Backport 'Enforce resources being found in the organization scope' to…

… v0.27 (decidim#11232)

decidim-admin/app/controllers/decidim/admin/static_page_topics_controller.rb

@@ -64,9 +64,7 @@ def destroy
       private
 
       def topic
-        @topic ||= StaticPageTopic.where(
-          organization: current_organization
-        ).find(params[:id])
+        @topic ||= current_organization.static_page_topics.find(params[:id])
       end
     end
   end

decidim-assemblies/app/controllers/decidim/assemblies/admin/assemblies_types_controller.rb

@@ -95,7 +95,7 @@ def available_assemblies_types
         end
 
         def current_assembly_type
-          @current_assembly_type ||= AssembliesType.find(params[:id])
+          @current_assembly_type ||= available_assemblies_types.find(params[:id])
         end
 
         def assembly_type_form

decidim-assemblies/app/controllers/decidim/assemblies/admin/assembly_members_controller.rb

@@ -79,7 +79,7 @@ def destroy
         private
 
         def collection
-          @collection ||= Decidim::AssemblyMember.where(assembly: current_assembly)
+          @collection ||= current_assembly.members
         end
       end
     end

decidim-budgets/app/controllers/decidim/budgets/admin/application_controller.rb

@@ -22,8 +22,6 @@ def projects
         end
 
         def project
-          return unless projects
-
           @project ||= projects.find(params[:id])
         end
       end

decidim-budgets/app/controllers/decidim/budgets/admin/attachment_collections_controller.rb

@@ -17,7 +17,7 @@ def collection_for
         end
 
         def project
-          @project ||= Decidim::Budgets::Project.find(params[:project_id])
+          @project ||= Decidim::Budgets::Project.joins(:budget).where(budget: { component: current_component }).find(params[:project_id])
         end
       end
     end

decidim-budgets/app/controllers/decidim/budgets/admin/attachments_controller.rb

@@ -17,8 +17,12 @@ def attached_to
           project
         end
 
+        def projects
+          @projects ||= Decidim::Budgets::Project.joins(:budget).where(budget: { component: current_component })
+        end
+
         def project
-          @project ||= Decidim::Budgets::Project.find(params[:project_id])
+          @project ||= projects.find(params[:project_id])
         end
       end
     end

decidim-budgets/app/controllers/decidim/budgets/admin/budgets_controller.rb

@@ -79,7 +79,7 @@ def budget
         end
 
         def orders
-          @orders ||= Order.where(decidim_budgets_budget_id: budgets)
+          @orders ||= Order.where(budget: budgets)
         end
 
         def pending_orders

decidim-budgets/app/controllers/decidim/budgets/line_items_controller.rb

@@ -44,11 +44,11 @@ def destroy
       private
 
       def project
-        @project ||= Project.includes(:budget).find_by(id: params[:project_id], decidim_budgets_budget_id: params[:budget_id])
+        @project ||= budget&.projects&.find_by(id: params[:project_id])
       end
 
       def budget
-        @budget ||= project.budget
+        @budget ||= Budget.find_by(id: params[:budget_id], component: current_component)
       end
     end
   end

decidim-budgets/app/controllers/decidim/budgets/orders_controller.rb

@@ -39,7 +39,7 @@ def destroy
       private
 
       def budget
-        @budget ||= Budget.find_by(id: params[:budget_id])
+        @budget ||= Budget.find_by(id: params[:budget_id], component: current_component)
       end
 
       def redirect_path

decidim-budgets/app/controllers/decidim/budgets/projects_controller.rb

@@ -37,7 +37,7 @@ def all_geocoded_projects
       end
 
       def project
-        @project ||= Project.find_by(id: params[:id])
+        @project ||= budget&.projects&.find_by(id: params[:id])
       end
 
       def search_collection

decidim-conferences/app/controllers/decidim/conferences/admin/conference_invites_controller.rb

@@ -10,29 +10,31 @@ class ConferenceInvitesController < Decidim::Conferences::Admin::ApplicationCont
 
         helper_method :conference
 
+        alias conference current_participatory_space
+
         def index
-          enforce_permission_to :read_invites, :conference, conference: conference
+          enforce_permission_to(:read_invites, :conference, conference: current_participatory_space)
 
           @query = params[:q]
           @status = params[:status]
-          @conference_invites = Decidim::Conferences::Admin::ConferenceInvites.for(conference.conference_invites, @query, @status).page(params[:page]).per(15)
+          @conference_invites = Decidim::Conferences::Admin::ConferenceInvites.for(current_participatory_space.conference_invites, @query, @status).page(params[:page]).per(15)
         end
 
         def new
-          enforce_permission_to :invite_attendee, :conference, conference: conference
+          enforce_permission_to(:invite_attendee, :conference, conference: current_participatory_space)
 
           @form = form(ConferenceRegistrationInviteForm).instance
         end
 
         def create
-          enforce_permission_to :invite_attendee, :conference, conference: conference
+          enforce_permission_to(:invite_attendee, :conference, conference: current_participatory_space)
 
           @form = form(ConferenceRegistrationInviteForm).from_params(params)
 
-          InviteUserToJoinConference.call(@form, conference, current_user) do
+          InviteUserToJoinConference.call(@form, current_participatory_space, current_user) do
             on(:ok) do
               flash[:notice] = I18n.t("conference_invites.create.success", scope: "decidim.conferences.admin")
-              redirect_to conference_conference_invites_path(conference)
+              redirect_to conference_conference_invites_path(current_participatory_space)
             end
 
             on(:invalid) do
@@ -41,12 +43,6 @@ def create
             end
           end
         end
-
-        private
-
-        def conference
-          @conference ||= Decidim::Conference.find_by(slug: params[:conference_slug])
-        end
       end
     end
   end

decidim-conferences/app/controllers/decidim/conferences/admin/conference_registrations_controller.rb

@@ -11,24 +11,26 @@ class ConferenceRegistrationsController < Decidim::Conferences::Admin::Applicati
 
         helper_method :conference
 
+        alias conference current_participatory_space
+
         def index
-          enforce_permission_to :read_conference_registrations, :conference, conference: conference
+          enforce_permission_to(:read_conference_registrations, :conference, conference: current_participatory_space)
 
-          @conference_registrations = paginate(Decidim::Conferences::ConferenceRegistration.where(conference: conference))
+          @conference_registrations = paginate(current_participatory_space.conference_registrations)
         end
 
         def export
-          enforce_permission_to :export_conference_registrations, :conference, conference: conference
+          enforce_permission_to(:export_conference_registrations, :conference, conference: current_participatory_space)
 
-          ExportConferenceRegistrations.call(conference, params[:format], current_user) do
+          ExportConferenceRegistrations.call(current_participatory_space, params[:format], current_user) do
             on(:ok) do |export_data|
               send_data export_data.read, type: "text/#{export_data.extension}", filename: export_data.filename("conference_registrations")
             end
           end
         end
 
         def confirm
-          enforce_permission_to :confirm, :conference_registration, conference_registration: conference_registration
+          enforce_permission_to(:confirm, :conference_registration, conference_registration: conference_registration)
 
           ConfirmConferenceRegistration.call(conference_registration, current_user) do
             on(:ok) do
@@ -45,14 +47,10 @@ def confirm
 
         private
 
-        def conference
-          @conference ||= Decidim::Conference.find_by(slug: params[:conference_slug])
-        end
-
         def conference_registration
           return if params[:id].blank?
 
-          @conference_registration ||= conference.conference_registrations.find_by(id: params[:id])
+          @conference_registration ||= current_participatory_space.conference_registrations.find_by(id: params[:id])
         end
       end
     end

decidim-conferences/app/controllers/decidim/conferences/admin/conference_speakers_controller.rb

@@ -85,7 +85,7 @@ def conference_speaker
         end
 
         def collection
-          @collection ||= Decidim::ConferenceSpeaker.where(conference: current_conference)
+          @collection ||= current_conference.speakers
         end
       end
     end

decidim-conferences/app/controllers/decidim/conferences/admin/media_links_controller.rb

@@ -75,7 +75,7 @@ def destroy
         private
 
         def collection
-          @collection ||= Decidim::Conferences::MediaLink.where(conference: current_conference)
+          @collection ||= current_conference.media_links
         end
       end
     end

decidim-conferences/app/controllers/decidim/conferences/admin/partners_controller.rb

@@ -76,7 +76,7 @@ def destroy
         private
 
         def collection
-          @collection ||= Decidim::Conferences::Partner.where(conference: current_conference)
+          @collection ||= current_conference.partners
         end
       end
     end

decidim-conferences/app/controllers/decidim/conferences/admin/registration_type_publications_controller.rb

@@ -45,7 +45,7 @@ def destroy
         private
 
         def collection
-          @collection ||= Decidim::Conferences::RegistrationType.where(conference: current_conference)
+          @collection ||= current_conference.registration_types
         end
       end
     end

decidim-conferences/app/controllers/decidim/conferences/admin/registration_types_controller.rb

@@ -77,7 +77,7 @@ def destroy
         private
 
         def collection
-          @collection ||= Decidim::Conferences::RegistrationType.where(conference: current_conference)
+          @collection ||= current_conference.registration_types
         end
       end
     end

decidim-conferences/app/controllers/decidim/conferences/conference_registrations_controller.rb

@@ -71,7 +71,7 @@ def ensure_signed_in
       end
 
       def conference
-        @conference ||= Conference.find_by(slug: params[:conference_slug])
+        @conference ||= Conference.find_by(slug: params[:conference_slug], organization: current_organization)
       end
 
       def registration_type

decidim-core/app/controllers/decidim/authorization_modals_controller.rb

@@ -17,7 +17,7 @@ def resource
     end
 
     def current_component
-      @current_component ||= Decidim::Component.find(params[:component_id])
+      @current_component ||= Decidim::Component.where(participatory_space: current_organization.participatory_spaces).find(params[:component_id])
     end
 
     def authorization_action

decidim-core/app/controllers/decidim/short_links_controller.rb

@@ -29,7 +29,7 @@ def show
     #
     # @return [Decidim::ShortLink] The short link matching the identifier
     def link
-      @link ||= Decidim::ShortLink.find_by(identifier: params[:id])
+      @link ||= Decidim::ShortLink.find_by(identifier: params[:id], organization: current_organization)
     end
   end
 end

decidim-core/app/models/decidim/organization.rb

@@ -87,6 +87,12 @@ def top_scopes
       @top_scopes ||= scopes.top_level
     end
 
+    def participatory_spaces
+      @participatory_spaces ||= Decidim.participatory_space_manifests.flat_map do |manifest|
+        manifest.participatory_spaces.call(self)
+      end
+    end
+
     def public_participatory_spaces
       @public_participatory_spaces ||= Decidim.participatory_space_manifests.flat_map do |manifest|
         manifest.participatory_spaces.call(self).public_spaces

decidim-elections/app/controllers/decidim/elections/admin/trustees_participatory_spaces_controller.rb

@@ -72,7 +72,7 @@ def destroy
         private
 
         def trustee_participatory_space
-          @trustee_participatory_space ||= TrusteesParticipatorySpace.find_by(id: params[:id])
+          @trustee_participatory_space ||= TrusteesParticipatorySpace.find_by(id: params[:id], participatory_space: current_participatory_space)
         end
 
         def trustees

decidim-elections/app/controllers/decidim/votings/admin/votings_landing_page_content_blocks_controller.rb

@@ -18,7 +18,7 @@ def content_block_scope
         end
 
         def scoped_resource
-          @scoped_resource ||= Voting.find_by(slug: params[:voting_slug])
+          @scoped_resource ||= Voting.find_by(slug: params[:voting_slug], organization: current_organization)
         end
 
         def enforce_permission_to_update_resource

decidim-elections/app/controllers/decidim/votings/admin/votings_landing_page_controller.rb

@@ -16,7 +16,7 @@ def content_block_scope
         end
 
         def scoped_resource
-          @scoped_resource ||= Voting.find_by(slug: params[:voting_slug])
+          @scoped_resource ||= Voting.find_by(slug: params[:voting_slug], organization: current_organization)
         end
 
         def enforce_permission_to_update_resource

decidim-elections/app/controllers/decidim/votings/polling_officer_zone/closures_controller.rb

@@ -111,7 +111,10 @@ def polling_officer
         end
 
         def election
-          @election ||= Decidim::Elections::Election.includes(questions: :answers).find_by(id: params[:election_id])
+          @election ||= Decidim::Elections::Election.joins(:component)
+                                                    .where(component: { participatory_space: current_organization.participatory_spaces })
+                                                    .includes(questions: :answers)
+                                                    .find_by(id: params[:election_id])
         end
 
         def polling_station

decidim-elections/app/controllers/decidim/votings/polling_officer_zone/in_person_votes_controller.rb

@@ -121,7 +121,10 @@ def voted_online?
         end
 
         def election
-          @election ||= Decidim::Elections::Election.find(params[:election_id])
+          @election ||= Decidim::Elections::Election.joins(:component)
+                                                    .where(component: { participatory_space: current_organization.participatory_spaces })
+                                                    .includes(questions: :answers)
+                                                    .find_by(id: params[:election_id])
         end
 
         def polling_officer

decidim-elections/app/controllers/decidim/votings/votings_controller.rb

@@ -103,7 +103,7 @@ def datum
       end
 
       def election
-        @election ||= Decidim::Elections::Election.find(params[:election_id])
+        @election ||= Decidim::Elections::Election.where(component: current_participatory_space.components).find(params[:election_id])
       end
 
       def elections

decidim-initiatives/app/controllers/decidim/initiatives/admin/committee_requests_controller.rb

@@ -41,7 +41,7 @@ def revoke
         private
 
         def membership_request
-          @membership_request ||= InitiativesCommitteeMember.find(params[:id])
+          @membership_request ||= InitiativesCommitteeMember.where(initiative: current_participatory_space).find(params[:id])
         end
       end
     end

decidim-initiatives/app/controllers/decidim/initiatives/admin/initiatives_type_scopes_controller.rb

@@ -69,7 +69,7 @@ def destroy
         private
 
         def current_initiative_type_scope
-          @current_initiative_type_scope ||= InitiativesTypeScope.find(params[:id])
+          @current_initiative_type_scope ||= InitiativesTypeScope.joins(:type).where(decidim_initiatives_types: { organization: current_organization }).find(params[:id])
         end
 
         def initiative_type_scope_form

decidim-initiatives/app/controllers/decidim/initiatives/admin/initiatives_types_controller.rb

@@ -84,7 +84,7 @@ def destroy
         private
 
         def current_initiative_type
-          @current_initiative_type ||= InitiativesType.find(params[:id])
+          @current_initiative_type ||= InitiativesType.where(organization: current_organization).find(params[:id])
         end
 
         def initiative_type_form

decidim-initiatives/app/controllers/decidim/initiatives/committee_requests_controller.rb

@@ -70,7 +70,7 @@ def revoke
       private
 
       def membership_request
-        @membership_request ||= InitiativesCommitteeMember.find(params[:id])
+        @membership_request ||= InitiativesCommitteeMember.where(initiative: current_participatory_space).find(params[:id])
       end
     end
   end

decidim-initiatives/app/controllers/decidim/initiatives/create_initiative_controller.rb

@@ -163,11 +163,11 @@ def scopes
       end
 
       def current_initiative
-        Initiative.find(session_initiative[:id]) if session_initiative.has_key?(:id)
+        Initiative.where(organization: current_organization).find_by(id: session_initiative[:id]) if session_initiative.has_key?(:id)
       end
 
       def initiative_type
-        @initiative_type ||= InitiativesType.find(initiative_type_id)
+        @initiative_type ||= InitiativesType.where(organization: current_organization).find_by(id: initiative_type_id)
       end
 
       def initiative_type_id