Merge branch 'production' of gitlab.com:participa/noosfero into production

* 'production' of gitlab.com:participa/noosfero: (173 commits) update submodule update submodule add rubygems source fixed tasks_controller_test added random as a possible value for make_order_with_parameters added sql injection protection to method make_order_with_parameters HOTFIX: removing wrong comment HOTFIX: fix tests fix new content url in not found content submodule: updating submodule Adapting views and helpers to datime format Remove admins.map that generate a SQL query for each user causing performance problems. Translated using Weblate (Armenian) scheduler: scope into Noosfero change event start date and ende date to datetime search: realign search box and search button Avoid unecessary user save after update person scrap_test: destroy actiontracker to stabilize #last Remove letfover selectordie files Update proposals discussion plugin ...

Merge branch 'production' of gitlab.com:participa/noosfero into production
* 'production' of gitlab.com:participa/noosfero: (173 commits) update submodule update submodule add rubygems source fixed tasks_controller_test added random as a possible value for make_order_with_parameters added sql injection protection to method make_order_with_parameters HOTFIX: removing wrong comment HOTFIX: fix tests fix new content url in not found content submodule: updating submodule Adapting views and helpers to datime format Remove admins.map that generate a SQL query for each user causing performance problems. Translated using Weblate (Armenian) scheduler: scope into Noosfero change event start date and ende date to datetime search: realign search box and search button Avoid unecessary user save after update person scrap_test: destroy actiontracker to stabilize #last Remove letfover selectordie files Update proposals discussion plugin ...
Evandro Junior
2 parents 3a14efd3 9db1b539
Showing 185 changed files with 64518 additions and 62530 deletions Show diff stats
.gitlab-ci.yml
.gitmodules
.travis.yml
Gemfile
app/controllers/admin/environment_email_templates_controller.rb
app/controllers/email_templates_controller.rb
app/controllers/my_profile/manage_products_controller.rb
app/controllers/my_profile/profile_email_templates_controller.rb
app/controllers/my_profile/tasks_controller.rb
app/controllers/public/contact_controller.rb
app/controllers/public/profile_controller.rb
app/controllers/public/search_controller.rb
app/helpers/application_helper.rb
app/helpers/content_viewer_helper.rb
app/helpers/dates_helper.rb
app/helpers/email_template_helper.rb
app/helpers/events_helper.rb
app/helpers/forms_helper.rb
app/helpers/task_helper.rb
app/mailers/task_mailer.rb
 before_script:
   - mkdir -p tmp/pids log
   - bundle check || bundle install
+# workaround for plugins with Gemfile
+  - perl -pi -e 's/--local //' script/noosfero-plugins
   - script/noosfero-plugins disableall
   - bundle exec rake makemo &>/dev/null
 # database
@@ -28,3 +28,9 @@
 [submodule "public/proposal-app"]
 	path = public/proposal-app
 	url = https://gitlab.com/participa/proposal-app.git
+[submodule "plugins/gravatar-provider"]
+	path = plugins/gravatar-provider
+	url = https://gitlab.com/noosfero-plugins/gravatar-provider.git
+[submodule "plugins/juventude"]
+	path = plugins/juventude
+	url = https://gitlab.com/noosfero-plugins/juventude.git
@@ -2,7 +2,6 @@ language: ruby
 rvm:
 # for 2.2 support we need to upgrade the pg gem
   - 2.1.6
-cache: bundler
  
 sudo: false
 addons:
@@ -19,9 +18,20 @@ addons:
       - libsqlite3-dev
       - libxslt1-dev
  
+before_install:
+  - gem env
+
+# workaround for https://github.com/travis-ci/travis-ci/issues/4536
+before_install:
+  - export GEM_HOME=$PWD/vendor/bundle/ruby/2.1.0
+  - gem install bundler
+cache: bundler
+
 before_script:
   - mkdir -p tmp/pids log
-  - bundle check || bundle install
+# workaround for plugins with Gemfile
+  - perl -pi -e 's/cat .+ > \$gemfile/echo "source \\"https:\/\/rubygems.org\\"" > \$gemfile && cat \$source\/Gemfile >> \$gemfile/' script/noosfero-plugins
+  - perl -pi -e 's/--local --quiet/install --jobs=3 --retry=3/' script/noosfero-plugins
   - script/noosfero-plugins disableall
   - bundle exec rake makemo &>/dev/null
 # database
@@ -28,6 +28,11 @@ gem &#39;grape-entity&#39;
 gem 'grape_logging', :git => 'https://github.com/aceunreal/grape_logging.git', :ref => '100091b'
 gem 'rack-cors'
 gem 'rack-contrib'
+gem 'liquid',                    '~> 3.0.3'
+#gem 'grape-swagger-rails'
+
+# FIXME list here all actual dependencies (i.e. the ones in debian/control),
+# with their GEM names (not the Debian package names)
  
 gem 'api-pagination',           '~> 4.1.1'
  
@@ -0,0 +1,15 @@
+class EnvironmentEmailTemplatesController < EmailTemplatesController
+
+  protect 'manage_email_templates', :environment
+
+  protected
+
+  def owner
+    environment
+  end
+
+  before_filter :only => :index do
+    @back_to = url_for(:controller => :admin_panel)
+  end
+
+end
@@ -0,0 +1,62 @@
+class EmailTemplatesController < ApplicationController
+
+  def index
+    @email_templates = owner.email_templates
+  end
+
+  def show
+    @email_template = owner.email_templates.find(params[:id])
+
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render json: @email_template }
+    end
+  end
+
+  def show_parsed
+    @email_template = owner.email_templates.find(params[:id])
+    template_params = {:profile => owner, :environment => environment}
+    render json: {:parsed_body => @email_template.parsed_body(template_params), :parsed_subject => @email_template.parsed_subject(template_params)}
+  end
+
+  def new
+    @email_template = owner.email_templates.build(:owner => owner)
+  end
+
+  def edit
+    @email_template = owner.email_templates.find(params[:id])
+  end
+
+  def create
+    @email_template = owner.email_templates.build(params[:email_template])
+    @email_template.owner = owner
+
+    if @email_template.save
+      session[:notice] = _('Email template was successfully created.')
+      redirect_to url_for(:action => :index)
+    else
+      render action: "new"
+    end
+  end
+
+  def update
+    @email_template = owner.email_templates.find(params[:id])
+
+    if @email_template.update_attributes(params[:email_template])
+      session[:notice] = _('Email template was successfully updated.')
+      redirect_to url_for(:action => :index)
+    else
+      render action: "edit"
+    end
+  end
+
+  def destroy
+    @email_template = owner.email_templates.find(params[:id])
+    @email_template.destroy
+
+    respond_to do |format|
+      format.html { redirect_to url_for(:action => :index)}
+      format.json { head :no_content }
+    end
+  end
+end
@@ -206,7 +206,8 @@ class ManageProductsController &lt; ApplicationController
   end
  
   def certifiers_for_selection
-    @qualifier = Qualifier.exists?(params[:id]) ? Qualifier.find(params[:id]) : nil
+    # updated to use hash as argument to exists? to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+    @qualifier = Qualifier.exists?(:id => params[:id]) ? Qualifier.find(params[:id]) : nil
     render :update do |page|
       page.replace_html params[:certifier_area], :partial => 'certifiers_for_selection'
     end
@@ -0,0 +1,16 @@
+class ProfileEmailTemplatesController < EmailTemplatesController
+
+  needs_profile
+  protect 'manage_email_templates', :profile
+
+  protected
+
+  def owner
+    profile
+  end
+
+  before_filter :only => :index do
+    @back_to = url_for(:controller => :profile_editor)
+  end
+
+end
 class TasksController < MyProfileController
  
   protect [:perform_task, :view_tasks], :profile, :only => [:index, :save_tags, :search_tags]
-  protect :perform_task, :profile, :except => [:index, :save_tags, :search_tags]
+  protect :perform_task, :profile, :only => [:processed, :change_responsible, :close, :new, :list_requested, :ticket_details, :search_tags]
  
   def index
+    @rejection_email_templates = profile.email_templates.find_all_by_template_type(:task_rejection)
+    @acceptance_email_templates = profile.email_templates.find_all_by_template_type(:task_acceptance)
+
     @filter_type = params[:filter_type].presence
     @filter_text = params[:filter_text].presence
     @filter_responsible = params[:filter_responsible]
@@ -19,13 +22,17 @@ class TasksController &lt; MyProfileController
  
     @failed = params ? params[:failed] : {}
  
-    @responsible_candidates = profile.members.by_role(profile.roles.reject {|r| !r.has_permission?('perform_task')}) if profile.organization?
+    @responsible_candidates = profile.members.by_role(profile.roles.reject {|r| !r.has_permission?('perform_task') && !r.has_permission?('view_tasks')}) if profile.organization?
  
     @view_only = !current_person.has_permission?(:perform_task, profile)
   end
  
   def processed
-    @tasks = Task.to(profile).without_spam.closed.sort_by(&:created_at)
+    @tasks = Task.to(profile).without_spam.closed.order('tasks.created_at DESC')
+    @filter = params[:filter] || {}
+    @tasks = filter_tasks(@filter, @tasks)
+    @tasks = @tasks.paginate(:per_page => Task.per_page, :page => params[:page])
+    @task_types = Task.closed_types_for(profile)
   end
  
   def change_responsible
@@ -78,6 +85,7 @@ class TasksController &lt; MyProfileController
     end
  
     url = { :action => 'index' }
+
     if failed.blank?
       session[:notice] = _("All decisions were applied successfully.")
     else
@@ -109,9 +117,9 @@ class TasksController &lt; MyProfileController
   end
  
   def search_tasks
-
-    params[:filter_type] = params[:filter_type].blank? ? nil : params[:filter_type]
-    result = Task.pending_all(profile,params)
+    filter_type = params[:filter_type].presence
+    filter_text = params[:filter_text].presence
+    result = Task.pending_all(profile,filter_type, filter_text)
  
     render :json => result.map { |task| {:label => task.data[:name], :value => task.data[:name]} }
   end
@@ -125,10 +133,9 @@ class TasksController &lt; MyProfileController
  
       ActsAsTaggableOn.remove_unused_tags = true
  
-      task = Task.to(profile).find_by_id params[:task_id]
-      save = user.tag(task, with: params[:tag_list], on: :tags)
-
-      if save
+      task = profile.tasks.find_by_id(params[:task_id])
+      
+      if task && task.update_attributes(:tag_list => params[:tag_list])
         result[:success] = true
       end
     end
@@ -149,7 +156,39 @@ class TasksController &lt; MyProfileController
     result = ActsAsTaggableOn::Tag.find(:all, :conditions => ['LOWER(name) LIKE ?', "%#{arg}%"])
  
     render :text => prepare_to_token_input_by_label(result).to_json, :content_type => 'application/json'
+  end
+
+  protected
+
+  def filter_by_closed_date(filter, tasks)
+    filter[:closed_from] = Date.parse(filter[:closed_from]) unless filter[:closed_from].blank?
+    filter[:closed_until] = Date.parse(filter[:closed_until]) unless filter[:closed_until].blank?
+
+    tasks = tasks.where('tasks.end_date >= ?', filter[:closed_from].beginning_of_day) unless filter[:closed_from].blank?
+    tasks = tasks.where('tasks.end_date <= ?', filter[:closed_until].end_of_day) unless filter[:closed_until].blank?
+    tasks
+  end
+
+  def filter_by_creation_date(filter, tasks)
+    filter[:created_from] = Date.parse(filter[:created_from]) unless filter[:created_from].blank?
+    filter[:created_until] = Date.parse(filter[:created_until]) unless filter[:created_until].blank?
+
+    tasks = tasks.where('tasks.created_at >= ?', filter[:created_from].beginning_of_day) unless filter[:created_from].blank?
+    tasks = tasks.where('tasks.created_at <= ?', filter[:created_until].end_of_day) unless filter[:created_until].blank?
+    tasks
+  end
  
+  def filter_tasks(filter, tasks)
+    tasks = tasks.includes(:requestor, :closed_by)
+    tasks = tasks.of(filter[:type].presence)
+    tasks = tasks.where(:status => filter[:status]) unless filter[:status].blank?
+    tasks = filter_by_creation_date(filter, tasks)
+    tasks = filter_by_closed_date(filter, tasks)
+
+    tasks = tasks.like('profiles.name', filter[:requestor]) unless filter[:requestor].blank?
+    tasks = tasks.like('closed_bies_tasks.name', filter[:closed_by]) unless filter[:closed_by].blank?
+    tasks = tasks.like('tasks.data', filter[:text]) unless filter[:text].blank?
+    tasks
   end
  
 end
@@ -6,8 +6,9 @@ class ContactController &lt; PublicController
   def new
     @contact = build_contact
     if request.post? && params[:confirm] == 'true'
-      @contact.city = (!params[:city].blank? && City.exists?(params[:city])) ? City.find(params[:city]).name : nil
-      @contact.state = (!params[:state].blank? && State.exists?(params[:state])) ? State.find(params[:state]).name : nil
+      # updated to use hash as argument to exists? to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+      @contact.city = (!params[:city].blank? && City.exists?(:id => params[:city])) ? City.find(params[:city]).name : nil
+      @contact.state = (!params[:state].blank? && State.exists?(:id => params[:state])) ? State.find(params[:state]).name : nil
       if @contact.deliver
         session[:notice] = _('Contact successfully sent')
         redirect_to :action => 'new'
@@ -356,6 +356,7 @@ class ProfileController &lt; PublicController
  
   def send_mail
     @mailing = profile.mailings.build(params[:mailing])
+    @email_templates = profile.email_templates.find_all_by_template_type(:organization_members)
     if request.post?
       @mailing.locale = locale
       @mailing.person = user
@@ -95,10 +95,10 @@ class SearchController &lt; PublicController
  
   def events
     if params[:year].blank? && params[:year].blank? && params[:day].blank?
-      @date = Date.today
+      @date = DateTime.now
     else
-      year = (params[:year] ? params[:year].to_i : Date.today.year)
-      month = (params[:month] ? params[:month].to_i : Date.today.month)
+      year = (params[:year] ? params[:year].to_i : DateTime.now.year)
+      month = (params[:month] ? params[:month].to_i : DateTime.now.month)
       day = (params[:day] ? params[:day].to_i : 1)
       @date = build_date(year, month, day)
     end
@@ -109,9 +109,7 @@ class SearchController &lt; PublicController
       @events = @category ?
         environment.events.by_day(@date).in_category(Category.find(@category_id)).paginate(:per_page => per_page, :page => params[:page]) :
         environment.events.by_day(@date).paginate(:per_page => per_page, :page => params[:page])
-    end
-
-    if params[:year] || params[:month]
+    elsif params[:year] || params[:month]
       @events = @category ?
         environment.events.by_month(@date).in_category(Category.find(@category_id)).paginate(:per_page => per_page, :page => params[:page]) :
         environment.events.by_month(@date).paginate(:per_page => per_page, :page => params[:page])
@@ -44,6 +44,8 @@ module ApplicationHelper
  
   include PluginsHelper
  
+  include TaskHelper
+
   def locale
     (@page && !@page.language.blank?) ? @page.language : FastGettext.locale
   end
@@ -606,24 +608,14 @@ module ApplicationHelper
         trigger_class = 'enterprise-trigger'
       end
     end
-
-    extra_info_tag = ''
-    img_class = 'profile-image'
-
-    if extra_info.is_a? Hash
-      extra_info_tag = content_tag( 'span', extra_info[:value], :class => 'extra_info '+extra_info[:class])
-      img_class +=' '+extra_info[:class]
-    else
-      extra_info_tag = content_tag( 'span', extra_info, :class => 'extra_info' )
-    end
-    #extra_info = extra_info.nil? ? '' : content_tag( 'span', extra_info, :class => 'extra_info' )
+    extra_info = extra_info.nil? ? '' : content_tag( 'span', extra_info, :class => 'extra_info' )
     links = links_for_balloon(profile)
     content_tag('div', content_tag(tag,
                                    (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ? popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "") +
     link_to(
-      content_tag( 'span', profile_image( profile, size ), :class => img_class ) +
+      content_tag( 'span', profile_image( profile, size ), :class => 'profile-image' ) +
       content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
-      extra_info_tag + profile_sex_icon( profile ) + profile_cat_icons( profile ),
+      extra_info + profile_sex_icon( profile ) + profile_cat_icons( profile ),
       profile.url,
       :class => 'profile_link url',
       :help => _('Click on this icon to go to the <b>%s</b>\'s home page') % profile.name,
@@ -51,7 +51,7 @@ module ContentViewerHelper
     elsif date_format == 'past_time'
       left_time = true
     end
-    content_tag('span', show_date(article.published_at, use_numbers , year, left_time), :class => 'date')
+    content_tag('span', show_time(article.published_at, use_numbers , year, left_time), :class => 'date')
   end
  
   def link_to_comments(article, args = {})
@@ -43,9 +43,14 @@ module DatesHelper
   end
  
   # formats a datetime for displaying.
-  def show_time(time)
-    if time
-      _('%{day} %{month} %{year}, %{hour}:%{minutes}') % { :year => time.year, :month => month_name(time.month), :day => time.day, :hour => time.hour, :minutes => time.strftime("%M") }
+  def show_time(time, use_numbers = false, year = true, left_time = false)
+    if time && use_numbers
+      _('%{month}/%{day}/%{year}, %{hour}:%{minutes}') % { :year => (year ? time.year : ''), :month => time.month, :day => time.day, :hour => time.hour, :minutes => time.strftime("%M") }
+    elsif time && left_time
+      date_format = time_ago_in_words(time)
+    elsif time
+      date_format = year ? _('%{month_name} %{day}, %{year} %{hour}:%{minutes}') : _('%{month_name} %{day} %{hour}:%{minutes}')
+      date_format % { :day => time.day, :month_name => month_name(time.month), :year => time.year, :hour => time.hour, :minutes => time.strftime("%M") }
     else
       ''
     end
@@ -53,7 +58,7 @@ module DatesHelper
  
   def show_period(date1, date2 = nil, use_numbers = false)
     if (date1 == date2) || (date2.nil?)
-      show_date(date1, use_numbers)
+      show_time(date1, use_numbers)
     else
       if date1.year == date2.year
         if date1.month == date2.month
@@ -72,8 +77,8 @@ module DatesHelper
         end
       else
         _('from %{date1} to %{date2}') % {
-          :date1 => show_date(date1, use_numbers),
-          :date2 => show_date(date2, use_numbers)
+          :date1 => show_time(date1, use_numbers),
+          :date2 => show_time(date2, use_numbers)
         }
       end
     end
@@ -106,18 +111,18 @@ module DatesHelper
  
   def build_date(year, month, day = 1)
     if year.blank? and month.blank? and day.blank?
-      Date.today
+      DateTime.now
     else
       if year.blank?
-        year = Date.today.year
+        year = DateTime.now.year
       end
       if month.blank?
-        month = Date.today.month
+        month = DateTime.now.month
       end
       if day.blank?
         day = 1
       end
-      Date.new(year.to_i, month.to_i, day.to_i)
+      DateTime.new(year.to_i, month.to_i, day.to_i)
     end
   end
  
@@ -0,0 +1,12 @@
+module EmailTemplateHelper
+
+  def mail_with_template(params={})
+    if params[:email_template].present?
+      params[:body] = params[:email_template].parsed_body(params[:template_params])
+      params[:subject] = params[:email_template].parsed_subject(params[:template_params])
+      params[:content_type] = "text/html"
+    end
+    mail(params.except(:email_template))
+  end
+
+end
@@ -16,7 +16,7 @@ module EventsHelper
  
     content_tag( 'tr',
       content_tag('td',
-        content_tag('div', show_date(article.start_date) + ( article.end_date.nil? ?  '' : (_(" to ") + show_date(article.end_date))),:class => 'event-date' ) +
+        content_tag('div', show_time(article.start_date) + ( article.end_date.nil? ?  '' : (_(" to ") + show_time(article.end_date))),:class => 'event-date' ) +
         content_tag('div',link_to(article.name,article.url),:class => 'event-title') +
         content_tag('div',(article.address.nil? or article.address == '')  ? '' : (_('Place: ') + article.address),:class => 'event-place')
       )
@@ -30,7 +30,7 @@ module EventsHelper
         # the day itself
         date,
         # is there any events in this date?
-        events.any? {|event| event.date_range.include?(date)},
+        events.any? {|event| event.date_range.cover?(date)},
         # is this date in the current month?
         true
       ]
@@ -151,7 +151,7 @@ module FormsHelper
     datepicker_options[:close_text] ||= _('Done')
     datepicker_options[:constrain_input] ||= true
     datepicker_options[:current_text] ||= _('Today')
-    datepicker_options[:date_format] ||= 'mm/dd/yy'
+    datepicker_options[:date_format] ||= 'yy/mm/dd'
     datepicker_options[:day_names] ||= [_('Sunday'), _('Monday'), _('Tuesday'), _('Wednesday'), _('Thursday'), _('Friday'), _('Saturday')]
     datepicker_options[:day_names_min] ||= [_('Su'), _('Mo'), _('Tu'), _('We'), _('Th'), _('Fr'), _('Sa')]
     datepicker_options[:day_names_short] ||= [_('Sun'), _('Mon'), _('Tue'), _('Wed'), _('Thu'), _('Fri'), _('Sat')]
@@ -236,7 +236,7 @@ module FormsHelper
         weekHeader: #{datepicker_options[:week_header].to_json},
         yearRange: #{datepicker_options[:year_range].to_json},
         yearSuffix: #{datepicker_options[:year_suffix].to_json}
-      })
+      }).datepicker('setDate', new Date('#{value}'))
     </script>
     ".html_safe
     result
@@ -0,0 +1,23 @@
+module TaskHelper
+
+  def task_email_template(description, email_templates, task, include_blank=true)
+    return '' unless email_templates.present?
+
+    content_tag(
+      :div,
+      labelled_form_field(description, select_tag("tasks[#{task.id}][task][email_template_id]", options_from_collection_for_select(email_templates, :id, :name), :include_blank => include_blank, 'data-url' => url_for(:controller => 'profile_email_templates', :action => 'show_parsed', :profile => profile.identifier))),
+      :class => 'template-selection'
+    )
+  end
+
+  def task_action action
+    base_url = { action: action }
+    url_for(base_url.merge(filter_params))
+  end
+
+  def filter_params
+    filter_fields = ['filter_type', 'filter_text', 'filter_responsible', 'filter_tags']
+    params.select {|filter| filter if filter_fields.include? filter }
+  end
+
+end
 class TaskMailer < ActionMailer::Base
  
+  include EmailTemplateHelper
+
   def target_notification(task, message)
     @message = extract_message(message)
     @target = task.target.name
@@ -34,10 +36,12 @@ class TaskMailer &lt; ActionMailer::Base
     @environment = task.requestor.environment.name
     @url = url_for(:host => task.requestor.environment.default_hostname, :controller => 'home')
  
-    mail(
+    mail_with_template(
       to: task.requestor.notification_emails,
       from: self.class.generate_from(task),
-      subject: '[%s] %s' % [task.requestor.environment.name, task.target_notification_description]
+      subject: '[%s] %s' % [task.requestor.environment.name, task.target_notification_description],
+      email_template: task.email_template,
+      template_params: {:environment => task.requestor.environment, :task => task, :message => @message, :url => @url, :requestor => task.requestor}
     )
   end
  
 class UserMailer < ActionMailer::Base
+
+  include EmailTemplateHelper
+
   def activation_email_notify(user)
     user_email = "#{user.login}@#{user.email_domain}"
     @name = user.name
@@ -22,10 +25,12 @@ class UserMailer &lt; ActionMailer::Base
     @redirection = (true if user.return_to)
     @join = (user.community_to_join if user.community_to_join)
  
-    mail(
+    mail_with_template(
       from: "#{user.environment.name} <#{user.environment.contact_email}>",
       to: user.email,
       subject: _("[%s] Activate your account") % [user.environment.name],
+      template_params: {:environment => user.environment, :activation_code => @activation_code, :redirection => @redirection, :join => @join},
+      email_template: user.environment.email_templates.find_by_template_type(:user_activation),
     )
   end
  
@@ -645,6 +645,14 @@ class Article &lt; ActiveRecord::Base
     can_display_hits? && display_hits
   end
  
+  def display_media_panel?
+    can_display_media_panel? && environment.enabled?('media_panel')
+  end
+
+  def can_display_media_panel?
+    false
+  end
+
   def image?
     false
   end
@@ -813,6 +821,10 @@ class Article &lt; ActiveRecord::Base
     "content_viewer/view_page"
   end
  
+  def to_liquid
+    HashWithIndifferentAccess.new :name => name, :abstract => abstract, :body => body, :id => id, :parent_id => parent_id, :author => author
+  end
+
   private
  
   def sanitize_tag_list
@@ -28,6 +28,13 @@ class ChangePassword &lt; Task
   validates_presence_of :password_confirmation, :on => :update, :if => lambda { |change| change.status != Task::Status::CANCELLED }
   validates_confirmation_of :password, :if => lambda { |change| change.status != Task::Status::CANCELLED }
  
+  before_save :set_email_template
+
+  def set_email_template
+    template = environment.email_templates.find_by_template_type(:user_change_password)
+    data[:email_template_id] = template.id unless template.nil?
+  end
+
   def environment
     requestor.environment unless requestor.nil?
   end
@@ -0,0 +1,50 @@
+class EmailTemplate < ActiveRecord::Base
+
+  belongs_to :owner, :polymorphic => true
+
+  attr_accessible :template_type, :subject, :body, :owner, :name
+
+  validates_presence_of :name
+
+  validates :name, uniqueness: { scope: [:owner_type, :owner_id] }
+
+  validates :template_type, uniqueness: { scope: [:owner_type, :owner_id] }, if: :unique_by_type?
+
+  def parsed_body(params)
+    @parsed_body ||= parse(body, params)
+  end
+
+  def parsed_subject(params)
+    @parsed_subject ||= parse(subject, params)
+  end
+
+  def self.available_types
+    {
+      :task_rejection => {:description => _('Task Rejection'), :owner_type => Profile},
+      :task_acceptance => {:description => _('Task Acceptance'), :owner_type => Profile},
+      :organization_members => {:description => _('Organization Members'), :owner_type => Profile},
+      :user_activation => {:description => _('User Activation'), :unique => true, :owner_type => Environment},
+      :user_change_password => {:description => _('Change User Password'), :unique => true, :owner_type => Environment}
+    }
+  end
+
+  def available_types
+    HashWithIndifferentAccess.new EmailTemplate.available_types.select {|k, v| owner.kind_of?(v[:owner_type])}
+  end
+
+  def type_description
+    available_types.fetch(template_type, {})[:description]
+  end
+
+  def unique_by_type?
+    available_types.fetch(template_type, {})[:unique]
+  end
+
+  protected
+
+  def parse(source, params)
+    template = Liquid::Template.parse(source)
+    template.render(HashWithIndifferentAccess.new(params))
+  end
+
+end
@@ -35,4 +35,8 @@ class EnterpriseHomepage &lt; Article
     false
   end
  
+  def can_display_media_panel?
+    true
+  end
+
 end
@@ -21,6 +21,7 @@ class Environment &lt; ActiveRecord::Base
  
   has_many :tasks, :dependent => :destroy, :as => 'target'
   has_many :search_terms, :as => :context
+  has_many :email_templates, :foreign_key => :owner_id
  
   IDENTIFY_SCRIPTS = /(php[0-9s]?|[sp]htm[l]?|pl|py|cgi|rb)/
  
@@ -50,6 +51,7 @@ class Environment &lt; ActiveRecord::Base
     'manage_environment_licenses' => N_('Manage environment licenses'),
     'manage_environment_trusted_sites' => N_('Manage environment trusted sites'),
     'edit_appearance'      => N_('Edit appearance'),
+    'manage_email_templates' => N_('Manage Email Templates'),
   }
  
   module Roles
@@ -985,6 +987,10 @@ class Environment &lt; ActiveRecord::Base
     self.licenses.any?
   end
  
+  def to_liquid
+    HashWithIndifferentAccess.new :name => name
+  end
+
   private
  
   def default_language_available
@@ -3,13 +3,14 @@ require &#39;builder&#39;
  
 class Event < Article
  
-  attr_accessible :start_date, :end_date, :link, :address
+  attr_accessible :start_date, :end_date, :link, :address, :presenter
  
   def self.type_name
     _('Event')
   end
  
   settings_items :address, :type => :string
+  settings_items :presenter, :type => :string
  
   def link=(value)
     self.setting[:link] = maybe_add_http(value)
@@ -23,7 +24,7 @@ class Event &lt; Article
  
   def initialize(*args)
     super(*args)
-    self.start_date ||= Date.today
+    self.start_date ||= DateTime.now
   end
  
   validates_presence_of :title, :start_date
@@ -35,7 +36,7 @@ class Event &lt; Article
   end
  
   scope :by_day, lambda { |date|
-    { :conditions => ['start_date = :date AND end_date IS NULL OR (start_date <= :date AND end_date >= :date)', {:date => date}],
+    { :conditions => [' start_date >= :start_date AND start_date <= :end_date AND end_date IS NULL OR (start_date <= :end_date  AND end_date >= :start_date)', {:start_date => date.beginning_of_day, :end_date => date.end_of_day}],
       :order => 'start_date ASC'
     }
   }
@@ -80,7 +81,7 @@ class Event &lt; Article
  
   def self.date_range(year, month)
     if year.nil? || month.nil?
-      today = Date.today
+      today = DateTime.now
       year = today.year
       month = today.month
     else
@@ -88,7 +89,7 @@ class Event &lt; Article
       month = month.to_i
     end
  
-    first_day = Date.new(year, month, 1)
+    first_day = DateTime.new(year, month, 1)
     last_day = first_day + 1.month - 1.day
  
     first_day..last_day
@@ -134,6 +135,10 @@ class Event &lt; Article
     true
   end
  
+  def can_display_media_panel?
+    true
+  end
+
   include Noosfero::TranslatableContent
   include MaybeAddHttp
  
@@ -178,7 +178,11 @@ class Organization &lt; Profile
   end
  
   def notification_emails
+    # TODO: Add performance improvement here!
+    #emails = [contact_email].select(&:present?) + admins([:user]).pluck(:email)
+    # Revert change to make the tests pass
     emails = [contact_email].select(&:present?) + admins.map(&:email)
+
     if emails.empty?
       emails << environment.contact_email
     end
@@ -19,12 +19,13 @@ class Person &lt; Profile
   acts_as_trackable :after_add => Proc.new {|p,t| notify_activity(t)}
   acts_as_accessor
  
-  acts_as_tagger
  
-  scope :members_of, lambda { |resources|
+  scope :members_of, lambda { |resources, extra_joins = nil|
     resources = [resources] if !resources.kind_of?(Array)
     conditions = resources.map {|resource| "role_assignments.resource_type = '#{resource.class.base_class.name}' AND role_assignments.resource_id = #{resource.id || -1}"}.join(' OR ')
-    { :select => 'DISTINCT profiles.*', :joins => :role_assignments, :conditions => [conditions] }
+    joins = [:role_assignments]
+    joins += extra_joins if extra_joins.is_a? Array
+    { :select => 'DISTINCT profiles.*', :joins => joins, :conditions => [conditions] }
   }
  
   scope :not_members_of, lambda { |resources|
@@ -33,10 +34,11 @@ class Person &lt; Profile
     { :select => 'DISTINCT profiles.*', :conditions => ['"profiles"."id" NOT IN (SELECT DISTINCT profiles.id FROM "profiles" INNER JOIN "role_assignments" ON "role_assignments"."accessor_id" = "profiles"."id" AND "role_assignments"."accessor_type" = (\'Profile\') WHERE "profiles"."type" IN (\'Person\') AND (%s))' % conditions] }
   }
  
-  scope :by_role, lambda { |roles|
+  scope :by_role, lambda { |roles, extra_joins = nil|
     roles = [roles] unless roles.kind_of?(Array)
-    { :select => 'DISTINCT profiles.*', :joins => :role_assignments, :conditions => ['role_assignments.role_id IN (?)',
-roles] }
+    joins = [:role_assignments]
+    joins += extra_joins if extra_joins.is_a? Array
+    { :select => 'DISTINCT profiles.*', :joins => joins, :conditions => ['role_assignments.role_id IN (?)',roles] }
   }
  
   scope :not_friends_of, lambda { |resources|
@@ -216,7 +218,7 @@ roles] }
   contact_informatioin
   ]
  
-  xss_terminate :only => [ :custom_footer, :custom_header, :description, :preferred_domain, :nickname, :sex, :nationality, :country, :state, :city, :district, :zip_code, :address, :address_reference, :cell_phone, :comercial_phone, :personal_website, :jabber_id, :schooling, :formation, :custom_formation, :area_of_study, :custom_area_of_study, :professional_activity, :organization, :organization_website, :contact_phone, :contact_information ], :with => 'white_list'
+  xss_terminate :only => [ :custom_footer, :custom_header, :description, :nickname, :sex, :nationality, :country, :state, :city, :district, :zip_code, :address, :address_reference, :cell_phone, :comercial_phone, :personal_website, :jabber_id, :schooling, :formation, :custom_formation, :area_of_study, :custom_area_of_study, :professional_activity, :organization, :organization_website, :contact_phone, :contact_information ], :with => 'white_list'
  
   validates_multiparameter_assignments
  
@@ -310,7 +312,7 @@ roles] }
   end
  
   after_update do |person|
-    person.user.save!
+    person.user.save! unless person.user.changes.blank?
   end
  
   def is_admin?(environment = nil)
@@ -13,8 +13,11 @@ class ProductCategory &lt; Category
   scope :by_environment, lambda { |environment| {
     :conditions => ['environment_id = ?', environment.id]
   }}
+
+  # updated scope method to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+  # explicited to_i on level argument
   scope :unique_by_level, lambda { |level| {
-    :select => "DISTINCT ON (filtered_category) split_part(path, '/', #{level}) AS filtered_category, categories.*"
+    :select => "DISTINCT ON (filtered_category) split_part(path, '/', #{level.to_i}) AS filtered_category, categories.*"
   }}
  
   def all_products
@@ -3,7 +3,7 @@
 # which by default is the one returned by Environment:default.
 class Profile < ActiveRecord::Base
  
-  attr_accessible :name, :identifier, :public_profile, :nickname, :custom_footer, :custom_header, :address, :zip_code, :contact_phone, :image_builder, :description, :closed, :template_id, :environment, :lat, :lng, :is_template, :fields_privacy, :preferred_domain_id, :category_ids, :country, :city, :state, :national_region_code, :email, :contact_email, :redirect_l10n, :notification_time, :redirection_after_login, :email_suggestions, :allow_members_to_invite, :invite_friends_only, :secret, :custom_fields
+  attr_accessible :name, :identifier, :public_profile, :nickname, :custom_footer, :custom_header, :address, :zip_code, :contact_phone, :image_builder, :description, :closed, :template_id, :environment, :lat, :lng, :is_template, :fields_privacy, :preferred_domain_id, :category_ids, :country, :city, :state, :national_region_code, :email, :contact_email, :redirect_l10n, :notification_time, :redirection_after_login, :email_suggestions, :allow_members_to_invite, :invite_friends_only, :secret, :custom_fields, :administrator_mail_notification, :region
  
   # use for internationalizable human type names in search facets
   # reimplement on subclasses
@@ -107,6 +107,7 @@ class Profile &lt; ActiveRecord::Base
     'invite_members'       => N_('Invite members'),
     'send_mail_to_members' => N_('Send e-Mail to members'),
     'manage_custom_roles'  => N_('Manage custom roles'),
+    'manage_email_templates' => N_('Manage Email Templates'),
   }
  
   acts_as_accessible
@@ -191,8 +192,8 @@ class Profile &lt; ActiveRecord::Base
     alias_method_chain :count, :distinct
   end
  
-  def members_by_role(roles)
-    Person.members_of(self).by_role(roles)
+  def members_by_role(roles, with_entities = nil)
+    Person.members_of(self, with_entities).by_role(roles, with_entities)
   end
  
   acts_as_having_boxes
@@ -223,6 +224,8 @@ class Profile &lt; ActiveRecord::Base
  
   has_many :comments_received, :class_name => 'Comment', :through => :articles, :source => :comments
  
+  has_many :email_templates, :foreign_key => :owner_id
+
   # Although this should be a has_one relation, there are no non-silly names for
   # a foreign key on article to reference the template to which it is
   # welcome_page... =P
@@ -250,6 +253,7 @@ class Profile &lt; ActiveRecord::Base
   settings_items :description
   settings_items :fields_privacy, :type => :hash, :default => {}
   settings_items :email_suggestions, :type => :boolean, :default => false
+  settings_items :administrator_mail_notification, :type => :boolean, :default => true
  
   validates_length_of :description, :maximum => 550, :allow_nil => true
  
@@ -543,6 +547,10 @@ class Profile &lt; ActiveRecord::Base
     self.articles.find(:all, options)
   end
  
+  def to_liquid
+    HashWithIndifferentAccess.new :name => name, :identifier => identifier
+  end
+
   class << self
  
     # finds a profile by its identifier. This method is a shortcut to
@@ -685,15 +693,15 @@ private :generate_url, :url_options
   after_create :insert_default_article_set
   def insert_default_article_set
     if template
-      copy_articles_from template
+      self.save! if copy_articles_from template
     else
       default_set_of_articles.each do |article|
         article.profile = self
         article.advertise = false
         article.save!
       end
+      self.save!
     end
-    self.save!
   end
  
   # Override this method in subclasses of Profile to create a default article
@@ -714,10 +722,12 @@ private :generate_url, :url_options
   end
  
   def copy_articles_from other
+    return false if other.top_level_articles.empty?
     other.top_level_articles.each do |a|
       copy_article_tree a
     end
     self.articles.reload
+    true
   end
  
   def copy_article_tree(article, parent=nil)
@@ -762,6 +772,29 @@ private :generate_url, :url_options
     end
   end
  
+  # Adds many people to profile by id's
+  def add_members_by_id(people_ids)
+
+    unless people_ids.nil? && people_ids.empty?
+
+      people = Person.where(id: people_ids)
+      people.each do |person|
+
+        add_member(person) unless person.is_member_of?(self)
+      end
+    end
+  end
+
+  # Adds many people to profile by email's
+  def add_members_by_email(people_emails)
+
+    people = User.where(email: people_emails)
+    people.each do |user|
+
+      add_member(user.person) unless user.person.is_member_of?(self)
+    end
+  end
+
   def remove_member(person)
     self.disaffiliate(person, Profile::Roles.all_roles(environment.id))
   end
@@ -893,11 +926,11 @@ private :generate_url, :url_options
     self.forums.count.nonzero?
   end
  
-  def admins
+  def admins(with_entities = nil)
     return [] if environment.blank?
     admin_role = Profile::Roles.admin(environment.id)
     return [] if admin_role.blank?
-    self.members_by_role(admin_role)
+    self.members_by_role(admin_role, with_entities)
   end
  
   def enable_contact?
@@ -42,6 +42,8 @@ class Task &lt; ActiveRecord::Base
  
   attr_protected :status
  
+  settings_items :email_template_id, :type => :integer
+
   def initialize(*args)
     super
     self.status = (args.first ? args.first[:status] : nil) || Task::Status::ACTIVE
@@ -68,14 +70,28 @@ class Task &lt; ActiveRecord::Base
       begin
         target_msg = task.target_notification_message
         if target_msg && task.target && !task.target.notification_emails.empty?
-          TaskMailer.target_notification(task, target_msg).deliver
+          if target_profile_accepts_notification?(task)
+            TaskMailer.target_notification(task, target_msg).deliver
+          end
         end
-      rescue NotImplementedError => ex
+      rescue Exception => ex
         Rails.logger.info ex.to_s
       end
     end
   end
  
+  def target_profile_accepts_notification?(task)
+    if target_is_profile?(task)
+      return task.target.administrator_mail_notification
+    else
+      true
+    end
+  end
+
+  def target_is_profile?(task)
+    task.target.kind_of? Profile
+  end
+
   # this method finished the task. It calls #perform, which must be overriden
   # by subclasses. At the end a message (as returned by #finish_message) is
   # sent to the requestor with #notify_requestor.
@@ -282,15 +298,56 @@ class Task &lt; ActiveRecord::Base
     end
   end
  
+  def email_template
+    @email_template ||= email_template_id.present? ? EmailTemplate.find_by_id(email_template_id) : nil
+  end
+
+  def to_liquid
+    HashWithIndifferentAccess.new({
+      :requestor => requestor,
+      :reject_explanation => reject_explanation,
+      :code => code
+    })
+  end
+
   scope :pending, :conditions => { :status =>  Task::Status::ACTIVE }
   scope :hidden, :conditions => { :status =>  Task::Status::HIDDEN }
   scope :finished, :conditions => { :status =>  Task::Status::FINISHED }
   scope :canceled, :conditions => { :status =>  Task::Status::CANCELLED }
   scope :closed, :conditions => { :status =>  [Task::Status::CANCELLED, Task::Status::FINISHED] }
   scope :opened, :conditions => { :status =>  [Task::Status::ACTIVE, Task::Status::HIDDEN] }
-  scope :of, lambda { |type| conditions = type ? "type LIKE '#{type}'" : "1=1"; {:conditions =>  [conditions]} }
+
+  # # updated scope method to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+  # def self.of type
+  #   if type
+  #     where  "type LIKE ?", type
+  #   else
+  #     all
+  #   end
+  # end
+  #
+  # # updated scope method to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+  # def self.order_by attribute_name, sort_order
+  #   if Task.column_names.include? attribute_name
+  #     # TODO  future versions of rails accepts a hash as param to order method
+  #     # which helps to prevent sql injection in an shorter way
+  #     sort_order_filtered = ("ASC".eql? "#{sort_order}".upcase) ? 'asc' : 'desc'
+  #     sort_expression = Task.column_names.collect {|column_name| "#{column_name} #{sort_order_filtered}" if column_name.eql? attribute_name}
+  #     order(sort_expression.join) unless sort_expression.join.empty?
+  #   end
+  # end
+  #
+  # # updated scope method to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+  # def self.like field, value
+  #   if value and Tasks.column_names.include? field
+  #     where("LOWER(?) LIKE ?", "#{field}", "%#{value.downcase}%")
+  #   end
+  # end
+
+  scope :of, lambda { |type| conditions = type ? "tasks.type LIKE '#{type}'" : "1=1"; {:conditions =>  [conditions]} }
   scope :order_by, lambda { |attribute, ord| {:order => "#{attribute} #{ord}"} }
   scope :like, lambda { |field, value| where("LOWER(#{field}) LIKE ?", "%#{value.downcase}%") if value}
+
   scope :pending_all, lambda { |profile, filter_type, filter_text|
     self.to(profile).without_spam.pending.of(filter_type).like('data', filter_text)
   }
@@ -310,6 +367,10 @@ class Task &lt; ActiveRecord::Base
     Task.to(profile).pending.select('distinct type').map { |t| [t.class.name, t.title] }
   end
  
+  def self.closed_types_for(profile)
+    Task.to(profile).closed.select('distinct type').map { |t| [t.class.name, t.title] }
+  end
+
   def opened?
     status == Task::Status::ACTIVE || status == Task::Status::HIDDEN
   end
@@ -24,6 +24,10 @@ class TextileArticle &lt; TextArticle
     true
   end
  
+  def can_display_media_panel?
+    true
+  end
+
   protected
  
   def convert_to_html(textile)
@@ -28,4 +28,8 @@ class TinyMceArticle &lt; TextArticle
     true
   end
  
+  def can_display_media_panel?
+    true
+  end
+
 end
@@ -102,18 +102,20 @@ class User &lt; ActiveRecord::Base
   # Virtual attribute for the unencrypted password
   attr_accessor :password, :name
  
-  validates_presence_of     :login, :email
-  validates_format_of       :login, :with => Profile::IDENTIFIER_FORMAT, :if => (lambda {|user| !user.login.blank?})
+  validates_presence_of     :login
+  validates_presence_of     :email
+  validates_format_of       :login, :message => _('incorrect format'), :with => Profile::IDENTIFIER_FORMAT, :if => (lambda {|user| !user.login.blank?})
   validates_presence_of     :password,                   :if => :password_required?
   validates_presence_of     :password_confirmation,      :if => :password_required?
-  validates_length_of       :password, :within => 4..40, :if => :password_required?
+  validates_length_of       :password, :message => _('length must be within 4 to 40 characters'), :within => 4..40, :if => :password_required?
   validates_confirmation_of :password,                   :if => :password_required?
-  validates_length_of       :login,    :within => 2..40, :if => (lambda {|user| !user.login.blank?})
-  validates_length_of       :email,    :within => 3..100, :if => (lambda {|user| !user.email.blank?})
-  validates_uniqueness_of   :login, :email, :case_sensitive => false, :scope => :environment_id
+  validates_length_of       :login, :message => _('length must be within 2 to 40 characters'), :within => 2..40, :if => (lambda {|user| !user.login.blank?})
+  validates_length_of       :email, :message => _('length must be within 3 to 100 characters'),:within => 3..100, :if => (lambda {|user| !user.email.blank?})
+  validates_uniqueness_of   :login, :case_sensitive => false, :scope => :environment_id
+  validates_uniqueness_of   :email, :case_sensitive => false, :scope => :environment_id
   before_save :encrypt_password
   before_save :normalize_email, if: proc{ |u| u.email.present? }
-  validates_format_of :email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda {|user| !user.email.blank?})
+  validates_format_of :email, :message => _('incorrect format'), :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda {|user| !user.email.blank?})
  
   validates_inclusion_of :terms_accepted, :in => [ '1' ], :if => lambda { |u| ! u.terms_of_use.blank? }, :message => N_('{fn} must be checked in order to signup.').fix_i18n
  
@@ -392,7 +394,7 @@ class User &lt; ActiveRecord::Base
  
     def deliver_activation_code
       return if person.is_template?
-      UserMailer.activation_code(self).deliver unless self.activation_code.blank?
+      Delayed::Job.enqueue(UserMailer::Job.new(self, :activation_code)) unless self.activation_code.blank?
     end
  
     def delay_activation_check
@@ -12,6 +12,7 @@
   <tr><td><%= link_to _('Licenses'), :controller =>'licenses' %></td></tr>
   <tr><td><%= link_to _('Trusted sites'), :controller =>'trusted_sites' %></td></tr>
   <tr><td><%= link_to _('Blocks'), :controller => 'features', :action => 'manage_blocks' %></td></tr>
+  <tr><td><%= link_to _('Email templates'), :controller =>'environment_email_templates' %></td></tr>
 </table>
  
 <h2><%= _('Profiles') %></h2>
@@ -8,9 +8,9 @@
 <%= render :partial => 'general_fields' %>
 <%= render :partial => 'translatable' %>
  
-<%= labelled_form_field(_('Start date'), pick_date(:article, :start_date)) %>
+<%= date_range_field('article[start_date]', 'article[end_date]', @article.start_date, @article.end_date, _('%Y-%m-%d %H:%M'), {:time => true}, {:id => 'article_start_date'} ) %>
  
-<%= labelled_form_field(_('End date'), pick_date(:article, :end_date)) %>
+<%= labelled_form_field(_('Presenter:'), text_field(:article, :presenter)) %>
  
 <%= labelled_form_field(_('Event website:'), text_field(:article, :link)) %>
  
 <%= error_messages_for 'article' %>
  
-<% show_media_panel = environment.enabled?('media_panel') && [TinyMceArticle, TextileArticle, Event, EnterpriseHomepage, ProposalsDiscussionPlugin::Topic, ProposalsDiscussionPlugin::Discussion].any?{|klass| @article.kind_of?(klass)} %>
-
-<div class='<%= (show_media_panel ? 'with_media_panel' : 'no_media_panel') %>'>
+<div class='<%= (@article.display_media_panel? ? 'with_media_panel' : 'no_media_panel') %>'>
 <%= labelled_form_for 'article', :html => { :multipart => true, :class => @type } do |f| %>
  
   <%= hidden_field_tag("type", @type) if @type %>
@@ -68,7 +66,7 @@
 <% end %>
 </div>
  
-<% if show_media_panel %>
+<% if @article.display_media_panel? %>
   <%= render :partial => 'text_editor_sidebar' %>
 <% end %>
  
 <span class="publishing-info">
   <span class="date">
-    <%= show_date(@page.published_at) %>
+    <%= show_time(@page.published_at) %>
   </span>
   <span class="author">
     <%= _(", by %s") % (@page.author ? link_to(@page.author_name, @page.author_url) : @page.author_name) %>
@@ -0,0 +1,31 @@
+<%= form_for(@email_template, :url => {:action => @email_template.persisted? ? :update : :create, :id => @email_template.id}) do |f| %>
+
+  <%= error_messages_for :email_template if @email_template.errors.any? %>
+
+  <div class="template-fields">
+    <div class="header-fields">
+      <%= labelled_form_field(_('Template Name:'), f.text_field(:name)) %>
+      <%= labelled_form_field(_('Template Type:'), f.select(:template_type, @email_template.available_types.map {|k,v| [v[:description], k]}, :include_blank => true)) %>
+      <%= labelled_form_field(_('Subject:'), f.text_field(:subject)) %>
+    </div>
+    <div class="available-params">
+      <div class="reference">
+        <a target="_blank" href="https://github.com/Shopify/liquid/wiki/Liquid-for-Designers"><%= _('Template language reference') %></a>
+      </div>
+      <div class="label">
+        <%= _('The following parameters may be used in subject and body:') %>
+      </div>
+      <div class="values">
+        {{profile.name}}, {{profile.identifier}}, {{environment.name}}
+      </div>
+    </div>
+    <%= render :file => 'shared/tiny_mce' %>
+    <%= labelled_form_field(_('Body:'), f.text_area(:body, :class => 'mceEditor')) %>
+  </div>
+
+  <div class="actions">
+    <%= submit_button(:save, _('Save')) %>
+    <%= button(:back, _('Back'), :action => :index) %>
+  </div>
+
+<% end %>
@@ -0,0 +1,3 @@
+<h1><%= _('Editing Email Template') %></h1>
+
+<%= render 'form' %>
@@ -0,0 +1,27 @@
+<div class="email-templates">
+  <h1><%= _('Email Templates') %></h1>
+
+  <table>
+    <tr>
+      <th><%= _('Name') %></th>
+      <th><%= _('Type') %></th>
+      <th><%= _('Actions') %></th>
+    </tr>
+
+  <% @email_templates.each do |email_template| %>
+    <tr>
+      <td><%= email_template.name %></td>
+      <td><%= email_template.type_description %></td>
+      <td>
+        <%= button_without_text(:edit, _('Edit'), {:action => :edit, :id => email_template.id}) %>
+        <%= button_without_text(:remove, _('Remove'), {:action => :destroy, :id => email_template.id}, method: :delete, data: { confirm: 'Are you sure?' }) %>
+      </td>
+    </tr>
+  <% end %>
+  </table>
+
+  <br />
+
+  <%= button(:new, _('New template'), :action => :new) %>
+  <%= button(:back, _('Back'), @back_to) %>
+</div>
@@ -0,0 +1,3 @@
+<h1><%= _('New Email Template') %></h1>
+
+<%= render 'form' %>
@@ -0,0 +1,5 @@
+<p id="notice"><%= notice %></p>
+
+
+<%= link_to 'Edit', url_for(:action => :edit, :id => @email_template.id) %> |
+<%= link_to 'Back', url_for(:action => :index) %>
@@ -4,6 +4,12 @@
  
 <%= error_messages_for :mailing %>
  
+<% if @email_templates.present? %>
+  <div class="template-selection">
+    <%= labelled_form_field(_('Select a template:'), select_tag(:template, options_from_collection_for_select(@email_templates, :id, :name), :include_blank => true, 'data-url' => url_for(:controller => 'profile_email_templates', :action => 'show_parsed'))) %>
+  </div>
+<% end %>
+
 <%= form_for :mailing, :url => {:action => 'send_mail'}, :html => {:id => 'mailing-form'} do |f| %>
  
   <%= labelled_form_field(_('Subject:'), f.text_field(:subject)) %>
 <h2><%= _('Moderation options') %></h2>
 <% if profile.community? %>
   <div style='margin-bottom: 1em'>
+    <h4><%= _('Email Configuration:')%></h4>
+  </div>
+  <div style='margin-bottom: 0.5em'>
+    <%= check_box(:profile_data, :administrator_mail_notification, :style => 'float: left') %>
+    <div style='margin-left: 30px'>
+      <%= _('Send administrator Email for every task (Default: yes)') %>
+    </div>
+  </div>
+
+  <div style='margin-bottom: 1em'>
     <h4><%= _('Invitation moderation:')%></h4>
   </div>
   <div style='margin-bottom: 0.5em'>
@@ -72,6 +72,8 @@
  
   <%= control_panel_button(_('Edit welcome page'), 'welcome-page', :action => 'welcome_page') if has_welcome_page %>
  
+  <%= control_panel_button(_('Email Templates'), 'email-templates', :controller => :profile_email_templates) if profile.organization? %>
+
   <% @plugins.dispatch(:control_panel_buttons).each do |button| %>
     <%= control_panel_button(button[:title], button[:icon], button[:url], button[:html_options]) %>
   <% end %>
@@ -20,6 +20,7 @@
                 :loading => "jQuery('#members-list').addClass('loading')",
                 :success => "jQuery('#tr-#{m.identifier}').show()",
                 :complete => "jQuery('#members-list').removeClass('loading')",
+                :confirm => _('Are you sure you want to remove this user?'),
                 :url => { :id => m }.merge(remove_action)) if m != user %>
         </div>
       </td>
 <div id='not-found'>
-    <h1><%= _('Nonexistent content: %s') % (content_tag('tt', @path)) %></h1>
+    <h1><%= _('There is no such page: %s') % (content_tag('tt', @path)) %></h1>
     <p>
     <%= _('.You may have clicked an expired link or mistyped the address.') %>
-    <%= _('.This page does not exist. Would you like to: Create a new conteúdoou Locate existing content.') %>
+    <%= _('.This page does not exist. Would you like to: Create a new content or locate existing content.') %>
     <!-- <%= _('If you clicked a link that was in another site, or was given to you by someone else, it would be nice if you tell them that their link is not valid anymore.') %>  -->
     </p>
  
@@ -11,7 +11,7 @@
       <%= button :home, _('Go to the home page'), '/' %>
        <% if logged_in? %>
           <% parent_id = ((@article && @article.allow_children?) ? @article : nil) %>
-          <%= modal_button('new', _('New content'), :controller => 'cms', :action => 'new', :parent_id => parent_id, :cms => true) %>
+          <%= modal_button('new', _('New content'), myprofile_path(:profile => current_person.identifier, :controller => 'cms', :action => 'new', :parent_id => parent_id)) %>
       <% end %>
     <% end %>
     <form action="/search">
+<%= task_email_template(_('Select an acceptance email template:'), @acceptance_email_templates, task) %>
+
 <%= render :file => 'shared/tiny_mce' %>
  
 <%= labelled_form_field(_('Create a link'), f.check_box(:create_link)) %>
@@ -0,0 +1,23 @@
+<div class="title">
+  <%= task_information(task) %>
+</div>
+<div class="status">
+  <%= _(Task::Status.names[task.status]) %>
+</div>
+<div class="dates">
+  <span class="created">
+    <span class="label"><%= _('Created:') %></span>
+    <span class="value"><%= show_date(task.created_at) %></span>
+  </span>
+  &nbsp; &#151; &nbsp;
+  <span class="processed">
+    <span class="label"><%= _('Processed:') %></span>
+    <span class="value"><%= show_date(task.end_date) %></span>
+  </span>
+</div>
+<% if task.closed_by.present? %>
+  <div class="closed-by">
+    <span class="label"><%= _('Closed by:') %></span>
+    <span class="value"><%= link_to(task.closed_by.name, task.closed_by.url) %></span>
+  </div>
+<% end %>
+<%= task_email_template(_('Select a rejection email template:'), @rejection_email_templates, task) %>
+
 <%= labelled_form_field(_('Rejection explanation'), f.text_area(:reject_explanation, :rows => 5)) %>
@@ -50,7 +50,7 @@
     <em><%= _('No pending tasks for %s') % profile.name %></em>
   </p>
 <% else %>
-  <%= form_tag :action => 'close' do%>
+  <%= form_tag task_action('close') do%>
     <% button_bar(:class => 'task-actions') do %>
       <%# FiXME button(:edit, _('View my requests'), :action => 'list_requested') %>
       <%# FIXME button('menu-mail',  _('Send request'), :action => 'new') %>
@@ -67,7 +67,9 @@
       <% end %>
  
       <div class="task_boxes">
-        <%= render :partial => 'task', :collection => @tasks %>
+        <% @tasks.each do |task| %>
+          <%= render :partial => partial_for_class(task.class, nil, nil), :locals => {:task => task} %>
+        <% end %>
       </div>
  
       <% unless @view_only %>
+<%= stylesheet_link_tag 'tasks' %>
+
+<div class="task-processed">
 <h1><%= _("%s's processed tasks") % profile.name %></h1>
  
+<div class="task-processed-filter">
+<%
+  type_collection = [[nil, _('All')]] + @task_types
+%>
+  <%= form_tag '#', :method => 'get' do %>
+    <%= field_set_tag _('Filter'), :class => 'filter_fields' do %>
+      <div>
+        <%= labelled_select(_('Type of task')+': ', 'filter[type]', :first, :last, @filter[:type],  type_collection, {:id => 'filter-type'}) %>
+        <%= labelled_select(_('Status:'), 'filter[status]', :last, :first, @filter[:status], [[_('Any'), nil], [_(Task::Status.names[Task::Status::CANCELLED]), 2], [_(Task::Status.names[Task::Status::FINISHED]), 3] ]) %>
+      </div>
+
+      <div>
+        <%= labelled_text_field(_('Text Filter:'), 'filter[text]', @filter[:text]) %>
+      </div>
+
+      <div>
+        <%= labelled_text_field(_('Requestor:'), 'filter[requestor]', @filter[:requestor]) %>
+        <%= labelled_text_field(_('Closed by:'), 'filter[closed_by]', @filter[:closed_by]) %>
+      </div>
+
+      <%= labelled_form_field(_('Creation date'), date_range_field('filter[created_from]', 'filter[created_until]', @filter[:created_from], @filter[:created_until], '%Y-%m-%d', { :change_month => true, :change_year => true, :date_format => 'yy-mm-dd' }, { :size => 14, :from_id => 'filter_created_from', :to_id => 'filter_created_until' })) %>
+      <%= labelled_form_field(_('Processed date'), date_range_field('filter[closed_from]', 'filter[closed_until]', @filter[:closed_from], @filter[:closed_until], '%Y-%m-%d', { :change_month => true, :change_year => true, :date_format => 'yy-mm-dd' }, { :size => 14, :from_id => 'filter_closed_from', :to_id => 'filter_closed_until' })) %>
+
+      <div class="actions">
+        <%= submit_button(:search, _('Search')) %>
+      </div>
+    <% end %>
+  <% end %>
+</div>
+
 <p>
 <% if @tasks.empty? %>
   <em><%= _('No processed tasks.') %></em>
 <% else %>
-  <ul>
+  <ul class="task-list">
     <% @tasks.each do |item| %>
-      <li>
-        <strong><%= task_information(item) %></strong> <br/>
-        <small>
-          <%= _('Created:')   +' '+ show_date(item.created_at) %>
-          &nbsp; &#151; &nbsp;
-          <%= _('Processed:') +' '+ show_date(item.end_date) %>
-        </small>
+      <li class="task status-<%= item.status%>">
+        <%= render :partial => partial_for_class(item.class, nil, 'processed'), :locals => {:task => item} %>
       </li>
     <% end %>
   </ul>
+  <%= pagination_links(@tasks)%>
 <% end %>
 </p>
  
 <% button_bar do %>
   <%= button(:back, _('Back'), :action => 'index') %>
 <% end %>
+
+</div>
@@ -62,7 +62,7 @@ module Noosfero
     # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
     # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
     # config.time_zone = 'Central Time (US & Canada)'
-    config.time_zone = 'Brasilia'
+    #config.time_zone = 'Brasilia'
  
  
     # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
-Rails.application.eager_load!
+Rails.application.eager_load! if ActiveRecord::Base.connection.table_exists? 'categories'
@@ -0,0 +1,8 @@
+require_dependency 'noosfero/scheduler/defer'
+
+if defined? Unicorn
+  ObjectSpace.each_object Unicorn::HttpServer do |s|
+    s.extend Noosfero::Scheduler::Defer::Unicorn
+  end
+end
+
@@ -0,0 +1,14 @@
+class CreateEmailTemplate < ActiveRecord::Migration
+
+  def change
+    create_table :email_templates do |t|
+      t.string :name
+      t.string :template_type
+      t.string :subject
+      t.text :body
+      t.references :owner, :polymorphic => true
+      t.timestamps
+    end
+  end
+
+end
@@ -0,0 +1,37 @@
+class EventPeriodWithSupportToDatetime < ActiveRecord::Migration
+  def up
+    change_table :articles do |t|
+      t.change :start_date, :datetime
+    end
+
+    change_table :articles do |t|
+      t.change :end_date, :datetime
+    end
+
+    change_table :article_versions do |t|
+      t.change :start_date, :datetime
+    end
+
+    change_table :article_versions do |t|
+      t.change :end_date, :datetime
+    end
+  end
+
+  def down
+    change_table :articles do |t|
+      t.change :start_date, :date
+    end
+
+    change_table :articles do |t|
+      t.change :end_date, :date
+    end
+
+    change_table :article_versions do |t|
+      t.change :start_date, :date
+    end
+
+    change_table :article_versions do |t|
+      t.change :end_date, :date
+    end
+  end
+end
 \ No newline at end of file
@@ -0,0 +1,10 @@
+class ChangeTaskEndDateFromDateToDateTime < ActiveRecord::Migration
+
+  def up
+      change_column :tasks, :end_date, :datetime
+  end
+
+  def down
+    change_column :tasks, :end_date, :date
+  end
+end
@@ -0,0 +1,27 @@
+class ChangeArticleDateToDatetime < ActiveRecord::Migration
+
+  def up
+    change_table :articles do |t|
+      t.change :start_date, :datetime
+      t.change :end_date, :datetime
+    end
+
+    change_table :article_versions do |t|
+      t.change :start_date, :datetime
+      t.change :end_date, :datetime
+    end
+  end
+
+  def down
+    change_table :articles do |t|
+      t.change :start_date, :date
+      t.change :end_date, :date
+    end
+
+    change_table :article_versions do |t|
+      t.change :start_date, :date
+      t.change :end_date, :date
+    end
+  end
+
+end
@@ -37,7 +37,7 @@ Feature: comment
     And I fill in "Title" with "Hey ho, let's go!"
     And I fill in "Enter your comment" with "Hey ho, let's go!"
     When I press "Post comment"
-    Then I should see "Hey ho, let's go"
+    Then I should see "Hey ho, let"
  
   @selenium-fixme
   Scenario: redirect to right place after comment a picture
 class ActivitiesCounterCacheJob
+
+  # Changed to prevent sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
   def perform
-    person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
-    organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
+    person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
+    organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
     activities_counts = person_activities_counts.entries + organization_activities_counts.entries
     activities_counts.each do |count|
-      ActiveRecord::Base.connection.execute("UPDATE profiles SET activities_count=#{count['count'].to_i} WHERE profiles.id=#{count['id']};")
+      update_sql = ActiveRecord::Base.__send__(:sanitize_sql, ["UPDATE profiles SET activities_count=? WHERE profiles.id=?;", count['count'].to_i, count['id'] ], '')
+      ActiveRecord::Base.connection.execute(update_sql)
     end
     Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now})
   end
+
 end
@@ -4,7 +4,12 @@ class AddMembersJob &lt; Struct.new(:people_ids, :profile_id, :locale)
     Noosfero.with_locale(locale) do
  
       profile = Profile.find(profile_id)
-      profile.add_members people_ids
+
+      if people_ids.first =~ /\@/
+        profile.add_members_by_email people_ids
+      else
+        profile.add_members_by_id people_ids
+      end
  
     end
   end
@@ -12,6 +12,8 @@ module Noosfero
       use GrapeLogging::Middleware::RequestLogger, { logger: logger }
  
       rescue_from :all do |e|
+        puts e.inspect
+        puts e.backtrace.inspect
         logger.error e
       end
  
@@ -160,8 +160,27 @@ require &#39;grape&#39;
         conditions
       end
  
-      def make_order_with_parameters(params)
-        params[:order] || "created_at DESC"
+      # changing make_order_with_parameters to avoid sql injection
+      def make_order_with_parameters(object, method, params)
+        order = "created_at DESC"
+        unless params[:order].blank?
+          if params[:order].include? '\'' or params[:order].include? '"'
+            order = "created_at DESC"
+          elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
+            order = 'RANDOM()'
+          else
+            field_name, direction = params[:order].split(' ')
+            assoc = object.class.reflect_on_association(method.to_sym)
+            if !field_name.blank? and assoc
+              if assoc.klass.attribute_names.include? field_name
+                if direction.present? and ['ASC','DESC'].include? direction.upcase
+                  order = "#{field_name} #{direction.upcase}"
+                end
+              end
+            end
+          end
+        end
+        return order
       end
  
       def by_reference(scope, params)
@@ -176,7 +195,7 @@ require &#39;grape&#39;
  
       def select_filtered_collection_of(object, method, params)
         conditions = make_conditions_with_parameter(params)
-        order = make_order_with_parameters(params)
+        order = make_order_with_parameters(object,method,params)
  
         objects = object.send(method)
         objects = by_reference(objects, params)
@@ -32,11 +32,10 @@ module Noosfero
       params do
         requires :email, type: String, desc: _("Email")
         requires :login, type: String, desc: _("Login")
-        requires :password, type: String, desc: _("Password")
-        requires :password_confirmation, type: String, desc: _("Password confirmation")
+        #requires :password, type: String, desc: _("Password")
+        #requires :password_confirmation, type: String, desc: _("Password confirmation")
       end
       post "/register" do
-        unique_attributes! User, [:email, :login]
         attrs = attributes_for_keys [:email, :login, :password, :password_confirmation] + environment.signup_person_fields
         remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
         # test_captcha will render_api_error! and exit in case of any problem
@@ -138,11 +138,12 @@ class Noosfero::Plugin
         filters = [filters]
       end
       filters.each do |plugin_filter|
+        plugin_filter[:options] ||= {}
+        plugin_filter[:options][:if] = -> { environment.plugin_enabled? plugin.module_name }
+
         filter_method = "#{plugin.identifier}_#{plugin_filter[:method_name]}".to_sym
-        controller_class.send(plugin_filter[:type], filter_method, (plugin_filter[:options] || {}))
-        controller_class.send(:define_method, filter_method) do
-          instance_exec(&plugin_filter[:block]) if environment.plugin_enabled?(plugin)
-        end
+        controller_class.send plugin_filter[:type], filter_method, plugin_filter[:options]
+        controller_class.send :define_method, filter_method, &plugin_filter[:block]
       end
     end
  
@@ -11,6 +11,10 @@ class Noosfero::Plugin
       @identifier ||= (if self.parents.first.instance_of? Module then self.parents.first else self end).name.underscore
     end
  
+    def module_name
+      @name ||= (if self.parents.first != Object then self.parents.first else self end).to_s
+    end
+
     def public_name
       @public_name ||= self.identifier.gsub '_plugin', ''
     end
@@ -0,0 +1,97 @@
+# based on https://github.com/discourse/discourse/blob/master/lib/scheduler/defer.rb
+
+module Noosfero
+  module Scheduler
+    module Deferrable
+      def initialize
+        # FIXME: do some other way when not using Unicorn
+        @async = (not Rails.env.test?) and defined? Unicorn
+        @queue = Queue.new
+        @mutex = Mutex.new
+        @paused = false
+        @thread = nil
+      end
+
+      def pause
+        stop!
+        @paused = true
+      end
+
+      def resume
+        @paused = false
+      end
+
+      # for test
+      def async= val
+        @async = val
+      end
+
+      def later desc = nil, &blk
+        if @async
+          start_thread unless (@thread && @thread.alive?) || @paused
+          @queue << [blk, desc]
+        else
+          blk.call
+        end
+      end
+
+      def stop!
+        @thread.kill if @thread and @thread.alive?
+        @thread = nil
+      end
+
+      # test only
+      def stopped?
+        !(@thread and @thread.alive?)
+      end
+
+      def do_all_work
+        while !@queue.empty?
+          do_work _non_block=true
+        end
+      end
+
+      private
+
+      def start_thread
+        @mutex.synchronize do
+          return if @thread && @thread.alive?
+          @thread = Thread.new do
+            while true
+              do_work
+            end
+          end
+          @thread.priority = -2
+        end
+      end
+
+      # using non_block to match Ruby #deq
+      def do_work non_block=false
+        job, desc = @queue.deq non_block
+        begin
+          job.call
+        rescue => ex
+          ExceptionNotifier.notify_exception ex, message: "Running deferred code '#{desc}'"
+        end
+      rescue => ex
+        ExceptionNotifier.notify_exception ex, message: "Processing deferred code queue"
+      end
+    end
+
+    class Defer
+
+      module Unicorn
+        def process_client client
+          ::Noosfero::Scheduler::Defer.pause
+          super client
+          ::Noosfero::Scheduler::Defer.do_all_work
+          ::Noosfero::Scheduler::Defer.resume
+        end
+      end
+
+      extend Deferrable
+      initialize
+    end
+
+  end
+end
@@ -0,0 +1,2 @@
+gem 'slim'
+
@@ -0,0 +1,30 @@
+class AnalyticsPlugin::TimeOnPageController < ProfileController
+
+  before_filter :skip_page_view
+
+  def page_load
+    # to avoid concurrency problems with the original deferred request, also defer this
+    Noosfero::Scheduler::Defer.later do
+      page_view = profile.page_views.where(request_id: params[:id]).first
+      page_view.request = request
+      page_view.page_load!
+    end
+
+    render nothing: true
+  end
+
+  def report
+    page_view = profile.page_views.where(request_id: params[:id]).first
+    page_view.request = request
+    page_view.increase_time_on_page!
+
+    render nothing: true
+  end
+
+  protected
+
+  def skip_page_view
+    @analytics_skip_page_view = true
+  end
+
+end
@@ -0,0 +1,47 @@
+class InitAnalyticsPlugin < ActiveRecord::Migration
+
+  def up
+    create_table :analytics_plugin_visits do |t|
+      t.integer :profile_id
+    end
+
+    create_table :analytics_plugin_page_views do |t|
+      t.string :type
+      t.integer :visit_id
+      t.integer :track_id
+      t.integer :referer_page_view_id
+      t.string :request_id
+
+      t.integer :user_id
+      t.integer :session_id
+      t.integer :profile_id
+
+      t.text :url
+      t.text :referer_url
+
+      t.text :user_agent
+      t.string :remote_ip
+
+      t.datetime :request_started_at
+      t.datetime :request_finished_at
+      t.datetime :page_loaded_at
+      t.integer :time_on_page, default: 0
+
+      t.text :data, default: {}.to_yaml
+    end
+    add_index :analytics_plugin_page_views, :request_id
+    add_index :analytics_plugin_page_views, :referer_page_view_id
+
+    add_index :analytics_plugin_page_views, :user_id
+    add_index :analytics_plugin_page_views, :session_id
+    add_index :analytics_plugin_page_views, :profile_id
+    add_index :analytics_plugin_page_views, :url
+    add_index :analytics_plugin_page_views, [:user_id, :session_id, :profile_id, :url], name: :analytics_plugin_referer_find
+  end
+
+  def down
+    drop_table :analytics_plugin_visits
+    drop_table :analytics_plugin_page_views
+  end
+
+end
@@ -0,0 +1,15 @@
+module AnalyticsPlugin
+
+  TimeOnPageUpdateInterval = 2.minutes * 1000
+
+  extend Noosfero::Plugin::ParentMethods
+
+  def self.plugin_name
+    I18n.t'analytics_plugin.lib.plugin.name'
+  end
+
+  def self.plugin_description
+    I18n.t'analytics_plugin.lib.plugin.description'
+  end
+
+end
@@ -0,0 +1,43 @@
+
+class AnalyticsPlugin::Base < Noosfero::Plugin
+
+  def body_ending
+    return unless profile and profile.analytics_enabled?
+    lambda do
+      render 'analytics_plugin/body_ending'
+    end
+  end
+
+  def js_files
+    ['analytics'].map{ |j| "javascripts/#{j}" }
+  end
+
+  def application_controller_filters
+    [{
+      type: 'around_filter', options: {}, block: -> &block do
+        request_started_at = Time.now
+        block.call
+        request_finished_at = Time.now
+
+        return if @analytics_skip_page_view
+        return unless profile and profile.analytics_enabled?
+
+        Noosfero::Scheduler::Defer.later 'analytics: register page view' do
+          page_view = profile.page_views.build request: request, profile_id: profile,
+            request_started_at: request_started_at, request_finished_at: request_finished_at
+
+          unless profile.analytics_anonymous?
+            # FIXME: use session.id in Rails 4
+            session_id = Marshal.load(Base64.decode64 request['_session_id'])['session_id'] rescue nil
+            #session_id = request.session_options[:id]
+            page_view.user = user
+            page_view.session_id = session_id
+          end
+
+          page_view.save!
+        end
+      end,
+    }]
+  end
+
+end
@@ -0,0 +1,30 @@
+require_dependency 'profile'
+require_dependency 'community'
+
+([Profile] + Profile.descendants).each do |subclass|
+subclass.class_eval do
+
+  has_many :visits, foreign_key: :profile_id, class_name: 'AnalyticsPlugin::Visit'
+  has_many :page_views, foreign_key: :profile_id, class_name: 'AnalyticsPlugin::PageView'
+
+end
+end
+
+class Profile
+
+  def analytics_settings attrs = {}
+    @analytics_settings ||= Noosfero::Plugin::Settings.new self, AnalyticsPlugin, attrs
+    attrs.each{ |a, v| @analytics_settings.send "#{a}=", v }
+    @analytics_settings
+  end
+  alias_method :analytics_settings=, :analytics_settings
+
+  def analytics_enabled?
+    self.analytics_settings.enabled
+  end
+
+  def analytics_anonymous?
+    self.analytics_settings.anonymous
+  end
+
+end
@@ -0,0 +1,11 @@
+
+en: &en
+  analytics_plugin:
+    lib:
+      plugin:
+        name: 'Access tracking'
+        description: 'Register the access of selected profiles'
+
+en-US:
+  <<: *en
+
@@ -0,0 +1,10 @@
+
+pt: &pt
+  analytics_plugin:
+    lib:
+      plugin:
+        name: 'Rastreio de accesso'
+        description: 'Registra o acesso de perfis selecionados'
+
+pt-BR:
+  <<: *pt
@@ -0,0 +1,67 @@
+class AnalyticsPlugin::PageView < ActiveRecord::Base
+
+  serialize :data
+
+  attr_accessible *self.column_names
+  attr_accessible :user, :profile
+
+  attr_accessor :request
+  attr_accessible :request
+
+  acts_as_having_settings field: :options
+
+  belongs_to :visit, class_name: 'AnalyticsPlugin::Visit'
+  belongs_to :referer_page_view, class_name: 'AnalyticsPlugin::PageView'
+
+  belongs_to :user, class_name: 'Person'
+  belongs_to :session, primary_key: :session_id, foreign_key: :session_id, class_name: 'Session'
+  belongs_to :profile
+
+  validates_presence_of :visit
+  validates_presence_of :request, on: :create
+  validates_presence_of :url
+
+  before_validation :extract_request_data, on: :create
+  before_validation :fill_referer_page_view, on: :create
+  before_validation :fill_visit, on: :create
+
+  def request_duration
+    self.request_finished_at - self.request_started_at
+  end
+
+  def page_load!
+    self.page_loaded_at = Time.now
+    self.update_column :page_loaded_at, self.page_loaded_at
+  end
+
+  def increase_time_on_page!
+    now = Time.now
+    initial_time = self.page_loaded_at || self.request_finished_at
+    return unless now > initial_time
+
+    self.time_on_page = now - initial_time
+    self.update_column :time_on_page, self.time_on_page
+  end
+
+  protected
+
+  def extract_request_data
+    self.url = self.request.url.sub /\/+$/, ''
+    self.referer_url = self.request.referer
+    self.user_agent = self.request.headers['User-Agent']
+    self.request_id = self.request.env['action_dispatch.request_id']
+    self.remote_ip = self.request.remote_ip
+  end
+
+  def fill_referer_page_view
+    self.referer_page_view = AnalyticsPlugin::PageView.order('request_started_at DESC').
+      where(url: self.referer_url, session_id: self.session_id, user_id: self.user_id, profile_id: self.profile_id).first if self.referer_url.present?
+  end
+
+  def fill_visit
+    self.visit = self.referer_page_view.visit if self.referer_page_view
+    self.visit ||= AnalyticsPlugin::Visit.new profile: profile
+  end
+
+end
+
@@ -0,0 +1,11 @@
+class AnalyticsPlugin::Visit < ActiveRecord::Base
+
+  attr_accessible *self.column_names
+  attr_accessible :profile
+
+  default_scope -> { includes :page_views }
+
+  belongs_to :profile
+  has_many :page_views, class_name: 'AnalyticsPlugin::PageView', dependent: :destroy
+
+end
@@ -0,0 +1,29 @@
+# translation of analytic.po to portuguese
+# Krishnamurti Lelis Lima Vieira Nunes <krishna@colivre.coop.br>, 2007.
+# noosfero - Brazilian Portuguese translation
+# Copyright (C) 2007,
+# Forum Brasileiro de Economia Solidaria <http://www.fbes.org.br/>
+# Copyright (C) 2007,
+# Ynternet.org Foundation <http://www.ynternet.org/>
+# This file is distributed under the same license as noosfero itself.
+# Joenio Costa <joenio@colivre.coop.br>, 2008.
+#
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: 1.0-690-gcb6e853\n"
+"POT-Creation-Date: 2015-03-05 12:10-0300\n"
+"PO-Revision-Date: 2015-07-21 09:23-0300\n"
+"Last-Translator: Michal Čihař <michal@cihar.com>\n"
+"Language-Team: Portuguese <https://hosted.weblate.org/projects/noosfero"
+"/plugin-solr/pt/>\n"
+"Language: pt\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 2.3-dev\n"
+
+msgid "Select the set of communities and users to track"
+msgstr "Seleciona o conjunto de comunidades e usuários para rastrear"
+
@@ -0,0 +1,39 @@
+analytics = {
+  requestId: '',
+
+  timeOnPage: {
+    updateInterval: 0,
+    baseUrl: '',
+
+    report: function() {
+      $.ajax(analytics.timeOnPage.baseUrl+'/report', {
+        type: 'POST', data: {id: analytics.requestId},
+        success: function(data) {
+
+          analytics.timeOnPage.poll()
+        },
+      })
+    },
+
+    poll: function() {
+      if (analytics.timeOnPage.updateInterval)
+        setTimeout(analytics.timeOnPage.report, analytics.timeOnPage.updateInterval)
+    },
+  },
+
+  init: function() {
+    analytics.timeOnPage.poll()
+  },
+
+  pageLoad: function() {
+    $.ajax(analytics.timeOnPage.baseUrl+'/page_load', {
+      type: 'POST', data: {id: analytics.requestId},
+      success: function(data) {
+      },
+    });
+  }
+
+};
+
+$(document).ready(analytics.pageLoad)
+
@@ -0,0 +1,48 @@
+require 'test_helper'
+require 'content_viewer_controller'
+
+class ContentViewerControllerTest < ActionController::TestCase
+
+  def setup
+    @controller = ContentViewerController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+
+    @environment = Environment.default
+    @environment.enabled_plugins += ['AnalyticsPlugin']
+    @environment.save!
+
+    @user = create_user('testinguser').person
+    login_as @user.identifier
+
+    @community = build Community, identifier: 'testcomm', name: 'test'
+    @community.analytics_settings.enabled = true
+    @community.analytics_settings.anonymous = false
+    @community.save!
+    @community.add_member @user
+  end
+
+  should 'register page view correctly' do
+    @request.env['HTTP_REFERER'] = 'http://google.com'
+    first_url = 'http://test.host'
+    get :view_page, profile: @community.identifier, page: []
+    assert_equal 1, @community.page_views.count
+    assert_equal 1, @community.visits.count
+
+    first_page_view = @community.page_views.order(:id).first
+    assert_equal @request.referer, first_page_view.referer_url
+
+    @request.env['HTTP_REFERER'] = first_url
+    get :view_page, profile: @community.identifier, page: @community.articles.last.path.split('/')
+    assert_equal 2, @community.page_views.count
+    assert_equal 1, @community.visits.count
+
+    second_page_view = @community.page_views.order(:id).last
+    assert_equal first_page_view, second_page_view.referer_page_view
+
+    assert_equal @user, second_page_view.user
+
+    assert second_page_view.request_duration > 0 and second_page_view.request_duration < 1
+  end
+
+end
@@ -0,0 +1,6 @@
+javascript:
+  analytics.timeOnPage.baseUrl = #{url_for(controller: 'analytics_plugin/time_on_page').to_json}
+  analytics.timeOnPage.updateInterval = #{AnalyticsPlugin::TimeOnPageUpdateInterval.to_json}
+  analytics.requestId = #{request.env['action_dispatch.request_id'].to_json}
+  analytics.init()
+
@@ -7,8 +7,8 @@ msgstr &quot;&quot;
 "Project-Id-Version: 1.1-166-gaf47713\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2015-06-01 17:26-0300\n"
-"PO-Revision-Date: 2015-07-03 00:34+0200\n"
-"Last-Translator: Christophe DANIEL <papaeng@gmail.com>\n"
+"PO-Revision-Date: 2015-03-07 12:26+0200\n"
+"Last-Translator: Tuux <tuxa@galaxie.eu.org>\n"
 "Language-Team: French <https://hosted.weblate.org/projects/noosfero/plugin-"
 "comment-classification/fr/>\n"
 "Language: fr\n"
@@ -16,7 +16,7 @@ msgstr &quot;&quot;
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n > 1;\n"
-"X-Generator: Weblate 2.4-dev\n"
+"X-Generator: Weblate 2.3-dev\n"
  
 #: plugins/comment_classification/lib/comment_classification_plugin.rb:11
 msgid "A plugin that allow classification of comments."
@@ -80,7 +80,7 @@ msgstr &quot;Statuts&quot;
  
 #: plugins/comment_classification/views/comment_classification_plugin_myprofile/_status_form.html.erb:7
 msgid "Reason:"
-msgstr "Raison :"
+msgstr "Raison:"
  
 #: plugins/comment_classification/views/comment_classification_plugin_myprofile/add_status.html.erb:1
 msgid "Status for comment"
@@ -121,7 +121,7 @@ msgstr &quot;Couleur&quot;
  
 #: plugins/comment_classification/views/comment_classification_plugin_labels/_form.html.erb:8
 msgid "Enable this label?"
-msgstr "Activer ce label ?"
+msgstr "Activer ce label?"
  
 #: plugins/comment_classification/views/comment_classification_plugin_labels/edit.html.erb:1
 msgid "Editing label %s"
@@ -149,7 +149,7 @@ msgstr &quot;Label&quot;
 #: plugins/comment_classification/views/comment_classification_plugin_labels/index.html.erb:11
 #: plugins/comment_classification/views/comment_classification_plugin_status/index.html.erb:10
 msgid "Enabled"
-msgstr "Activé(e)"
+msgstr "Activé"
  
 #: plugins/comment_classification/views/comment_classification_plugin_labels/index.html.erb:12
 #: plugins/comment_classification/views/comment_classification_plugin_status/index.html.erb:12
@@ -162,7 +162,7 @@ msgstr &quot;Êtes-vous sûr(e) que vous voulez retirer ce label ?&quot;
  
 #: plugins/comment_classification/views/comment_classification_plugin_status/_form.html.erb:7
 msgid "Enable this status?"
-msgstr "Activer ce statut ?"
+msgstr "Activer ce statut?"
  
 #: plugins/comment_classification/views/comment_classification_plugin_status/edit.html.erb:1
 msgid "Editing status %s"
@@ -177,12 +177,13 @@ msgid &quot;(no status registered yet)&quot;
 msgstr "(il n'y a pas de statut enregistré pour le moment)"
  
 #: plugins/comment_classification/views/comment_classification_plugin_status/index.html.erb:11
+#, fuzzy
 msgid "Reason enabled?"
-msgstr "Raison activée ?"
+msgstr "%s n'était pas activé(e)"
  
 #: plugins/comment_classification/views/comment_classification_plugin_status/index.html.erb:21
 msgid "Are you sure you want to remove this status?"
-msgstr "Êtes-vous sûr(e) de vouloir supprimer ce statut ?"
+msgstr "Êtes-vous sûr(e) de vouloir supprimer ce statut?"
  
 #: plugins/comment_classification/views/comment/comments_labels_select.html.erb:3
 msgid "[Select ...]"
+source 'https://rubygems.org'
 gem 'twitter', '~> 5.8.0'
 gem 'proxifier', '~> 1.0.3'
@@ -76,20 +76,20 @@ class CommunityTrackPlugin::Step &lt; Folder
   end
  
   def active?
-    (start_date..end_date).include?(Date.today)
+    (start_date.to_date..end_date.to_date).include?(Date.today)
   end
  
   def finished?
-    Date.today > end_date
+    Date.today > end_date.to_date
   end
  
   def waiting?
-    Date.today < start_date
+    Date.today < start_date.to_date
   end
  
   def schedule_activation
     return if !changes['start_date'] && !changes['end_date']
-    if Date.today <= end_date || accept_comments
+    if Date.today <= end_date.to_date || accept_comments
       schedule_date = !accept_comments ? start_date : end_date + 1.day
       CommunityTrackPlugin::ActivationJob.find(id).destroy_all
       Delayed::Job.enqueue(CommunityTrackPlugin::ActivationJob.new(self.id), :run_at => schedule_date)
@@ -7,7 +7,7 @@ msgstr &quot;&quot;
 "Project-Id-Version: 1.1-166-gaf47713\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2015-06-01 17:26-0300\n"
-"PO-Revision-Date: 2015-07-03 00:36+0200\n"
+"PO-Revision-Date: 2015-06-29 14:17+0200\n"
 "Last-Translator: Christophe DANIEL <papaeng@gmail.com>\n"
 "Language-Team: French <https://hosted.weblate.org/projects/noosfero/plugin-"
 "custom-forms/fr/>\n"
@@ -20,12 +20,13 @@ msgstr &quot;&quot;
  
 #: plugins/custom_forms/lib/custom_forms_plugin/form.rb:67
 msgid "Invalid string format of access."
-msgstr "Format de chaîne d'accès non valide."
+msgstr ""
  
 #: plugins/custom_forms/lib/custom_forms_plugin/form.rb:71
 #: plugins/custom_forms/lib/custom_forms_plugin/form.rb:76
+#, fuzzy
 msgid "There is no profile with the provided id."
-msgstr "Il n'y a pas le profil avec l'ID fourni."
+msgstr "Il y a un problème avec les lignes suivantes : "
  
 #: plugins/custom_forms/lib/custom_forms_plugin/form.rb:81
 msgid "Invalid type format of access."
@@ -7,8 +7,8 @@ msgstr &quot;&quot;
 "Project-Id-Version: 1.1-166-gaf47713\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2015-06-01 17:26-0300\n"
-"PO-Revision-Date: 2015-07-03 00:31+0200\n"
-"Last-Translator: Christophe DANIEL <papaeng@gmail.com>\n"
+"PO-Revision-Date: 2015-03-07 02:11+0200\n"
+"Last-Translator: Tuux <tuxa@galaxie.eu.org>\n"
 "Language-Team: French <https://hosted.weblate.org/projects/noosfero/plugin-"
 "display-content/fr/>\n"
 "Language: fr\n"
@@ -16,14 +16,14 @@ msgstr &quot;&quot;
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=n > 1;\n"
-"X-Generator: Weblate 2.4-dev\n"
+"X-Generator: Weblate 2.3-dev\n"
  
 #: plugins/display_content/lib/display_content_plugin.rb:10
 msgid ""
 "A plugin that adds a block where you could choose any of your content and "
 "display it."
 msgstr ""
-"Un plugin qui permet d'ajouter une zone ou vous pourrez y afficher le "
+"Un greffon qui permet d'ajouter une zone ou vous pourrez y afficher le "
 "contenue de votre choix."
  
 #: plugins/display_content/lib/display_content_block.rb:34
@@ -48,33 +48,33 @@ msgstr &quot;Résumé&quot;
  
 #: plugins/display_content/lib/display_content_block.rb:151
 msgid "Read more"
-msgstr "Lire plus"
+msgstr "En lire plus"
  
 #: plugins/display_content/lib/display_content_block.rb:194
 msgid "%{month}/%{day}/%{year}"
-msgstr "%{day}/%{month}/%{year}"
+msgstr "%{mois}/%{jour}/%{année}"
  
 #: plugins/display_content/lib/display_content_block.rb:194
 msgid "%{month}/%{day}"
-msgstr "%{day}/%{month}"
+msgstr "%{mois}/%{jour}"
  
 #: plugins/display_content/lib/display_content_block.rb:197
 msgid "%{month_name} %{day}, %{year}"
-msgstr "%{day} %{month_name} %{year}"
+msgstr "%{nom_du_mois} %{jour}, %{année}"
  
 #: plugins/display_content/lib/display_content_block.rb:197
 msgid "%{month_name} %{day}"
-msgstr "%{day} %{month_name}"
+msgstr "%{nom_du_mois} %{jour}"
  
 #: plugins/display_content/views/box_organizer/_display_content_block.html.erb:5
 msgid "Choose which attributes should be displayed and drag to reorder them:"
 msgstr ""
 "Choisissez quels attribues doivent êtres afficher et glisser/déposer pour "
-"les réorganiser :"
+"les réorganiser:"
  
 #: plugins/display_content/views/box_organizer/_display_content_block.html.erb:21
 msgid "Choose which content should be displayed:"
-msgstr "Choisissez le contenu à afficher :"
+msgstr "Choisissez le contenu à afficher:"
  
 #: plugins/display_content/views/box_organizer/_display_content_block.html.erb:23
 msgid "Choose directly"
@@ -86,7 +86,7 @@ msgstr &quot;Choisir par type de contenu&quot;
  
 #: plugins/display_content/views/box_organizer/_display_content_block.html.erb:28
 msgid "Order by:"
-msgstr "Trier par :"
+msgstr "Trier par:"
  
 #: plugins/display_content/views/box_organizer/_display_content_block.html.erb:29
 msgid "Most recent"
@@ -98,7 +98,7 @@ msgstr &quot;Le plus ancien&quot;
  
 #: plugins/display_content/views/box_organizer/_choose_by_content_type.html.erb:1
 msgid "Display content types:"
-msgstr "Afficher le type de contenu :"
+msgstr "Afficher le types de contenue:"
  
 #: plugins/display_content/views/box_organizer/_choose_by_content_type.html.erb:7
 msgid "more"
@@ -106,8 +106,9 @@ msgstr &quot;plus&quot;
  
 #: plugins/display_content/views/box_organizer/_choose_directly.html.erb:5
 msgid "Dinamically load children of selected folders"
-msgstr "charger dynamiquement les sous répertoires des répertoires sélectionnés"
+msgstr ""
+"Dynamiquement charger les sous répertoires des répertoires sélectionnés"
  
 #: plugins/display_content/views/box_organizer/_choose_directly.html.erb:9
 msgid "Limit:"
-msgstr "Limite :"
+msgstr "Limite:"
-Subproject commit 1f2171520eb4719fefc5a32f26ef2a002cd61f0d
+Subproject commit 7a9aa2a643ccbbe6d4ee2f085a5a15540a6b349d
@@ -0,0 +1 @@
+Subproject commit 7d1cef867e1325f623638366faeb5387a9261b0a
@@ -0,0 +1 @@
+Subproject commit 8fb44a478abb5ccd345b8ffaf1f37817d273ad30
+source 'https://rubygems.org'
 gem 'omniauth', '~> 1.2.2'
 gem 'omniauth-facebook', '~> 2.0.0'
 gem "omniauth-google-oauth2", '~> 0.2.6'
@@ -22,7 +22,7 @@ class OauthClientPluginPublicController &lt; PublicController
     if session.delete(:oauth_client_popup) || params[:oauth_client_popup]
       current_user.private_token_expired? if current_user.present?
       private_token = current_user.present? ? current_user.private_token : ''
-      render 'oauth_client_plugin_public/finish', :locals => {:private_token => private_token, :user => params[:user]}, :layout => false
+      render 'oauth_client_plugin_public/finish', :locals => {:private_token => private_token}, :layout => false
     else
       redirect_to :controller => :home
     end
@@ -42,22 +42,47 @@ class OauthClientPluginPublicController &lt; PublicController
     else
       session[:notice] = _("Can't login with #{provider.name}")
     end
-    session[:oauth_client_popup] = true if request.env["omniauth.params"]['oauth_client_popup']
-    session[:return_to] = url_for(:controller => :oauth_client_plugin_public, :action => :finish)
+    session[:oauth_client_popup] = true if request.env.fetch("omniauth.params", {})['oauth_client_popup']
+    session[:return_to] = url_for(
+                            :controller => :oauth_client_plugin_public,
+                            :action => :finish,
+                            :user =>  {
+                                        :login => current_user.login,
+                                        :person => {:identifier => current_user.person.identifier, :name => current_user.person.name}
+                                      } ,
+                            :profile_data => {:name => current_user.person.name},
+                            :oauth_client_popup => session[:oauth_client_popup]
+                            )
  
     redirect_to :controller => :account, :action => :login
   end
  
   def signup(auth)
     login = auth.info.email.split('@').first
+
+    # reading provider from session and writing to cache to read when
+    # api calls register to confirm signup
+    auth_cach_hash = auth.to_hash
+    auth_cach_hash[:provider_id] = session[:provider_id]
+    signup_token = OauthClientPlugin::SignupDataStore.store_oauth_data(auth.info.email, auth_cach_hash)
+
     session[:oauth_data] = auth
-    session[:oauth_client_popup] = true if request.env["omniauth.params"]['oauth_client_popup']
+    session[:oauth_client_popup] = true if request.env.fetch("omniauth.params", {})['oauth_client_popup']
     session[:return_to] = url_for(:controller => :oauth_client_plugin_public, :action => :finish)
     name = auth.info.name
     name ||= auth.extra && auth.extra.raw_info ? auth.extra.raw_info.name : ''
  
     if session[:oauth_client_popup]
-      redirect_to :controller => :oauth_client_plugin_public, :action => :finish, :user => {:login => login, :email => auth.info.email, :oauth_providers => [session[:provider_id]]}, :profile_data => {:name => name}, :oauth_client_popup => session[:oauth_client_popup]
+      redirect_to :controller => :oauth_client_plugin_public,
+                  :action => :finish,
+                  :user => {
+                    :signup_token => signup_token,
+                    :login => login,
+                    :email => auth.info.email,
+                    :oauth_providers => [session[:provider_id]]
+                  },
+                  :profile_data => {:name => name},
+                  :oauth_client_popup => session[:oauth_client_popup]
     else
       redirect_to :controller => :account, :action => :signup, :user => {:login => login, :email => auth.info.email}, :profile_data => {:name => name}
     end
@@ -0,0 +1,12 @@
+class AddOauthAuthFieldsToUserProvider < ActiveRecord::Migration
+
+  def self.up
+    change_table :oauth_client_plugin_user_providers do |t|
+      t.text :oauth_data
+    end
+  end
+
+  def self.down
+    remove_column :oauth_client_plugin_user_providers, :oauth_data
+  end
+end
@@ -4,4 +4,10 @@ class Environment
  
   has_many :oauth_providers, :class_name => 'OauthClientPlugin::Provider'
  
+  def signup_person_fields_with_oauth
+    signup_person_fields_without_oauth + [:oauth_signup_token]
+  end
+
+  alias_method_chain :signup_person_fields, :oauth
+  
 end
@@ -6,24 +6,54 @@ class User
   has_many :oauth_providers, :through => :oauth_user_providers, :source => :provider
  
   def password_required_with_oauth?
+    # user creation through api does not set oauth_providers
+    check_providers
     password_required_without_oauth? && oauth_providers.empty?
   end
  
+  def oauth_data
+    @oauth_data
+  end
+
+  def oauth_signup_token= value
+    @oauth_signup_token = value
+  end
+
+  def oauth_signup_token
+    @oauth_signup_token
+  end
+
   alias_method_chain :password_required?, :oauth
  
   after_create :activate_oauth_user
  
+  # user creation through api does not set oauth_providers
+  # so it is being shared through a distributed cache
+  def check_providers
+    if oauth_providers.empty? && oauth_signup_token.present?
+      #check if is oauth user, reading oauth_data recorded at cache store
+      @oauth_data = OauthClientPlugin::SignupDataStore.get_oauth_data(self.email, self.oauth_signup_token)
+      if @oauth_data
+        provider_id = @oauth_data.delete(:provider_id)
+        self.oauth_providers = [OauthClientPlugin::Provider.find(provider_id)]
+      end
+    end
+  end
+
   def activate_oauth_user
-    unless oauth_providers.empty?
-      activate
-      oauth_providers.each do |provider|
-        OauthClientPlugin::UserProvider.create!(:user => self, :provider => provider, :enabled => true)
+    self.oauth_providers.each do |provider|
+      OauthClientPlugin::UserProvider.create! do |user_provider|
+        user_provider.user = self
+        user_provider.provider = provider
+        user_provider.enabled = true
+        user_provider.oauth_data = oauth_data
       end
     end
+    activate unless oauth_providers.empty?
   end
  
   def make_activation_code_with_oauth
-    oauth_providers.blank? ? make_activation_code_without_oauth : nil
+    self.oauth_providers.blank? ? make_activation_code_without_oauth : nil
   end
  
   alias_method_chain :make_activation_code, :oauth
@@ -84,8 +84,11 @@ class OauthClientPlugin &lt; Noosfero::Plugin
  
         if auth.present? && params[:user].present?
           params[:user][:oauth_providers] = [OauthClientPlugin::Provider.find(session[:provider_id])]
+
           if request.post? && auth.info.email != params[:user][:email]
-            raise "Wrong email for oauth signup"
+            unless params[:user][:email].blank?
+              raise "Wrong email for oauth signup. EMAIL: #{params[:user][:email]}"
+            end
           end
         end
       }
@@ -0,0 +1,34 @@
+# A Distributed Cache Store is needed
+# to save oauth autenthication to be
+# used on OAUTH flow using the Noosfero REST API.
+# Because of the nature session less of api implementation
+# When using more than one server is strongly recomended
+# provide your Rails application with a distributed Cache Store,
+# otherwise you will have to rely on client/server affinify provided by
+# network infrastructure
+class OauthClientPlugin::SignupDataStore
+
+    def self.key_name_for email, signup_token
+      "#{email}_#{signup_token}"
+    end
+
+    def self.get_oauth_data email, signup_token
+      key_name = key_name_for(email, signup_token)
+      puts "OAUTH_KEY_NAME :::: #{key_name}"
+      oauth_data = Rails.cache.fetch(key_name)
+      Rails.cache.delete(key_name)
+      oauth_data
+    end
+
+    def self.store_oauth_data email, auth_obj
+      signup_token = SecureRandom.hex
+      Rails.cache.write(key_name_for(email, signup_token), auth_obj, :expires_in => 300)
+      signup_token
+    end
+
+    def self.delete_cache_for email
+      Rails.cache.delete(cache_name_for(email))
+    end
+
+
+end
@@ -7,4 +7,5 @@ class OauthClientPlugin::UserProvider &lt; Noosfero::Plugin::ActiveRecord
  
    attr_accessible :user, :provider, :enabled
  
+   acts_as_having_settings :field => :oauth_data
 end
1	1	before_script:
2	2	- mkdir -p tmp/pids log
3	3	- bundle check \|\| bundle install
	4	+# workaround for plugins with Gemfile
	5	+ - perl -pi -e 's/--local //' script/noosfero-plugins
4	6	- script/noosfero-plugins disableall
5	7	- bundle exec rake makemo &>/dev/null
6	8	# database
...	...
...	...	@@ -28,3 +28,9 @@
28	28	[submodule "public/proposal-app"]
29	29	path = public/proposal-app
30	30	url = https://gitlab.com/participa/proposal-app.git
	31	+[submodule "plugins/gravatar-provider"]
	32	+ path = plugins/gravatar-provider
	33	+ url = https://gitlab.com/noosfero-plugins/gravatar-provider.git
	34	+[submodule "plugins/juventude"]
	35	+ path = plugins/juventude
	36	+ url = https://gitlab.com/noosfero-plugins/juventude.git
...	...
...	...	@@ -2,7 +2,6 @@ language: ruby
2	2	rvm:
3	3	# for 2.2 support we need to upgrade the pg gem
4	4	- 2.1.6
5		-cache: bundler
6	5
7	6	sudo: false
8	7	addons:
...	...	@@ -19,9 +18,20 @@ addons:
19	18	- libsqlite3-dev
20	19	- libxslt1-dev
21	20
	21	+before_install:
	22	+ - gem env
	23	+
	24	+# workaround for https://github.com/travis-ci/travis-ci/issues/4536
	25	+before_install:
	26	+ - export GEM_HOME=$PWD/vendor/bundle/ruby/2.1.0
	27	+ - gem install bundler
	28	+cache: bundler
	29	+
22	30	before_script:
23	31	- mkdir -p tmp/pids log
24		- - bundle check \|\| bundle install
	32	+# workaround for plugins with Gemfile
	33	+ - perl -pi -e 's/cat .+ > \$gemfile/echo "source \\"https:\/\/rubygems.org\\"" > \$gemfile && cat \$source\/Gemfile >> \$gemfile/' script/noosfero-plugins
	34	+ - perl -pi -e 's/--local --quiet/install --jobs=3 --retry=3/' script/noosfero-plugins
25	35	- script/noosfero-plugins disableall
26	36	- bundle exec rake makemo &>/dev/null
27	37	# database
...	...
...	...	@@ -28,6 +28,11 @@ gem 'grape-entity'
28	28	gem 'grape_logging', :git => 'https://github.com/aceunreal/grape_logging.git', :ref => '100091b'
29	29	gem 'rack-cors'
30	30	gem 'rack-contrib'
	31	+gem 'liquid', '~> 3.0.3'
	32	+#gem 'grape-swagger-rails'
	33	+
	34	+# FIXME list here all actual dependencies (i.e. the ones in debian/control),
	35	+# with their GEM names (not the Debian package names)
31	36
32	37	gem 'api-pagination', '~> 4.1.1'
33	38
...	...
...	...	@@ -0,0 +1,15 @@
	1	+class EnvironmentEmailTemplatesController < EmailTemplatesController
	2	+
	3	+ protect 'manage_email_templates', :environment
	4	+
	5	+ protected
	6	+
	7	+ def owner
	8	+ environment
	9	+ end
	10	+
	11	+ before_filter :only => :index do
	12	+ @back_to = url_for(:controller => :admin_panel)
	13	+ end
	14	+
	15	+end
...	...
...	...	@@ -0,0 +1,62 @@
	1	+class EmailTemplatesController < ApplicationController
	2	+
	3	+ def index
	4	+ @email_templates = owner.email_templates
	5	+ end
	6	+
	7	+ def show
	8	+ @email_template = owner.email_templates.find(params[:id])
	9	+
	10	+ respond_to do \|format\|
	11	+ format.html # show.html.erb
	12	+ format.json { render json: @email_template }
	13	+ end
	14	+ end
	15	+
	16	+ def show_parsed
	17	+ @email_template = owner.email_templates.find(params[:id])
	18	+ template_params = {:profile => owner, :environment => environment}
	19	+ render json: {:parsed_body => @email_template.parsed_body(template_params), :parsed_subject => @email_template.parsed_subject(template_params)}
	20	+ end
	21	+
	22	+ def new
	23	+ @email_template = owner.email_templates.build(:owner => owner)
	24	+ end
	25	+
	26	+ def edit
	27	+ @email_template = owner.email_templates.find(params[:id])
	28	+ end
	29	+
	30	+ def create
	31	+ @email_template = owner.email_templates.build(params[:email_template])
	32	+ @email_template.owner = owner
	33	+
	34	+ if @email_template.save
	35	+ session[:notice] = _('Email template was successfully created.')
	36	+ redirect_to url_for(:action => :index)
	37	+ else
	38	+ render action: "new"
	39	+ end
	40	+ end
	41	+
	42	+ def update
	43	+ @email_template = owner.email_templates.find(params[:id])
	44	+
	45	+ if @email_template.update_attributes(params[:email_template])
	46	+ session[:notice] = _('Email template was successfully updated.')
	47	+ redirect_to url_for(:action => :index)
	48	+ else
	49	+ render action: "edit"
	50	+ end
	51	+ end
	52	+
	53	+ def destroy
	54	+ @email_template = owner.email_templates.find(params[:id])
	55	+ @email_template.destroy
	56	+
	57	+ respond_to do \|format\|
	58	+ format.html { redirect_to url_for(:action => :index)}
	59	+ format.json { head :no_content }
	60	+ end
	61	+ end
	62	+end
...	...
...	...	@@ -206,7 +206,8 @@ class ManageProductsController < ApplicationController
206	206	end
207	207
208	208	def certifiers_for_selection
209		- @qualifier = Qualifier.exists?(params[:id]) ? Qualifier.find(params[:id]) : nil
	209	+ # updated to use hash as argument to exists? to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
	210	+ @qualifier = Qualifier.exists?(:id => params[:id]) ? Qualifier.find(params[:id]) : nil
210	211	render :update do \|page\|
211	212	page.replace_html params[:certifier_area], :partial => 'certifiers_for_selection'
212	213	end
...	...
...	...	@@ -0,0 +1,16 @@
	1	+class ProfileEmailTemplatesController < EmailTemplatesController
	2	+
	3	+ needs_profile
	4	+ protect 'manage_email_templates', :profile
	5	+
	6	+ protected
	7	+
	8	+ def owner
	9	+ profile
	10	+ end
	11	+
	12	+ before_filter :only => :index do
	13	+ @back_to = url_for(:controller => :profile_editor)
	14	+ end
	15	+
	16	+end
...	...
1	1	class TasksController < MyProfileController
2	2
3	3	protect [:perform_task, :view_tasks], :profile, :only => [:index, :save_tags, :search_tags]
4		- protect :perform_task, :profile, :except => [:index, :save_tags, :search_tags]
	4	+ protect :perform_task, :profile, :only => [:processed, :change_responsible, :close, :new, :list_requested, :ticket_details, :search_tags]
5	5
6	6	def index
	7	+ @rejection_email_templates = profile.email_templates.find_all_by_template_type(:task_rejection)
	8	+ @acceptance_email_templates = profile.email_templates.find_all_by_template_type(:task_acceptance)
	9	+
7	10	@filter_type = params[:filter_type].presence
8	11	@filter_text = params[:filter_text].presence
9	12	@filter_responsible = params[:filter_responsible]
...	...	@@ -19,13 +22,17 @@ class TasksController < MyProfileController
19	22
20	23	@failed = params ? params[:failed] : {}
21	24
22		- @responsible_candidates = profile.members.by_role(profile.roles.reject {\|r\| !r.has_permission?('perform_task')}) if profile.organization?
	25	+ @responsible_candidates = profile.members.by_role(profile.roles.reject {\|r\| !r.has_permission?('perform_task') && !r.has_permission?('view_tasks')}) if profile.organization?
23	26
24	27	@view_only = !current_person.has_permission?(:perform_task, profile)
25	28	end
26	29
27	30	def processed
28		- @tasks = Task.to(profile).without_spam.closed.sort_by(&:created_at)
	31	+ @tasks = Task.to(profile).without_spam.closed.order('tasks.created_at DESC')
	32	+ @filter = params[:filter] \|\| {}
	33	+ @tasks = filter_tasks(@filter, @tasks)
	34	+ @tasks = @tasks.paginate(:per_page => Task.per_page, :page => params[:page])
	35	+ @task_types = Task.closed_types_for(profile)
29	36	end
30	37
31	38	def change_responsible
...	...	@@ -78,6 +85,7 @@ class TasksController < MyProfileController
78	85	end
79	86
80	87	url = { :action => 'index' }
	88	+
81	89	if failed.blank?
82	90	session[:notice] = _("All decisions were applied successfully.")
83	91	else
...	...	@@ -109,9 +117,9 @@ class TasksController < MyProfileController
109	117	end
110	118
111	119	def search_tasks
112		-
113		- params[:filter_type] = params[:filter_type].blank? ? nil : params[:filter_type]
114		- result = Task.pending_all(profile,params)
	120	+ filter_type = params[:filter_type].presence
	121	+ filter_text = params[:filter_text].presence
	122	+ result = Task.pending_all(profile,filter_type, filter_text)
115	123
116	124	render :json => result.map { \|task\| {:label => task.data[:name], :value => task.data[:name]} }
117	125	end
...	...	@@ -125,10 +133,9 @@ class TasksController < MyProfileController
125	133
126	134	ActsAsTaggableOn.remove_unused_tags = true
127	135
128		- task = Task.to(profile).find_by_id params[:task_id]
129		- save = user.tag(task, with: params[:tag_list], on: :tags)
130		-
131		- if save
	136	+ task = profile.tasks.find_by_id(params[:task_id])
	137	+
	138	+ if task && task.update_attributes(:tag_list => params[:tag_list])
132	139	result[:success] = true
133	140	end
134	141	end
...	...	@@ -149,7 +156,39 @@ class TasksController < MyProfileController
149	156	result = ActsAsTaggableOn::Tag.find(:all, :conditions => ['LOWER(name) LIKE ?', "%#{arg}%"])
150	157
151	158	render :text => prepare_to_token_input_by_label(result).to_json, :content_type => 'application/json'
	159	+ end
	160	+
	161	+ protected
	162	+
	163	+ def filter_by_closed_date(filter, tasks)
	164	+ filter[:closed_from] = Date.parse(filter[:closed_from]) unless filter[:closed_from].blank?
	165	+ filter[:closed_until] = Date.parse(filter[:closed_until]) unless filter[:closed_until].blank?
	166	+
	167	+ tasks = tasks.where('tasks.end_date >= ?', filter[:closed_from].beginning_of_day) unless filter[:closed_from].blank?
	168	+ tasks = tasks.where('tasks.end_date <= ?', filter[:closed_until].end_of_day) unless filter[:closed_until].blank?
	169	+ tasks
	170	+ end
	171	+
	172	+ def filter_by_creation_date(filter, tasks)
	173	+ filter[:created_from] = Date.parse(filter[:created_from]) unless filter[:created_from].blank?
	174	+ filter[:created_until] = Date.parse(filter[:created_until]) unless filter[:created_until].blank?
	175	+
	176	+ tasks = tasks.where('tasks.created_at >= ?', filter[:created_from].beginning_of_day) unless filter[:created_from].blank?
	177	+ tasks = tasks.where('tasks.created_at <= ?', filter[:created_until].end_of_day) unless filter[:created_until].blank?
	178	+ tasks
	179	+ end
152	180
	181	+ def filter_tasks(filter, tasks)
	182	+ tasks = tasks.includes(:requestor, :closed_by)
	183	+ tasks = tasks.of(filter[:type].presence)
	184	+ tasks = tasks.where(:status => filter[:status]) unless filter[:status].blank?
	185	+ tasks = filter_by_creation_date(filter, tasks)
	186	+ tasks = filter_by_closed_date(filter, tasks)
	187	+
	188	+ tasks = tasks.like('profiles.name', filter[:requestor]) unless filter[:requestor].blank?
	189	+ tasks = tasks.like('closed_bies_tasks.name', filter[:closed_by]) unless filter[:closed_by].blank?
	190	+ tasks = tasks.like('tasks.data', filter[:text]) unless filter[:text].blank?
	191	+ tasks
153	192	end
154	193
155	194	end
...	...
...	...	@@ -6,8 +6,9 @@ class ContactController < PublicController
6	6	def new
7	7	@contact = build_contact
8	8	if request.post? && params[:confirm] == 'true'
9		- @contact.city = (!params[:city].blank? && City.exists?(params[:city])) ? City.find(params[:city]).name : nil
10		- @contact.state = (!params[:state].blank? && State.exists?(params[:state])) ? State.find(params[:state]).name : nil
	9	+ # updated to use hash as argument to exists? to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
	10	+ @contact.city = (!params[:city].blank? && City.exists?(:id => params[:city])) ? City.find(params[:city]).name : nil
	11	+ @contact.state = (!params[:state].blank? && State.exists?(:id => params[:state])) ? State.find(params[:state]).name : nil
11	12	if @contact.deliver
12	13	session[:notice] = _('Contact successfully sent')
13	14	redirect_to :action => 'new'
...	...