Merge branch 'master' into federation

Larissa Reis
2 parents fa46a8f5 53a2c9a9
Showing 295 changed files with 3841 additions and 1771 deletions Show diff stats
app/api/entities.rb
app/api/helpers.rb
app/api/v1/people.rb
app/api/v1/tasks.rb
app/concerns/authenticated_system.rb
app/controllers/admin/categories_controller.rb
app/controllers/application_controller.rb
app/controllers/box_organizer_controller.rb
app/controllers/concerns/authenticated_system.rb
app/controllers/concerns/custom_design.rb
app/controllers/concerns/needs_profile.rb
app/controllers/my_profile/circles_controller.rb
app/controllers/my_profile/followers_controller.rb
app/controllers/my_profile/tasks_controller.rb
app/controllers/public/account_controller.rb
app/controllers/public/content_viewer_controller.rb
app/controllers/public/profile_controller.rb
app/helpers/action_tracker_helper.rb
app/helpers/application_helper.rb
app/helpers/boxes_helper.rb
@@ -111,6 +111,10 @@ module Api
           hash[value.custom_field.name]=value.value
         end
  
+        profile.public_fields.each do |field|
+          hash[field] = profile.send(field.to_sym)
+        end
+
         private_values = profile.custom_field_values - profile.public_values
         private_values.each do |value|
           if Entities.can_display_profile_field?(profile,options)
@@ -124,6 +128,7 @@ module Api
       expose :type
       expose :custom_header
       expose :custom_footer
+      expose :layout_template
       expose :permissions do |profile, options|
         Entities.permissions_for_entity(profile, options[:current_person],
         :allow_post_content?, :allow_edit?, :allow_destroy?)
@@ -258,12 +263,28 @@ module Api
       root 'tasks', 'task'
       expose :id
       expose :type
+      expose :requestor, using: Profile
+      expose :status
+      expose :created_at
+      expose :data
+      expose :accept_details
+      expose :reject_details
+      expose :accept_disabled?, as: :accept_disabled
+      expose :reject_disabled?, as: :reject_disabled
+      expose :target do |task, options|
+        type_map = {Profile => ::Profile, Environment => ::Environment}.find {|h| task.target.kind_of?(h.last)}
+        type_map.first.represent(task.target) unless type_map.nil?
+      end
     end
  
     class Environment < Entity
       expose :name
       expose :id
       expose :description
+      expose :layout_template
+      expose :signup_intro
+      expose :terms_of_use
+      expose :top_url, as: :host
       expose :settings, if: lambda { |instance, options| options[:is_admin] }
     end
  
@@ -4,7 +4,7 @@ require &#39;tempfile&#39;
 module Api
   module Helpers
     PRIVATE_TOKEN_PARAM = :private_token
-    DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived]
+    ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived, :status]
  
     include SanitizeParams
     include Noosfero::Plugin::HotSpot
@@ -127,8 +127,8 @@ module Api
       present_partial article, with: Entities::Article, params: params, current_person: current_person
     end
  
-    def present_articles_for_asset(asset, method = 'articles')
-      articles = find_articles(asset, method)
+    def present_articles_for_asset(asset, method_or_relation = 'articles')
+      articles = find_articles(asset, method_or_relation)
       present_articles(articles)
     end
  
@@ -136,8 +136,8 @@ module Api
       present_partial paginate(articles), :with => Entities::Article, :params => params, current_person: current_person
     end
  
-    def find_articles(asset, method = 'articles')
-      articles = select_filtered_collection_of(asset, method, params)
+    def find_articles(asset, method_or_relation = 'articles')
+      articles = select_filtered_collection_of(asset, method_or_relation, params)
       if current_person.present?
         articles = articles.display_filter(current_person, nil)
       else
@@ -146,14 +146,17 @@ module Api
       articles
     end
  
-    def find_task(asset, id)
-      task = asset.tasks.find(id)
+    def find_task(asset, method_or_relation, id)
+      task = is_a_relation?(method_or_relation) ? method_or_relation : asset.send(method_or_relation)
+      task = task.find_by_id(id)
+      not_found! if task.blank?
       current_person.has_permission?(task.permission, asset) ? task : forbidden!
     end
  
     def post_task(asset, params)
       klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
       return forbidden! unless klass_type.constantize <= Task
+      return forbidden! if !current_person.has_permission?(:perform_task, asset)
  
       task = klass_type.constantize.new(params[:task])
       task.requestor_id = current_person.id
@@ -166,15 +169,24 @@ module Api
       present_partial task, :with => Entities::Task
     end
  
-    def present_task(asset)
-      task = find_task(asset, params[:id])
+    def find_tasks(asset, method_or_relation = 'tasks')
+      return forbidden! if !current_person.has_permission?(:perform_task, asset)
+      tasks = select_filtered_collection_of(asset, method_or_relation, params)
+      tasks = tasks.select {|t| current_person.has_permission?(t.permission, asset)}
+      tasks
+    end
+
+    def present_task(asset, method_or_relation = 'tasks')
+      task = find_task(asset, method_or_relation, params[:id])
       present_partial task, :with => Entities::Task
     end
  
-    def present_tasks(asset)
-      tasks = select_filtered_collection_of(asset, 'tasks', params)
-      tasks = tasks.select {|t| current_person.has_permission?(t.permission, asset)}
-      return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
+    def present_tasks_for_asset(asset, method_or_relation = 'tasks')
+      tasks = find_tasks(asset, method_or_relation)
+      present_tasks(tasks)
+    end
+
+    def present_tasks(tasks)
       present_partial tasks, :with => Entities::Task
     end
  
@@ -183,7 +195,6 @@ module Api
       conditions = {}
       from_date = DateTime.parse(parsed_params.delete(:from)) if parsed_params[:from]
       until_date = DateTime.parse(parsed_params.delete(:until)) if parsed_params[:until]
-
       conditions[:type] = parse_content_type(parsed_params.delete(:content_type)) unless parsed_params[:content_type].nil?
  
       conditions[:created_at] = period(from_date, until_date) if from_date || until_date
@@ -193,7 +204,7 @@ module Api
     end
  
     # changing make_order_with_parameters to avoid sql injection
-    def make_order_with_parameters(object, method, params)
+    def make_order_with_parameters(object, method_or_relation, params)
       order = "created_at DESC"
       unless params[:order].blank?
         if params[:order].include? '\'' or params[:order].include? '"'
@@ -202,9 +213,9 @@ module Api
           order = 'RANDOM()'
         else
           field_name, direction = params[:order].split(' ')
-          assoc = object.class.reflect_on_association(method.to_sym)
-          if !field_name.blank? and assoc
-            if assoc.klass.attribute_names.include? field_name
+          assoc_class = extract_associated_classname(method_or_relation)
+          if !field_name.blank? and assoc_class
+            if assoc_class.attribute_names.include? field_name
               if direction.present? and ['ASC','DESC'].include? direction.upcase
                 order = "#{field_name} #{direction.upcase}"
               end
@@ -215,12 +226,14 @@ module Api
       return order
     end
  
-    def make_timestamp_with_parameters_and_method(params, method)
+    def make_timestamp_with_parameters_and_method(params, method_or_relation)
       timestamp = nil
       if params[:timestamp]
         datetime = DateTime.parse(params[:timestamp])
-        table_name = method.to_s.singularize.camelize.constantize.table_name
-        timestamp = "#{table_name}.updated_at >= '#{datetime}'"
+        table_name = extract_associated_tablename(method_or_relation)
+        assoc_class = extract_associated_classname(method_or_relation)
+        date_atrr = assoc_class.attribute_names.include?('updated_at') ? 'updated_at' : 'created_at'
+        timestamp = "#{table_name}.#{date_atrr} >= '#{datetime}'"
       end
  
       timestamp
@@ -245,12 +258,12 @@ module Api
       end
     end
  
-    def select_filtered_collection_of(object, method, params)
+    def select_filtered_collection_of(object, method_or_relation, params)
       conditions = make_conditions_with_parameter(params)
-      order = make_order_with_parameters(object,method,params)
-      timestamp = make_timestamp_with_parameters_and_method(params, method)
+      order = make_order_with_parameters(object,method_or_relation,params)
+      timestamp = make_timestamp_with_parameters_and_method(params, method_or_relation)
  
-      objects = object.send(method)
+      objects = is_a_relation?(method_or_relation) ? method_or_relation : object.send(method_or_relation)
       objects = by_reference(objects, params)
       objects = by_categories(objects, params)
  
@@ -305,12 +318,12 @@ module Api
     end
  
     def cant_be_saved_request!(attribute)
-      message = _("(Invalid request) %s can't be saved") % attribute
+      message = _("(Invalid request) %s can't be saved").html_safe % attribute
       render_api_error!(message, 400)
     end
  
     def bad_request!(attribute)
-      message = _("(Invalid request) %s not given") % attribute
+      message = _("(Invalid request) %s not given").html_safe % attribute
       render_api_error!(message, 400)
     end
  
@@ -396,10 +409,27 @@ module Api
     end
     private
  
+    def extract_associated_tablename(method_or_relation)
+      extract_associated_classname(method_or_relation).table_name
+    end
+
+    def extract_associated_classname(method_or_relation)
+      if is_a_relation?(method_or_relation)
+        method_or_relation.blank? ? '' : method_or_relation.first.class
+      else
+        method_or_relation.to_s.singularize.camelize.constantize
+      end
+    end
+
+    def is_a_relation?(method_or_relation)
+      method_or_relation.kind_of?(ActiveRecord::Relation)
+    end
+  
+
     def parser_params(params)
       parsed_params = {}
       params.map do |k,v|
-        parsed_params[k.to_sym] = v if DEFAULT_ALLOWED_PARAMETERS.include?(k.to_sym)
+        parsed_params[k.to_sym] = v if ALLOWED_PARAMETERS.include?(k.to_sym)
       end
       parsed_params
     end
@@ -136,6 +136,20 @@ module Api
               members = select_filtered_collection_of(profile, 'members', params)
               present members, :with => Entities::Person, :current_person => current_person
             end
+
+            post do
+              authenticate!
+              profile = environment.profiles.find_by id: params[:profile_id]
+              profile.add_member(current_person) rescue forbidden!
+              {pending: !current_person.is_member_of?(profile)}
+            end
+
+            delete do
+              authenticate!
+              profile = environment.profiles.find_by id: params[:profile_id]
+              profile.remove_member(current_person)
+              present current_person, :with => Entities::Person, :current_person => current_person
+            end
           end
         end
       end
 module Api
   module V1
     class Tasks < Grape::API
-#      before { authenticate! }
+      before { authenticate! }
  
-#      ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+      MAX_PER_PAGE = 50
  
       resource :tasks do
  
-        # Collect tasks
+        paginate max_per_page: MAX_PER_PAGE
+        # Collect all tasks that current person has permission
         #
         # Parameters:
         #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
@@ -17,15 +18,22 @@ module Api
         # Example Request:
         #  GET host/api/v1/tasks?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
         get do
-          tasks = select_filtered_collection_of(environment, 'tasks', params)
-          tasks = tasks.select {|t| current_person.has_permission?(t.permission, environment)}
-          present_partial tasks, :with => Entities::Task
+          tasks = Task.to(current_person)
+          present_tasks_for_asset(current_person, tasks)
         end
  
         desc "Return the task id"
         get ':id' do
-          task = find_task(environment, params[:id])
-          present_partial task, :with => Entities::Task
+          present_task(current_person, Task.to(current_person))
+        end
+
+        %w[finish cancel].each do |action|
+          desc "#{action.capitalize} a task"
+          put ":id/#{action}" do
+            task = find_task(current_person, Task.to(current_person), params[:id])
+            task.send(action, current_person) if (task.status == Task::Status::ACTIVE)
+            present_partial task, :with => Entities::Task
+          end
         end
       end
  
@@ -36,7 +44,8 @@ module Api
             resource :tasks do
               get do
                 profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
-                present_tasks(profile)
+                tasks = Task.to(profile)
+                present_tasks_for_asset(profile, tasks)
               end
  
               get ':id' do
@@ -1,185 +0,0 @@
-module AuthenticatedSystem
-
-  protected
-
-    extend ActiveSupport::Concern
-
-    included do
-      if self < ActionController::Base
-        around_filter :user_set_current
-        before_filter :override_user
-        before_filter :login_from_cookie
-      end
-
-      # Inclusion hook to make #current_user and #logged_in?
-      # available as ActionView helper methods.
-      helper_method :current_user, :logged_in?
-    end
-
-    # Returns true or false if the user is logged in.
-    # Preloads @current_user with the user model if they're logged in.
-    def logged_in?
-      current_user != nil
-    end
-
-    # Accesses the current user from the session.
-    def current_user user_id = session[:user]
-      @current_user ||= begin
-        user = nil
-        if session[:external]
-          user = User.new
-          external_person = ExternalPerson.find_by(id: session[:external])
-          if external_person
-            user.external_person_id = external_person.id
-            user.email = external_person.email
-          else
-            session[:external] = nil
-          end
-        else
-          user = User.find_by(id: user_id) if user_id
-        end
-        user.session = session if user
-        User.current = user
-        user
-      end
-    end
-
-    # Store the given user in the session.
-    def current_user=(new_user)
-      if new_user.nil?
-        session.delete(:user)
-      else
-        if new_user.id
-          session[:user] = new_user.id
-        else
-          session[:external] = new_user.external_person_id
-        end
-        new_user.session = session
-        new_user.register_login if new_user.id
-      end
-      @current_user = User.current = new_user
-    end
-
-    # See impl. from http://stackoverflow.com/a/2513456/670229
-    def user_set_current
-      User.current = current_user
-      yield
-    ensure
-      # to address the thread variable leak issues in Puma/Thin webserver
-      User.current = nil
-    end
-
-    # Check if the user is authorized.
-    #
-    # Override this method in your controllers if you want to restrict access
-    # to only a few actions or if you want to check if the user
-    # has the correct rights.
-    #
-    # Example:
-    #
-    #  # only allow nonbobs
-    #  def authorize?
-    #    current_user.login != "bob"
-    #  end
-    def authorized?
-      true
-    end
-
-    # Filter method to enforce a login requirement.
-    #
-    # To require logins for all actions, use this in your controllers:
-    #
-    #   before_filter :login_required
-    #
-    # To require logins for specific actions, use this in your controllers:
-    #
-    #   before_filter :login_required, :only => [ :edit, :update ]
-    #
-    # To skip this in a subclassed controller:
-    #
-    #   skip_before_filter :login_required
-    #
-    def login_required
-      username, passwd = get_auth_data
-      if username && passwd
-        self.current_user ||= User.authenticate(username, passwd) || nil
-      end
-      if logged_in? && authorized?
-        true
-      else
-        if params[:require_login_popup]
-          render :json => { :require_login_popup => true }
-        else
-          access_denied
-        end
-      end
-    end
-
-    # Redirect as appropriate when an access request fails.
-    #
-    # The default action is to redirect to the login screen.
-    #
-    # Override this method in your controllers if you want to have special
-    # behavior in case the user is not authorized
-    # to access the requested action.  For example, a popup window might
-    # simply close itself.
-    def access_denied
-      respond_to do |accepts|
-        accepts.html do
-          if request.xhr?
-            render :text => _('Access denied'), :status => 401
-          else
-            store_location
-            redirect_to :controller => '/account', :action => 'login'
-          end
-        end
-        accepts.xml do
-          headers["Status"]           = "Unauthorized"
-          headers["WWW-Authenticate"] = %(Basic realm="Web Password")
-          render :text => "Could't authenticate you", :status => '401 Unauthorized'
-        end
-      end
-      false
-    end
-
-    # Store the URI of the current request in the session.
-    #
-    # We can return to this location by calling #redirect_back_or_default.
-    def store_location(location = request.url)
-      session[:return_to] = location
-    end
-
-    # Redirect to the URI stored by the most recent store_location call or
-    # to the passed default.
-    def redirect_back_or_default(default)
-      if session[:return_to]
-        redirect_to(session.delete(:return_to))
-      else
-        redirect_to(default)
-      end
-    end
-
-    def override_user
-      return if params[:override_user].blank?
-      return unless logged_in? and user.is_admin? environment
-      @current_user = nil
-      current_user params[:override_user]
-    end
-
-    # When called with before_filter :login_from_cookie will check for an :auth_token
-    # cookie and log the user back in if apropriate
-    def login_from_cookie
-      return if cookies[:auth_token].blank? or logged_in?
-      user = User.where(remember_token: cookies[:auth_token]).first
-      self.current_user = user if user and user.remember_token?
-    end
-
-  private
-    @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
-    # gets BASIC auth info
-    def get_auth_data
-      auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
-      auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
-      return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
-    end
-end
@@ -44,7 +44,7 @@ class CategoriesController &lt; AdminController
       if request.post?
         @category.update!(params[:category])
         @saved = true
-        session[:notice] = _("Category %s saved." % @category.name)
+        session[:notice] = _("Category %s saved." % @category.name).html_safe
         redirect_to :action => 'index'
       end
     rescue Exception => e
@@ -15,6 +15,20 @@ class ApplicationController &lt; ActionController::Base
   before_filter :redirect_to_current_user
  
   before_filter :set_session_theme
+
+  # FIXME: only include necessary methods
+  include ApplicationHelper
+
+  # concerns
+  include PermissionCheck
+  include CustomDesign
+  include NeedsProfile
+
+  # implementations
+  include FindByContents
+  include Noosfero::Plugin::HotSpot
+  include SearchTermHelper
+
   def set_session_theme
     if params[:theme]
       session[:theme] = environment.theme_ids.include?(params[:theme]) ? params[:theme] : nil
@@ -49,7 +63,6 @@ class ApplicationController &lt; ActionController::Base
     end
   end
  
-  include ApplicationHelper
   layout :get_layout
   def get_layout
     return false if request.format == :js or request.xhr?
@@ -75,9 +88,6 @@ class ApplicationController &lt; ActionController::Base
   helper :document
   helper :language
  
-  include DesignHelper
-  include PermissionCheck
-
   before_filter :set_locale
   def set_locale
     FastGettext.available_locales = environment.available_locales
@@ -90,8 +100,6 @@ class ApplicationController &lt; ActionController::Base
     end
   end
  
-  include NeedsProfile
-
   attr_reader :environment
  
   # declares that the given <tt>actions</tt> cannot be accessed by other HTTP
@@ -108,6 +116,10 @@ class ApplicationController &lt; ActionController::Base
  
   protected
  
+  def accept_only_post
+    return render_not_found if !request.post?
+  end
+
   def verified_request?
     super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
   end
@@ -154,8 +166,6 @@ class ApplicationController &lt; ActionController::Base
     end
   end
  
-  include Noosfero::Plugin::HotSpot
-
   # FIXME this filter just loads @plugins to children controllers and helpers
   def init_noosfero_plugins
     plugins
@@ -187,9 +197,6 @@ class ApplicationController &lt; ActionController::Base
     end
   end
  
-  include SearchTermHelper
-  include FindByContents
-
   def find_suggestions(query, context, asset, options={})
     plugins.dispatch_first(:find_suggestions, query, context, asset, options)
   end
@@ -109,7 +109,7 @@ class BoxOrganizerController &lt; ApplicationController
   def show_block_type_info
     type = params[:type]
     if type.blank? || !available_blocks.map(&:name).include?(type)
-      raise ArgumentError.new("Type %s is not allowed. Go away." % type)
+      raise ArgumentError.new("Type %s is not allowed. Go away.".html_safe % type)
     end
     @block = type.constantize.new
     @block.box = Box.new(:owner => boxes_holder)
@@ -122,7 +122,7 @@ class BoxOrganizerController &lt; ApplicationController
  
   def new_block(type, box)
     if !available_blocks.map(&:name).include?(type)
-      raise ArgumentError.new("Type %s is not allowed. Go away." % type)
+      raise ArgumentError.new("Type %s is not allowed. Go away.".html_safe % type)
     end
     block = type.constantize.new
     box.blocks << block
@@ -0,0 +1,185 @@
+module AuthenticatedSystem
+
+  protected
+
+    extend ActiveSupport::Concern
+
+    included do
+      if self < ActionController::Base
+        around_filter :user_set_current
+        before_filter :override_user
+        before_filter :login_from_cookie
+      end
+
+      # Inclusion hook to make #current_user and #logged_in?
+      # available as ActionView helper methods.
+      helper_method :current_user, :logged_in?
+    end
+
+    # Returns true or false if the user is logged in.
+    # Preloads @current_user with the user model if they're logged in.
+    def logged_in?
+      current_user != nil
+    end
+
+    # Accesses the current user from the session.
+    def current_user user_id = session[:user]
+      @current_user ||= begin
+        user = nil
+        if session[:external]
+          user = User.new
+          external_person = ExternalPerson.find_by(id: session[:external])
+          if external_person
+            user.external_person_id = external_person.id
+            user.email = external_person.email
+          else
+            session[:external] = nil
+          end
+        else
+          user = User.find_by(id: user_id) if user_id
+        end
+        user.session = session if user
+        User.current = user
+        user
+      end
+    end
+
+    # Store the given user in the session.
+    def current_user=(new_user)
+      if new_user.nil?
+        session.delete(:user)
+      else
+        if new_user.id
+          session[:user] = new_user.id
+        else
+          session[:external] = new_user.external_person_id
+        end
+        new_user.session = session
+        new_user.register_login if new_user.id
+      end
+      @current_user = User.current = new_user
+    end
+
+    # See impl. from http://stackoverflow.com/a/2513456/670229
+    def user_set_current
+      User.current = current_user
+      yield
+    ensure
+      # to address the thread variable leak issues in Puma/Thin webserver
+      User.current = nil
+    end
+
+    # Check if the user is authorized.
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the user
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorize?
+    #    current_user.login != "bob"
+    #  end
+    def authorized?
+      true
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_filter :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_filter :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_filter :login_required
+    #
+    def login_required
+      username, passwd = get_auth_data
+      if username && passwd
+        self.current_user ||= User.authenticate(username, passwd) || nil
+      end
+      if logged_in? && authorized?
+        true
+      else
+        if params[:require_login_popup]
+          render :json => { :require_login_popup => true }
+        else
+          access_denied
+        end
+      end
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the user is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |accepts|
+        accepts.html do
+          if request.xhr?
+            render :text => _('Access denied'), :status => 401
+          else
+            store_location
+            redirect_to :controller => '/account', :action => 'login'
+          end
+        end
+        accepts.xml do
+          headers["Status"]           = "Unauthorized"
+          headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+          render :text => "Could't authenticate you", :status => '401 Unauthorized'
+        end
+      end
+      false
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location(location = request.url)
+      session[:return_to] = location
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.
+    def redirect_back_or_default(default)
+      if session[:return_to]
+        redirect_to(session.delete(:return_to))
+      else
+        redirect_to(default)
+      end
+    end
+
+    def override_user
+      return if params[:override_user].blank?
+      return unless logged_in? and user.is_admin? environment
+      @current_user = nil
+      current_user params[:override_user]
+    end
+
+    # When called with before_filter :login_from_cookie will check for an :auth_token
+    # cookie and log the user back in if apropriate
+    def login_from_cookie
+      return if cookies[:auth_token].blank? or logged_in?
+      user = User.where(remember_token: cookies[:auth_token]).first
+      self.current_user = user if user and user.remember_token?
+    end
+
+  private
+    @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
+    # gets BASIC auth info
+    def get_auth_data
+      auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
+      auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
+      return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
+    end
+end
@@ -0,0 +1,50 @@
+module CustomDesign
+
+  extend ActiveSupport::Concern
+
+  included do
+    extend ClassMethods
+    include InstanceMethods
+    before_filter :load_custom_design if self.respond_to? :before_filter
+  end
+
+  module ClassMethods
+
+    def no_design_blocks
+      @no_design_blocks = true
+    end
+
+    def use_custom_design options = {}
+      @custom_design = options
+    end
+
+    def custom_design
+      @custom_design ||= {}
+    end
+
+    def uses_design_blocks?
+      !@no_design_blocks
+    end
+
+  end
+
+  module InstanceMethods
+
+    protected
+
+    def uses_design_blocks?
+      !@no_design_blocks && self.class.uses_design_blocks?
+    end
+
+    def load_custom_design
+      # see also: LayoutHelper#body_classes
+      @layout_template = self.class.custom_design[:layout_template]
+    end
+
+    def custom_design
+      @custom_design || self.class.custom_design
+    end
+
+  end
+
+end
@@ -0,0 +1,40 @@
+module NeedsProfile
+
+  module ClassMethods
+    def needs_profile
+      before_filter :load_profile
+    end
+  end
+
+  def self.included(including)
+    including.send(:extend, NeedsProfile::ClassMethods)
+  end
+
+  def boxes_holder
+    profile || environment # prefers profile, but defaults to environment
+  end
+
+  def profile
+    @profile
+  end
+
+  protected
+
+  def load_profile
+    if params[:profile]
+      params[:profile].downcase!
+      @profile ||= environment.profiles.where(identifier: params[:profile]).first
+    end
+
+    if @profile
+      profile_hostname = @profile.hostname
+      if profile_hostname && profile_hostname != request.host
+        params.delete(:profile)
+        redirect_to(Noosfero.url_options.merge(params).merge(:host => profile_hostname))
+      end
+    else
+      render_not_found
+    end
+  end
+
+end
@@ -0,0 +1,58 @@
+class CirclesController < MyProfileController
+
+  before_action :accept_only_post, :only => [:create, :update, :destroy]
+
+  def index
+    @circles = profile.circles
+  end
+
+  def new
+    @circle = Circle.new
+  end
+
+  def create
+    @circle = Circle.new(params[:circle].merge({ :person => profile }))
+    if @circle.save
+      redirect_to :action => 'index'
+    else
+      render :action => 'new'
+    end
+  end
+
+  def xhr_create
+    if request.xhr?
+      circle = Circle.new(params[:circle].merge({:person => profile }))
+      if circle.save
+        render :partial => "circle_checkbox", :locals => { :circle => circle },
+               :status => 201
+      else
+        render :text => _('The circle could not be saved'), :status => 400
+      end
+    else
+      render_not_found
+    end
+  end
+
+  def edit
+    @circle = Circle.find_by_id(params[:id])
+    render_not_found if @circle.nil?
+  end
+
+  def update
+    @circle = Circle.find_by_id(params[:id])
+    return render_not_found if @circle.nil?
+
+    if @circle.update(params[:circle])
+      redirect_to :action => 'index'
+    else
+      render :action => 'edit'
+    end
+  end
+
+  def destroy
+    @circle = Circle.find_by_id(params[:id])
+    return render_not_found if @circle.nil?
+    @circle.destroy
+    redirect_to :action => 'index'
+  end
+end
@@ -0,0 +1,43 @@
+class FollowersController < MyProfileController
+
+  before_action :only_for_person, :only => :index
+  before_action :accept_only_post, :only => [:update_category]
+
+  def index
+    @followed_people = profile.followed_profiles.order(:type)
+    @profile_types = {_('All profiles') => nil}.merge(Circle.profile_types).to_a
+
+    if params['filter'].present?
+      @followed_people = @followed_people.where(:type => params['filter'])
+      @active_filter = params['filter']
+    end
+
+    @followed_people = @followed_people.paginate(:per_page => 15, :page => params[:npage])
+  end
+
+  def set_category_modal
+    followed_profile = Profile.find(params[:followed_profile_id])
+    circles = Circle.where(:person => profile, :profile_type => followed_profile.class.name)
+    render :partial => 'followers/edit_circles_modal', :locals => { :circles => circles, :followed_profile => followed_profile }
+  end
+
+  def update_category
+    followed_profile = Profile.find_by(:id => params["followed_profile_id"])
+
+    selected_circles = params[:circles].map{ |circle_name, circle_id| Circle.find_by(:id => circle_id) }.select{ |c| c.present? }
+
+    if followed_profile
+      profile.update_profile_circles(followed_profile, selected_circles)
+      render :text => _("Circles of %s updated successfully") % followed_profile.name, :status => 200
+    else
+      render :text => _("Error: No profile to follow."), :status => 400
+    end
+  end
+
+  protected
+
+  def only_for_person
+    render_not_found unless profile.person?
+  end
+
+end
@@ -14,7 +14,7 @@ class TasksController &lt; MyProfileController
     @filter_text = params[:filter_text].presence
     @filter_responsible = params[:filter_responsible]
     @task_types = Task.pending_types_for(profile)
-    @tasks = Task.pending_all(profile, @filter_type, @filter_text).order_by('created_at', 'asc').paginate(:per_page => Task.per_page, :page => params[:page])
+    @tasks = Task.pending_all_by_filter(profile, @filter_type, @filter_text).order_by('created_at', 'asc').paginate(:per_page => Task.per_page, :page => params[:page])
     @tasks = @tasks.where(:responsible_id => @filter_responsible.to_i != -1 ? @filter_responsible : nil) if @filter_responsible.present?
     @tasks = @tasks.paginate(:per_page => Task.per_page, :page => params[:page])
     @failed = params ? params[:failed] : {}
@@ -101,7 +101,7 @@ class TasksController &lt; MyProfileController
   def search_tasks
     filter_type = params[:filter_type].presence
     filter_text = params[:filter_text].presence
-    result = Task.pending_all(profile,filter_type, filter_text)
+    result = Task.pending_all_by_filter(profile,filter_type, filter_text)
  
     render :json => result.map { |task| {:label => task.data[:name], :value => task.data[:name]} }
   end
@@ -205,7 +205,7 @@ class AccountController &lt; ApplicationController
         if params[:value].blank?
           @change_password.errors[:base] << _('Can not recover user password with blank value.')
         else
-          @change_password.errors[:base] << _('Could not find any user with %s equal to "%s".') % [fields_label, params[:value]]
+          @change_password.errors[:base] << _('Could not find any user with %s equal to "%s".').html_safe % [fields_label, params[:value]]
         end
       rescue ActiveRecord::RecordInvalid
         @change_password.errors[:base] << _('Could not perform password recovery for the user.')
@@ -128,9 +128,9 @@ class ContentViewerController &lt; ApplicationController
     end
  
     unless @page.display_to?(user)
-      if !profile.visible? || profile.secret? || (user && user.follows?(profile)) || user.blank?
+      if !profile.visible? || profile.secret? || (user && profile.in_social_circle?(user)) || user.blank?
         render_access_denied
-      else #!profile.public?
+      else
         private_profile_partial_parameters
         render :template => 'profile/_private_profile', :status => 403, :formats => [:html]
       end
@@ -3,7 +3,9 @@ class ProfileController &lt; PublicController
   needs_profile
   before_filter :check_access_to_profile, :except => [:join, :join_not_logged, :index, :add]
   before_filter :store_location, :only => [:join, :join_not_logged, :report_abuse, :send_mail]
-  before_filter :login_required, :only => [:add, :join, :leave, :unblock, :leave_scrap, :remove_scrap, :remove_activity, :view_more_activities, :view_more_network_activities, :report_abuse, :register_report, :leave_comment_on_activity, :send_mail]
+  before_filter :login_required, :only => [:add, :join, :leave, :unblock, :leave_scrap, :remove_scrap, :remove_activity, :view_more_activities, :view_more_network_activities, :report_abuse, :register_report, :leave_comment_on_activity, :send_mail, :follow, :unfollow]
+  before_filter :allow_followers?, :only => [:follow, :unfollow]
+  before_filter :accept_only_post, :only => [:follow, :unfollow]
  
   helper TagsHelper
   helper ActionTrackerHelper
@@ -42,8 +44,8 @@ class ProfileController &lt; PublicController
     feed_writer = FeedWriter.new
     data = feed_writer.write(
       tagged,
-      :title => _("%s's contents tagged with \"%s\"") % [profile.name, @tag],
-      :description => _("%s's contents tagged with \"%s\"") % [profile.name, @tag],
+      :title => _("%s's contents tagged with \"%s\"").html_safe % [profile.name, @tag],
+      :description => _("%s's contents tagged with \"%s\"").html_safe % [profile.name, @tag],
       :link => url_for(profile.url)
     )
     render :text => data, :content_type => "text/xml"
@@ -65,6 +67,14 @@ class ProfileController &lt; PublicController
     end
   end
  
+  def following
+    @followed_people = profile.followed_profiles.paginate(:per_page => per_page, :page => params[:npage], :total_entries => profile.followed_profiles.count)
+  end
+
+  def followed
+    @followed_by = profile.followers.paginate(:per_page => per_page, :page => params[:npage], :total_entries => profile.followers.count)
+  end
+
   def members
     if is_cache_expired?(profile.members_cache_key(params))
       sort = (params[:sort] == 'desc') ? params[:sort] : 'asc'
@@ -88,7 +98,7 @@ class ProfileController &lt; PublicController
  
   def join_modal
       profile.add_member(user)
-      session[:notice] = _('%s administrator still needs to accept you as member.') % profile.name
+      session[:notice] = _('%s administrator still needs to accept you as member.').html_safe % profile.name
       redirect_to :action => :index
   end
  
@@ -98,12 +108,12 @@ class ProfileController &lt; PublicController
  
       profile.add_member(user)
       if !profile.members.include?(user)
-        render :text => {:message => _('%s administrator still needs to accept you as member.') % profile.name}.to_json
+        render :text => {:message => _('%s administrator still needs to accept you as member.').html_safe % profile.name}.to_json
       else
-        render :text => {:message => _('You just became a member of %s.') % profile.name}.to_json
+        render :text => {:message => _('You just became a member of %s.').html_safe % profile.name}.to_json
       end
     else
-      render :text => {:message => _('You are already a member of %s.') % profile.name}.to_json
+      render :text => {:message => _('You are already a member of %s.').html_safe % profile.name}.to_json
     end
   end
  
@@ -125,7 +135,7 @@ class ProfileController &lt; PublicController
         render :text => current_person.leave(profile, params[:reload])
       end
     else
-      render :text => {:message => _('You are not a member of %s.') % profile.name}.to_json
+      render :text => {:message => _('You are not a member of %s.').html_safe % profile.name}.to_json
     end
   end
  
@@ -145,12 +155,41 @@ class ProfileController &lt; PublicController
     # FIXME this shouldn't be in Person model?
     if !user.memberships.include?(profile)
       AddFriend.create!(:person => user, :friend => profile)
-      render :text => _('%s still needs to accept being your friend.') % profile.name
+      render :text => _('%s still needs to accept being your friend.').html_safe % profile.name
     else
-      render :text => _('You are already a friend of %s.') % profile.name
+      render :text => _('You are already a friend of %s.').html_safe % profile.name
+    end
+  end
+
+  def follow
+    if profile.followed_by?(current_person)
+      render :text => _("You are already following %s.") % profile.name, :status => 400
+    else
+      selected_circles = params[:circles].map{ |circle_name, circle_id| Circle.find_by(:id => circle_id) }.select{ |c| c.present? }
+      if selected_circles.present?
+        current_person.follow(profile, selected_circles)
+        render :text => _("You are now following %s") % profile.name, :status => 200
+      else
+        render :text => _("Select at least one circle to follow %s.") % profile.name, :status => 400
+      end
     end
   end
  
+  def find_profile_circles
+    circles = Circle.where(:person => current_person, :profile_type => profile.class.name)
+    render :partial => 'blocks/profile_info_actions/circles', :locals => { :circles => circles, :profile_types => Circle.profile_types.to_a }
+  end
+
+  def unfollow
+    follower = params[:follower_id].present? ? Person.find_by(id: params[:follower_id]) : current_person
+
+    if follower && follower.follows?(profile)
+      follower.unfollow(profile)
+    end
+    redirect_url = params["redirect_to"] ? params["redirect_to"] : profile.url
+    redirect_to redirect_url
+  end
+
   def check_friendship
     unless logged_in?
       render :text => ''
@@ -178,7 +217,7 @@ class ProfileController &lt; PublicController
   def unblock
     if current_person.is_admin?(profile.environment)
       profile.unblock
-      session[:notice] = _("You have unblocked %s successfully. ") % profile.name
+      session[:notice] = _("You have unblocked %s successfully. ").html_safe % profile.name
       redirect_to :controller => 'profile', :action => 'index'
     else
       message = _('You are not allowed to unblock enterprises in this environment.')
@@ -448,4 +487,8 @@ class ProfileController &lt; PublicController
     [:image, :domains, :preferred_domain, :environment]
   end
  
+  def allow_followers?
+    render_not_found unless profile.allow_followers?
+  end
+
 end
@@ -14,13 +14,23 @@ module ActionTrackerHelper
     }
   end
  
+  def new_follower_description ta
+    n_('has 1 new follower:<br />%{name}', 'has %{num} new followers:<br />%{name}', ta.get_follower_name.size).html_safe % {
+      num: ta.get_follower_name.size,
+      name: safe_join(ta.collect_group_with_index(:follower_name) do |n,i|
+        link_to image_tag(ta.get_follower_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/person-icon.png")),
+          ta.get_follower_url[i], title: n
+      end)
+    }
+  end
+
   def join_community_description ta
-    n_('has joined 1 community:<br />%{name}'.html_safe, 'has joined %{num} communities:<br />%{name}'.html_safe, ta.get_resource_name.size) % {
+    n_('has joined 1 community:<br />%{name}', 'has joined %{num} communities:<br />%{name}', ta.get_resource_name.size).html_safe % {
       num: ta.get_resource_name.size,
-      name: ta.collect_group_with_index(:resource_name) do |n,i|
+      name: safe_join(ta.collect_group_with_index(:resource_name) do |n,i|
        link = link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
                 ta.get_resource_url[i], title: n
-      end.join.html_safe
+      end)
     }
   end
  
@@ -68,9 +78,9 @@ module ActionTrackerHelper
   end
  
   def favorite_enterprise_description ta
-    _('favorited enterprise %{title}') % {
+    (_('favorited enterprise %{title}') % {
       title: link_to(truncate(ta.get_enterprise_name), ta.get_enterprise_url),
-    }
+    }).html_safe
   end
  
 end
@@ -880,7 +880,7 @@ module ApplicationHelper
         link_to_all = link_to(content_tag('strong', _('See all')), :controller => 'memberships', :profile => user.identifier)
       end
       link = list.map do |element|
-        link_to(content_tag('strong', _('<span>Manage</span> %s') % element.short_name(25)), element.admin_url, :class => "icon-menu-"+element.class.identification.underscore, :title => _('Manage %s') % element.short_name)
+        link_to(content_tag('strong', _('<span>Manage</span> %s').html_safe % element.short_name(25)), element.admin_url, :class => "icon-menu-"+element.class.identification.underscore, :title => _('Manage %s').html_safe % element.short_name)
       end
       if link_to_all
         link << link_to_all
@@ -921,7 +921,7 @@ module ApplicationHelper
     logout_link = link_to(logout_icon.html_safe, { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
     join_result = safe_join(
       [welcome_span.html_safe, render_environment_features(:usermenu).html_safe, admin_link.html_safe,
-        manage_enterprises.html_safe, manage_communities.html_safe, ctrl_panel_link.html_safe,
+        manage_enterprises, manage_communities, ctrl_panel_link.html_safe,
         pending_tasks_count.html_safe, logout_link.html_safe], "")
     join_result
   end
@@ -285,7 +285,7 @@ module BoxesHelper
     end
  
     if block.respond_to?(:help)
-      buttons << modal_inline_icon(:help, _('Help on this block'), {}, "#help-on-box-#{block.id}") << content_tag('div', content_tag('h2', _('Help')) + content_tag('div', block.help, :style => 'margin-bottom: 1em;') + modal_close_button(_('Close')), :style => 'display: none;', :id => "help-on-box-#{block.id}")
+      buttons << modal_inline_icon(:help, _('Help on this block'), {}, "#help-on-box-#{block.id}") << content_tag('div', content_tag('h2', _('Help')) + content_tag('div', block.help.html_safe, :style => 'margin-bottom: 1em;') + modal_close_button(_('Close')), :style => 'display: none;', :id => "help-on-box-#{block.id}")
     end
  
     if block.embedable?
@@ -1,50 +0,0 @@
-module DesignHelper
-
-  extend ActiveSupport::Concern
-
-  included do
-    extend ClassMethods
-    include InstanceMethods
-    before_filter :load_custom_design if self.respond_to? :before_filter
-  end
-
-  module ClassMethods
-
-    def no_design_blocks
-      @no_design_blocks = true
-    end
-
-    def use_custom_design options = {}
-      @custom_design = options
-    end
-
-    def custom_design
-      @custom_design ||= {}
-    end
-
-    def uses_design_blocks?
-      !@no_design_blocks
-    end
-
-  end
-
-  module InstanceMethods
-
-    protected
-
-    def uses_design_blocks?
-      !@no_design_blocks && self.class.uses_design_blocks?
-    end
-
-    def load_custom_design
-      # see also: LayoutHelper#body_classes
-      @layout_template = self.class.custom_design[:layout_template]
-    end
-
-    def custom_design
-      @custom_design || self.class.custom_design
-    end
-
-  end
-
-end
@@ -128,14 +128,14 @@ module FormsHelper
       counter += 1
       row << item
       if counter % per_row == 0
-        rows << content_tag('tr', row.join("\n"))
+        rows << content_tag('tr', row.join("\n").html_safe)
         counter = 0
         row = []
       end
     end
-    rows << content_tag('tr', row.join("\n"))
+    rows << content_tag('tr', row.join("\n").html_safe)
  
-    content_tag('table',rows.join("\n"))
+    content_tag('table',rows.join("\n").html_safe)
   end
  
   def date_field(name, value, datepicker_options = {}, html_options = {})
@@ -11,7 +11,7 @@ module ProfileHelper
   PERSON_CATEGORIES[:location] = [:address, :address_reference, :zip_code, :city, :state, :district, :country, :nationality]
   PERSON_CATEGORIES[:work] = [:organization, :organization_website, :professional_activity]
   PERSON_CATEGORIES[:study] = [:schooling, :formation, :area_of_study]
-  PERSON_CATEGORIES[:network] = [:friends, :communities, :enterprises]
+  PERSON_CATEGORIES[:network] = [:friends, :followers, :followed_profiles, :communities, :enterprises]
   PERSON_CATEGORIES.merge!(COMMON_CATEGORIES)
  
   ORGANIZATION_CATEGORIES = {}
@@ -42,7 +42,8 @@ module ProfileHelper
     :created_at => _('Profile created at'),
     :members_count => _('Members'),
     :privacy_setting => _('Privacy setting'),
-    :article_tags => _('Tags')
+    :article_tags => _('Tags'),
+    :followed_profiles => _('Following')
   }
  
   EXCEPTION = {
@@ -144,6 +145,14 @@ module ProfileHelper
     link_to(n_('One picture', '%{num} pictures', gallery.images.published.count) % { :num => gallery.images.published.count }, gallery.url)
   end
  
+  def treat_followers(followers)
+    link_to(profile.followers.count, {:action=>"followed", :controller=>"profile", :profile=>"#{profile.identifier}"})
+  end
+
+  def treat_followed_profiles(followed_profiles)
+    link_to(profile.followed_profiles.count, {:action=>"following", :controller=>"profile", :profile=>"#{profile.identifier}"})
+  end
+
   def treat_events(events)
     link_to events.published.count, :controller => 'events', :action => 'events'
   end
@@ -19,8 +19,8 @@ class NotifyActivityToProfilesJob &lt; Struct.new(:tracked_action_id)
     # Notify the user
     ActionTrackerNotification.create(:profile_id => tracked_action.user.id, :action_tracker_id => tracked_action.id)
  
-    # Notify all friends
-    ActionTrackerNotification.connection.execute("insert into action_tracker_notifications(profile_id, action_tracker_id) select f.friend_id, #{tracked_action.id} from friendships as f where person_id=#{tracked_action.user.id} and f.friend_id not in (select atn.profile_id from action_tracker_notifications as atn where atn.action_tracker_id = #{tracked_action.id})")
+    # Notify all followers
+    ActionTrackerNotification.connection.execute("INSERT INTO action_tracker_notifications(profile_id, action_tracker_id) SELECT DISTINCT c.person_id, #{tracked_action.id} FROM profiles_circles AS p JOIN circles as c ON c.id = p.circle_id WHERE p.profile_id = #{tracked_action.user.id} AND (c.person_id NOT IN (SELECT atn.profile_id FROM action_tracker_notifications AS atn WHERE atn.action_tracker_id = #{tracked_action.id}))")
  
     if tracked_action.user.is_a? Organization
       ActionTrackerNotification.connection.execute "insert into action_tracker_notifications(profile_id, action_tracker_id) " +
@@ -47,8 +47,8 @@ class Contact
         content_type: 'text/html',
         to: contact.dest.notification_emails,
         reply_to: contact.email,
-        subject: "[#{contact.dest.short_name(30)}] " + contact.subject,
-        from: "#{contact.name} <#{contact.dest.environment.noreply_email}>"
+        subject: "[#{contact.dest.short_name(30)}] #{contact.subject}".html_safe,
+        from: "#{contact.name} <#{contact.dest.environment.noreply_email}>".html_safe
       }
  
       if contact.sender
@@ -30,7 +30,7 @@ class EnvironmentMailing &lt; Mailing
   end
  
   def signature_message
-    _('Sent by %s.') % source.name
+    _('Sent by %s.').html_safe % source.name
   end
  
   def url
@@ -2,7 +2,8 @@ require_dependency &#39;mailing_job&#39;
  
 class Mailing < ApplicationRecord
  
-  acts_as_having_settings :field => :data
+  extend ActsAsHavingSettings::ClassMethods
+  acts_as_having_settings field: :data
  
   attr_accessible :subject, :body, :data
  
@@ -23,11 +24,11 @@ class Mailing &lt; ApplicationRecord
   end
  
   def generate_from
-    "#{source.name} <#{if source.is_a? Environment then source.noreply_email else source.contact_email end}>"
+    "#{source.name} <#{if source.is_a? Environment then source.noreply_email else source.contact_email end}>".html_safe
   end
  
   def generate_subject
-    '[%s] %s' % [source.name, subject]
+    '[%s] %s'.html_safe % [source.name, subject]
   end
  
   def signature_message
@@ -30,7 +30,7 @@ class OrganizationMailing &lt; Mailing
   end
  
   def signature_message
-    _('Sent by community %s.') % source.name
+    _('Sent by community %s.').html_safe % source.name
   end
  
   include Rails.application.routes.url_helpers
@@ -12,8 +12,8 @@ class PendingTaskNotifier &lt; ApplicationMailer
  
     mail(
       to: person.email,
-      from: "#{person.environment.name} <#{person.environment.noreply_email}>",
-      subject: _("[%s] Pending tasks") % person.environment.name
+      from: "#{person.environment.name} <#{person.environment.noreply_email}>".html_safe,
+      subject: _("[%s] Pending tasks").html_safe % person.environment.name
     )
   end
  
@@ -14,8 +14,8 @@ class ScrapNotifier &lt; ApplicationMailer
     @url = sender.environment.top_url
     mail(
       to: receiver.email,
-      from: "#{sender.environment.name} <#{sender.environment.noreply_email}>",
-      subject: _("[%s] You received a scrap!") % [sender.environment.name]
+      from: "#{sender.environment.name} <#{sender.environment.noreply_email}>".html_safe,
+      subject: _("[%s] You received a scrap!").html_safe % [sender.environment.name]
     )
   end
 end
@@ -14,7 +14,7 @@ class TaskMailer &lt; ApplicationMailer
     mail(
       to: task.target.notification_emails.compact,
       from: self.class.generate_from(task),
-      subject: "[%s] %s" % [task.environment.name, task.target_notification_description]
+      subject: "[%s] %s".html_safe % [task.environment.name, task.target_notification_description]
     )
   end
  
@@ -27,7 +27,7 @@ class TaskMailer &lt; ApplicationMailer
     mail(
       to: task.friend_email,
       from: self.class.generate_from(task),
-      subject: '[%s] %s' % [ task.requestor.environment.name, task.target_notification_description ]
+      subject: '[%s] %s'.html_safe % [ task.requestor.environment.name, task.target_notification_description ]
     )
   end
  
@@ -43,7 +43,7 @@ class TaskMailer &lt; ApplicationMailer
     mail_with_template(
       to: task.requestor.notification_emails,
       from: self.class.generate_from(task),
-      subject: '[%s] %s' % [task.requestor.environment.name, task.target_notification_description],
+      subject: '[%s] %s'.html_safe % [task.requestor.environment.name, task.target_notification_description],
       email_template: task.email_template,
       template_params: {:environment => task.requestor.environment, :task => task, :message => @message, :url => @url, :requestor => task.requestor}
     )
@@ -13,8 +13,8 @@ class UserMailer &lt; ApplicationMailer
  
     mail(
       to: user_email,
-      from: "#{user.environment.name} <#{user.environment.contact_email}>",
-      subject: _("[%{environment}] Welcome to %{environment} mail!") % { :environment => user.environment.name }
+      from: "#{user.environment.name} <#{user.environment.contact_email}>".html_safe,
+      subject: _("[%{environment}] Welcome to %{environment} mail!").html_safe % { :environment => user.environment.name }
     )
   end
  
@@ -30,7 +30,7 @@ class UserMailer &lt; ApplicationMailer
     mail_with_template(
       from: "#{user.environment.name} <#{user.environment.contact_email}>",
       to: user.email,
-      subject: _("[%s] Activate your account") % [user.environment.name],
+      subject: _("[%s] Activate your account").html_safe % [user.environment.name],
       template_params: {:environment => user.environment, :activation_code => @activation_code, :redirection => @redirection, :join => @join, :person => user.person, :url => @url},
       email_template: user.environment.email_templates.find_by_template_type(:user_activation),
     )
@@ -44,8 +44,8 @@ class UserMailer &lt; ApplicationMailer
     mail(
       content_type: 'text/html',
       to: user.email,
-      from: "#{user.environment.name} <#{user.environment.contact_email}>",
-      subject: email_subject.blank? ? _("Welcome to environment %s") % [user.environment.name] : email_subject,
+      from: "#{user.environment.name} <#{user.environment.contact_email}>".html_safe,
+      subject: email_subject.blank? ? _("Welcome to environment %s").html_safe % [user.environment.name] : email_subject,
       body: @body
     )
   end
@@ -63,8 +63,8 @@ class UserMailer &lt; ApplicationMailer
     mail(
       content_type: 'text/html',
       to: user.email,
-      from: "#{user.environment.name} <#{user.environment.contact_email}>",
-      subject: _("[%s] What about grow up your network?") % user.environment.name
+      from: "#{user.environment.name} <#{user.environment.contact_email}>".html_safe,
+      subject: _("[%s] What about grow up your network?").html_safe % user.environment.name
     )
   end
  
@@ -25,7 +25,7 @@ class AbuseComplaint &lt; Task
   end
  
   def title
-    abuse_reports.count > 1 ? (_('Abuse complaint (%s)') % abuse_reports.count) :_('Abuse complaint')
+    abuse_reports.count > 1 ? (_('Abuse complaint (%s)').html_safe % abuse_reports.count) :_('Abuse complaint')
   end
  
   def linked_subject
@@ -57,15 +57,15 @@ class AbuseComplaint &lt; Task
   end
  
   def task_activated_message
-    _('Your profile was reported by the users of %s due to inappropriate behavior. The administrators of the environment are now reviewing the report. To solve this misunderstanding, please contact the administrators.') % environment.name
+    _('Your profile was reported by the users of %s due to inappropriate behavior. The administrators of the environment are now reviewing the report. To solve this misunderstanding, please contact the administrators.').html_safe % environment.name
   end
  
   def task_finished_message
-    _('Your profile was disabled by the administrators of %s due to inappropriate behavior. To solve this misunderstanding please contact them.') % environment.name
+    _('Your profile was disabled by the administrators of %s due to inappropriate behavior. To solve this misunderstanding please contact them.').html_safe % environment.name
   end
  
   def target_notification_description
-    _('%s was reported due to inappropriate behavior.') % reported.name
+    _('%s was reported due to inappropriate behavior.').html_safe % reported.name
   end
  
   def target_notification_message
@@ -22,6 +22,7 @@ class AddMember &lt; Task
       self.roles = [Profile::Roles.member(organization.environment.id).id]
     end
     target.affiliate(requestor, self.roles.select{|r| !r.to_i.zero? }.map{|i| Role.find(i)})
+    person.follow(organization, Circle.find_or_create_by(:person => person, :name =>_('memberships'), :profile_type => 'Community'))
   end
  
   def title
@@ -56,7 +57,7 @@ class AddMember &lt; Task
   def target_notification_description
     requestor_email = " (#{requestor.email})" if requestor.may_display_field_to?("email")
  
-    _("%{requestor}%{requestor_email} wants to be a member of '%{organization}'.") % {:requestor => requestor.name, :requestor_email => requestor_email, :organization => organization.name}
+    _("%{requestor}%{requestor_email} wants to be a member of '%{organization}'.").html_safe % {:requestor => requestor.name, :requestor_email => requestor_email, :organization => organization.name}
   end
  
   def target_notification_message
@@ -13,7 +13,9 @@ class Article &lt; ApplicationRecord
                   :image_builder, :show_to_followers, :archived,
                   :author, :display_preview, :published_at, :person_followers
  
+  extend ActsAsHavingImage::ClassMethods
   acts_as_having_image
+
   include Noosfero::Plugin::HotSpot
  
   SEARCHABLE_FIELDS = {
@@ -91,7 +93,8 @@ class Article &lt; ApplicationRecord
   has_many :article_categorizations_including_virtual, :class_name => 'ArticleCategorization'
   has_many :categories_including_virtual, :through => :article_categorizations_including_virtual, :source => :category
  
-  acts_as_having_settings :field => :setting
+  extend ActsAsHavingSettings::ClassMethods
+  acts_as_having_settings field: :setting
  
   settings_items :display_hits, :type => :boolean, :default => true
   settings_items :author_name, :type => :string, :default => ""
@@ -242,6 +245,7 @@ class Article &lt; ApplicationRecord
   acts_as_taggable
   N_('Tag list')
  
+  extend ActsAsFilesystem::ActsMethods
   acts_as_filesystem
  
   acts_as_versioned
@@ -534,13 +538,13 @@ class Article &lt; ApplicationRecord
  
   scope :display_filter, lambda {|user, profile|
     return published if (user.nil? && profile && profile.public?)
-    return [] if user.nil? || (profile && !profile.public? && !user.follows?(profile))
+    return [] if user.nil? || (profile && !profile.public? && !profile.in_social_circle?(user))
     where(
       [
        "published = ? OR last_changed_by_id = ? OR profile_id = ? OR ?
         OR  (show_to_followers = ? AND ? AND profile_id IN (?))", true, user.id, user.id,
         profile.nil? ?  false : user.has_permission?(:view_private_content, profile),
-        true, (profile.nil? ? true : user.follows?(profile)),  ( profile.nil? ? (user.friends.select('profiles.id')) : [profile.id])
+        true, (profile.nil? ? true : profile.in_social_circle?(user)),  ( profile.nil? ? (user.friends.select('profiles.id')) : [profile.id])
       ]
     )
   }
@@ -17,6 +17,7 @@ class Block &lt; ApplicationRecord
   belongs_to :mirror_block, :class_name => "Block"
   has_many :observers, :class_name => "Block", :foreign_key => "mirror_block_id"
  
+  extend ActsAsHavingSettings::ClassMethods
   acts_as_having_settings
  
   scope :enabled, -> { where :enabled => true }
@@ -88,7 +89,7 @@ class Block &lt; ApplicationRecord
   end
  
   def display_to_user?(user)
-    display_user == 'all' || (user.nil? && display_user == 'not_logged') || (user && display_user == 'logged') || (user && display_user == 'followers' && user.follows?(owner))
+    display_user == 'all' || (user.nil? && display_user == 'not_logged') || (user && display_user == 'logged') || (user && display_user == 'followers' && owner.in_social_circle?(user))
   end
  
   def display_always(context)
@@ -2,7 +2,9 @@ class Blog &lt; Folder
  
   attr_accessible :visualization_format
  
+  extend ActsAsHavingPosts::ClassMethods
   acts_as_having_posts
+
   include PostsLimit
  
   #FIXME This should be used until there is a migration to fix all blogs that
@@ -21,6 +21,7 @@ class Category &lt; ApplicationRecord
  
   scope :on_level, -> parent { where :parent_id => parent }
  
+  extend ActsAsFilesystem::ActsMethods
   acts_as_filesystem
  
   has_many :article_categorizations
@@ -35,6 +36,7 @@ class Category &lt; ApplicationRecord
   has_many :people, :through => :profile_categorizations, :source => :profile, :class_name => 'Person'
   has_many :communities, :through => :profile_categorizations, :source => :profile, :class_name => 'Community'
  
+  extend ActsAsHavingImage::ClassMethods
   acts_as_having_image
  
   before_save :normalize_display_color
@@ -0,0 +1,37 @@
+class Circle < ApplicationRecord
+  has_many :profile_followers
+  belongs_to :person
+
+  attr_accessible :name, :person, :profile_type
+
+  validates :name, presence: true
+  validates :person_id, presence: true
+  validates :profile_type, presence: true
+  validates :person_id, :uniqueness => {:scope => :name, :message => "can't add two circles with the same name"}
+
+  validate :profile_type_must_be_in_list
+
+  scope :by_owner, -> person{
+    where(:person => person)
+  }
+
+  scope :with_name, -> name{
+    where(:name => name)
+  }
+
+  def self.profile_types
+    {
+      _("Person") => Person.name,
+      _("Community") => Community.name,
+      _("Enterprise") => Enterprise.name
+    }
+  end
+
+  def profile_type_must_be_in_list
+    valid_profile_types = Circle.profile_types.values
+    unless self.profile_type.in? valid_profile_types
+      self.errors.add(:profile_type, "invalid profile type")
+    end
+  end
+
+end
@@ -38,6 +38,7 @@ class Comment &lt; ApplicationRecord
  
   validate :article_archived?
  
+  extend ActsAsHavingSettings::ClassMethods
   acts_as_having_settings
  
   xss_terminate :only => [ :body, :title, :name ], :on => 'validation'
@@ -2,7 +2,7 @@ class Community &lt; Organization
  
   attr_accessible :accessor_id, :accessor_type, :role_id, :resource_id, :resource_type
   attr_accessible :address_reference, :district, :tag_list, :language, :description
-  attr_accessible :requires_email
+
   after_destroy :check_invite_member_for_destroy
  
   def self.type_name
@@ -13,9 +13,6 @@ class Community &lt; Organization
   N_('Language')
  
   settings_items :language
-  settings_items :requires_email, :type => :boolean
-
-  alias_method :requires_email?, :requires_email
  
   extend SetProfileRegionFromCityState::ClassMethods
   set_profile_region_from_city_state
@@ -0,0 +1,265 @@
+module ActsAsFilesystem
+
+  module ActsMethods
+
+    # Declares the ActiveRecord model to acts like a filesystem: objects are
+    # arranged in a tree (liks acts_as_tree), and . The underlying table must
+    # have the following fields:
+    #
+    # * name (+:string+) - the title of the object
+    # * slug (+:string+)- the title turned in a URL-friendly string (downcased,
+    #   non-ascii chars transliterated into ascii, all sequences of
+    #   non-alphanumericd characters changed into dashed)
+    # * path (+:text+)- stores the full path of the object (the full path of
+    #   the parent, a "/" and the slug of the object)
+    # * children_count - a cache of the number of children elements.
+    def acts_as_filesystem
+      # a filesystem is a tree
+      acts_as_tree :counter_cache => :children_count
+
+      extend ClassMethods
+      include InstanceMethods
+      if self.has_path?
+        after_update :update_children_path
+        before_create :set_path
+        include InstanceMethods::PathMethods
+      end
+
+      before_save :set_ancestry
+    end
+
+  end
+
+  module ClassMethods
+
+    def build_ancestry(parent_id = nil, ancestry = '')
+      ActiveRecord::Base.transaction do
+        self.base_class.where(parent_id: parent_id).each do |node|
+          node.update_column :ancestry, ancestry
+
+          build_ancestry node.id, (ancestry.empty? ? "#{node.formatted_ancestry_id}" :
+                                   "#{ancestry}#{node.ancestry_sep}#{node.formatted_ancestry_id}")
+        end
+      end
+
+      #raise "Couldn't reach and set ancestry on every record" if self.base_class.where('ancestry is null').count != 0
+    end
+
+    def has_path?
+      (['name', 'slug', 'path'] - self.column_names).blank?
+    end
+
+  end
+
+  module InstanceMethods
+
+    def ancestry_column
+      'ancestry'
+    end
+    def ancestry_sep
+      '.'
+    end
+    def has_ancestry?
+      self.class.column_names.include? self.ancestry_column
+    end
+
+    def formatted_ancestry_id
+      "%010d" % self.id if self.id
+    end
+
+    def ancestry
+      self[ancestry_column]
+    end
+    def ancestor_ids
+      return nil if !has_ancestry? or ancestry.nil?
+      @ancestor_ids ||= ancestry.split(ancestry_sep).map{ |id| id.to_i }
+    end
+
+    def ancestry=(value)
+      self[ancestry_column] = value
+    end
+    def set_ancestry
+      return unless self.has_ancestry?
+      if self.ancestry.nil? or (new_record? or parent_id_changed?) or recalculate_path
+        self.ancestry = self.hierarchy(true)[0...-1].map{ |p| p.formatted_ancestry_id }.join(ancestry_sep)
+      end
+    end
+
+    def descendents_options
+      ["#{self.ancestry_column} LIKE ?", "%#{self.formatted_ancestry_id}%"]
+    end
+    def descendents
+      self.class.where descendents_options
+    end
+
+    # calculates the level of the record in the records hierarchy. Top-level
+    # records have level 0; the children of the top-level records have
+    # level 1; the children of records with level 1 have level 2, and so on.
+    #
+    #      A    level 0
+    #     / \
+    #    B   C  level 1
+    #   / \ / \
+    #   E F G H level 2
+    #     ...
+    def level
+      self.hierarchy.size - 1
+    end
+
+    # Is this record a top-level record?
+    def top_level?
+      self.parent.nil?
+    end
+
+    # Is this record a leaf in the hierarchy tree of records?
+    #
+    # Being a leaf means that this record has no subrecord.
+    def leaf?
+      self.children.empty?
+    end
+
+    def top_ancestor
+      if has_ancestry? and !ancestry.blank?
+        self.class.base_class.find_by id: self.top_ancestor_id
+      else
+        self.hierarchy.first
+      end
+    end
+    def top_ancestor_id
+      if has_ancestry? and !ancestry.nil?
+        self.ancestor_ids.first
+      else
+        self.hierarchy.first.id
+      end
+    end
+
+    # returns the full hierarchy from the top-level item to this one. For
+    # example, if item1 has a children item2 and item2 has a children item3,
+    # then item3's hierarchy would be [item1, item2, item3].
+    #
+    # If +reload+ is passed as +true+, then the hierarchy is reload (usefull
+    # when the ActiveRecord object was modified in some way, or just after
+    # changing parent)
+    def hierarchy(reload = false)
+      @hierarchy = nil if reload or recalculate_path
+
+      if @hierarchy.nil?
+        @hierarchy = []
+
+        if !reload and !recalculate_path and ancestor_ids
+          objects = self.class.base_class.where(id: ancestor_ids)
+          ancestor_ids.each{ |id| @hierarchy << objects.find{ |t| t.id == id } }
+          @hierarchy << self
+        else
+          item = self
+          while item
+            @hierarchy.unshift(item)
+            item = item.parent
+          end
+        end
+      end
+
+      @hierarchy
+    end
+
+    def map_traversal(&block)
+      result = []
+      current_level = [self]
+
+      while !current_level.empty?
+        result += current_level
+        ids = current_level.select {|item| item.children_count > 0}.map(&:id)
+        break if ids.empty?
+        current_level = self.class.base_class.where(parent_id: ids)
+      end
+      block ||= (lambda { |x| x })
+      result.map(&block)
+    end
+
+    def all_children
+      res = map_traversal
+      res.shift
+      res
+    end
+
+    #####
+    # Path methods
+    # These methods are used when _path_, _name_ and _slug_ attributes exist
+    # and should be calculated based on the tree
+    #####
+    module PathMethods
+      # used to know when to trigger batch renaming
+      attr_accessor :recalculate_path
+
+      # calculates the full path to this record using parent's path.
+      def calculate_path
+        self.hierarchy.map{ |obj| obj.slug }.join('/')
+      end
+      def set_path
+        if self.path == self.slug && !self.top_level?
+          self.path = self.calculate_path
+        end
+      end
+      def explode_path
+        path.split(/\//)
+      end
+
+      def update_children_path
+        if self.recalculate_path
+          self.children.each do |child|
+            child.path = child.calculate_path
+            child.recalculate_path = true
+            child.save!
+          end
+        end
+        self.recalculate_path = false
+      end
+
+      # calculates the full name of a record by accessing the name of all its
+      # ancestors.
+      #
+      # If you have this record hierarchy:
+      #   Record "A"
+      #     Record "B"
+      #       Record "C"
+      #
+      # Then Record "C" will have "A/B/C" as its full name.
+      def full_name(sep = '/')
+        self.hierarchy.map {|item| item.name || '?' }.join(sep)
+      end
+
+      # gets the name without leading parents. Useful when dividing records
+      # in top-level groups and full names must not include the top-level
+      # record which is already a emphasized label
+      def full_name_without_leading(count, sep = '/')
+        parts = self.full_name(sep).split(sep)
+        count.times { parts.shift }
+        parts.join(sep)
+      end
+
+      def set_name(value)
+        if self.name != value
+          self.recalculate_path = true
+        end
+        self[:name] = value
+      end
+
+      # sets the name of the record. Also sets #slug accordingly.
+      def name=(value)
+        self.set_name(value)
+        unless self.name.blank?
+          self.slug = self.name.to_slug
+        end
+      end
+
+      # sets the slug of the record. Also sets the path with the new slug value.
+      def slug=(value)
+        self[:slug] = value
+        unless self.slug.blank?
+          self.path = self.calculate_path
+        end
+      end
+    end
+  end
+end
+
@@ -0,0 +1,37 @@
+module ActsAsHavingBoxes
+
+  module ClassMethods
+    def acts_as_having_boxes
+      has_many :boxes, -> { order :position }, as: :owner, dependent: :destroy
+      self.send(:include, ActsAsHavingBoxes)
+    end
+  end
+
+  module BlockArray
+    def find(id)
+      select { |item| item.id == id.to_i }.first
+    end
+  end
+
+  def blocks(reload = false)
+    if (reload)
+      @blocks = nil
+    end
+    if @blocks.nil?
+      @blocks = boxes.includes(:blocks).inject([]) do |acc,obj|
+        acc.concat(obj.blocks)
+      end
+      @blocks.send(:extend, BlockArray)
+    end
+    @blocks
+  end
+
+  # returns 3 unless the class table has a boxes_limit column. In that case
+  # return the value of the column.
+  def boxes_limit layout_template = nil
+    layout_template ||= self.layout_template
+    @boxes_limit ||= LayoutTemplate.find(layout_template).number_of_boxes || 3
+  end
+
+end
+
@@ -0,0 +1,25 @@
+module ActsAsHavingImage
+
+  module ClassMethods
+    def acts_as_having_image
+      belongs_to :image, dependent: :destroy
+      scope :with_image, -> { where "#{table_name}.image_id IS NOT NULL" }
+      scope :without_image, -> { where "#{table_name}.image_id IS NULL" }
+      attr_accessible :image_builder
+      include ActsAsHavingImage
+    end
+  end
+
+  def image_builder=(img)
+    if image && image.id == img[:id]
+      image.attributes = img
+    else
+      build_image(img)
+    end unless img[:uploaded_data].blank?
+    if img[:remove_image] == 'true'
+      self.image_id = nil
+    end
+  end
+
+end
+
@@ -0,0 +1,49 @@
+module ActsAsHavingPosts
+
+  module ClassMethods
+    def acts_as_having_posts(scope = nil)
+      has_many :posts, -> {
+        s = order('published_at DESC, id DESC').where('articles.type != ?', 'RssFeed')
+        s = s.instance_exec(&scope) if scope
+        s
+      }, class_name: 'Article', foreign_key: 'parent_id', source: :children
+
+      attr_accessor :feed_attrs
+
+      after_create do |blog|
+        blog.children << RssFeed.new(:name => 'feed', :profile => blog.profile)
+        blog.feed = blog.feed_attrs
+      end
+
+      settings_items :posts_per_page, :type => :integer, :default => 5
+
+      self.send(:include, ActsAsHavingPosts)
+    end
+  end
+
+  def has_posts?
+    true
+  end
+
+  def feed
+    children.where(:type => 'RssFeed').first
+  end
+
+  def feed=(attrs)
+    if attrs
+      if self.feed
+        self.feed.update(attrs)
+      else
+        self.feed_attrs = attrs
+      end
+    end
+    self.feed
+  end
+
+  def name=(value)
+    self.set_name(value)
+    self.slug = self.slug.blank? ? self.name.to_slug : self.slug.to_slug
+  end
+
+end
+
@@ -0,0 +1,89 @@
+# declare missing types
+module ActiveRecord
+  module Type
+    class Symbol < Value
+      def cast_value value
+        value.to_sym
+      end
+    end
+    class Array < Value
+      def cast_value value
+        ::Array.wrap(value)
+      end
+    end
+    class Hash < Value
+      def cast_value value
+        h = ::Hash[value]
+        h.symbolize_keys!
+        h
+      end
+    end
+  end
+end
+
+module ActsAsHavingSettings
+
+  def self.type_cast value, type
+    # do not cast nil
+    return value if value.nil?
+    type.send :cast_value, value
+  end
+
+  module ClassMethods
+
+    def acts_as_having_settings(*args)
+      options = args.last.is_a?(Hash) ? args.pop : {}
+      field = (options[:field] || :settings).to_sym
+
+      serialize field, Hash
+      class_attribute :settings_field
+      self.settings_field = field
+
+      class_eval do
+        def settings_field
+          self[self.class.settings_field] ||= Hash.new
+        end
+
+        def setting_changed? setting_field
+          setting_field = setting_field.to_sym
+          changed_settings = self.changes[self.class.settings_field]
+          return false if changed_settings.nil?
+
+          old_setting_value = changed_settings.first.nil? ? nil : changed_settings.first[setting_field]
+          new_setting_value = changed_settings.last[setting_field]
+          old_setting_value != new_setting_value
+        end
+      end
+
+      settings_items *args
+    end
+
+    def settings_items *names
+
+      options = names.extract_options!
+      default = options[:default]
+      type = options[:type]
+      type = if type.present? then ActiveRecord::Type.const_get(type.to_s.camelize.to_sym).new else nil end
+
+      names.each do |setting|
+        # symbolize key
+        setting = setting.to_sym
+
+        define_method setting do
+          h = send self.class.settings_field
+          val = h[setting]
+          # translate default value if it is used
+          if not val.nil? then val elsif default.is_a? String then gettext default else default end
+        end
+
+        define_method "#{setting}=" do |value|
+          h = send self.class.settings_field
+          h[setting] = if type then ActsAsHavingSettings.type_cast value, type else value end
+        end
+      end
+    end
+
+  end
+
+end
+
@@ -0,0 +1,57 @@
+module CodeNumbering
+  module ClassMethods
+    def code_numbering field, options = {}
+      class_attribute :code_numbering_field
+      class_attribute :code_numbering_options
+
+      self.code_numbering_field = field
+      self.code_numbering_options = options
+
+      before_create :create_code_numbering
+
+      include CodeNumbering::InstanceMethods
+    end
+  end
+
+  module InstanceMethods
+
+    def code
+      self.attributes[self.code_numbering_field.to_s]
+    end
+
+    def code_scope
+      scope = self.code_numbering_options[:scope]
+      case scope
+      when Symbol
+        self.send scope
+      when Proc
+        instance_exec &scope
+      else
+        self.class
+      end
+    end
+
+    def code_maximum
+      self.code_scope.maximum(self.code_numbering_field) || 0
+    end
+
+    def create_code_numbering
+      max = self.code_numbering_options[:start].to_i - 1 if self.code_numbering_options[:start]
+      max = self.code_maximum
+      self.send "#{self.code_numbering_field}=", max+1
+    end
+
+    def reset_scope_code_numbering
+      max = self.code_numbering_options[:start].to_i - 1 if self.code_numbering_options[:start]
+      max ||= 1
+
+      self.code_scope.order(:created_at).each do |record|
+        record.update_column self.code_numbering_field, max
+        max += 1
+      end
+      self.reload
+    end
+
+  end
+end
+
@@ -0,0 +1,124 @@
+module Customizable
+
+  def self.included(base)
+    base.attr_accessible :custom_values
+    base.extend ClassMethods
+  end
+
+  module ClassMethods
+    def acts_as_customizable(options = {})
+      attr_accessor :custom_values
+      has_many :custom_field_values, :dependent => :delete_all, :as => :customized
+      send :include, Customizable::InstanceMethods
+      after_save :save_custom_values
+      validate :valid_custom_values?
+    end
+
+    def active_custom_fields environment
+      environment.custom_fields.select{|cf| customized_ancestors_list.include?(cf.customized_type) && cf.active}
+    end
+
+    def required_custom_fields environment
+      environment.custom_fields.select{|cf| customized_ancestors_list.include?(cf.customized_type) && cf.required}
+    end
+
+    def signup_custom_fields environment
+      environment.custom_fields.select{|cf| customized_ancestors_list.include?(cf.customized_type) && cf.signup}
+    end
+
+    def custom_fields environment
+      environment.custom_fields.select{|cf| customized_ancestors_list.include?(cf.customized_type)}
+    end
+
+    def customized_ancestors_list
+      current=self
+      result=[]
+      while current.instance_methods.include? :custom_value do
+        result << current.name
+        current=current.superclass
+      end
+      result
+    end
+
+  end
+
+  module InstanceMethods
+
+    def valid_custom_values?
+      is_valid = true
+      parse_custom_values.each do |cv|
+        unless cv.valid?
+          name = cv.custom_field.name
+          errors.add(name, cv.errors.messages[name.to_sym].first)
+          is_valid = false
+        end
+      end
+      is_valid
+    end
+
+    def customized_class
+      current=self.class
+      while current.instance_methods.include? :custom_fields do
+        result=current
+        current=current.superclass
+      end
+      result.name
+    end
+
+    def is_public(field_name)
+      cv = self.custom_field_values.detect{|cv| cv.custom_field.name==field_name}
+      cv.nil? ? false : cv.public
+    end
+
+    def public_values
+      self.custom_field_values.select{|cv| cv.public}
+    end
+
+    def custom_value(field_name)
+      cv = self.custom_field_values.detect{|cv| cv.custom_field.name==field_name}
+      cv.nil? ? default_value_for(field_name) : cv.value
+    end
+
+    def default_value_for(field_name)
+      field=self.class.custom_fields(environment).detect {|c| c.name == field_name}
+      field.nil? ? nil : field.default_value
+    end
+
+    def parse_custom_values
+      return_list = []
+      return return_list if custom_values.blank?
+      custom_values.each_pair do |key, value|
+        custom_field = environment.custom_fields.detect{|cf|cf.name==key}
+        next if custom_field.blank?
+        custom_field_value = self.custom_field_values(true).detect{|cv| cv.custom_field.name==key}
+
+        if custom_field_value.nil?
+          custom_field_value = CustomFieldValue.new
+          custom_field_value.custom_field = custom_field
+          custom_field_value.customized = self
+        end
+
+        if value.is_a?(Hash)
+          custom_field_value.value = value['value'].to_s
+          if value.has_key?('public')
+            is_public = value['public']=="true" || value['public']==true
+            custom_field_value.public = is_public
+          else
+            custom_field_value.public = false
+          end
+        else
+          custom_field_value.value = value.to_s
+          custom_field_value.public = false
+        end
+        return_list << custom_field_value
+      end
+      return_list
+    end
+
+    def save_custom_values
+      parse_custom_values.each(&:save)
+    end
+
+  end
+end
+
@@ -0,0 +1,55 @@
+module DelayedAttachmentFu
+
+  module ClassMethods
+    def delay_attachment_fu_thumbnails
+      include DelayedAttachmentFu::InstanceMethods
+      after_create do |file|
+        if file.thumbnailable?
+          Delayed::Job.enqueue CreateThumbnailsJob.new(file.class.name, file.id)
+        end
+      end
+    end
+  end
+
+  module InstanceMethods
+    # skip processing with RMagick
+    def process_attachment
+    end
+
+    def after_process_attachment
+      save_to_storage
+      @temp_paths.clear
+      @saved_attachment = nil
+      run_callbacks :after_attachment_saved
+    end
+
+    def create_thumbnails
+      if thumbnailable?
+        self.class.with_image(full_filename) do |img|
+          self.width = img.columns
+          self.height = img.rows
+          self.save!
+        end
+        self.class.attachment_options[:thumbnails].each do |suffix, size|
+          self.create_or_update_thumbnail(self.full_filename, suffix, size)
+        end
+        self.thumbnails_processed = true
+        self.save!
+      end
+    end
+
+    def public_filename(size=nil)
+      force, size = true, nil if size == :uploaded
+      if !self.thumbnailable? || self.thumbnails_processed || force
+        super size
+      else
+        size ||= :thumb
+        '/images/icons-app/image-loading-%s.png' % size
+      end
+    end
+
+
+  end
+end
+
+
@@ -0,0 +1,44 @@
+module SetProfileRegionFromCityState
+
+  module ClassMethods
+    def set_profile_region_from_city_state
+      before_save :region_from_city_and_state
+
+      include InstanceMethods
+      alias_method_chain :city=, :region
+      alias_method_chain :state=, :region
+    end
+  end
+
+  module InstanceMethods
+    include Noosfero::Plugin::HotSpot
+
+    def city_with_region=(value)
+      self.city_without_region = value
+      @change_region = true
+    end
+
+    def state_with_region=(value)
+      self.state_without_region = value
+      @change_region = true
+    end
+
+    def region_from_city_and_state
+      if @change_region
+        self.region = nil
+        state = search_region(State, self.state)
+        self.region = search_region(City.where(:parent_id => state.id), self.city) if state
+      end
+    end
+
+    private
+
+    def search_region(scope, query)
+      return nil if !query
+      query = query.downcase.strip
+      scope.where(['lower(name)=? OR lower(abbreviation)=? OR lower(acronym)=?', query, query, query]).first
+    end
+
+  end
+
+end
@@ -0,0 +1,8 @@
+module TranslatableContent
+
+  def translatable?
+    return false if self.profile && !self.profile.environment.languages.present?
+    parent.nil? || !parent.forum?
+  end
+
+end
@@ -0,0 +1,37 @@
+module WhiteListFilter
+
+  def check_iframe_on_content(content, trusted_sites)
+    if content.blank? || !content.include?('iframe')
+      return content
+    end
+    content.gsub!(/<iframe[^>]*>\s*<\/iframe>/i) do |iframe|
+      result = ''
+      unless iframe =~ /src=['"].*src=['"]/
+        trusted_sites.each do |trusted_site|
+          re_dom = trusted_site.gsub('.', '\.')
+          if iframe =~ /src=["'](https?:)?\/\/(www\.)?#{re_dom}\//
+            result = iframe
+          end
+        end
+      end
+      result
+    end
+    content
+  end
+
+  module ClassMethods
+    def filter_iframes(*opts)
+      options = opts.last.is_a?(Hash) && opts.pop || {}
+      white_list_method = options[:whitelist] || :iframe_whitelist
+      opts.each do |field|
+        before_validation do |obj|
+          obj.check_iframe_on_content(obj.send(field), obj.send(white_list_method))
+        end
+      end
+    end
+  end
+
+  def self.included(c)
+    c.send(:extend, WhiteListFilter::ClassMethods)
+  end
+end
@@ -12,6 +12,7 @@ class CreateCommunity &lt; Task
   attr_accessible :environment, :requestor, :target
   attr_accessible :reject_explanation, :template_id
  
+  extend ActsAsHavingImage::ClassMethods
   acts_as_having_image
  
   DATA_FIELDS = Community.fields + ['name', 'closed', 'description']
@@ -174,8 +174,4 @@ class Enterprise &lt; Organization
     ''
   end
  
-  def followed_by? person
-    super or self.fans.where(id: person.id).count > 0
-  end
-
 end
@@ -203,6 +203,7 @@ class Environment &lt; ApplicationRecord
   # Relationships and applied behaviour
   # #################################################
  
+  extend ActsAsHavingBoxes::ClassMethods
   acts_as_having_boxes
  
   after_create do |env|
@@ -254,7 +255,8 @@ class Environment &lt; ApplicationRecord
   # #################################################
  
   # store the Environment settings as YAML-serialized Hash.
-  acts_as_having_settings :field => :settings
+  extend ActsAsHavingSettings::ClassMethods
+  acts_as_having_settings field: :settings
  
   # introduce and explain to users something about the signup
   settings_items :signup_intro, :type => String
-require 'noosfero/translatable_content'
 require 'builder'
  
 class Event < Article
@@ -138,7 +137,7 @@ class Event &lt; Article
     false
   end
  
-  include Noosfero::TranslatableContent
+  include TranslatableContent
   include MaybeAddHttp
  
 end
@@ -7,6 +7,10 @@ class FavoriteEnterprisePerson &lt; ApplicationRecord
   belongs_to :enterprise
   belongs_to :person
  
+  after_create do |favorite|
+    favorite.person.follow(favorite.enterprise, Circle.find_or_create_by(:person => favorite.person, :name =>_('favorites'), :profile_type => 'Enterprise'))
+  end
+
   protected
  
   def is_trackable?
@@ -10,7 +10,8 @@ class Folder &lt; Article
     errors.add(:parent, "A folder should not belong to a blog.") if parent && parent.blog?
   end
  
-  acts_as_having_settings :field => :setting
+  extend ActsAsHavingSettings::ClassMethods
+  acts_as_having_settings field: :setting
  
   xss_terminate :only => [ :name, :body ], :with => 'white_list', :on => 'validation'
  
 class Forum < Folder
  
+  extend ActsAsHavingPosts::ClassMethods
   acts_as_having_posts -> { reorder 'updated_at DESC' }
+
   include PostsLimit
  
   attr_accessible :has_terms_of_use, :terms_of_use, :topic_creation
@@ -9,11 +9,22 @@ class Friendship &lt; ApplicationRecord
   after_create do |friendship|
     Friendship.update_cache_counter(:friends_count, friendship.person, 1)
     Friendship.update_cache_counter(:friends_count, friendship.friend, 1)
+
+    circles = friendship.group.blank? ? ['friendships'] : friendship.group.split(',').map(&:strip)
+    circles.each do |circle|
+      friendship.person.follow(friendship.friend, Circle.find_or_create_by(:person => friendship.person, :name => circle, :profile_type => 'Person'))
+    end
   end
  
   after_destroy do |friendship|
     Friendship.update_cache_counter(:friends_count, friendship.person, -1)
     Friendship.update_cache_counter(:friends_count, friendship.friend, -1)
+
+    groups = friendship.group.blank? ? ['friendships'] : friendship.group.split(',').map(&:strip)
+    groups.each do |group|
+      circle = Circle.find_by(:person => friendship.person, :name => group )
+      friendship.person.remove_profile_from_circle(friendship.friend, circle) if circle
+    end
   end
  
   def self.remove_friendship(person1, person2)
@@ -23,6 +23,7 @@ class Image &lt; ApplicationRecord
  
   validates_attachment :size => N_("{fn} of uploaded file was larger than the maximum size of 5.0 MB").fix_i18n
  
+  extend DelayedAttachmentFu::ClassMethods
   delay_attachment_fu_thumbnails
  
   postgresql_attachment_fu
@@ -2,6 +2,10 @@
 class Organization < Profile
  
   attr_accessible :moderated_articles, :foundation_year, :contact_person, :acronym, :legal_form, :economic_activity, :management_information, :cnpj, :display_name, :enable_contact_us
+  attr_accessible :requires_email
+
+  settings_items :requires_email, type: :boolean
+  alias_method :requires_email?, :requires_email
  
   SEARCH_FILTERS = {
     :order => %w[more_recent more_popular more_active],
@@ -10,7 +10,6 @@ class Person &lt; Profile
     :display => %w[compact]
   }
  
-
   def self.type_name
     _('Person')
   end
@@ -94,6 +93,7 @@ class Person &lt; Profile
   has_many :following_articles, :class_name => 'Article', :through => :article_followers, :source => :article
   has_many :friendships, :dependent => :destroy
   has_many :friends, :class_name => 'Person', :through => :friendships
+  has_many :circles
  
   scope :online, -> {
     joins(:user).where("users.chat_status != '' AND users.chat_status_at >= ?", DateTime.now - User.expires_chat_status_every.minutes)
@@ -181,6 +181,33 @@ class Person &lt; Profile
     end
   end
  
+  def follow(profile, circles)
+    circles = [circles] unless circles.is_a?(Array)
+    circles.each do |new_circle|
+      ProfileFollower.create(profile: profile, circle: new_circle)
+    end
+  end
+
+  def update_profile_circles(profile, new_circles)
+    profile_circles = ProfileFollower.with_profile(profile).with_follower(self).map(&:circle)
+    circles_to_add = new_circles - profile_circles
+    circles_to_remove = profile_circles - new_circles
+    circles_to_add.each do |new_circle|
+      ProfileFollower.create(profile: profile, circle: new_circle)
+    end
+
+    ProfileFollower.where('circle_id IN (?) AND profile_id = ?',
+                          circles_to_remove.map(&:id), profile.id).destroy_all
+  end
+
+  def unfollow(profile)
+    ProfileFollower.with_follower(self).with_profile(profile).destroy_all
+  end
+
+  def remove_profile_from_circle(profile, circle)
+    ProfileFollower.with_profile(profile).with_circle(circle).destroy_all
+  end
+
   def already_request_friendship?(person)
     person.tasks.where(requestor_id: self.id, type: 'AddFriend', status: Task::Status::ACTIVE).first
   end
@@ -574,9 +601,12 @@ class Person &lt; Profile
     }
   end
  
-  protected
+  def followed_profiles
+    Profile.followed_by self
+  end
  
-  def followed_by?(profile)
-    self == profile || self.is_a_friend?(profile)
+  def in_social_circle?(person)
+    self.is_a_friend?(person) || super
   end
+
 end
@@ -6,7 +6,7 @@ class Profile &lt; ApplicationRecord
   include ProfileEntity
  
   attr_accessible :public_profile, :nickname, :custom_footer, :custom_header, :address, :zip_code, :contact_phone, :image_builder, :description, :closed, :template_id, :lat, :lng, :is_template, :fields_privacy, :preferred_domain_id, :category_ids, :country, :city, :state, :national_region_code, :email, :contact_email, :redirect_l10n, :notification_time,
-    :custom_url_redirection, :email_suggestions, :allow_members_to_invite, :invite_friends_only, :secret, :profile_admin_mail_notification, :redirection_after_login
+    :custom_url_redirection, :email_suggestions, :allow_members_to_invite, :invite_friends_only, :secret, :profile_admin_mail_notification, :redirection_after_login, :allow_followers
  
   # use for internationalizable human type names in search facets
   # reimplement on subclasses
@@ -89,6 +89,8 @@ class Profile &lt; ApplicationRecord
   }
  
   acts_as_accessible
+
+  include Customizable
   acts_as_customizable
  
   include Noosfero::Plugin::HotSpot
@@ -184,6 +186,21 @@ class Profile &lt; ApplicationRecord
     Person.members_of(self).by_role(roles)
   end
  
+  extend ActsAsHavingSettings::ClassMethods
+  acts_as_having_settings field: :data
+
+  def settings
+    data
+  end
+
+  settings_items :redirect_l10n, :type => :boolean, :default => false
+  settings_items :public_content, :type => :boolean, :default => true
+  settings_items :description
+  settings_items :fields_privacy, :type => :hash, :default => {}
+  settings_items :email_suggestions, :type => :boolean, :default => false
+  settings_items :profile_admin_mail_notification, :type => :boolean, :default => true
+
+  extend ActsAsHavingBoxes::ClassMethods
   acts_as_having_boxes
  
   acts_as_taggable
@@ -202,6 +219,23 @@ class Profile &lt; ApplicationRecord
   scope :more_active, -> { order 'activities_count DESC' }
   scope :more_recent, -> { order "created_at DESC" }
  
+  scope :followed_by, -> person{
+    distinct.select('profiles.*').
+    joins('left join profiles_circles ON profiles_circles.profile_id = profiles.id').
+    joins('left join circles ON circles.id = profiles_circles.circle_id').
+    where('circles.person_id = ?', person.id)
+  }
+
+  scope :in_circle, -> circle{
+    distinct.select('profiles.*').
+    joins('left join profiles_circles ON profiles_circles.profile_id = profiles.id').
+    joins('left join circles ON circles.id = profiles_circles.circle_id').
+    where('circles.id = ?', circle.id)
+  }
+
+  settings_items :allow_followers, :type => :boolean, :default => true
+  alias_method :allow_followers?, :allow_followers
+
   acts_as_trackable :dependent => :destroy
  
   has_many :profile_activities
@@ -214,6 +248,9 @@ class Profile &lt; ApplicationRecord
  
   has_many :email_templates, :foreign_key => :owner_id
  
+  has_many :profile_followers
+  has_many :followers, -> { uniq }, :class_name => 'Person', :through => :profile_followers, :source => :person
+
   # Although this should be a has_one relation, there are no non-silly names for
   # a foreign key on article to reference the template to which it is
   # welcome_page... =P
@@ -228,19 +265,6 @@ class Profile &lt; ApplicationRecord
     scrap.nil? ? Scrap.all_scraps(self) : Scrap.all_scraps(self).find(scrap)
   end
  
-  acts_as_having_settings :field => :data
-
-  def settings
-    data
-  end
-
-  settings_items :redirect_l10n, :type => :boolean, :default => false
-  settings_items :public_content, :type => :boolean, :default => true
-  settings_items :description
-  settings_items :fields_privacy, :type => :hash, :default => {}
-  settings_items :email_suggestions, :type => :boolean, :default => false
-  settings_items :profile_admin_mail_notification, :type => :boolean, :default => true
-
   validates_length_of :description, :maximum => 550, :allow_nil => true
  
   # Valid identifiers must match this format.
@@ -281,6 +305,7 @@ class Profile &lt; ApplicationRecord
  
   has_many :files, :class_name => 'UploadedFile'
  
+  extend ActsAsHavingImage::ClassMethods
   acts_as_having_image
  
   has_many :tasks, :dependent => :destroy, :as => 'target'
@@ -695,12 +720,13 @@ private :generate_url, :url_options
  
   # Adds a person as member of this Profile.
   def add_member(person, attributes={})
-    if self.has_members?
+    if self.has_members? && !self.secret
       if self.closed? && members.count > 0
         AddMember.create!(:person => person, :organization => self) unless self.already_request_membership?(person)
       else
         self.affiliate(person, Profile::Roles.admin(environment.id), attributes) if members.count == 0
         self.affiliate(person, Profile::Roles.member(environment.id), attributes)
+        person.follow(self, Circle.find_or_create_by(:person => person, :name =>_('memberships'), :profile_type => 'Community'))
       end
       person.tasks.pending.of("InviteMember").select { |t| t.data[:community_id] == self.id }.each { |invite| invite.cancel }
       remove_from_suggestion_list person
@@ -983,7 +1009,11 @@ private :generate_url, :url_options
   end
  
   def followed_by?(person)
-    person.is_member_of?(self)
+    (person == self) || (person.in? self.followers)
+  end
+
+  def in_social_circle?(person)
+    (person == self) || (person.is_member_of?(self))
   end
  
   def display_private_info_to?(user)
@@ -1009,4 +1039,23 @@ private :generate_url, :url_options
     suggestion.disable if suggestion
   end
  
+  def allow_invitation_from(person)
+    false
+  end
+
+  def allow_post_content?(person = nil)
+    person.kind_of?(Profile) && person.has_permission?('post_content', self)
+  end
+
+  def allow_edit?(person = nil)
+    person.kind_of?(Profile) && person.has_permission?('edit_profile', self)
+  end
+
+  def allow_destroy?(person = nil)
+    person.kind_of?(Profile) && person.has_permission?('destroy_profile', self)
+  end
+
+  def in_circle?(circle, follower)
+    ProfileFollower.with_follower(follower).with_circle(circle).with_profile(self).present?
+  end
 end
@@ -0,0 +1,28 @@
+class ProfileFollower < ApplicationRecord
+  self.table_name = :profiles_circles
+  track_actions :new_follower, :after_create, :keep_params => ["follower.name", "follower.url", "follower.profile_custom_icon"], :custom_user => :profile
+
+  attr_accessible :profile, :circle
+
+  belongs_to :profile
+  belongs_to :circle
+
+  has_one :person, through: :circle
+  alias follower person
+
+  validates_presence_of :profile_id, :circle_id
+  validates :profile_id, :uniqueness => {:scope => :circle_id, :message => "can't put a profile in the same circle twice"}
+
+  scope :with_follower, -> person{
+    joins(:circle).where('circles.person_id = ?', person.id)
+  }
+
+  scope :with_profile, -> profile{
+    where(:profile => profile)
+  }
+
+  scope :with_circle, -> circle{
+    where(:circle => circle)
+  }
+
+end
@@ -17,7 +17,8 @@ class ProfileSuggestion &lt; ApplicationRecord
     self.class.generate_profile_suggestions(profile_suggestion.person)
   end
  
-  acts_as_having_settings :field => :categories
+  extend ActsAsHavingSettings::ClassMethods
+  acts_as_having_settings field: :categories
  
   validate :must_be_a_valid_category, :on => :create
   def must_be_a_valid_category
@@ -11,7 +11,8 @@
 # will need to declare <ttserialize</tt> itself).
 class Task < ApplicationRecord
  
-  acts_as_having_settings :field => :data
+  extend ActsAsHavingSettings::ClassMethods
+  acts_as_having_settings field: :data
  
   module Status
     # the status of tasks just created
@@ -313,7 +314,7 @@ class Task &lt; ApplicationRecord
         where "LOWER(#{field}) LIKE ?", "%#{value.downcase}%"
       end
   }
-  scope :pending_all, -> profile, filter_type, filter_text {
+  scope :pending_all_by_filter, -> profile, filter_type, filter_text {
     self.to(profile).without_spam.pending.of(filter_type).like('data', filter_text)
   }
  
@@ -322,10 +323,17 @@ class Task &lt; ApplicationRecord
     if profile.person?
       envs_ids = Environment.all.select{ |env| profile.is_admin?(env) }.map{ |env| "target_id = #{env.id}"}.join(' OR ')
       environment_condition = envs_ids.blank? ? nil : "(target_type = 'Environment' AND (#{envs_ids}))"
+
+      organizations = profile.memberships.all.select do |organization| 
+        profile.has_permission?(:perform_task, organization) 
+      end
+      organization_ids = organizations.map{ |organization| "target_id = #{organization.id}"}.join(' OR ')
+
+      organization_conditions = organization_ids.blank? ? nil : "(target_type = 'Profile' AND (#{organization_ids}))"
     end
     profile_condition = "(target_type = 'Profile' AND target_id = #{profile.id})"
  
-    where [environment_condition, profile_condition].compact.join(' OR ')
+    where [environment_condition, organization_conditions, profile_condition].compact.join(' OR ')
   }
  
   scope :from_closed_date, -> closed_from {
-require 'noosfero/translatable_content'
-
 # a base class for all text article types.
 class TextArticle < Article
  
@@ -9,7 +7,7 @@ class TextArticle &lt; Article
     _('Article')
   end
  
-  include Noosfero::TranslatableContent
+  include TranslatableContent
  
   def self.icon_name(article = nil)
     if article && !article.parent.nil? && article.parent.kind_of?(Blog)
-require 'white_list_filter'
-
 class TinyMceArticle < TextArticle
  
   def self.short_description
@@ -84,6 +84,7 @@ class UploadedFile &lt; Article
  
   validates_attachment :size => N_("{fn} of uploaded file was larger than the maximum size of %{size}").sub('%{size}', self.max_size.to_humanreadable).fix_i18n
  
+  extend DelayedAttachmentFu::ClassMethods
   delay_attachment_fu_thumbnails
  
   postgresql_attachment_fu
@@ -3,7 +3,7 @@
     var answer = parseInt(form.answer.value);
     var val = form.answer.value;
     if (!answer || (val.length != 4) || val > <%= Time.now.year %> || val < 1900) {
-      alert(<%= (_('The year must be between %d and %d') % [1900, Time.now.year]).inspect %>);
+      alert(<%= (_('The year must be between %d and %d').html_safe % [1900, Time.now.year]).inspect %>);
       return false;
     } else {
       return true;
@@ -28,9 +28,9 @@
  
   <p>  <strong><%= _('Pay atention! You have only one chance!') %></strong> </p>
  
-  <p><%= _("This is a question to know if you really are part of this enterprise. Pay atention because you have only one chance to answer right and activate your enterprise. If you answer wrong you will not be able to activate the enterprise automaticaly and must get in touch with the admins of %s by email or phone.") % environment.name %> </p>
+  <p><%= _("This is a question to know if you really are part of this enterprise. Pay atention because you have only one chance to answer right and activate your enterprise. If you answer wrong you will not be able to activate the enterprise automaticaly and must get in touch with the admins of %s by email or phone.").html_safe % environment.name %> </p>
  
-  <%= ApplicationHelper::NoosferoFormBuilder::output_field(@question == :foundation_year ? (_("What year your enterprise was founded? It must have 4 digits, eg 1990. %s") % environment.tip_message_enterprise_activation_question) : _('What is the CNPJ of your enterprise?'), text_field_tag(:answer, nil, :id => 'enterprise-activation-answer')) %>
+  <%= ApplicationHelper::NoosferoFormBuilder::output_field(@question == :foundation_year ? (_("What year your enterprise was founded? It must have 4 digits, eg 1990. %s").html_safe % environment.tip_message_enterprise_activation_question) : _('What is the CNPJ of your enterprise?'), text_field_tag(:answer, nil, :id => 'enterprise-activation-answer')) %>
  
     <%= hidden_field_tag :enterprise_code, params[:enterprise_code] %>
  
 <div class='description'>
   <%= _('This text will be sent to new users if the feature "Send welcome e-mail to new users" is enabled on environment.') %><br/><br/>
-  <%= _('Including %s on body, it will be replaced by the real name of the e-mail recipient.') % content_tag('code', '{user_name}') %>
+  <%= _('Including %s on body, it will be replaced by the real name of the e-mail recipient.').html_safe % content_tag('code', '{user_name}') %>
 </div>
  
 <%= labelled_form_field(_('Subject'), text_field(:environment, :signup_welcome_text_subject, :style => 'width:100%')) %>
@@ -0,0 +1,11 @@
+<div class="circles" id='circles-list'>
+
+  <%= form_for :circles, :url => {:controller => 'profile', :action => 'follow'}, :html => {:id => "follow-circles-form"}  do |f|%>
+    <%= render partial: "blocks/profile_info_actions/select_circles", :locals => {:circles => circles, :followed_profile => profile, :follower => current_person } %>
+
+    <div id="circle-actions">
+      <%= submit_button :ok, _("Follow") %>
+      <input type="button" value="<%= _("Cancel") %>" id="cancel-set-circle" class="button with-text icon-cancel"/>
+    </div>
+  <% end %>
+</div>
 <li><%= report_abuse(profile, :button) %></li>
+<% if logged_in? && (user != profile) && profile.allow_followers? %>
+  <li>
+    <% follow = user.follows?(profile) %>
+    <%= button(:unfollow, content_tag('span', _('Unfollow')), {:profile => profile.identifier, :controller => 'profile', :action => 'unfollow'}, :method => :post, :id => 'action-unfollow', :title => _("Unfollow"), :style => follow ? "" : "display: none;") %>
+    <%= button(:ok, content_tag('span', _('Follow')), {:profile => profile.identifier, :controller => 'profile', :action => 'find_profile_circles'}, :id => 'action-follow', :title => _("Follow"), :style => follow ? "display: none;" : "") %>
+    <div id="circles-container" style="display: none;">
+    </div>
+  </li>
+<% end %>
 <%= render_environment_features(:profile_actions) %>
@@ -0,0 +1,22 @@
+<div class="circles" id='circles-list'>
+  <p><%= _("Select the circles for %s") % followed_profile.name %></p>
+  <div id="circles-checkboxes">
+    <% circles.each do |circle| %>
+      <div class="circle">
+        <%= labelled_check_box circle.name, "circles[#{circle.name}]", circle.id, followed_profile.in_circle?(circle, follower) %>
+      </div>
+    <% end %>
+  </div>
+
+  <%= button(:add, _('New Circle'), '#', :id => "new-circle") %>
+
+  <div id="new-circle-form" style="display: none;">
+    <%= labelled_text_field _('Circle name') , 'circle[name]', "",:id => 'text-field-name-new-circle'%>
+    <%= hidden_field_tag('circle[profile_type]', followed_profile.class.name) %>
+
+    <%= button_bar do %>
+      <%= button(:save, _('Create'), {:profile => follower.identifier, :controller => 'circles', :action => 'xhr_create'}, :id => "new-circle-submit") %>
+      <%= button(:cancel, _('Cancel'), '#', :id => "new-circle-cancel") %>
+    <% end %>
+  </div>
+</div>
@@ -15,7 +15,7 @@
   <div id="block-info-description">
     <h2><%= _('Description') %></h2>
     <p><%= @block.class.description %></p>
-    <p><%= @block.help if @block.class.method_defined?(:help) %></p>
+    <p><%= @block.help.html_safe if @block.class.method_defined?(:help) %></p>
   </div>
  
 </div>
@@ -0,0 +1,3 @@
+<div class="circle">
+  <%= labelled_check_box circle.name, "circles[#{circle.name}]", circle.id %>
+</div>
@@ -0,0 +1,14 @@
+<%= error_messages_for :circle %>
+
+<%= labelled_form_for :circle, :url => (mode == :edit) ? {:action => 'update', :id => circle} : {:action => 'create'} do |f| %>
+
+  <%= required_fields_message %>
+
+  <%= required f.text_field(:name) %>
+
+  <%= required labelled_form_field _("Profile type"), f.select(:profile_type, Circle.profile_types.to_a) %>
+
+  <%= button_bar do %>
+    <%= submit_button('save', (mode == :edit) ? _('Save changes') : _('Create circle'), :cancel => {:action => 'index'} ) %>
+  <% end %>
+<% end %>
@@ -0,0 +1,3 @@
+<h1><%= _("Edit circle") %></h1>
+
+<%= render :partial => 'form', :locals => { :mode => :edit, :circle => @circle, :profile_types => @profile_types } %>
@@ -0,0 +1,30 @@
+<h1><%= _('Manage circles') %></h1>
+
+<table>
+  <tr>
+    <th><%= _('Circle name') %></th>
+    <th><%= _('Profile type') %></th>
+    <th><%= _('Actions') %></th>
+  </tr>
+  <% @circles.each do |circle| %>
+    <tr>
+      <td>
+        <%= circle.name %>
+      </td>
+      <td>
+        <%= _(circle.profile_type) %>
+      </td>
+      <td>
+        <div style="text-align: center;">
+          <%= button_without_text :edit, _('Edit'), :action => 'edit', :id => circle %>
+          <%= button_without_text :delete, _('Delete'), { :action => 'destroy', :id => circle }, { "data-method" => "POST" } %>
+        </div>
+      </td>
+    </tr>
+  <% end %>
+</table>
+
+<%= button_bar do %>
+  <%= button :add, _('Create a new circle'), :action => 'new' %>
+  <%= button :back, _('Back to control panel'), :controller => 'profile_editor' %>
+<% end %>
@@ -0,0 +1,3 @@
+<h1><%= _("New circle") %></h1>
+
+<%= render :partial => 'form', :locals => { :mode => :new, :circle => @circle, :profile_types => @profile_types } %>
@@ -58,7 +58,7 @@
 <div id="blog-image-builder">
   <%= f.fields_for :image_builder, @article.image do |i| %>
     <%= file_field_or_thumbnail(_('Cover image:'), @article.image, i)%>
-    <%= _("Max size: %s (.jpg, .gif, .png)")% Image.max_size.to_humanreadable %>
+    <%= _("Max size: %s (.jpg, .gif, .png)").html_safe % Image.max_size.to_humanreadable %>
   <% end %>
 </div>
  
-<h2><%= _('Processed validation request for %s ') % @processed.name %> (<%= status(@processed) %>)</h2>
+<h2><%= _('Processed validation request for %s ').html_safe % @processed.name %> (<%= status(@processed) %>)</h2>
  
 <%= link_to _('Back'), :action => 'index' %>
  
-<h1><%= _('Adding %s as a favorite enterprise') % @favorite_enterprise.name %></h1>
+<h1><%= _('Adding %s as a favorite enterprise').html_safe % @favorite_enterprise.name %></h1>
  
 <p>
-<%= _('Are you sure you want to add %s as your favorite enterprise?') % @favorite_enterprise.name %>
+<%= _('Are you sure you want to add %s as your favorite enterprise?').html_safe % @favorite_enterprise.name %>
 </p>
  
 <%= form_tag do %>
   <%= hidden_field_tag(:confirmation, 1) %>
  
-  <%= submit_button(:ok, _("Yes, I am sure"), :title => _("I want to add %s as a favorite enterprise") % @favorite_enterprise.name) %>
+  <%= submit_button(:ok, _("Yes, I am sure"), :title => _("I want to add %s as a favorite enterprise").html_safe % @favorite_enterprise.name) %>
   <%= button(:cancel, _("No, I don't want"), :action => 'index') %>
 <% end %>
@@ -4,15 +4,15 @@
   current_index = images.index(image.encapsulated_file)
   total_of_images = images.count
   link_to_previous = if current_index >= 1
-   link_to(_('&laquo; Previous'), images[current_index - 1].view_url, :class => 'previous')
+   link_to(_('&laquo; Previous').html_safe, images[current_index - 1].view_url, :class => 'previous')
   else
-    content_tag('span', _('&laquo; Previous'), :class => 'previous')
+    content_tag('span', _('&laquo; Previous').html_safe, :class => 'previous')
   end
  
   link_to_next = if current_index < total_of_images - 1
-    link_to(_('Next &raquo;'), images[current_index + 1].view_url, :class => 'next')
+    link_to(_('Next &raquo;').html_safe, images[current_index + 1].view_url, :class => 'next')
   else
-    content_tag('span', _('Next &raquo;'), :class => 'next')
+    content_tag('span', _('Next &raquo;').html_safe, :class => 'next')
   end
 %>
  
@@ -0,0 +1,14 @@
+<div class="circles" id='circles-list'>
+  <%= form_for :circles, :url => {:controller => 'followers', :action => 'update_category'}, :html => {:id => "follow-circles-form"}  do |f|%>
+    <%= render partial: "blocks/profile_info_actions/select_circles", :locals => {:circles => circles, :followed_profile => followed_profile, :follower => profile }  %>
+
+    <%= hidden_field_tag('followed_profile_id', followed_profile.id) %>
+
+    <div id="circle-actions">
+      <div id="actions-container">
+        <%= submit_button('save', _('Save')) %>
+        <%= modal_close_button  _("Cancel") %>
+      </div>
+    </div>
+  <% end %>
+</div>
@@ -0,0 +1,17 @@
+<ul class="profile-list">
+  <% profiles.each do |followed_profile| %>
+    <li>
+    <%= link_to_profile profile_image(followed_profile) + tag('br') + followed_profile.short_name,
+                        followed_profile.identifier, :class => 'profile-link' %>
+    <div class="controll">
+      <%= button_without_text :remove, content_tag('span',_('unfollow')),
+        { :controller => "profile", :profile => followed_profile.identifier, :follower_id => profile.id,
+          :action => 'unfollow', :redirect_to => url_for({:controller => "followers", :profile => profile.identifier}) },
+          :method => :post, :title => _('remove') %>
+      <%= modal_icon_button :edit, _('change category'),
+             url_for(:controller => 'followers', :action => 'set_category_modal',
+                     :followed_profile_id => followed_profile.id) %>
+    </div><!-- end class="controll" -->
+    </li>
+  <% end %>
+</ul>
@@ -0,0 +1,27 @@
+<div id="manage_followed people">
+
+<h1><%= _("%s is following") % profile.name %></h1>
+
+<% cache_timeout(profile.manage_friends_cache_key(params), 4.hours) do %>
+  <% if @followed_people.empty? %>
+    <p>
+      <em>
+        <%= _("You don't follow anybody yet.") %>
+      </em>
+    </p>
+  <% end %>
+
+  <%= button_bar do %>
+    <%= button(:back, _('Back to control panel'), :controller => 'profile_editor') %>
+    <%= button(:search, _('Find people'), :controller => 'search', :action => 'assets', :asset => 'people') %>
+  <% end %>
+
+  <%= labelled_select(_('Profile type')+': ', :filter_profile_type, :last, :first, @active_filter, @profile_types, :id => "profile-type-filter") %>
+
+  <%= render :partial => 'profile_list', :locals => { :profiles => @followed_people } %>
+
+  <br style="clear:both" />
+  <%= pagination_links @followed_people, :param_name => 'npage' %>
+<% end %>
+
+</div>
 <div id="remove_friend">
  
-<h1><%= _('Removing friend: %s') % @friend.name %></h1>
+<h1><%= _('Removing friend: %s').html_safe % @friend.name %></h1>
  
 <%= profile_image @friend, :thumb, :class => 'friend_picture' %>
  
 <p>
-<%= _('Are you sure you want to remove %s from your friends list?') % @friend.name %>
+<%= _('Are you sure you want to remove %s from your friends list?').html_safe % @friend.name %>
 </p>
  
 <p>
 <em>
-<%= _('Note that %s will still have you as a friend, unless he/she also wants to remove you from his/her friend list.') % @friend.name %>
+<%= _('Note that %s will still have you as a friend, unless he/she also wants to remove you from his/her friend list.').html_safe % @friend.name %>
 </em>
 </p>
  
 <% default_message = defined?(default_message) ? default_message : false %>
  
 <div id='thanks-for-signing'>
-  <h1><%= _("Welcome to %s!") % environment.name %></h1>
+  <h1><%= _("Welcome to %s!").html_safe % environment.name %></h1>
   <% if environment.has_custom_welcome_screen? && !default_message %>
     <%= environment.settings[:signup_welcome_screen_body].html_safe %>
   <% else %>
@@ -10,21 +10,21 @@
         <p><%= _("Firstly, some tips for getting started:") %></p>
         <h4><%= _("Confirm your account!") %></h4>
         <p><%= _("You should receive a welcome email from us shortly. Please take a second to follow the link within to confirm your account.") %></p>
-        <p><%= _("You won't appear as %s until your account is confirmed.") % link_to(_('user'), {:controller => :search, :action => :people, :filter => 'more_recent'}, :target => '_blank') %></p>
+        <p><%= _("You won't appear as %s until your account is confirmed.").html_safe % link_to(_('user'), {:controller => :search, :action => :people, :filter => 'more_recent'}, :target => '_blank') %></p>
       <% else %>
         <h4><%= _("Wait for admin approvement!") %></h4>
         <p><%= _("The administrators will evaluate your signup request for approvement.") %></p>
-        <p><%= _("You won't appear as %s until your account is approved.") % link_to(_('user'), {:controller => :search, :action => :people, :filter => 'more_recent'}, :target => '_blank') %></p>
+        <p><%= _("You won't appear as %s until your account is approved.").html_safe % link_to(_('user'), {:controller => :search, :action => :people, :filter => 'more_recent'}, :target => '_blank') %></p>
       <% end %>
       <h4><%= _("What to do next?") %></h4>
-      <p><%= _("Access your %s and see your face on the network!") %
+      <p><%= _("Access your %s and see your face on the network!").html_safe %
         (user.present? ? link_to(_('Profile'), {:controller => 'profile', :profile => user.identifier}, :target => '_blank') : 'Profile') %>
-      <%= _("You can also explore your %s to customize your profile. Here are some %s on what you can do there.") %
+      <%= _("You can also explore your %s to customize your profile. Here are some %s on what you can do there.").html_safe %
         [user.present? ? link_to(_('Control Panel'), {:controller => 'profile_editor', :profile => user.identifier}, :target => '_blank') : 'Control Panel',
           link_to(_('tips'), {:controller => 'doc', :action => 'topic', :section => 'user', :topic => 'editing-person-info'}, :target => '_blank')] %></p>
-      <p><%= _("%s your Gmail, Yahoo and Hotmail contacts!") % link_to(_('Invite and find'), {:controller => 'doc', :action => 'topic', :section => 'user', :topic => 'invite-contacts'}, :target => '_blank') %></p>
-      <p><%= _("Learn the guidelines. Read the %s for more details on how to use this social network!") % link_to(_('Documentation'), {:controller => 'doc'}, :target => '_blank') %></p>
+      <p><%= _("%s your Gmail, Yahoo and Hotmail contacts!").html_safe % link_to(_('Invite and find'), {:controller => 'doc', :action => 'topic', :section => 'user', :topic => 'invite-contacts'}, :target => '_blank') %></p>
+      <p><%= _("Learn the guidelines. Read the %s for more details on how to use this social network!").html_safe % link_to(_('Documentation'), {:controller => 'doc'}, :target => '_blank') %></p>
       <p><%= _("Start exploring and have fun!") %></p>
   <% end %>
-  <%= render :partial => 'shared/template_welcome_page', :locals => {:template => @person_template, :header => _("What can I do as a %s?")} %>
+  <%= render :partial => 'shared/template_welcome_page', :locals => {:template => @person_template, :header => _("What can I do as a %s?").html_safe} %>
 </div>
@@ -5,7 +5,7 @@
   <td>
     <p>
     <span style="font-size: 14px;"><%= link_to activity.user.short_name(20), activity.user.url %></span>
-    <span style="font-size: 14px;"><%= _("has published on community %s") % link_to(activity.target.profile.short_name(20), activity.target.profile.url, :style => "color: #333; font-weight: bold; text-decoration: none;") if activity.target.profile.is_a?(Community) %></span>
+    <span style="font-size: 14px;"><%= _("has published on community %s").html_safe % link_to(activity.target.profile.short_name(20), activity.target.profile.url, :style => "color: #333; font-weight: bold; text-decoration: none;") if activity.target.profile.is_a?(Community) %></span>
     <span style="font-size: 10px; color: #929292; float:right;"><%= time_ago_in_words(activity.created_at) %></span>
     </p>
     <p>
@@ -0,0 +1 @@
+<%= render :partial => 'default_activity', :locals => { :activity => activity } %>
 <% if activity.comments_count > 2 %>
   <div style="font-size: 10px;">
     <% if activity.params['url'].blank?  %>
-      <%= _("%s comments") % activity.comments_count %>
+      <%= _("%s comments").html_safe % activity.comments_count %>
     <% else %>
-      <%= link_to(_("View all %s comments") % activity.comments_count, activity.params['url']) %>
+      <%= link_to(_("View all %s comments").html_safe % activity.comments_count, activity.params['url']) %>
     <% end %>
   </div>
 <% else %>
@@ -5,7 +5,7 @@
       <%= link_to @url, :style => "text-decoration: none;" do %>
         <span style="font-weight:bold;font-size: 28px;margin: 0;color: white;background-color: #AAAAAA;padding: 5px;"><%= @environment.name %></span>
       <% end %>
-      <span style="font-weight:bold;color: #333;font-size:19px;margin-left: 8px;"><%= _("%s's Notifications") % @profile.name %></h3>
+      <span style="font-weight:bold;color: #333;font-size:19px;margin-left: 8px;"><%= _("%s's Notifications").html_safe % @profile.name %></h3>
     </div>
     <div style="margin: 0 20px 20px 20px;border-top:1px solid #e2e2e2;">
       <% if @tasks.present? %>
@@ -34,7 +34,7 @@
  
       <div style="color:#444444;font-size:11px;margin-bottom: 20px;">
         <p style="margin:0"><%= _("Greetings,") %></p>
-        <p style="margin:0"><%= _('%s team.') % @environment.name %></p>
+        <p style="margin:0"><%= _('%s team.').html_safe % @environment.name %></p>
         <p style="margin:0"><%= link_to @url, url_for(@url) %></p>
       </div>
     </div>
@@ -0,0 +1,18 @@
+<% cache_timeout(profile.friends_cache_key(params), 4.hours) do %>
+  <ul class='profile-list'>
+    <% follow.each do |follower| %>
+      <%= profile_image_link(follower) %>
+    <% end%>
+  </ul>
+
+  <div id='pagination-profiles'>
+    <%= pagination_links follow, :param_name => 'npage' %>
+  </div>
+<% end %>
+
+<%= button_bar do %>
+  <%= button :back, _('Go back'), { :controller => 'profile' } %>
+  <% if user == profile %>
+    <%= button :edit, _('Manage followed people'), :controller => 'friends', :action => 'index', :profile => profile.identifier %>
+  <% end %>
+<% end %>
@@ -0,0 +1 @@
+<%= render :partial => 'default_activity', :locals => { :activity => activity, :tab_action => tab_action } %>
@@ -13,5 +13,5 @@
     <%= button(:add, content_tag('span', _('Add friend')), profile.add_url, :class => 'add-friend', :title => _("Add friend"), :style => 'position: relative;') %>
   <% end %>
   <%= button :back, _('Go back'), :back %>
-  <%= button :home, _("Go to %s home page") % environment.name, :controller => 'home' %>
+  <%= button :home, _("Go to %s home page").html_safe % environment.name, :controller => 'home' %>
 <% end %>
@@ -5,7 +5,7 @@
 <% if activity.comments_count > 0 %>
 <div id="profile-wall-activities-comments-more-<%= activity.id %>" class="profile-wall-activities-comments" >
   <div class='view-all-comments icon-chat'>
-     <%= link_to(n_('View comment', "View all %s comments", activity.comments_count) % activity.comments_count, :profile => profile.identifier, :controller => 'profile', :action => 'more_comments', :activity => activity, :comment_page => (1)) %>
+     <%= link_to(n_('View comment', "View all %s comments".html_safe, activity.comments_count) % activity.comments_count, :profile => profile.identifier, :controller => 'profile', :action => 'more_comments', :activity => activity, :comment_page => (1)) %>
   </div>
 </div>
 <% end %>
@@ -23,7 +23,7 @@
   <% if scrap.replies.count > 0 %>
     <div id="profile-wall-activities-comments-more-<%= activity.id %>" class="profile-wall-activities-comments">
       <div class='view-all-comments icon-chat'>
-        <%= link_to(n_('View comment', "View all %s comments", scrap.replies.count) % scrap.replies.count, :profile => profile.identifier, :controller => 'profile', :action => 'more_replies', :activity => activity, :comment_page => (1)) %>
+        <%= link_to(n_('View comment', "View all %s comments".html_safe, scrap.replies.count) % scrap.replies.count, :profile => profile.identifier, :controller => 'profile', :action => 'more_replies', :activity => activity, :comment_page => (1)) %>
       </div>
     </div>
   <% end %>
@@ -0,0 +1,7 @@
+<div class="common-profile-list-block">
+
+<h1><%= _("%s is followed by") % profile.name %></h1>
+
+<%= render :partial => 'follow', :locals => {:follow => @followed_by} %>
+
+</div>
...	...	@@ -111,6 +111,10 @@ module Api
111	111	hash[value.custom_field.name]=value.value
112	112	end
113	113
	114	+ profile.public_fields.each do \|field\|
	115	+ hash[field] = profile.send(field.to_sym)
	116	+ end
	117	+
114	118	private_values = profile.custom_field_values - profile.public_values
115	119	private_values.each do \|value\|
116	120	if Entities.can_display_profile_field?(profile,options)
...	...	@@ -124,6 +128,7 @@ module Api
124	128	expose :type
125	129	expose :custom_header
126	130	expose :custom_footer
	131	+ expose :layout_template
127	132	expose :permissions do \|profile, options\|
128	133	Entities.permissions_for_entity(profile, options[:current_person],
129	134	:allow_post_content?, :allow_edit?, :allow_destroy?)
...	...	@@ -258,12 +263,28 @@ module Api
258	263	root 'tasks', 'task'
259	264	expose :id
260	265	expose :type
	266	+ expose :requestor, using: Profile
	267	+ expose :status
	268	+ expose :created_at
	269	+ expose :data
	270	+ expose :accept_details
	271	+ expose :reject_details
	272	+ expose :accept_disabled?, as: :accept_disabled
	273	+ expose :reject_disabled?, as: :reject_disabled
	274	+ expose :target do \|task, options\|
	275	+ type_map = {Profile => ::Profile, Environment => ::Environment}.find {\|h\| task.target.kind_of?(h.last)}
	276	+ type_map.first.represent(task.target) unless type_map.nil?
	277	+ end
261	278	end
262	279
263	280	class Environment < Entity
264	281	expose :name
265	282	expose :id
266	283	expose :description
	284	+ expose :layout_template
	285	+ expose :signup_intro
	286	+ expose :terms_of_use
	287	+ expose :top_url, as: :host
267	288	expose :settings, if: lambda { \|instance, options\| options[:is_admin] }
268	289	end
269	290
...	...
...	...	@@ -4,7 +4,7 @@ require 'tempfile'
4	4	module Api
5	5	module Helpers
6	6	PRIVATE_TOKEN_PARAM = :private_token
7		- DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived]
	7	+ ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived, :status]
8	8
9	9	include SanitizeParams
10	10	include Noosfero::Plugin::HotSpot
...	...	@@ -127,8 +127,8 @@ module Api
127	127	present_partial article, with: Entities::Article, params: params, current_person: current_person
128	128	end
129	129
130		- def present_articles_for_asset(asset, method = 'articles')
131		- articles = find_articles(asset, method)
	130	+ def present_articles_for_asset(asset, method_or_relation = 'articles')
	131	+ articles = find_articles(asset, method_or_relation)
132	132	present_articles(articles)
133	133	end
134	134
...	...	@@ -136,8 +136,8 @@ module Api
136	136	present_partial paginate(articles), :with => Entities::Article, :params => params, current_person: current_person
137	137	end
138	138
139		- def find_articles(asset, method = 'articles')
140		- articles = select_filtered_collection_of(asset, method, params)
	139	+ def find_articles(asset, method_or_relation = 'articles')
	140	+ articles = select_filtered_collection_of(asset, method_or_relation, params)
141	141	if current_person.present?
142	142	articles = articles.display_filter(current_person, nil)
143	143	else
...	...	@@ -146,14 +146,17 @@ module Api
146	146	articles
147	147	end
148	148
149		- def find_task(asset, id)
150		- task = asset.tasks.find(id)
	149	+ def find_task(asset, method_or_relation, id)
	150	+ task = is_a_relation?(method_or_relation) ? method_or_relation : asset.send(method_or_relation)
	151	+ task = task.find_by_id(id)
	152	+ not_found! if task.blank?
151	153	current_person.has_permission?(task.permission, asset) ? task : forbidden!
152	154	end
153	155
154	156	def post_task(asset, params)
155	157	klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
156	158	return forbidden! unless klass_type.constantize <= Task
	159	+ return forbidden! if !current_person.has_permission?(:perform_task, asset)
157	160
158	161	task = klass_type.constantize.new(params[:task])
159	162	task.requestor_id = current_person.id
...	...	@@ -166,15 +169,24 @@ module Api
166	169	present_partial task, :with => Entities::Task
167	170	end
168	171
169		- def present_task(asset)
170		- task = find_task(asset, params[:id])
	172	+ def find_tasks(asset, method_or_relation = 'tasks')
	173	+ return forbidden! if !current_person.has_permission?(:perform_task, asset)
	174	+ tasks = select_filtered_collection_of(asset, method_or_relation, params)
	175	+ tasks = tasks.select {\|t\| current_person.has_permission?(t.permission, asset)}
	176	+ tasks
	177	+ end
	178	+
	179	+ def present_task(asset, method_or_relation = 'tasks')
	180	+ task = find_task(asset, method_or_relation, params[:id])
171	181	present_partial task, :with => Entities::Task
172	182	end
173	183
174		- def present_tasks(asset)
175		- tasks = select_filtered_collection_of(asset, 'tasks', params)
176		- tasks = tasks.select {\|t\| current_person.has_permission?(t.permission, asset)}
177		- return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
	184	+ def present_tasks_for_asset(asset, method_or_relation = 'tasks')
	185	+ tasks = find_tasks(asset, method_or_relation)
	186	+ present_tasks(tasks)
	187	+ end
	188	+
	189	+ def present_tasks(tasks)
178	190	present_partial tasks, :with => Entities::Task
179	191	end
180	192
...	...	@@ -183,7 +195,6 @@ module Api
183	195	conditions = {}
184	196	from_date = DateTime.parse(parsed_params.delete(:from)) if parsed_params[:from]
185	197	until_date = DateTime.parse(parsed_params.delete(:until)) if parsed_params[:until]
186		-
187	198	conditions[:type] = parse_content_type(parsed_params.delete(:content_type)) unless parsed_params[:content_type].nil?
188	199
189	200	conditions[:created_at] = period(from_date, until_date) if from_date \|\| until_date
...	...	@@ -193,7 +204,7 @@ module Api
193	204	end
194	205
195	206	# changing make_order_with_parameters to avoid sql injection
196		- def make_order_with_parameters(object, method, params)
	207	+ def make_order_with_parameters(object, method_or_relation, params)
197	208	order = "created_at DESC"
198	209	unless params[:order].blank?
199	210	if params[:order].include? '\'' or params[:order].include? '"'
...	...	@@ -202,9 +213,9 @@ module Api
202	213	order = 'RANDOM()'
203	214	else
204	215	field_name, direction = params[:order].split(' ')
205		- assoc = object.class.reflect_on_association(method.to_sym)
206		- if !field_name.blank? and assoc
207		- if assoc.klass.attribute_names.include? field_name
	216	+ assoc_class = extract_associated_classname(method_or_relation)
	217	+ if !field_name.blank? and assoc_class
	218	+ if assoc_class.attribute_names.include? field_name
208	219	if direction.present? and ['ASC','DESC'].include? direction.upcase
209	220	order = "#{field_name} #{direction.upcase}"
210	221	end
...	...	@@ -215,12 +226,14 @@ module Api
215	226	return order
216	227	end
217	228
218		- def make_timestamp_with_parameters_and_method(params, method)
	229	+ def make_timestamp_with_parameters_and_method(params, method_or_relation)
219	230	timestamp = nil
220	231	if params[:timestamp]
221	232	datetime = DateTime.parse(params[:timestamp])
222		- table_name = method.to_s.singularize.camelize.constantize.table_name
223		- timestamp = "#{table_name}.updated_at >= '#{datetime}'"
	233	+ table_name = extract_associated_tablename(method_or_relation)
	234	+ assoc_class = extract_associated_classname(method_or_relation)
	235	+ date_atrr = assoc_class.attribute_names.include?('updated_at') ? 'updated_at' : 'created_at'
	236	+ timestamp = "#{table_name}.#{date_atrr} >= '#{datetime}'"
224	237	end
225	238
226	239	timestamp
...	...	@@ -245,12 +258,12 @@ module Api
245	258	end
246	259	end
247	260
248		- def select_filtered_collection_of(object, method, params)
	261	+ def select_filtered_collection_of(object, method_or_relation, params)
249	262	conditions = make_conditions_with_parameter(params)
250		- order = make_order_with_parameters(object,method,params)
251		- timestamp = make_timestamp_with_parameters_and_method(params, method)
	263	+ order = make_order_with_parameters(object,method_or_relation,params)
	264	+ timestamp = make_timestamp_with_parameters_and_method(params, method_or_relation)
252	265
253		- objects = object.send(method)
	266	+ objects = is_a_relation?(method_or_relation) ? method_or_relation : object.send(method_or_relation)
254	267	objects = by_reference(objects, params)
255	268	objects = by_categories(objects, params)
256	269
...	...	@@ -305,12 +318,12 @@ module Api
305	318	end
306	319
307	320	def cant_be_saved_request!(attribute)
308		- message = _("(Invalid request) %s can't be saved") % attribute
	321	+ message = _("(Invalid request) %s can't be saved").html_safe % attribute
309	322	render_api_error!(message, 400)
310	323	end
311	324
312	325	def bad_request!(attribute)
313		- message = _("(Invalid request) %s not given") % attribute
	326	+ message = _("(Invalid request) %s not given").html_safe % attribute
314	327	render_api_error!(message, 400)
315	328	end
316	329
...	...	@@ -396,10 +409,27 @@ module Api
396	409	end
397	410	private
398	411
	412	+ def extract_associated_tablename(method_or_relation)
	413	+ extract_associated_classname(method_or_relation).table_name
	414	+ end
	415	+
	416	+ def extract_associated_classname(method_or_relation)
	417	+ if is_a_relation?(method_or_relation)
	418	+ method_or_relation.blank? ? '' : method_or_relation.first.class
	419	+ else
	420	+ method_or_relation.to_s.singularize.camelize.constantize
	421	+ end
	422	+ end
	423	+
	424	+ def is_a_relation?(method_or_relation)
	425	+ method_or_relation.kind_of?(ActiveRecord::Relation)
	426	+ end
	427	+
	428	+
399	429	def parser_params(params)
400	430	parsed_params = {}
401	431	params.map do \|k,v\|
402		- parsed_params[k.to_sym] = v if DEFAULT_ALLOWED_PARAMETERS.include?(k.to_sym)
	432	+ parsed_params[k.to_sym] = v if ALLOWED_PARAMETERS.include?(k.to_sym)
403	433	end
404	434	parsed_params
405	435	end
...	...
...	...	@@ -136,6 +136,20 @@ module Api
136	136	members = select_filtered_collection_of(profile, 'members', params)
137	137	present members, :with => Entities::Person, :current_person => current_person
138	138	end
	139	+
	140	+ post do
	141	+ authenticate!
	142	+ profile = environment.profiles.find_by id: params[:profile_id]
	143	+ profile.add_member(current_person) rescue forbidden!
	144	+ {pending: !current_person.is_member_of?(profile)}
	145	+ end
	146	+
	147	+ delete do
	148	+ authenticate!
	149	+ profile = environment.profiles.find_by id: params[:profile_id]
	150	+ profile.remove_member(current_person)
	151	+ present current_person, :with => Entities::Person, :current_person => current_person
	152	+ end
139	153	end
140	154	end
141	155	end
...	...
1	1	module Api
2	2	module V1
3	3	class Tasks < Grape::API
4		-# before { authenticate! }
	4	+ before { authenticate! }
5	5
6		-# ARTICLE_TYPES = Article.descendants.map{\|a\| a.to_s}
	6	+ MAX_PER_PAGE = 50
7	7
8	8	resource :tasks do
9	9
10		- # Collect tasks
	10	+ paginate max_per_page: MAX_PER_PAGE
	11	+ # Collect all tasks that current person has permission
11	12	#
12	13	# Parameters:
13	14	# from - date where the search will begin. If nothing is passed the default date will be the date of the first article created
...	...	@@ -17,15 +18,22 @@ module Api
17	18	# Example Request:
18	19	# GET host/api/v1/tasks?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
19	20	get do
20		- tasks = select_filtered_collection_of(environment, 'tasks', params)
21		- tasks = tasks.select {\|t\| current_person.has_permission?(t.permission, environment)}
22		- present_partial tasks, :with => Entities::Task
	21	+ tasks = Task.to(current_person)
	22	+ present_tasks_for_asset(current_person, tasks)
23	23	end
24	24
25	25	desc "Return the task id"
26	26	get ':id' do
27		- task = find_task(environment, params[:id])
28		- present_partial task, :with => Entities::Task
	27	+ present_task(current_person, Task.to(current_person))
	28	+ end
	29	+
	30	+ %w[finish cancel].each do \|action\|
	31	+ desc "#{action.capitalize} a task"
	32	+ put ":id/#{action}" do
	33	+ task = find_task(current_person, Task.to(current_person), params[:id])
	34	+ task.send(action, current_person) if (task.status == Task::Status::ACTIVE)
	35	+ present_partial task, :with => Entities::Task
	36	+ end
29	37	end
30	38	end
31	39
...	...	@@ -36,7 +44,8 @@ module Api
36	44	resource :tasks do
37	45	get do
38	46	profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
39		- present_tasks(profile)
	47	+ tasks = Task.to(profile)
	48	+ present_tasks_for_asset(profile, tasks)
40	49	end
41	50
42	51	get ':id' do
...	...
...	...	@@ -1,185 +0,0 @@
1		-module AuthenticatedSystem
2		-
3		- protected
4		-
5		- extend ActiveSupport::Concern
6		-
7		- included do
8		- if self < ActionController::Base
9		- around_filter :user_set_current
10		- before_filter :override_user
11		- before_filter :login_from_cookie
12		- end
13		-
14		- # Inclusion hook to make #current_user and #logged_in?
15		- # available as ActionView helper methods.
16		- helper_method :current_user, :logged_in?
17		- end
18		-
19		- # Returns true or false if the user is logged in.
20		- # Preloads @current_user with the user model if they're logged in.
21		- def logged_in?
22		- current_user != nil
23		- end
24		-
25		- # Accesses the current user from the session.
26		- def current_user user_id = session[:user]
27		- @current_user \|\|= begin
28		- user = nil
29		- if session[:external]
30		- user = User.new
31		- external_person = ExternalPerson.find_by(id: session[:external])
32		- if external_person
33		- user.external_person_id = external_person.id
34		- user.email = external_person.email
35		- else
36		- session[:external] = nil
37		- end
38		- else
39		- user = User.find_by(id: user_id) if user_id
40		- end
41		- user.session = session if user
42		- User.current = user
43		- user
44		- end
45		- end
46		-
47		- # Store the given user in the session.
48		- def current_user=(new_user)
49		- if new_user.nil?
50		- session.delete(:user)
51		- else
52		- if new_user.id
53		- session[:user] = new_user.id
54		- else
55		- session[:external] = new_user.external_person_id
56		- end
57		- new_user.session = session
58		- new_user.register_login if new_user.id
59		- end
60		- @current_user = User.current = new_user
61		- end
62		-
63		- # See impl. from http://stackoverflow.com/a/2513456/670229
64		- def user_set_current
65		- User.current = current_user
66		- yield
67		- ensure
68		- # to address the thread variable leak issues in Puma/Thin webserver
69		- User.current = nil
70		- end
71		-
72		- # Check if the user is authorized.
73		- #
74		- # Override this method in your controllers if you want to restrict access
75		- # to only a few actions or if you want to check if the user
76		- # has the correct rights.
77		- #
78		- # Example:
79		- #
80		- # # only allow nonbobs
81		- # def authorize?
82		- # current_user.login != "bob"
83		- # end
84		- def authorized?
85		- true
86		- end
87		-
88		- # Filter method to enforce a login requirement.
89		- #
90		- # To require logins for all actions, use this in your controllers:
91		- #
92		- # before_filter :login_required
93		- #
94		- # To require logins for specific actions, use this in your controllers:
95		- #
96		- # before_filter :login_required, :only => [ :edit, :update ]
97		- #
98		- # To skip this in a subclassed controller:
99		- #
100		- # skip_before_filter :login_required
101		- #
102		- def login_required
103		- username, passwd = get_auth_data
104		- if username && passwd
105		- self.current_user \|\|= User.authenticate(username, passwd) \|\| nil
106		- end
107		- if logged_in? && authorized?
108		- true
109		- else
110		- if params[:require_login_popup]
111		- render :json => { :require_login_popup => true }
112		- else
113		- access_denied
114		- end
115		- end
116		- end
117		-
118		- # Redirect as appropriate when an access request fails.
119		- #
120		- # The default action is to redirect to the login screen.
121		- #
122		- # Override this method in your controllers if you want to have special
123		- # behavior in case the user is not authorized
124		- # to access the requested action. For example, a popup window might
125		- # simply close itself.
126		- def access_denied
127		- respond_to do \|accepts\|
128		- accepts.html do
129		- if request.xhr?
130		- render :text => _('Access denied'), :status => 401
131		- else
132		- store_location
133		- redirect_to :controller => '/account', :action => 'login'
134		- end
135		- end
136		- accepts.xml do
137		- headers["Status"] = "Unauthorized"
138		- headers["WWW-Authenticate"] = %(Basic realm="Web Password")
139		- render :text => "Could't authenticate you", :status => '401 Unauthorized'
140		- end
141		- end
142		- false
143		- end
144		-
145		- # Store the URI of the current request in the session.
146		- #
147		- # We can return to this location by calling #redirect_back_or_default.
148		- def store_location(location = request.url)
149		- session[:return_to] = location
150		- end
151		-
152		- # Redirect to the URI stored by the most recent store_location call or
153		- # to the passed default.
154		- def redirect_back_or_default(default)
155		- if session[:return_to]
156		- redirect_to(session.delete(:return_to))
157		- else
158		- redirect_to(default)
159		- end
160		- end
161		-
162		- def override_user
163		- return if params[:override_user].blank?
164		- return unless logged_in? and user.is_admin? environment
165		- @current_user = nil
166		- current_user params[:override_user]
167		- end
168		-
169		- # When called with before_filter :login_from_cookie will check for an :auth_token
170		- # cookie and log the user back in if apropriate
171		- def login_from_cookie
172		- return if cookies[:auth_token].blank? or logged_in?
173		- user = User.where(remember_token: cookies[:auth_token]).first
174		- self.current_user = user if user and user.remember_token?
175		- end
176		-
177		- private
178		- @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
179		- # gets BASIC auth info
180		- def get_auth_data
181		- auth_key = @@http_auth_headers.detect { \|h\| request.env.has_key?(h) }
182		- auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
183		- return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
184		- end
185		-end
...	...	@@ -44,7 +44,7 @@ class CategoriesController < AdminController
44	44	if request.post?
45	45	@category.update!(params[:category])
46	46	@saved = true
47		- session[:notice] = _("Category %s saved." % @category.name)
	47	+ session[:notice] = _("Category %s saved." % @category.name).html_safe
48	48	redirect_to :action => 'index'
49	49	end
50	50	rescue Exception => e
...	...
...	...	@@ -15,6 +15,20 @@ class ApplicationController < ActionController::Base
15	15	before_filter :redirect_to_current_user
16	16
17	17	before_filter :set_session_theme
	18	+
	19	+ # FIXME: only include necessary methods
	20	+ include ApplicationHelper
	21	+
	22	+ # concerns
	23	+ include PermissionCheck
	24	+ include CustomDesign
	25	+ include NeedsProfile
	26	+
	27	+ # implementations
	28	+ include FindByContents
	29	+ include Noosfero::Plugin::HotSpot
	30	+ include SearchTermHelper
	31	+
18	32	def set_session_theme
19	33	if params[:theme]
20	34	session[:theme] = environment.theme_ids.include?(params[:theme]) ? params[:theme] : nil
...	...	@@ -49,7 +63,6 @@ class ApplicationController < ActionController::Base
49	63	end
50	64	end
51	65
52		- include ApplicationHelper
53	66	layout :get_layout
54	67	def get_layout
55	68	return false if request.format == :js or request.xhr?
...	...	@@ -75,9 +88,6 @@ class ApplicationController < ActionController::Base
75	88	helper :document
76	89	helper :language
77	90
78		- include DesignHelper
79		- include PermissionCheck
80		-
81	91	before_filter :set_locale
82	92	def set_locale
83	93	FastGettext.available_locales = environment.available_locales
...	...	@@ -90,8 +100,6 @@ class ApplicationController < ActionController::Base
90	100	end
91	101	end
92	102
93		- include NeedsProfile
94		-
95	103	attr_reader :environment
96	104
97	105	# declares that the given <tt>actions</tt> cannot be accessed by other HTTP
...	...	@@ -108,6 +116,10 @@ class ApplicationController < ActionController::Base
108	116
109	117	protected
110	118
	119	+ def accept_only_post
	120	+ return render_not_found if !request.post?
	121	+ end
	122	+
111	123	def verified_request?
112	124	super \|\| form_authenticity_token == request.headers['X-XSRF-TOKEN']
113	125	end
...	...	@@ -154,8 +166,6 @@ class ApplicationController < ActionController::Base
154	166	end
155	167	end
156	168
157		- include Noosfero::Plugin::HotSpot
158		-
159	169	# FIXME this filter just loads @plugins to children controllers and helpers
160	170	def init_noosfero_plugins
161	171	plugins
...	...	@@ -187,9 +197,6 @@ class ApplicationController < ActionController::Base
187	197	end
188	198	end
189	199
190		- include SearchTermHelper
191		- include FindByContents
192		-
193	200	def find_suggestions(query, context, asset, options={})
194	201	plugins.dispatch_first(:find_suggestions, query, context, asset, options)
195	202	end
...	...
...	...	@@ -109,7 +109,7 @@ class BoxOrganizerController < ApplicationController
109	109	def show_block_type_info
110	110	type = params[:type]
111	111	if type.blank? \|\| !available_blocks.map(&:name).include?(type)
112		- raise ArgumentError.new("Type %s is not allowed. Go away." % type)
	112	+ raise ArgumentError.new("Type %s is not allowed. Go away.".html_safe % type)
113	113	end
114	114	@block = type.constantize.new
115	115	@block.box = Box.new(:owner => boxes_holder)
...	...	@@ -122,7 +122,7 @@ class BoxOrganizerController < ApplicationController
122	122
123	123	def new_block(type, box)
124	124	if !available_blocks.map(&:name).include?(type)
125		- raise ArgumentError.new("Type %s is not allowed. Go away." % type)
	125	+ raise ArgumentError.new("Type %s is not allowed. Go away.".html_safe % type)
126	126	end
127	127	block = type.constantize.new
128	128	box.blocks << block
...	...
...	...	@@ -0,0 +1,185 @@
	1	+module AuthenticatedSystem
	2	+
	3	+ protected
	4	+
	5	+ extend ActiveSupport::Concern
	6	+
	7	+ included do
	8	+ if self < ActionController::Base
	9	+ around_filter :user_set_current
	10	+ before_filter :override_user
	11	+ before_filter :login_from_cookie
	12	+ end
	13	+
	14	+ # Inclusion hook to make #current_user and #logged_in?
	15	+ # available as ActionView helper methods.
	16	+ helper_method :current_user, :logged_in?
	17	+ end
	18	+
	19	+ # Returns true or false if the user is logged in.
	20	+ # Preloads @current_user with the user model if they're logged in.
	21	+ def logged_in?
	22	+ current_user != nil
	23	+ end
	24	+
	25	+ # Accesses the current user from the session.
	26	+ def current_user user_id = session[:user]
	27	+ @current_user \|\|= begin
	28	+ user = nil
	29	+ if session[:external]
	30	+ user = User.new
	31	+ external_person = ExternalPerson.find_by(id: session[:external])
	32	+ if external_person
	33	+ user.external_person_id = external_person.id
	34	+ user.email = external_person.email
	35	+ else
	36	+ session[:external] = nil
	37	+ end
	38	+ else
	39	+ user = User.find_by(id: user_id) if user_id
	40	+ end
	41	+ user.session = session if user
	42	+ User.current = user
	43	+ user
	44	+ end
	45	+ end
	46	+
	47	+ # Store the given user in the session.
	48	+ def current_user=(new_user)
	49	+ if new_user.nil?
	50	+ session.delete(:user)
	51	+ else
	52	+ if new_user.id
	53	+ session[:user] = new_user.id
	54	+ else
	55	+ session[:external] = new_user.external_person_id
	56	+ end
	57	+ new_user.session = session
	58	+ new_user.register_login if new_user.id
	59	+ end
	60	+ @current_user = User.current = new_user
	61	+ end
	62	+
	63	+ # See impl. from http://stackoverflow.com/a/2513456/670229
	64	+ def user_set_current
	65	+ User.current = current_user
	66	+ yield
	67	+ ensure
	68	+ # to address the thread variable leak issues in Puma/Thin webserver
	69	+ User.current = nil
	70	+ end
	71	+
	72	+ # Check if the user is authorized.
	73	+ #
	74	+ # Override this method in your controllers if you want to restrict access
	75	+ # to only a few actions or if you want to check if the user
	76	+ # has the correct rights.
	77	+ #
	78	+ # Example:
	79	+ #
	80	+ # # only allow nonbobs
	81	+ # def authorize?
	82	+ # current_user.login != "bob"
	83	+ # end
	84	+ def authorized?
	85	+ true
	86	+ end
	87	+
	88	+ # Filter method to enforce a login requirement.
	89	+ #
	90	+ # To require logins for all actions, use this in your controllers:
	91	+ #
	92	+ # before_filter :login_required
	93	+ #
	94	+ # To require logins for specific actions, use this in your controllers:
	95	+ #
	96	+ # before_filter :login_required, :only => [ :edit, :update ]
	97	+ #
	98	+ # To skip this in a subclassed controller:
	99	+ #
	100	+ # skip_before_filter :login_required
	101	+ #
	102	+ def login_required
	103	+ username, passwd = get_auth_data
	104	+ if username && passwd
	105	+ self.current_user \|\|= User.authenticate(username, passwd) \|\| nil
	106	+ end
	107	+ if logged_in? && authorized?
	108	+ true
	109	+ else
	110	+ if params[:require_login_popup]
	111	+ render :json => { :require_login_popup => true }
	112	+ else
	113	+ access_denied
	114	+ end
	115	+ end
	116	+ end
	117	+
	118	+ # Redirect as appropriate when an access request fails.
	119	+ #
	120	+ # The default action is to redirect to the login screen.
	121	+ #
	122	+ # Override this method in your controllers if you want to have special
	123	+ # behavior in case the user is not authorized
	124	+ # to access the requested action. For example, a popup window might
	125	+ # simply close itself.
	126	+ def access_denied
	127	+ respond_to do \|accepts\|
	128	+ accepts.html do
	129	+ if request.xhr?
	130	+ render :text => _('Access denied'), :status => 401
	131	+ else
	132	+ store_location
	133	+ redirect_to :controller => '/account', :action => 'login'
	134	+ end
	135	+ end
	136	+ accepts.xml do
	137	+ headers["Status"] = "Unauthorized"
	138	+ headers["WWW-Authenticate"] = %(Basic realm="Web Password")
	139	+ render :text => "Could't authenticate you", :status => '401 Unauthorized'
	140	+ end
	141	+ end
	142	+ false
	143	+ end
	144	+
	145	+ # Store the URI of the current request in the session.
	146	+ #
	147	+ # We can return to this location by calling #redirect_back_or_default.
	148	+ def store_location(location = request.url)
	149	+ session[:return_to] = location
	150	+ end
	151	+
	152	+ # Redirect to the URI stored by the most recent store_location call or
	153	+ # to the passed default.
	154	+ def redirect_back_or_default(default)
	155	+ if session[:return_to]
	156	+ redirect_to(session.delete(:return_to))
	157	+ else
	158	+ redirect_to(default)
	159	+ end
	160	+ end
	161	+
	162	+ def override_user
	163	+ return if params[:override_user].blank?
	164	+ return unless logged_in? and user.is_admin? environment
	165	+ @current_user = nil
	166	+ current_user params[:override_user]
	167	+ end
	168	+
	169	+ # When called with before_filter :login_from_cookie will check for an :auth_token
	170	+ # cookie and log the user back in if apropriate
	171	+ def login_from_cookie
	172	+ return if cookies[:auth_token].blank? or logged_in?
	173	+ user = User.where(remember_token: cookies[:auth_token]).first
	174	+ self.current_user = user if user and user.remember_token?
	175	+ end
	176	+
	177	+ private
	178	+ @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
	179	+ # gets BASIC auth info
	180	+ def get_auth_data
	181	+ auth_key = @@http_auth_headers.detect { \|h\| request.env.has_key?(h) }
	182	+ auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
	183	+ return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
	184	+ end
	185	+end
...	...
...	...	@@ -0,0 +1,50 @@
	1	+module CustomDesign
	2	+
	3	+ extend ActiveSupport::Concern
	4	+
	5	+ included do
	6	+ extend ClassMethods
	7	+ include InstanceMethods
	8	+ before_filter :load_custom_design if self.respond_to? :before_filter
	9	+ end
	10	+
	11	+ module ClassMethods
	12	+
	13	+ def no_design_blocks
	14	+ @no_design_blocks = true
	15	+ end
	16	+
	17	+ def use_custom_design options = {}
	18	+ @custom_design = options
	19	+ end
	20	+
	21	+ def custom_design
	22	+ @custom_design \|\|= {}
	23	+ end
	24	+
	25	+ def uses_design_blocks?
	26	+ !@no_design_blocks
	27	+ end
	28	+
	29	+ end
	30	+
	31	+ module InstanceMethods
	32	+
	33	+ protected
	34	+
	35	+ def uses_design_blocks?
	36	+ !@no_design_blocks && self.class.uses_design_blocks?
	37	+ end
	38	+
	39	+ def load_custom_design
	40	+ # see also: LayoutHelper#body_classes
	41	+ @layout_template = self.class.custom_design[:layout_template]
	42	+ end
	43	+
	44	+ def custom_design
	45	+ @custom_design \|\| self.class.custom_design
	46	+ end
	47	+
	48	+ end
	49	+
	50	+end
...	...