby/Node versions in manual guide' to v0.27 #12759
• decidim-admin, decidim-core, decidim-generators: Backport 'Fix bug in welcome notifications when the organization has weird characters' to v0.27 #12784
• decidim-comments: Backport 'Add votes count to comment caches' to v0.27 #12782
• decidim-budgets: Backport 'Fix DOM text reinterpreted as HTML in budgets' exit handler' to v0.27 #12769
• decidim-initiatives: Backport 'Fix potential unsafe external link in initiatives' to v0.27 #12780
• decidim-api: Backport 'Fix graphiql initial query escaping' to v0.27 #12779
• decidim-core: Backport 'Fix clear-text storage of sensitive information in omniauth registration' to v0.27 #12773
• decidim-accountability: Backport 'Remove ComponentInterface from the ResultType in the API' to v0.27 #12774
• decidim-core: Backport 'Fix flaky spec on join user group command spec' to v0.27 #12776
• decidim-core: Backport 'Fix flaky spec on endorsements controller' to v0.27 #12777
• decidim-core: Backport 'Fix overly permissive regular expression range i...

v0.26.10

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.26.10"
gem "decidim-dev", "0.26.10"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

Changelog

Added

Nothing.

Changed

Nothing.

Fixed

• Pinning chrome version to v119 #12498
• Backport 'Fix decidim-templates usage' to v0.26 #12601

Removed

Nothing.

Internal

Nothing.

Developer improvements

Nothing.

v0.26.9

Security fixes

This release addresses several security issues:

• CVE-2023-48220
• CVE-2023-47634

The details regarding the security vulnerability will be published on February 20th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.26.9"
gem "decidim-dev", "0.26.9"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Deduplicating endorsements

We have identified a case when the same user can endorse the same resource multiple times. This is a bug that we have fixed in this release, but we need to clean up the existing duplicated endorsements. We have added a new task that helps you clean the duplicated endorsements.

bundle exec rails decidim:upgrade:fix_duplicate_endorsements

You can see more details about this change on PR #11853

Changelog

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-core: Backport 'Raise exception in UserTimelineController if no user with the nickname provided' to v0.26 #11470
• decidim-core: Backport 'Encode non-ASCII characters on external links' to v0.26 #11500
• Backport 'Revert "Lock ChromeDriver to the latest working version"' to 0.26 #11620
• Backport 'Add "Tile usage" notice at the top of doc page for OSM maps and geocoding' to v0.26 #11891
• decidim-generators: Backport 'Fix Bootsnap configuration' to v0.26 #11897
• decidim-core: Backport 'Update HERE API autocomplete' to v0.26 #11907
• decidim-core: Backport 'Return the coordinates from Photon geocoding in correct order' to v0.26 #11916
• Backport 'Add 127.0.0.1 and 0.0.0.0 as secondary hosts in the Organization's seeds' to v0.26 #11912
• decidim-budgets, decidim-comments: Backport 'Fix 'download your data' when there are comments on budgets' to v0.26 #11902
• decidim-surveys: Backport 'Add alert when publish a survey with answers' to v0.26 #11894
• decidim-admin: Backport 'Sort components in "Add component" alphabetically' to v0.26 #11922
• decidim-core: Backport 'Fix autocomplete result list duplicates' to v0.26 #11893
• decidim-core: Backport 'Deletion of ZIP file in tmp folder OpenData export job' to v0.26 #11901
• decidim-core: Backport 'Raise an error if the export format is unknown' to v0.26 #11921
• decidim-conferences, decidim-meetings: Backport 'Fix conference venues meetings visibility' to v0.26 #11913
• decidim-system: Backport 'Add admin's password confirmation validation in system' to v0.26 #11928
• decidim-core: Backport 'Deletion of leftovers ZIP files in tmp directory' to v0.26 #11898
• decidim-elections, decidim-forms, decidim-meetings: Backport 'Use UTC in the serializers for the date fields' to v0.26 #11926
• decidim-core: Backport 'Fix password confirm validation error message' to v0.26 #11934
• Backport 'Add missing activerecord budget locales for search' to v0.26 #11939
• decidim-meetings: Backport 'Display meeting button for unauthenticated users' to v0.26 #11946
• decidim-core: Backport 'Fix possible JavaScript console error with geocoding inputs' to v0.26 #11943
• decidim-system: Backport 'Extraction of i18n strings in system panel' to v0.26 #11952
• decidim-core: Backport 'Fix search when moderations are hidden' to v0.26 #11918
• decidim-budgets: Backport 'Fix Permissions screen on budgets throw errors' to v0.26 #11905
• decidim-initiatives: Backport 'Hide omnipresent in media print of initiatives' to v0.26 #11947
• decidim-admin: Backport 'Redirect non-admin users to core's root_path' to v0.26 #11936
• decidim-conferences, decidim-meetings: Backport 'Fix empty address in conference's venues ' to v0.26 #11909
• decidim-system: Backport 'Add titles in system pages' to v0.26 #11954
• Backport 'Bump devise_invitable from v2.0.8 to v2.0.9' to v0.26 #11938
• decidim-templates: Backport 'Simplify the code related to questionnaire templates previews' to v0.26 #11927
• decidim-meetings: Backport 'Don't show map with only online meetings in Content Block' to v0.26 #11958
• Backport 'Fix duplicated endorsements' to v0.26 #11973
• decidim-core: Backport 'Fix dependency resolver trying to fetch gem paths from lazy specifications' to v0.26 #12061
• Backport 'Lock ChromeDriver to 119.0.6045.105' to v0.26 #12167
• Remove duplicated chromedriver setting in v0.26 #12186

Removed

Nothing.

Internal

• Backport "Lock ChromeDriver to the latest working version" to v0.26 #11393
• Backport 'Revert "Lock ChromeDriver to the latest working version"' to 0.26 #11620
• Fix spec for i18n change in Crowdin in release/0.26-stable #11906

Developer improvements

• Backport 'Revert "Lock ChromeDriver to the latest working version"' to 0.26 #11620
• Backport 'Add 127.0.0.1 and 0.0.0.0 as secondary hosts in the Organization's seeds' to v0.26 #11912

v0.28.0

Release Notes

See our blog post about the highlights for admins in this release.

⚠️ Mind that our last stable version (v0.27.0) is more than one year old. Lots of things have happened in Decidim, so we recommend that you follow all the steps in this guide for updating your application. Enjoy the new design and features!

Security fixes

This release addresses several security issues:

• CVE-2023-48220
• CVE-2023-47634
• CVE-2023-47635
• CVE-2023-51447

The details regarding the security vulnerability will be published on February 20th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

1. Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1.1. Update your ruby and node versions

For ruby, if you're using rbenv, this is done with the following commands:

rbenv install 3.1.1
rbenv local 3.1.1

If not, you need to adapt it to your environment. See "2.1. Ruby update to 3.1"

For node, if you're using nvm, this is done with the following commands:

nvm install 18.17.1
nvm use 18.17.1

If not, you need to adapt it to your environment. See "2.2. Node update to 18.17"

1.2. Update your Gemfile

gem "decidim", "0.28.0"
gem "decidim-dev", "0.28.0"

Comment out any of the 3rd party decidim modules that you're using in your Gemfile. You can uncomment them later after you've updated them.
Before upgrading to decidim 0.28.0, you need to manually comment out the decidim-consulations if you have it installed. This gem has been removed from the core and you need to remove it from your Gemfile as well.

Please note that sometimes you may get some errors, so please make sure you fully understand the output of the commands before continuing.

When running bundle update decidim, you may get some errors like the one below:

Bundler could not find compatible versions for gem "faker":
  In snapshot (Gemfile.lock):
    faker (= 2.23.0)  # <<< This is the name of the name of the gem that you need to add to bundle update command

  In Gemfile:
    faker

    decidim-dev (= 0.28.0) was resolved to 0.28.0, which depends on
      faker (~> 3.2)

Please repeat the bundle command adding gems to the list until there the above error type disappears.

bundle update decidim faker

1.3. Manual changes

In order to successfully run decidim 0.28.0, you will need to manually edit the following files:

1.3.1. package.json

Edit the engines key to :

  "engines": {
    "node": "18.17.1",
    "npm": ">=9.6.7"
  }

Also remove, if present, the following lines:

   "babel": {
     "presets": [
       "./node_modules/@rails/webpacker/package/babel/preset.js"
     ]
   },

1.3.2. babel.config.json

Edit the file, and remove, if present, the following lines:

    [ "@babel/plugin-proposal-private-property-in-object", { "loose": true }],
    ["@babel/plugin-proposal-private-methods", { "loose": true }],
    ["@babel/plugin-proposal-class-properties", { "loose": true }]

1.3.3. postcss.config.js

Replace the file content with:

module.exports = {
  syntax: 'postcss-scss',
  plugins: [
    // postcss-import must be the very first plugin https://tailwindcss.com/docs/using-with-preprocessors#build-time-imports
    require('postcss-import'),
    require('tailwindcss'),
    require('postcss-flexbugs-fixes'),
    require('postcss-preset-env')({
      autoprefixer: {
        flexbox: 'no-2009'
      },
      stage: 3
    }),
    require('autoprefixer')
  ]
}

1.4. Commands to run

bundle update decidim
rm config/initializers/social_share_button.rb # for "4.2. Social Share Button change"
bin/rails decidim:upgrade
wget https://github.com/decidim/decidim/releases/download/v0.28.0/consulations_removal.bash -O consultations_removal.bash  # For "2.4. Consultation module removal"
bash consultations_removal.bash # For "2.4. Consultation module removal"
bin/rails db:migrate
bin/rails decidim:procfile:install # For "3.3. Added Procfile support"
bin/rails decidim:robots:replace # for "3.11. Anti-spam measures in the robots.txt"
sed -i -e "/rackup      DefaultRackup/d" config/puma.rb # for "3.14. Puma syntax change"

Then there are some actions that needs to be done that depend in your customizations and configurations:

• Do you have any custom design in your application or a custom module? If yes, then you'll need to adapt your design to the new framework, Tailwind CSS. Check out "5.1. Tailwind CSS instead of Foundation"

• Do you have the decidim-consultations module installed in your application? If yes, you need to remove it and change some migrations. Check out "2.4. Consultation module removal"

• Do you have any custom module or external javascript/font/stylesheet/assets? If yes, you need to configure it. Check out "3.10. Add Content Security Policy (CSP) support"

• Have you integrated the SMS gateway? Then you may be interested in "5.5. Extra context argument added to SMS gateway implementations"

• Have you customized the Decidim.password_blacklist configuration or DECIDIM_PASSWORD_BLACKLIST. Then you need to adapt it, check out "5.6. Configuration parameter change"

• Are you using the print feature in Initaitives? Then you need to enable it manually, check out "5.7. Change in Initiatives configuration"

• Do you have any custom module or component that uses Decidim permissions? If yes, we recommend checking out the "5.2. Automated authorization conflict handling for deleted users" so it's consistent with the rest of the modules.

• Do you have any custom configuration/code with the WYSIWYG editor used until now (Quill.js)? If yes, then you'll need to adapt it to the new library (TipTap). Check out "5.3. Tiptap rich text editor"

• Do you have any custom module that implements the Report functionality? If yes, we recommend checking out "5.4. Ability to hide content of a user from the public interface" so it's consistent with the rest of the modules.

In the production environment there are some data migrations that need to be done:

bin/rails decidim:upgrade:migrate_wysiwyg_content  # for "3.2. Content migration for rich text editor"
bin/rails decidim:upgrade:moderation:fix_blocked_user_panel # for "3.4. User moderation panel changes"
bin/rails decidim:content_blocks:initialize_default_content_blocks # for "3.6. Initialize content blocks on spaces or resources with landing page"
bin/rails decidim:proposals:upgrade:remove_valuator_orphan_records # for "3.8. Orphans valuator assignments cleanup"
bin/rails decidim:initiatives:upgrade:fix_broken_pages # for "3.9. Initiatives pages exception fix"
bin/rails decidim:upgrade:fix_duplicate_endorsements # for "3.12. Deduplicating endorsements"
bin/rails decidim:upgrade:fix_short_urls # for "3.13. Fix component short links"

In the production server, add the following scheduling task if you want to have participatory processes steps changing automatically

*/15 * * * * cd /home/user/decidim_application && RAILS_ENV=production bin/rails decidim_participatory_processes:change_active_step # for "4.1. Automatically change active step in participatory processes"

For running the application in the development application you now have the command:

./bin/dev

This is just a summary of all the most relevant changes done in this version. Keep reading to know the details of the relevant changes for your environmnet.

2. General notes

2.1. Ruby update to 3.1

We have updated the Ruby version to 3.1.1. Upgrading to this version will require either to install this Ruby version on your host, or change the decidim docker image to use ruby:3.1.1.

You can read more about this change on PR #9449.

2.2. Node update to 18.17

We have updated the Node version to 18.17.1 Upgrading to this version will require either to install this Node version on your host, or adapt your decidim docker image.

You can read more about this change on PR #11564.

2.3. Redesign

The design of the application has changed radically. The most relevant things to notice are:

• Improvements in the general user interface and experience, both for participants and administrators
• New module decidim-design, available by default in the development_app and optionally in other appllications. Avaialable at /design. I.e.: http://yourdomain.example.org/design
• Replacement of Foundation CSS by Tailwind CSS. You can read more about this change in the section "3.1. Tailwind CSS introduction" and also in "5.1. Tailwind CSS instead of Foundation".
• Introduction of Content Blocks for the Participatory Processes and Assemblies' landing pages. You can read more about this change in the section "3.6. Initialize content blocks on spaces or resources with landing page".
• Introduction of the mega-menu on desktop: improvements of the navigation based on breadcrumbs with extra information w...

v0.27.5

Security fixes

This release addresses several security issues:

• CVE-2023-48220
• CVE-2023-47634
• CVE-2023-47635
• CVE-2023-51447

The details regarding the security vulnerability will be published on February 20th 2024, which is two months after the release date of this version. For more information, please refer to our Security Policy.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.27.5"
gem "decidim-dev", "0.27.5"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Deduplicating endorsements

We have identified a case when the same user can endorse the same resource multiple times. This is a bug that we have fixed in this release, but we need to clean up the existing duplicated endorsements. We have added a new task that helps you clean the duplicated endorsements.

bundle exec rails decidim:upgrade:fix_duplicate_endorsements

You can see more details about this change on PR #11853

Fix component short links

We have identified that some of the short links for components are not working properly. We have added a new task that helps you fix the short links for components.

bundle exec rails decidim:upgrade:fix_short_urls

You can see more details about this change on PR #12004

Changelog

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-accountability, decidim-blogs, decidim-budgets, decidim-debates, decidim-meetings, decidim-sortitions: Backport 'Nullable component setting generates error :comments_max_length' to v0.27 #11239
• decidim-core: Raise exception in UserTimelineController if no user with the nickname provided #11465
• decidim-budgets: Backport 'Fix ambiguous id column on projects query' to v0.27 #11482
• decidim-core: Backport 'Encode non-ASCII characters on external links' to v0.27 #11499
• Backport 'Revert "Lock ChromeDriver to the latest working version"' to 0.27 #11619
• decidim-core: Backport 'Use left outer join instead of include in with_any_category scope' to v0.27 #11614
• decidim-admin, decidim-assemblies, decidim-conferences, decidim-core, decidim-generators, decidim-participatory processes: Backport 'Update the Twitter icons and brand name to X' to v0.27 #11616
• decidim-assemblies, decidim-participatory processes: Use with_any_scope instead of with_scope for assemblies and processes #11438
• decidim-core: Fix password confirm validation error message #11625
• decidim-core: Backport 'Fix PWA availability for organizations with forced sign in' to v0.27 #11805
• decidim-surveys: Backport 'Add alert when publish a survey with answers' to v0.27 #11895
• Backport 'Add "Tile usage" notice at the top of doc page for OSM maps and geocoding' to v0.27 #11890
• decidim-core: Backport 'Update HERE API autocomplete' to v0.27 #11908
• decidim-generators: Backport 'Fix Bootsnap configuration' to v0.27 #11896
• decidim-conferences, decidim-meetings: Backport 'Fix conference venues meetings visibility' to v0.27 #11914
• Backport 'Add 127.0.0.1 and 0.0.0.0 as secondary hosts in the Organization's seeds' to v0.27 #11911
• decidim-budgets, decidim-comments: Backport 'Fix 'download your data' when there are comments on budgets' to v0.27 #11903
• decidim-core: Backport 'Deletion of leftovers ZIP files in tmp directory' to v0.27 #11899
• decidim-admin: Backport 'Sort components in "Add component" alphabetically' to v0.27 #11923
• decidim-core: Backport 'Fix autocomplete result list duplicates' to v0.27 #11892
• decidim-system: Backport 'Add admin's password confirmation validation in system' to v0.27 #11929
• decidim-core: Backport 'Deletion of ZIP file in tmp folder OpenData export job' to v0.27 #11900
• decidim-core: Backport 'Return the coordinates from Photon geocoding in correct order' to v0.27 #11915
• decidim-core: Backport 'Raise an error if the export format is unknown' to v0.27 #11920
• decidim-elections, decidim-forms, decidim-meetings: Backport 'Use UTC in the serializers for the date fields' to v0.27 #11925
• decidim-templates: Backport 'Simplify the code related to questionnaire templates previews' to v0.27 #11930
• Backport 'Add missing activerecord budget locales for search' to v0.27 #11941
• decidim-meetings: Backport 'Display meeting button for unauthenticated users' to v0.27 #11945
• decidim-core: Backport 'Fix possible JavaScript console error with geocoding inputs' to v0.27 #11942
• decidim-system: Backport 'Extraction of i18n strings in system panel' to v0.27 #11951
• decidim-core: Backport 'Fix missing results on Geocoded when search without diacritics' to v0.27 #11949
• Backport 'Bump devise_invitable from v2.0.8 to v2.0.9' to v0.27 #11937
• decidim-budgets: Backport 'Fix Permissions screen on budgets throw errors' to v0.27 #11904
• decidim-initiatives: Backport 'Hide omnipresent in media print of initiatives' to v0.27 #11948
• decidim-core: Backport 'Fix search when moderations are hidden' to v0.27 #11919
• decidim-conferences, decidim-meetings: Backport 'Fix empty address in conference's venues ' to v0.27 #11910
• decidim-system: Backport 'Add titles in system pages' to v0.27 #11953
• decidim-meetings: Backport 'Don't show map with only online meetings in Content Block' to v0.27 #11961
• Backport 'Support deploy to a subdirectory - direct_uploads' to v0.27 #11931
• decidim-admin: Backport 'Redirect non-admin users to core's root_path' to v0.27 #11935
• Backport 'Fix duplicated endorsements' to v0.27 #11974
• decidim-initiatives: Backport 'Fix order initiatives by comments using the column instead of a subquery' to v0.27 #11983
• decidim-proposals: Backport 'Fix order proposals by comments and follows using the column instead of a query' to v0.27 #11993
• decidim-core: Backport 'Fix issues with the file uploader input display' to v0.27 #11731
• decidim-core: Backport 'Fix shortlink references' to v0.27 #12007
• decidim-assemblies: Backport 'Fix n+1 query on assemblies permissions' to v0.27 #12042
• decidim-meetings: Backport 'Add link explicitly in the meetings' icalendar event' to v0.27 #12047
• decidim-core: Fix filter by scope on search page #12036
• Backport 'Add prerequirements to the manual installation tutorial' to v0.27 #12070
• decidim-proposals: Backport 'Do not show the titles in the admin proposals page if there isn't any' to v0.27 #12046
• decidim-debates: Backport 'Show message when there are no deb...

v0.27.4

Security fixes

This release addresses one security issue:

• CVE-2023-36465

The details regarding the security vulnerability will be published on September 25th 2023, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.27.4"
gem "decidim-dev", "0.27.4"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Orphans valuator assignments cleanup

We have added a new task that helps you clean the valuator assignements records of roles that have been deleted.

You can run the task with the following command:

bundle exec rake decidim:proposals:upgrade:remove_valuator_orphan_records

You can see more details about this change on PR #10607

Initiatives pages exception fix

We have added a new tasks to fix a bug related to the pages component inside of the Initiatives module (decidim-initiatives).

You can run the task with the following command:

bundle exec rake decidim:initiatives:upgrade:fix_broken_pages

You can see more details about this change on PR #10928

Added

Nothing.

Changed

Nothing.

Fixed

• Backport 'Remove unused preset-env dependencies' to v0.27 #11005
• decidim-verifications: Backport 'Fix missing translations for SMS confirmation when signing a petition' to v0.27 #11011
• decidim-initiatives: Backport 'Fix for initiative menu not active on creation' to v0.27 #11019
• decidim-initiatives: Backport 'Change to display initiatives after creation' to v0.27 #11029
• decidim-elections: Backport 'Allow to publish an Election even if it hasn't valid Questions' to v0.27 #11031
• decidim-core: Backport 'Fix to Proposal cards CSS in Processes' to v0.27 #11021
• decidim-core: Backport 'Add translation string for URL error message' to v0.27 #11013
• decidim-blogs: Backport 'Add possibility of reporting blog posts ' to v0.27 #11025
• decidim-core, decidim-debates, decidim-initiatives, decidim-proposals, decidim-sortitions: Backport 'Fix user and group related migrations calling the actual record classes' to v0.27 #11009
• decidim-budgets: Backport 'Fix budgets zero single view' to v0.27 #11015
• decidim-conferences: Backport 'Fix partner type in Conferences' partners edit form' to v0.27 #11017
• decidim-core: Backport 'Fix do not count blocked users to stats' to v0.27 #11027
• decidim-core: Backport 'Fix error when SVG icon is not available in the file system' to v0.27 #11007
• decidim-elections: Backport 'Fix error message mismatch in election' to v0.27 #11033
• decidim-core: Backport 'Fix notifications page when vapid is not available' to v0.27 #10940
• decidim-initiatives: Backport 'Fix exception in Initiatives' Page' to v0.27 #11023
• decidim-admin: Backport 'Don't allow access to admin panel without ToS acceptance' to v0.27 #11042
• decidim-core: Backport 'Fix "No activity" message in Last Activities isn't shown sometimes' to v0.27 #11056
• decidim-budgets: Backport 'Show all projects if none is selected when the voting has finished' to v0.27 #11118
• decidim-core: Backport 'Fix for sending welcome emails for new participants' to v0.27 #11121
• decidim-elections: Backport 'Fix Admin dashboard disappear if you are in Trustee Zone' to v0.27 #11114
• decidim-core: Backport 'Avoid password change to be requested when user registration mode is disabled' to v0.27 #11120
• decidim-proposals: Backport 'Fix flaky collaborative drafts spec' to v0.27 #11127
• Backport 'Fix webpack version to <5.83.0' to v0.27 #11133
• decidim-participatory processes: Backport 'Fix the active filter for process groups' to v0.27 #11130
• decidim-core: Backport 'Verify modules are installed in StatsParticipantsCount query' to v0.27 #11157
• decidim-core: Backport 'Fix issues with overriding maps and loading Leaflet' to v0.27 #11131
• decidim-elections, decidim-initiatives: Backport 'CSV & JSON export function fix' to v0.27 #11185
• decidim-budgets: Backport 'Fix the unused keyword arguments for the budgets workflows' to v0.27 #11228
• decidim-budgets, decidim-elections: Backport 'Budgets component fix for Votings module' to v0.27 #11229
• decidim-elections: Backport 'Fix for saving an Election that wasn't blocked' to v0.27 #11187
• decidim-admin: Backport 'Fix blocked users not present in global moderation panel' to v0.27 #11234
• decidim-core, decidim-meetings, decidim-proposals: Backport 'Always allow image upload in WYSWYG editor' to v0.27 #11237
• decidim-core: Backport 'Fix linking to invariable image URLs' to v0.27 #11242
• decidim-core, decidim-surveys: Backport 'Fix running DB commands consecutively' to v0.27 #11236
• decidim-forms: Backport 'Fix memory leak with user answers serializer (at survey export)' to v0.27 #11241
• decidim-core: Backport 'Fix admin password change required for omniauth-only accounts' to v0.27 #11240
• decidim-core: Backport 'Prevent aria-describedby attribute being added to hidden inputs' to v0.27 #11243
• decidim-budgets, decidim-core, decidim-initiatives, decidim-proposals, decidim-sortitions: Backport 'Fix scope and category filtering links with ransack' to v0.27 #11248
• decidim-admin, decidim-assemblies, decidim-blogs, decidim-conferences, decidim-core, decidim-elections, decidim-initiatives, decidim-participatory processes, decidim-templates: Backport 'Enforce resources being found in the organization scope' to v0.27 #11232
• decidim-assemblies, decidim-conferences, decidim-participatory processes, decidim-proposals: Backport 'Fix proposals' valuators assignments not deleted when space admin is removed' to v0.27 #11332
• decidim-admin: Backport 'Fix HTML titles in admin panel' to v0.27 #11333
• decidim-admin: Backport 'Fix HTML titles in admin panel (part 2)' to v0.27 #11336

Removed

Nothing.

Developer improvements

• Backport "Update several gems" to v0.27 #11139

Internal

• decidim-admin, decidim-core: Backport 'Fix default seeds on first login (password_updated_at and accepted_tos_version)' to v0.27 #10854
• decidim-core: Backport 'Remove duplication of LastActivity queries' to v0.27 #11055
• decidim-proposals: Backport 'Fix flaky collaborative drafts spec' to v0.27 #11127

Previous versions

Please check release/0.27-stable for previous changes.

v0.26.8

Security fixes

This release addresses one security issue:

• CVE-2023-36465

The details regarding the security vulnerability will be published on September 25th 2023, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.26.8"
gem "decidim-dev", "0.26.8"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Orphans valuator assignments cleanup

We have added a new task that helps you clean the valuator assignements records of roles that have been deleted.

You can run the task with the following command:

bundle exec rake decidim:proposals:upgrade:remove_valuator_orphan_records

You can see more details about this change on PR #10607

Added

Nothing.

Changed

Nothing.

Fixed

• decidim-verifications: Backport 'Fix missing translations for SMS confirmation when signing a petition' to v0.26 #11012
• decidim-initiatives: Backport 'Fix for initiative menu not active on creation' to v0.26 #11020
• decidim-elections: Backport 'Allow to publish an Election even if it hasn't valid Questions' to v0.26 #11032
• decidim-core: Backport 'Fix to Proposal cards CSS in Processes' to v0.26 #11022
• decidim-core: Backport 'Add translation string for URL error message' to v0.26 #11014
• decidim-blogs: Backport 'Add possibility of reporting blog posts ' to v0.26 #11026
• decidim-core, decidim-debates, decidim-initiatives, decidim-proposals, decidim-sortitions: Backport 'Fix user and group related migrations calling the actual record classes' to v0.26 #11010
• decidim-budgets: Backport 'Fix budgets zero single view' to v0.26 #11016
• decidim-conferences: Backport 'Fix partner type in Conferences' partners edit form' to v0.26 #11018
• decidim-core: Backport 'Fix do not count blocked users to stats' to v0.26 #11028
• decidim-elections: Backport 'Fix error message mismatch in election' to v0.26 #11034
• decidim-admin: Backport 'Don't allow access to admin panel without ToS acceptance' to v0.26 #11047
• decidim-core: Backport 'Fix webpacker crashes on missing icons' to v0.26 #11045
• decidim-core: Backport 'Fix error when SVG icon is not available in the file system' to v0.26 #11008
• decidim-elections: Backport 'Fix Admin dashboard disappear if you are in Trustee Zone' to v0.26 #11113
• decidim-budgets: Backport 'Show all projects if none is selected when the voting has finished' to v0.26 #11119
• decidim-proposals: Backport 'Fix flaky collaborative drafts spec' to v0.26 #11128
• Backport 'Fix webpack version to <5.83.0' to v0.26 #11134
• decidim-participatory processes: Backport 'Fix the active filter for process groups' to v0.26 #11129
• decidim-core: Backport 'Fix uninitialized constant errors with custom set of modules' to v0.26 #11168
• decidim-core: Backport 'Verify modules are installed in StatsParticipantsCount query' to v0.26 #11158
• decidim-core: Backport 'Fix issues with overriding maps and loading Leaflet' to v0.26 #11132
• decidim-elections: Backport 'Fix for saving an Election that wasn't blocked' to v0.26 #11188
• decidim-elections, decidim-initiatives: Backport 'CSV & JSON export function fix' to v0.26 #11186
• decidim-budgets: Backport 'Fix the unused keyword arguments for the budgets workflows' to v0.26 #11227
• decidim-budgets, decidim-elections: Backport 'Budgets component fix for Votings module' to v0.26 #11230
• decidim-admin: Backport 'Fix blocked users not present in global moderation panel' to v0.26 #11235
• decidim-core, decidim-meetings, decidim-proposals: Backport 'Always allow image upload in WYSWYG editor' to v0.26 #11238
• decidim-assemblies, decidim-conferences, decidim-participatory processes, decidim-proposals: Backport 'Fix proposals' valuators assignments not deleted when space admin is removed' to v0.26 #11331
• decidim-admin: Backport 'Fix HTML titles in admin panel' to v0.26 #11334
• decidim-admin: Backport 'Fix HTML titles in admin panel (part 2)' to v0.26 #11335
• decidim-admin, decidim-assemblies, decidim-blogs, decidim-conferences, decidim-core, decidim-elections, decidim-initiatives, decidim-participatory processes, decidim-templates: Backport 'Enforce resources being found in the organization scope' to v0.26 #11231

Removed

Nothing.

Internal

• Backport 'Fix flaky collaborative drafts spec' to v0.26 #11128

Developer improvements

Nothing.

Previous versions

Please check release/0.26-stable for previous changes.

v0.27.3

Security fixes

This release addresses several security issues, including the following:

• CVE-2023-32693
• CVE-2023-34089
• CVE-2023-34090

The details regarding the security vulnerability will be published on July 11th 2023, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.27.3"
gem "decidim-dev", "0.27.3"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Changelog

Added

Nothing.

Changed

• decidim-core: Backport 'Improve the link handling' to v0.27 #10735

Fixed

• decidim-core: Backport 'Fix sass syntax errors' to v0.27 #10445
• decidim-participatory processes: Backport 'Fix: Ransack returns results for multiple organizations' to v0.27 #10447
• decidim-forms: Backport 'Fix survey conditional display' to v0.27 #10448
• decidim-core: Backport 'Fix pipeline asset router bug regarding for manifests containing the host' to v0.27 #10449
• decidim-budgets, decidim-core, decidim-elections, decidim-proposals: Backport 'Fix updating budget projects or other records containing attachments' to v0.27 #10451
• decidim-budgets, decidim-core, decidim-elections, decidim-proposals: Backport 'Fix styling bug with the remove/close buttons for attachments' to v0.27 #10452
• decidim-admin: Backport 'Fix deleting all content from help section triggers error' to v0.27 #10453
• decidim-admin: Backport 'Fix deprecation warning in the html5sortable NPM package' to v0.27 #10455
• decidim-proposals: Backport 'Fix participatory texts sections required field indicators' to v0.27 #10527
• decidim-initiatives: Backport 'Remove email from initiative's print page' to v0.27 #10535
• decidim-core, decidim-participatory processes: Backport 'Fix destroying scope types that have been associated with processes' to v0.27 #10530
• decidim-meetings: Backport 'Fix meeting form for admin to update registrations_enabled field' to v0.27 #10531
• decidim-admin, decidim-core, decidim-system: Backport 'Remove actions from admin and blocked users' to v0.27 #10536
• decidim-core: Backport 'Make buttons respect the organizations' primary color' to v0.27 #10546
• decidim-proposals: Backport 'Export proposal body without HTML tags' to v0.27 #10539
• decidim-proposals: Backport 'Fix: Set required to proposal limit field in Proposal component' to v0.27 #10549
• decidim-core: Backport 'Fix promoted admin password change right after registration' to v0.27 #10540
• decidim-admin, decidim-assemblies, decidim-conferences, decidim-core, decidim-elections, decidim-initiatives, decidim-participatory processes, decidim-proposals, decidim-system: Backport 'Fix dynamic upload file field required indicator + make option naming consistent' to v0.27 #10541
• decidim-debates, decidim-meetings, decidim-proposals: Backport 'Fix iframes stripped from admin entered proposals, meetings and debates' to v0.27 #10558
• decidim-forms: FIx sorting question choice validations #10227
• Fix missing documentation link #10621
• decidim-comments: Backport 'Fix for exporting deleted and hidden comments' to v0.27 #10658
• decidim-proposals: Backport 'Fix for exporting hidden moderated proposals' to v0.27 #10661
• decidim-proposals: Backport 'Fix flaky collaborative drafts specs' to v0.27 #10667
• decidim-admin: Backport 'Change I18n captions on moderation module' to v0.27 #10662
• decidim-proposals: Backport 'Fix empty proposals component configuration limits' to v0.27 #10666
• decidim-admin, decidim-core, decidim-elections, decidim-meetings: Backport 'Fix Redundant notifications when a component is (re)published' to v0.27 #10736
• decidim-core, decidim-debates, decidim-meetings, decidim-proposals: Backport 'User role is defined for digest notifications to scope translations correctly' to v0.27 #10738
• decidim-initiatives: Backport 'Fix initiatives display when not initialized' to v0.27 #10742
• decidim-admin, decidim-assemblies, decidim-blogs, decidim-budgets, decidim-conferences, decidim-consultations, decidim-core, decidim-elections, decidim-forms, decidim-initiatives, decidim-meetings, decidim-pages, decidim-proposals, decidim-sortitions: Backport 'Fix editor toolbar' to v0.27 #10743
• decidim-participatory processes: Backport 'Fix Empty participatory process group is created when importing a PP …' to v0.27 #10732
• decidim-assemblies, decidim-blogs, decidim-budgets, decidim-consultations, decidim-debates, decidim-elections, decidim-forms, decidim-pages, decidim-participatory processes, decidim-proposals, decidim-sortitions: Backport 'Fix Video embeds are not shown in short_description field' to v0.27 #10745
• decidim-consultations: Backport 'Add missing translations in consultations' to v0.27 #10790
• decidim-budgets, decidim-proposals: Backport 'Supports no longer visible for linked proposals if supports are disabled' to v0.27 #10777
• decidim-participatory processes: Backport 'Add metrics, statistics and process type to the participatory process importer' to v0.27 #10770
• Backport 'Fix menu spec after #9928' to v0.27 #10769
• decidim-meetings: Backport 'Fix meetings calendar filtering' to v0.27 #10772
• decidim-initiatives: Backport 'Fix initiative creation missing form fields' to v0.27 #10785
• decidim-initiatives: Backport 'Fix edge case in initiative creation' to v0.27 #10784
• decidim-proposals: Backport 'Fix notifications for the proposal answers importer' to v0.27 #10787
• decidim-initiatives: Backport 'Fix edit form in intitiatives' to v0.27 #10781
• decidim-comments: Backport 'Fix missing hide and show comments by threads' to v0.27 #10779
• decidim-core: Backport 'Fix ImageMagick errors when trying to identify image dimensions' to v0.27 #10556
• decidim-participatory processes: Backport 'Fix issues with unexpected date filter params for the process listing' to v0.27 #10807
• decidim-initiatives: Backport 'Fix initiative creation without fallback hash attribute' to v0.27 #10817
• decidim-core: Backport 'Fix: Inconsistent datetime distance_in_words translations' to 0.27 #10793
• decidim-core: Backport 'Refactor attachment title' to v0.27 #10664
• decidim-budgets: Backport 'Fix budget summary mail when a scope is defined and enabled' to v0.27 #10838
• decidim-core, decidim-proposals: Backport 'Fix File attachments in propos...

v0.26.7

Security fixes

This release addresses several security issues, including the following:

• CVE-2023-32693
• CVE-2023-34089

The details regarding the security vulnerability will be published on July 11th 2023, which is two months after the release date of this version. For more information, please refer to our Security Policy.

We highly recommend updating to this version as soon as possible to ensure the security of your system.

Upgrade notes

As usual, we recommend that you have a full backup, of the database, application code and static files.

To update, follow these steps:

1. Update your Gemfile:

gem "decidim", "0.26.7"
gem "decidim-dev", "0.26.7"

2. Run these commands to upgrade and make sure you get all the latest migrations:

bundle update decidim
bin/rails decidim:upgrade
bin/rails db:migrate

And then follow the steps and commands detailed in these notes.

Changelog

Added

Nothing.

Changed

• decidim-core: Backport 'Improve the link handling' to v0.26 #10734

Fixed

• decidim-core: Backport 'Fix sass syntax errors' to v0.26 #10446
• decidim-admin: Backport 'Fix deleting all content from help section triggers error' to v0.26 #10454
• decidim-admin: Backport 'Fix deprecation warning in the html5sortable NPM package' to v0.26 #10456
• decidim-proposals: Backport 'Fix participatory texts sections required field indicators' to v0.26 #10528
• decidim-initiatives: Backport 'Remove email from initiative's print page' to v0.26 #10534
• decidim-core, decidim-participatory processes: Backport 'Fix destroying scope types that have been associated with processes' to v0.26 #10529
• decidim-meetings: Backport 'Fix meeting form for admin to update registrations_enabled field' to v0.26 #10533
• decidim-admin, decidim-core, decidim-system: Backport 'Remove actions from admin and blocked users' to v0.26 #10537
• decidim-core: Backport 'Make buttons respect the organizations' primary color' to v0.26 #10545
• decidim-proposals: Backport 'Export proposal body without HTML tags' to v0.26 #10538
• decidim-proposals: Backport 'Fix: Set required to proposal limit field in Proposal component' to v0.26 #10550
• Fix missing documentation link #10622
• decidim-comments: Backport 'Fix for exporting deleted and hidden comments' to v0.26 #10659
• decidim-proposals: Backport 'Fix for exporting hidden moderated proposals' to v0.26 #10660
• decidim-proposals: Backport 'Fix flaky collaborative drafts specs' to v0.26 #10668
• decidim-admin: Backport 'Change I18n captions on moderation module' to v0.26 #10663
• decidim-proposals: Backport 'Fix empty proposals component configuration limits' to v0.26 #10665
• decidim-admin, decidim-core, decidim-elections, decidim-meetings: Backport 'Fix Redundant notifications when a component is (re)published' to v0.26 #10737
• decidim-initiatives: Backport 'Fix initiatives display when not initialized' to v0.26 #10741
• decidim-admin, decidim-assemblies, decidim-blogs, decidim-budgets, decidim-conferences, decidim-consultations, decidim-core, decidim-elections, decidim-forms, decidim-initiatives, decidim-meetings, decidim-pages, decidim-proposals, decidim-sortitions: Backport 'Fix editor toolbar' to v0.26 #10744
• decidim-participatory processes: Backport 'Fix Empty participatory process group is created when importing a PP …' to v0.26 #10733
• Backport 'Fix menu spec after #9928' to v0.26 #10768
• decidim-consultations: Backport 'Add missing translations in consultations' to v0.26 #10789
• decidim-budgets, decidim-proposals: Backport 'Supports no longer visible for linked proposals if supports are disabled' to v0.26 #10776
• decidim-initiatives: Backport 'Fix initiative creation missing form fields' to v0.26 #10786
• decidim-initiatives: Backport 'Fix edge case in initiative creation' to v0.26 #10783
• decidim-proposals: Backport 'Fix notifications for the proposal answers importer' to v0.26 #10788
• decidim-comments: Backport 'Fix missing hide and show comments by threads' to v0.26 #10780
• decidim-meetings, decidim-proposals: Backport 'Fix invalid rendering of meeting and proposal body texts' to v0.26 #10806
• decidim-core, decidim-meetings: Backport 'Fix iframe disabling producing invalid HTML' to v0.26 #10764
• decidim-participatory processes: Backport 'Fix issues with unexpected date filter params for the process listing' to v0.26 #10808
• decidim-initiatives: Backport 'Fix edit form in intitiatives' to v0.26 #10782
• decidim-participatory processes: Backport 'Fix usages of sanitize helper methods for editable content provided by admins' to v0.26 #10059
• decidim-debates, decidim-meetings, decidim-proposals: Backport 'Fix iframes stripped from admin entered proposals, meetings and debates' to v0.26 #10559
• decidim-core: Backport 'Fix: Inconsistent datetime distance_in_words translations' to 0.26 #10795
• decidim-assemblies, decidim-blogs, decidim-budgets, decidim-consultations, decidim-debates, decidim-elections, decidim-forms, decidim-pages, decidim-participatory processes, decidim-proposals, decidim-sortitions: Backport 'Fix Video embeds are not shown in short_description field' to v0.26 #10746
• decidim-budgets: Backport 'Fix budget summary mail when a scope is defined and enabled' to v0.26 #10840
• decidim-initiatives: Backport 'Change the participant initiatives editor toolbars type' to v0.26 #10845

Removed

Nothing.

Internal

• Backport 'Switch to the official Codecov action for CI' to v0.26 #10463
• Backport 'Fix flaky collaborative drafts specs' to v0.26 #10668
• Backport 'Fix menu spec after #9928' to v0.26 #10768

Developer improvements

Nothing.

Previous versions

Please check release/0.26-stable for previous changes.