Merge branch 'master' into staging

Leandro Santos
2 parents 24ead125 1af9c045
Showing 35 changed files with 584 additions and 464 deletions Show diff stats
app/api/v1/profiles.rb
app/concerns/authenticated_system.rb
app/controllers/application_controller.rb
app/controllers/my_profile/profile_themes_controller.rb
app/helpers/application_helper.rb
app/helpers/article_helper.rb
app/helpers/theme_loader_helper.rb
app/models/add_member.rb
app/models/environment.rb
app/models/person_notifier.rb
config/application.rb
lib/authenticated_system.rb
plugins/analytics/views/analytics_plugin/_body_ending.html.slim
plugins/metadata/lib/metadata_plugin/base.rb
plugins/products/test/unit/profile_test.rb
plugins/products/views/profile_editor/_products_profile_info_contents.html.slim
plugins/products/views/profile_editor/products_profile_info_contents.html.slim
plugins/responsive/lib/ext/application_helper.rb
plugins/responsive/lib/ext/boxes_helper.rb
plugins/responsive/lib/ext/chat_helper.rb
@@ -22,6 +22,15 @@ module Api
             not_found!
           end
         end
+        
+        desc "Update profile information"
+        post ':id' do
+          authenticate!
+          profile = environment.profiles.find_by(id: params[:id])
+          return forbidden! unless current_person.has_permission?(:edit_profile, profile)
+          profile.update_attributes!(params[:profile])
+          present profile, :with => Entities::Profile, :current_person => current_person
+        end
         delete ':id' do
           authenticate!
@@ -0,0 +1,160 @@
+module AuthenticatedSystem
+
+  protected
+
+    def self.included base
+      if base < ActionController::Base
+        base.around_filter :user_set_current
+        base.before_filter :login_from_cookie
+      end
+
+      # Inclusion hook to make #current_user and #logged_in?
+      # available as ActionView helper methods.
+      base.helper_method :current_user, :logged_in?
+    end
+
+    # Returns true or false if the user is logged in.
+    # Preloads @current_user with the user model if they're logged in.
+    def logged_in?
+      current_user != nil
+    end
+
+    # Accesses the current user from the session.
+    def current_user
+      @current_user ||= begin
+        id = session[:user]
+        user = User.where(id: id).first if id
+        user.session = session if user
+        User.current = user
+        user
+      end
+    end
+
+    # Store the given user in the session.
+    def current_user=(new_user)
+      if new_user.nil?
+        session.delete(:user)
+      else
+        session[:user] = new_user.id
+        new_user.session = session
+        new_user.register_login
+      end
+      @current_user = User.current = new_user
+    end
+
+    # See impl. from http://stackoverflow.com/a/2513456/670229
+    def user_set_current
+      User.current = current_user
+      yield
+    ensure
+      # to address the thread variable leak issues in Puma/Thin webserver
+      User.current = nil
+    end
+
+    # Check if the user is authorized.
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the user
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorize?
+    #    current_user.login != "bob"
+    #  end
+    def authorized?
+      true
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_filter :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_filter :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_filter :login_required
+    #
+    def login_required
+      username, passwd = get_auth_data
+      if username && passwd
+        self.current_user ||= User.authenticate(username, passwd) || nil
+      end
+      if logged_in? && authorized?
+        true
+      else
+        if params[:require_login_popup]
+          render :json => { :require_login_popup => true }
+        else
+          access_denied
+        end
+      end
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the user is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |accepts|
+        accepts.html do
+          if request.xhr?
+            render :text => _('Access denied'), :status => 401
+          else
+            store_location
+            redirect_to :controller => '/account', :action => 'login'
+          end
+        end
+        accepts.xml do
+          headers["Status"]           = "Unauthorized"
+          headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+          render :text => "Could't authenticate you", :status => '401 Unauthorized'
+        end
+      end
+      false
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location(location = request.url)
+      session[:return_to] = location
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.
+    def redirect_back_or_default(default)
+      if session[:return_to]
+        redirect_to(session.delete(:return_to))
+      else
+        redirect_to(default)
+      end
+    end
+
+    # When called with before_filter :login_from_cookie will check for an :auth_token
+    # cookie and log the user back in if apropriate
+    def login_from_cookie
+      return if cookies[:auth_token].blank? or logged_in?
+      user = User.where(remember_token: cookies[:auth_token]).first
+      self.current_user = user if user and user.remember_token?
+    end
+
+  private
+    @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
+    # gets BASIC auth info
+    def get_auth_data
+      auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
+      auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
+      return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
+    end
+end
@@ -18,6 +18,13 @@ class ApplicationController &lt; ActionController::Base
   end
   before_filter :redirect_to_current_user
+  before_filter :set_session_theme
+  def set_session_theme
+    if params[:theme]
+      session[:theme] = environment.theme_ids.include?(params[:theme]) ? params[:theme] : nil
+    end
+  end
+
   def require_login_for_environment
     login_required
   end
@@ -63,12 +63,12 @@ class ProfileThemesController &lt; ThemesController
   end
   def start_test
-    session[:theme] = params[:id]
+    session[:user_theme] = params[:id]
     redirect_to :controller => 'content_viewer', :profile => profile.identifier, :action => 'view_page'
   end
   def stop_test
-    session[:theme] = nil
+    session[:user_theme] = nil
     redirect_to :action => 'index'
   end
@@ -346,7 +346,7 @@ module ApplicationHelper
   end
   def is_testing_theme
-    !controller.session[:theme].nil?
+    !controller.session[:user_theme].nil?
   end
   def theme_owner
@@ -595,8 +595,8 @@ module ApplicationHelper
     end
     if block
-      field_html ||= ''
-      field_html += capture(&block)
+      field_html ||= ''.html_safe
+      field_html   = [field_html, capture(&block)].safe_join
     end
     if controller.action_name == 'signup' || controller.action_name == 'new_community' || (controller.controller_name == "enterprise_registration" && controller.action_name == 'index') || (controller.controller_name == 'home' && controller.action_name == 'index' && user.nil?)
@@ -605,7 +605,9 @@ module ApplicationHelper
       end
     else
       if profile.active_fields.include?(name)
-        result = content_tag('div', field_html + profile_field_privacy_selector(profile, name), :class => 'field-with-privacy-selector')
+        result = content_tag :div, class: 'field-with-privacy-selector' do
+          [field_html, profile_field_privacy_selector(profile, name)].safe_join
+        end
       end
     end
@@ -613,10 +615,6 @@ module ApplicationHelper
       result = required(result)
     end
-    if block
-      concat(result)
-    end
-
     result
   end
@@ -983,6 +981,7 @@ module ApplicationHelper
     values = {}
     values.merge!(task.information[:variables]) if task.information[:variables]
     values.merge!({:requestor => link_to(task.requestor.name, task.requestor.url)}) if task.requestor
+    values.merge!({:target => link_to(task.target.name, task.target.url)}) if (task.target && task.target.respond_to?(:url))
     values.merge!({:subject => content_tag('span', task.subject, :class=>'task_target')}) if task.subject
     values.merge!({:linked_subject => link_to(content_tag('span', task.linked_subject[:text], :class => 'task_target'), task.linked_subject[:url])}) if task.linked_subject
     (task.information[:message] % values).html_safe
@@ -188,9 +188,9 @@ module ArticleHelper
   def following_button(page, user)
     if !user.blank? and user != page.author
       if page.is_followed_by? user
-        button :cancel, unfollow_button_text(page), {:controller => 'profile', :profile => page.profile.identifier, :action => 'unfollow_article', :article_id => page.id, :profile => page.profile.identifier}
+        button :cancel, unfollow_button_text(page), {controller: :profile, profile: page.profile.identifier, action: :unfollow_article, article_id: page.id}
       else
-        button :add, follow_button_text(page), {:controller => 'profile', :profile => page.profile.identifier, :action => 'follow_article', :article_id => page.id, :profile => page.profile.identifier}
+        button :add, follow_button_text(page), {controller: :profile, profile: page.profile.identifier, action: :follow_article, article_id: page.id}
       end
     end
   end
@@ -2,8 +2,8 @@ module ThemeLoaderHelper
   def current_theme
     @current_theme ||=
       begin
-        if session[:theme]
-          session[:theme]
+        if session[:user_theme]
+          session[:user_theme]
         else
           # utility for developers: set the theme to 'random' in development mode and
           # you will get a different theme every request. This is interesting for
@@ -11,8 +11,8 @@ module ThemeLoaderHelper
           if Rails.env.development? && environment.theme == 'random'
             @random_theme ||= Dir.glob('public/designs/themes/*').map { |f| File.basename(f) }.rand
             @random_theme
-          elsif Rails.env.development? && respond_to?(:params) && params[:theme] && File.exists?(Rails.root.join('public/designs/themes', params[:theme]))
-            params[:theme]
+          elsif Rails.env.development? && respond_to?(:params) && params[:user_theme] && File.exists?(Rails.root.join('public/designs/themes', params[:user_theme]))
+            params[:user_theme]
           else
             if profile && !profile.theme.nil?
               profile.theme
@@ -34,8 +34,10 @@ module ThemeLoaderHelper
   end
   def theme_path
-    if session[:theme]
+    if session[:user_theme]
       '/user_themes/' + current_theme
+    elsif session[:theme]
+      '/designs/themes/' + session[:theme]
     else
       '/designs/themes/' + current_theme
     end
@@ -37,6 +37,10 @@ class AddMember &lt; Task
     true
   end
+  def reject_details
+    true
+  end
+
   def footer
     true
   end
@@ -72,8 +76,9 @@ class AddMember &lt; Task
   end
   def task_cancelled_message
-    _("Your request to enter community \"%{target} with the profile \"%{requestor}\" was not accepted. Please contact any profile admin from %{url} for more information.") %
-    {:target => self.target.name, :url => self.target.url,
-     :requestor => self.requestor.name}
+    _("Your request to enter community \"%{target}\" with the profile \"%{requestor}\" was not accepted. Please contact any profile admin from %{target} for more information. The following explanation was given: \n\n\"%{explanation}\"") %
+    {:target => self.target.name,
+     :requestor => self.requestor.name,
+     :explanation => self.reject_explanation}
   end
 end
@@ -750,6 +750,10 @@ class Environment &lt; ApplicationRecord
     end
   end
+  def theme_ids
+    settings[:themes] || []
+  end
+
   def themes=(values)
     settings[:themes] = values
   end
@@ -82,7 +82,7 @@ class PersonNotifier
     helper ActionTrackerHelper
     def session
-      {:theme => nil}
+      {:user_theme => nil}
     end
     def content_summary(person, notifications, tasks)
@@ -40,7 +40,6 @@ module Noosfero
     # Custom directories with classes and modules you want to be autoloadable.
     config.autoload_paths << config.root.join('lib')
     config.autoload_paths << config.root.join('app')
-    config.autoload_paths << config.root.join('app/jobs')
     config.autoload_paths << config.root.join('app/sweepers')
     config.autoload_paths.concat Dir["#{config.root}/app/controllers/**/"]
     config.autoload_paths << config.root.join('test', 'mocks', Rails.env)
@@ -1,160 +0,0 @@
-module AuthenticatedSystem
-
-  protected
-
-    def self.included base
-      if base < ActionController::Base
-        base.around_filter :user_set_current
-        base.before_filter :login_from_cookie
-      end
-
-      # Inclusion hook to make #current_user and #logged_in?
-      # available as ActionView helper methods.
-      base.helper_method :current_user, :logged_in?
-    end
-
-    # Returns true or false if the user is logged in.
-    # Preloads @current_user with the user model if they're logged in.
-    def logged_in?
-      current_user != nil
-    end
-
-    # Accesses the current user from the session.
-    def current_user
-      @current_user ||= begin
-        id = session[:user]
-        user = User.where(id: id).first if id
-        user.session = session if user
-        User.current = user
-        user
-      end
-    end
-
-    # Store the given user in the session.
-    def current_user=(new_user)
-      if new_user.nil?
-        session.delete(:user)
-      else
-        session[:user] = new_user.id
-        new_user.session = session
-        new_user.register_login
-      end
-      @current_user = User.current = new_user
-    end
-
-    # See impl. from http://stackoverflow.com/a/2513456/670229
-    def user_set_current
-      User.current = current_user
-      yield
-    ensure
-      # to address the thread variable leak issues in Puma/Thin webserver
-      User.current = nil
-    end
-
-    # Check if the user is authorized.
-    #
-    # Override this method in your controllers if you want to restrict access
-    # to only a few actions or if you want to check if the user
-    # has the correct rights.
-    #
-    # Example:
-    #
-    #  # only allow nonbobs
-    #  def authorize?
-    #    current_user.login != "bob"
-    #  end
-    def authorized?
-      true
-    end
-
-    # Filter method to enforce a login requirement.
-    #
-    # To require logins for all actions, use this in your controllers:
-    #
-    #   before_filter :login_required
-    #
-    # To require logins for specific actions, use this in your controllers:
-    #
-    #   before_filter :login_required, :only => [ :edit, :update ]
-    #
-    # To skip this in a subclassed controller:
-    #
-    #   skip_before_filter :login_required
-    #
-    def login_required
-      username, passwd = get_auth_data
-      if username && passwd
-        self.current_user ||= User.authenticate(username, passwd) || nil
-      end
-      if logged_in? && authorized?
-        true
-      else
-        if params[:require_login_popup]
-          render :json => { :require_login_popup => true }
-        else
-          access_denied
-        end
-      end
-    end
-
-    # Redirect as appropriate when an access request fails.
-    #
-    # The default action is to redirect to the login screen.
-    #
-    # Override this method in your controllers if you want to have special
-    # behavior in case the user is not authorized
-    # to access the requested action.  For example, a popup window might
-    # simply close itself.
-    def access_denied
-      respond_to do |accepts|
-        accepts.html do
-          if request.xhr?
-            render :text => _('Access denied'), :status => 401
-          else
-            store_location
-            redirect_to :controller => '/account', :action => 'login'
-          end
-        end
-        accepts.xml do
-          headers["Status"]           = "Unauthorized"
-          headers["WWW-Authenticate"] = %(Basic realm="Web Password")
-          render :text => "Could't authenticate you", :status => '401 Unauthorized'
-        end
-      end
-      false
-    end
-
-    # Store the URI of the current request in the session.
-    #
-    # We can return to this location by calling #redirect_back_or_default.
-    def store_location(location = request.url)
-      session[:return_to] = location
-    end
-
-    # Redirect to the URI stored by the most recent store_location call or
-    # to the passed default.
-    def redirect_back_or_default(default)
-      if session[:return_to]
-        redirect_to(session.delete(:return_to))
-      else
-        redirect_to(default)
-      end
-    end
-
-    # When called with before_filter :login_from_cookie will check for an :auth_token
-    # cookie and log the user back in if apropriate
-    def login_from_cookie
-      return if cookies[:auth_token].blank? or logged_in?
-      user = User.where(remember_token: cookies[:auth_token]).first
-      self.current_user = user if user and user.remember_token?
-    end
-
-  private
-    @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
-    # gets BASIC auth info
-    def get_auth_data
-      auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
-      auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
-      return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
-    end
-end
 javascript:
-  analytics.timeOnPage.baseUrl = #{url_for(controller: 'analytics_plugin/time_on_page').to_json}
+  analytics.timeOnPage.baseUrl = #{url_for(profile: profile.identifier, controller: 'analytics_plugin/time_on_page').to_json}
   analytics.timeOnPage.updateInterval = #{AnalyticsPlugin::TimeOnPageUpdateIntervalMs.to_json}
   analytics.requestId = #{request.env['action_dispatch.request_id'].to_json}
   analytics.init()
-
 class MetadataPlugin::Base < Noosfero::Plugin
   def self.plugin_name
@@ -71,6 +70,6 @@ end
 ActiveSupport.run_load_hooks :metadata_plugin, MetadataPlugin
 ActiveSupport.on_load :active_record do
-  ApplicationRecord.extend MetadataPlugin::Specs::ClassMethods
+  ActiveRecord::Base.extend MetadataPlugin::Specs::ClassMethods
 end
@@ -22,9 +22,8 @@ class ProfileTest &lt; ActiveSupport::TestCase
   end
   should 'collect the highlighted products with image' do
-    env = Environment.default
     e1 = fast_create(Enterprise)
-    p1 = create(Product, name: 'test_prod1', product_category_id: @product_category.id, enterprise: e1)
+    create(Product, name: 'test_prod1', product_category_id: @product_category.id, enterprise: e1)
     products = []
     3.times {|n|
       products.push(create(Product, name: "product #{n}", profile_id: e1.id,
@@ -36,7 +35,8 @@ class ProfileTest &lt; ActiveSupport::TestCase
     create(Product, name: "product 5", profile_id: e1.id, product_category_id: @product_category.id, image_builder: {
       uploaded_data: fixture_file_upload('/files/rails.png', 'image/png')
     })
-    assert_equal products, e1.highlighted_products_with_image
+
+    assert_equivalent products, e1.highlighted_products_with_image
   end
   should 'have many inputs through products' do
@@ -0,0 +1,3 @@
+- if profile.enterprise?
+  h2= _('Products/Services catalog')
+  = labelled_form_field(_('Number of products/services displayed per page on catalog'), text_field(:profile_data, :products_per_catalog_page, size: 3))
@@ -1,3 +0,0 @@
-- if profile.enterprise?
-  h2= _('Products/Services catalog')
-  = labelled_form_field(_('Number of products/services displayed per page on catalog'), text_field(:profile_data, :products_per_catalog_page, size: 3))
@@ -5,7 +5,7 @@ module ApplicationHelper
   protected
   module ResponsiveMethods
-    FORM_CONTROL_CLASS = "form-control"
+    FORM_CONTROL_CLASS = 'form-control'
     def button(type, label, url, html_options = {})
       return super unless theme_responsive?
@@ -13,15 +13,14 @@ module ApplicationHelper
       option = html_options.delete(:option) || 'default'
       size = html_options.delete(:size) || 'xs'
       the_class = "with-text btn btn-#{size} btn-#{option} icon-#{type}"
-      if html_options.has_key?(:class)
-        the_class << ' ' << html_options[:class]
-      end
-      #button_without_text type, label, url, html_options.merge(:class => the_class)
+      the_class << ' ' << html_options[:class] if html_options.has_key?(:class)
+
+      #button_without_text type, label, url, html_options.merge(class: the_class)
       the_title = html_options[:title] || label
       if html_options[:disabled]
-        content_tag('a', content_tag('span', label), html_options.merge(class: the_class, title: the_title))
+        content_tag(:a, content_tag(:span, label), html_options.merge(class: the_class, title: the_title))
       else
-        link_to(content_tag('span', label), url, html_options.merge(class: the_class, title: the_title))
+        link_to(content_tag(:span, label), url, html_options.merge(class: the_class, title: the_title))
       end
     end
@@ -36,7 +35,7 @@ module ApplicationHelper
       end
       the_title = html_options[:title] || label
       if html_options[:disabled]
-        content_tag('a', '', html_options.merge(class: the_class, title: the_title))
+        content_tag(:a, '', html_options.merge(class: the_class, title: the_title))
       else
         link_to('', url, html_options.merge(class: the_class, title: the_title))
       end
@@ -91,7 +90,7 @@ module ApplicationHelper
       if html_options.has_key?(:class)
         the_class << ' ' << html_options[:class]
       end
-      content_tag('div', '', html_options.merge(class: the_class))
+      content_tag(:div, '', html_options.merge(class: the_class))
     end
     def icon_button(type, text, url, html_options = {})
@@ -104,16 +103,21 @@ module ApplicationHelper
         the_class << ' ' << html_options[:class]
       end
-      link_to(content_tag('span', text), url, html_options.merge(class: the_class, title: text))
+      link_to(content_tag(:span, text), url, html_options.merge(class: the_class, title: text))
     end
-    def button_bar(options = {}, &block)
+    def button_bar options = {}, &block
       return super unless theme_responsive?
-      options[:class].nil? ?
-          options[:class]='button-bar' :
-          options[:class]+=' button-bar'
-      concat(content_tag('div', capture(&block).to_s + tag('br', style: 'clear: left;'), options))
+      options[:class] ||= ''
+      options[:class] << 'button-bar'
+
+      content_tag :div, options do
+        [
+          capture(&block).to_s,
+          tag('br', style: 'clear: left;'),
+        ].safe_join
+      end
     end
     def expirable_button(content, action, text, url, html_options = {})
@@ -128,143 +132,93 @@ module ApplicationHelper
     def search_contents_menu
       return super unless theme_responsive?
-      host = environment.default_hostname
-
-      output = '<li class="dropdown">'
-      output += link_to(_('Contents'), '#', :class=>"dropdown-toggle icon-menu-articles", title: _('Contents'), :'data-toggle'=>"dropdown", :'data-hover'=>"dropdown")
-      output += '<ul class="dropdown-menu" role="menu">'
-
-      output += '<li>' + link_to(_('All contents'), {host: host, controller: "search", action: 'contents', category_path: ''}) + '</li>'
-
+      host  = environment.default_hostname
       links = [
-        {s_('contents|More recent') => {:href => url_for({host: host, :controller => 'search', :action => 'contents', :filter => 'more_recent'})}},
-        {s_('contents|More viewed') => {:href => url_for({host: host, :controller => 'search', :action => 'contents', :filter => 'more_popular'})}},
-        {s_('contents|Most commented') => {:href => url_for({host: host, :controller => 'search', :action => 'contents', :filter => 'more_comments'})}}
+        [_('All contents'),             {host: host, controller: :search, action: :contents, category_path: ''}],
+        [s_('contents|More recent'),    {host: host, controller: :search, action: :contents, filter: 'more_recent'}],
+        [s_('contents|More viewed'),    {host: host, controller: :search, action: :contents, filter: 'more_popular'}],
+        [s_('contents|Most commented'), {host: host, controller: :search, action: :contents, filter: 'more_comments'}],
       ]
       if logged_in?
-        links.push(_('New content') => modal_options({href: url_for({controller: 'cms', action: 'new', profile: current_user.login, cms: true})}))
+        links.push [_('New content'), '', modal_options({href: url_for({controller: 'cms', action: 'new', profile: current_user.login, cms: true})})]
       end
-      links.each do |link|
-        link.each do |name, options|
-          output += content_tag(:li,content_tag(:a,name,options))
-        end
+      content_tag :li, class: 'dropdown' do
+        [
+          link_to('#', class: 'dropdown-toggle icon-menu-articles', title: _('Contents'), data: {toggle: 'dropdown', hover: 'dropdown'}) do
+            content_tag :span, _('Contents')
+          end,
+          content_tag(:ul, class: 'dropdown-menu', role: 'menu') do
+            links.map do |(name, url)|
+              content_tag :li do
+                link_to name, url
+              end
+            end.safe_join
+          end,
+        ].safe_join
       end
-
-      output += '</ul>'
-      output += '</li>'
-      output
     end
     def search_people_menu
       return super unless theme_responsive?
-      host = environment.default_hostname
-
-      output = '<li class="dropdown">'
-      output += link_to(_('People'), '#', :class=>"dropdown-toggle icon-menu-people", title: _('People'), :'data-toggle'=>"dropdown", :'data-hover'=>"dropdown")
-      output += '<ul class="dropdown-menu" role="menu">'
-
-      output += '<li>' + link_to(_('All people'), {host: host, controller: "search", action: 'people', category_path: ''}) + '</li>'
-
+      host  = environment.default_hostname
       links = [
-        {s_('people|More recent') => {:href => url_for({host: host, :controller => 'search', :action => 'people', :filter => 'more_recent'})}},
-        {s_('people|More active') => {:href => url_for({host: host, :controller => 'search', :action => 'people', :filter => 'more_active'})}},
-        {s_('people|More popular') => {:href => url_for({host: host, :controller => 'search', :action => 'people', :filter => 'more_popular'})}}
+        [_('All people'),           {host: host, controller: :search, action: :people, category_path: ''}],
+        [s_('people|More recent'),  {host: host, controller: :search, action: :people, filter: 'more_recent'}],
+        [s_('people|More active'),  {host: host, controller: :search, action: :people, filter: 'more_active'}],
+        [s_('people|More popular'), {host: host, controller: :search, action: :people, filter: 'more_popular'}],
       ]
       if logged_in?
-        links.push(_('My friends') => {href: url_for({profile: current_user.login, controller: 'friends'})})
-        links.push(_('Invite friends') => {href: url_for({profile: current_user.login, controller: 'invite', action: 'friends'})})
+        links.push [_('My friends'),     {profile: current_user.login, controller: 'friends'}]
+        links.push [_('Invite friends'), {profile: current_user.login, controller: 'invite', action: 'friends'}]
       end
-      links.each do |link|
-        link.each do |name, url|
-          output += '<li><a href="'+url[:href]+'">' + name + '</a></li>'
-        end
+      content_tag :li, class: 'dropdown' do
+        [
+          link_to('#', class: "dropdown-toggle icon-menu-people", title: _('People'), data: {toggle: 'dropdown', hover: 'dropdown'}) do
+            content_tag :span, _('People')
+          end,
+          content_tag(:ul, class: 'dropdown-menu', role: 'menu') do
+            links.map do |params|
+              content_tag :li do
+                link_to *params
+              end
+            end.safe_join
+          end
+        ].safe_join
       end
-
-      output += '</ul>'
-      output += '</li>'
-      output
     end
     def search_communities_menu
       return super unless theme_responsive?
-      host = environment.default_hostname
-
-      output = '<li class="dropdown">'
-      output += link_to(_('Communities'), '#', :class=>"dropdown-toggle icon-menu-community", title: _('Communities'), :'data-toggle'=>"dropdown", :'data-hover'=>"dropdown")
-      output += '<ul class="dropdown-menu" role="menu">'
-
-      output += '<li>' + link_to(_('All communities'), {host: host, controller: "search", action: 'communities', category_path: ''}) + '</li>'
-
+      host  = environment.default_hostname
       links = [
-        {s_('communities|More recent') => {:href => url_for({host: host, :controller => 'search', :action => 'communities', :filter => 'more_recent'})}},
-        {s_('communities|More active') => {:href => url_for({host: host, :controller => 'search', :action => 'communities', :filter => 'more_active'})}},
-        {s_('communities|More popular') => {:href => url_for({host: host, :controller => 'search', :action => 'communities', :filter => 'more_popular'})}}
+        [_('All communities'),           {host: host, controller: :search, action: :communities, category_path: ''}],
+        [s_('communities|More recent'),  {host: host, controller: :search, action: :communities, filter: 'more_recent'}],
+        [s_('communities|More active'),  {host: host, controller: :search, action: :communities, filter: 'more_active'}],
+        [s_('communities|More popular'), {host: host, controller: :search, action: :communities, filter: 'more_popular'}],
       ]
       if logged_in?
-        links.push(_('My communities') => {href: url_for({profile: current_user.login, controller: 'memberships'})})
-        links.push(_('New community') => {href: url_for({profile: current_user.login, controller: 'memberships', action: 'new_community'})})
+        links.push [_('My communities'), {profile: current_user.login, controller: 'memberships'}]
+        links.push [_('New community'),  {profile: current_user.login, controller: 'memberships', action: 'new_community'}]
       end
-      links.each do |link|
-        link.each do |name, url|
-          output += '<li><a href="'+url[:href]+'">' + name + '</a></li>'
-        end
-      end
-
-      output += '</ul>'
-      output += '</li>'
-      output
-    end
-
-    def usermenu_logged_in
-      return super unless theme_responsive?
-
-      output = '<li class="dropdown">'
-
-      pending_tasks_count = ''
-      count = user ? Task.to(user).pending.count : -1
-      if count > 0
-        pending_tasks_count = "<span class=\"badge\" onclick=\"document.location='#{url_for(user.tasks_url)}'\" title=\"#{_("Manage your pending tasks")}\">" + count.to_s + '</span>'
+      content_tag :li, class: 'dropdown' do
+        [
+          link_to('#', class: 'dropdown-toggle icon-menu-community', title: _('Communities'), data: {toggle: 'dropdown', hover: 'dropdown'}) do
+            content_tag :span, _('Communities')
+          end,
+          content_tag(:ul, class: 'dropdown-menu', role: 'menu') do
+            links.map do |params|
+              content_tag :li do
+                link_to *params
+              end
+            end.safe_join
+          end
+        ].safe_join
       end
-
-      output += link_to("<img class=\"menu-user-gravatar\" src=\"#{user.profile_custom_icon(gravatar_default)}\"><strong>#{user.identifier}</strong> #{pending_tasks_count}", '#', id: "homepage-link", title: _('Go to your homepage'), :class=>"dropdown-toggle", :'data-toggle'=>"dropdown", :'data-target'=>"", :'data-hover'=>"dropdown")
-
-
-      output += '<ul class="dropdown-menu" role="menu">'
-      output += '<li>' + link_to('<span class="icon-person">'+_('Profile')+'</span>', user.public_profile_url, id: "homepage-link", title: _('Go to your homepage')) + '</li>'
-
-      output += '<li class="divider"></li>'
-
-      #TODO
-      #render_environment_features(:usermenu) +
-
-      #admin_link
-      admin_link_str = admin_link
-      output += admin_link_str.present? ? '<li>' + admin_link_str + '</li>' : ''
-
-      #control_panel link
-      output += '<li>' + link_to('<i class="icon-menu-ctrl-panel"></i><strong>' + _('Control panel') + '</strong>', user.admin_url, class: 'ctrl-panel', title: _("Configure your personal account and content")) + '</li>'
-
-      output += chat_user_status_menu('icon-menu-offline', _('Offline'))
-
-      #manage_enterprises
-      manage_enterprises_str = manage_enterprises
-      output += manage_enterprises_str.present? ? '<li>' + manage_enterprises_str + '</li>' : ''
-
-      #manage_communities
-      manage_communities_str = manage_communities
-      output += manage_communities_str.present? ? '<li>' + manage_communities_str + '</li>' : ''
-
-      output += '<li class="divider"></li>'
-
-      output += '<li>' + link_to('<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>', { controller: 'account', action: 'logout'} , id: "logout", title: _("Leave the system")) + '</li>'
-
-      output += '</ul>'
-      output
     end
     def manage_link(list, kind, title)
@@ -274,17 +228,22 @@ module ApplicationHelper
         link_to_all = nil
         if list.count > 5
           list = list.first(5)
-          link_to_all = link_to(content_tag('strong', _('See all')), :controller => 'memberships', :profile => user.identifier)
+          link_to_all = link_to(content_tag(:strong, _('See all')), controller: 'memberships', profile: user.identifier)
         end
         link = list.map do |element|
-          link_to(content_tag('strong', element.short_name(25)), element.admin_url, :class => "icon-menu-"+element.class.identification.underscore, :title => _('Manage %s') % element.short_name)
+          link_to(content_tag(:strong, element.short_name(25)), element.admin_url, class: "icon-menu-"+element.class.identification.underscore, title: _('Manage %s') % element.short_name)
         end
         if link_to_all
           link << link_to_all
         end
-        content_tag('li', nil, class: 'divider') +
-        content_tag('li', title, class: 'dropdown-header') +
-        link.map{ |l| content_tag 'li', l }.join
+
+        [
+          content_tag(:li, nil, class: 'divider'),
+          content_tag(:li, title, class: 'dropdown-header'),
+          link.map do |l|
+            content_tag :li, l
+          end.safe_join
+        ].safe_join
       end
     end
@@ -301,15 +260,24 @@ module ApplicationHelper
             unless html_options[:style].present? and html_options[:style] =~ /display *: *none/
               menu_content << '<br/>' unless first
               first = false
-              menu_content << content_tag(:a,link_label,html_options)
+              menu_content << content_tag(:a, link_label,html_options)
             end
           end
         end
       end
       option = html_options.delete(:option) || 'default'
-      size = html_options.delete(:size) || 'xs'
-      "<button class='btn btn-#{size} btn-#{option} btn-popover-menu icon-parent-folder' data-toggle='popover' data-html='true' data-placement='top' data-trigger='focus' data-content=\""+CGI::escapeHTML(menu_content)+'" data-title="'+menu_title+'"></button>'
+      size   = html_options.delete(:size) || 'xs'
+      button_tag '',
+        class: "btn btn-#{size} btn-#{option} btn-popover-menu icon-parent-folder",
+        data:  {
+          html:      'true',
+          toggle:    'popover',
+          placement: 'top',
+          trigger:   'focus',
+          content:   menu_content,
+          title:     menu_title,
+        }
     end
@@ -406,12 +374,7 @@ module ApplicationHelper
   end
   include ResponsiveChecks
-  if RUBY_VERSION >= '2.0.0'
-    prepend ResponsiveMethods
-  else
-    extend ActiveSupport::Concern
-    included { include ResponsiveMethods }
-  end
+  prepend ResponsiveMethods
   # TODO: apply theme_responsive? condition
   class NoosferoFormBuilder
@@ -440,13 +403,16 @@ module ApplicationHelper
       if options[:horizontal]
         label_html = content_tag :label, gettext(text), class: 'control-label col-sm-3 col-md-2 col-lg-2', for: field_id
-        result = content_tag :div, label_html + content_tag('div',field_html, class: 'col-sm-9 col-md-6 col-lg-6'), class: 'form-group'
+        content    = [
+          label_html,
+          content_tag(:div, field_html.html_safe, class: 'col-sm-9 col-md-6 col-lg-6'),
+        ].safe_join
+        content_tag :div, content, class: 'form-group'
       else
         label_html = content_tag :label, gettext(text), class: 'control-label', for: field_id
-        result = content_tag :div, label_html + field_html, class: 'form-group'
+        content    = [label_html, field_html.html_safe].safe_join
+        content_tag :div, content, class: 'form-group'
       end
-
-      result
     end
   end
@@ -62,12 +62,7 @@ module BoxesHelper
   end
   include ResponsiveChecks
-  if RUBY_VERSION >= '2.0.0'
-    prepend ResponsiveMethods
-  else
-    extend ActiveSupport::Concern
-    included { include ResponsiveMethods }
-  end
+  prepend ResponsiveMethods
 end
@@ -23,12 +23,7 @@ module ChatHelper
   end
   include ResponsiveChecks
-  if RUBY_VERSION >= '2.0.0'
-    prepend ResponsiveMethods
-  else
-    extend ActiveSupport::Concern
-    included { include ResponsiveMethods }
-  end
+  prepend ResponsiveMethods
 end
@@ -11,8 +11,15 @@ module FormsHelper
       return super unless theme_responsive?
       options[:id] ||= 'radio-' + FormsHelper.next_id_number
-      content_tag( 'label', radio_button_tag( name, value, checked, options ) + '  ' +
- human_name, for: options[:id], class: 'radio-inline' )
+      content_tag :div, class:'radio-inline' do
+        content_tag :label, for: options[:id] do
+          [
+            radio_button_tag(name, value, checked, options),
+            ' ',
+            human_name,
+          ].safe_join
+        end
+      end
     end
     # add -inline class
@@ -20,8 +27,18 @@ module FormsHelper
       return super unless theme_responsive?
       options[:id] ||= 'checkbox-' + FormsHelper.next_id_number
-      hidden_field_tag(name, '0') +
-        content_tag( 'label', check_box_tag( name, value, checked, options ) + '  ' + human_name, for: options[:id], class: 'checkbox-inline')
+      [
+        hidden_field_tag(name, '0'),
+        content_tag(:div, class:'checkbox-inline') do
+          content_tag :label, for: options[:id] do
+            [
+              check_box_tag(name, value, checked, options),
+              ' ',
+              human_name,
+            ].safe_join
+          end
+        end
+      ].safe_join
     end
     def submit_button(type, label, html_options = {})
@@ -43,42 +60,34 @@ module FormsHelper
       html_options.delete(:cancel)
       bt_submit = button_tag(label, html_options.merge(class: the_class))
-      bt_submit + bt_cancel
+      [bt_submit + bt_cancel].safe_join
     end
-    %w[select select_tag text_field_tag number_field_tag password_field_tag].each do |method|
-      define_method method do |*args, &block|
-        #return super(*args, &block) unless theme_responsive?
+      bt_submit + bt_cancel
+    end
-        options = args.extract_options!
-        if options['class']
-          options['class'] = "#{options['class']} form-control"
-        else
-          options[:class] = "#{options[:class]} form-control"
-        end
-        super(*(args << options), &block)
+    %w[
+      select_tag
+      text_field_tag text_area_tag
+      number_field_tag password_field_tag url_field_tag email_field_tag
+      month_field_tag date_field_tag
+    ].each do |method|
+      define_method method do |name, value=nil, options={}, &block|
+        responsive_add_field_class! options
+        super(name, value, options, &block).html_safe
       end
     end
     %w[select_month select_year].each do |method|
       define_method method do |date, options={}, html_options={}|
-        if html_options['class']
-          html_options['class'] = "#{html_options['class']} form-control"
-        else
-          html_options[:class] = "#{html_options[:class]} form-control"
-        end
-        super date, options, html_options
+        responsive_add_field_class! html_options
+        super(date, options, html_options).html_safe
       end
     end
   end
   include ResponsiveChecks
-  if RUBY_VERSION >= '2.0.0'
-    prepend ResponsiveMethods
-  else
-    extend ActiveSupport::Concern
-    included { include ResponsiveMethods }
-  end
+  prepend ResponsiveMethods
 end
@@ -4,16 +4,15 @@ module InputHelper
   protected
   def input_group_addon addon, options = {}, &block
-    content_tag :div,
-      content_tag(:span, addon, class: 'input-group-addon') + yield,
-    class: 'input-group'
+    content_tag :div, class: 'input-group' do
+      [
+        content_tag(:span, addon, class: 'input-group-addon'),
+        capture(&block),
+      ].safe_join
+    end
   end
 end
-module ApplicationHelper
-
-  include InputHelper
-
-end
+ApplicationHelper.include InputHelper
@@ -13,7 +13,7 @@ class ResponsivePlugin &lt; Noosfero::Plugin
   end
   def head_ending
-    '<meta name="viewport" content="width=device-width, initial-scale=1">'
+    '<meta name="viewport" content="width=device-width, initial-scale=1">'.html_safe
   end
   def body_ending
@@ -1,71 +0,0 @@
-<div>
-<nav id="top-bar" class="navbar navbar-default" role="navigation">
-  <div class="container">
-    <!-- Brand and toggle get grouped for better mobile display -->
-    <div class="navbar-header">
-      <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#navbar-user-collapse">
-        <span class="sr-only"><%= _('User menu') %></span>
-        <span class="fa fa-user navbar-toggle-icon"></span>
-      </button>
-      <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#navbar-search-collapse">
-        <span class="sr-only"><%= _('Search') %></span>
-        <span class="fa fa-search navbar-toggle-icon"></span>
-      </button>
-      <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#navbar-navigation-collapse">
-        <span class="sr-only"><%= _('Navigation') %></span>
-        <span class="icon-bar"></span>
-        <span class="icon-bar"></span>
-        <span class="icon-bar"></span>
-      </button>
-
-    </div>
-
-    <!-- Collect the nav links, forms, and other content for toggling -->
-    <div class="collapse navbar-collapse" id="navbar-navigation-collapse">
-      <ul class="nav navbar-nav menu-navigation">
-        <%= theme_extra_navigation %>
-        <li class="dropdown" id="search-dropdown-menu">
-          <a href="#" class="dropdown-toggle icon-search" data-hover="dropdown" data-toggle="dropdown" title="<%= _('Search') %>"><span><%= _('Search') %></span></a>
-          <ul class="dropdown-menu" role="menu">
-            <li>
-              <form action="/search" id="top-search" method="get" role="search">
-                <div class="form-group col-lg-12 col-md-12 col-sm-12">
-                  <input name="query" title="<%=_('Search...')%>" placeholder="<%=_('Search...')%>" type="text" class="form-control input-sm"/>
-                </div>
-              </form>
-            </li>
-          </ul>
-        </li>
-      </ul>
-    </div>
-    <div class="collapse navbar-collapse" id="navbar-search-collapse">
-      <form action="/search" id="top-search" class="navbar-form navbar-left" method="get" role="search">
-        <div class="form-group">
-          <input name="query" title="<%=_('Search...')%>" placeholder="<%=_('Search...')%>" type="text" class="form-control"/>
-        </div>
-      </form>
-    </div>
-    <div class="collapse navbar-collapse" id="navbar-user-collapse">
-      <ul class="nav navbar-nav pull-right">
-        <% if user.present? %>
-          <%= usermenu_logged_in %>
-        <% else %>
-            <li>
-              <%= modal_inline_link_to('<i class="icon-menu-login"></i><strong>' + _('Login') + '</strong>', login_url, '#inlineLoginBox', :id => 'link_login') %>
-              <%= @plugins.dispatch(:alternative_authentication_link).collect { |content| instance_exec(&content) }.join("") #TODO review this
-              %>
-            </li>
-            <% unless @plugins.dispatch(:allow_user_registration).include?(false) %>
-                <li>
-                <%= link_to('<strong>' + _('Sign up') + '</strong>', :controller => 'account', :action => 'signup')%>
-                </li>
-            <% end %>
-        <% end %>
-      </ul>
-    </div><!-- /.navbar-collapse -->
-  </div><!-- /.container-fluid -->
-</nav>
-</div>
-<div id='inlineLoginBox' style='display: none;'>
-  <%= render :file => 'account/login', :locals => { :is_thickbox => true } %>
-</div>
@@ -0,0 +1,54 @@
+div
+  nav#top-bar.navbar.navbar-default.navbar-static-top role="navigation"
+    .container
+      /! Brand and toggle get grouped for better mobile display
+      .navbar-header
+        button.navbar-toggle data-target="#navbar-user-collapse" data-toggle="collapse" type="button"
+          span.sr-only= _('User menu')
+          span.fa.fa-user.navbar-toggle-icon
+
+        button.navbar-toggle data-target="#navbar-search-collapse" data-toggle="collapse" type="button"
+          span.sr-only= _('Search')
+          span.fa.fa-search.navbar-toggle-icon
+
+        button.navbar-toggle data-target="#navbar-navigation-collapse" data-toggle="collapse" type="button"
+          span.sr-only= _('Navigation')
+          span.icon-bar
+          span.icon-bar
+          span.icon-bar
+        a.navbar-brand href="#{environment.top_url}"
+          = theme_site_title
+          span#navbar-brand-site-title
+            = h @environment.name
+
+      /! Collect the nav links, forms, and other content for toggling
+      #navbar-navigation-collapse.collapse.navbar-collapse
+        ul.nav.navbar-nav.menu-navigation
+          = theme_extra_navigation
+          li#search-dropdown-menu.dropdown
+            a.dropdown-toggle.icon-search data-hover="dropdown" data-toggle="dropdown" href="#" title="#{_('Search')}"
+              span= _('Search')
+            ul.dropdown-menu role="menu"
+              li
+                form#top-search action="/search" method="get" role="search"
+                  .form-group.col-lg-12.col-md-12.col-sm-12
+                    input.form-control.input-sm name="query" placeholder="#{_('Search...')}" title="#{_('Search...')}" type="text" /
+
+      #navbar-search-collapse.collapse.navbar-collapse
+        form#top-search.navbar-form.navbar-left action="/search" method="get" role="search"
+          .form-group
+            input.form-control name="query" placeholder="#{_('Search...')}" title="#{_('Search...')}" type="text" /
+
+      #navbar-user-collapse.collapse.navbar-collapse
+        ul.nav.navbar-nav.pull-right
+          - if user.present?
+            = render 'layouts/usermenu_logged_in'
+          - else
+            li
+              = modal_inline_link_to "<i class='icon-menu-login'></i><strong>#{_('Login')}</strong>".html_safe, login_url, '#inlineLoginBox', id: 'link_login'
+              = @plugins.dispatch(:alternative_authentication_link).collect{ |content| instance_exec(&content) }.safe_join
+            - unless @plugins.dispatch(:allow_user_registration).include? false
+              li= link_to content_tag(:strong, _('Sign up')), controller: :account, action: :signup
+
+#inlineLoginBox style="display: none;"
+  = render file: 'account/login', locals: {is_thickbox: true}
@@ -0,0 +1,39 @@
+- pending_tasks_count = Task.to(user).pending.count if user
+
+li.dropdown
+  = link_to '#', id: "homepage-link", title: _('Go to your homepage'), class: 'dropdown-toggle', data: {toggle: 'dropdown', hover: 'dropdown'}
+    = image_tag user.profile_custom_icon(gravatar_default), class: 'menu-user-gravatar'
+    = content_tag :strong, user.identifier
+    - if pending_tasks_count
+      span class='badge' onclick="document.location='#{url_for(user.tasks_url)}'" title="#{_("Manage your pending tasks")}"
+        count
+
+  ul class='dropdown-menu' role='menu'
+    li
+      = link_to user.public_profile_url, id: "homepage-link", title: _('Go to your homepage')
+        span class='icon-person' = _('Profile')
+    li.divider
+
+    /TODO
+    /= render_environment_features(:usermenu)
+
+    li = admin_link
+
+    li
+      = link_to user.admin_url, class: 'ctrl-panel', title: _("Configure your personal account and content")
+        i class='icon-menu-ctrl-panel'
+        strong = _('Control panel')
+
+    - if environment.enabled? 'xmpp_chat'
+      = responsive_chat_user_status_menu 'icon-menu-offline', _('Offline')
+
+    li = manage_enterprises
+    li = manage_communities
+
+    li.divider
+
+    li
+      = link_to({controller: 'account', action: 'logout'}, id: "logout", title: _("Leave the system"))
+        i class='icon-menu-logout'
+        strong = _('Logout')
+
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<%= html_language %>" lang="<%= html_language %>" class="<%= h html_tag_classes %>">
   <head>
-    <title><%= h page_title %></title>
+    <title><%= h page_title.html_safe %></title>
     <%= yield(:feeds) %>
     <!--<meta http-equiv="refresh" content="1"/>-->
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
@@ -22,7 +22,7 @@
     <%=
       @plugins.dispatch(:head_ending).map do |content|
         if content.respond_to?(:call) then instance_exec(&content).to_s.html_safe else content.to_s.html_safe end
-      end.join("\n")
+      end.safe_join
     %>
     <script type="text/javascript">
@@ -68,7 +68,7 @@
     <%=
       @plugins.dispatch(:body_ending).map do |content|
         if content.respond_to?(:call) then instance_exec(&content).html_safe else content.html_safe end
-      end.join("\n")
+      end.safe_join
     %>
   </body>
 </html>
@@ -146,4 +146,49 @@ class ProfilesTest &lt; ActiveSupport::TestCase
     refute json.has_key?('Rating')
   end
+  [Community, Enterprise].each do |klass|
+    should "update #{klass.name}" do
+      login_api
+      profile = fast_create(klass)
+      profile.add_admin(person)
+      params[:profile] = {}
+      params[:profile][:custom_header] = "Another Header"
+      post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+      assert_equal "Another Header", profile.reload.custom_header
+    end
+
+    should "not update a #{klass.name} if user does not have permission" do
+      login_api
+      profile = fast_create(klass)
+      params[:profile] = {}
+      params[:profile][:custom_header] = "Another Header"
+      post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+      assert_equal 403, last_response.status
+    end
+
+    should "not update a #{klass.name} if user is not logged in" do
+      profile = fast_create(klass)
+      params[:profile] = {}
+      params[:profile][:custom_header] = "Another Header"
+      post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+      assert_equal 401, last_response.status
+    end
+  end
+
+  should 'update person' do
+    login_api
+    params[:profile] = {}
+    params[:profile][:custom_header] = "Another Header"
+    post "/api/v1/profiles/#{person.id}?#{params.to_query}"
+    assert_equal "Another Header", person.reload.custom_header
+  end
+
+  should 'not update person information if user does not have permission' do
+    login_api
+    profile = fast_create(Person)
+    params[:profile] = {}
+    params[:profile][:custom_header] = "Another Header"
+    post "/api/v1/profiles/#{profile.id}?#{params.to_query}"
+    assert_equal 403, last_response.status
+  end
 end
@@ -224,7 +224,7 @@ class ApplicationControllerTest &lt; ActionController::TestCase
   end
   should 'display theme test panel when testing theme' do
-    @request.session[:theme] = 'my-test-theme'
+    @request.session[:user_theme] = 'my-test-theme'
     theme = mock
     profile = mock
     theme.expects(:owner).returns(profile).at_least_once
@@ -576,4 +576,36 @@ class ApplicationControllerTest &lt; ActionController::TestCase
     assert_redirected_to :controller => 'test', :action => 'index', :profile => profile.identifier
   end
+  should 'set session theme if a params theme is passed as parameter' do
+    current_theme = 'my-test-theme'
+    environment = Environment.default
+    Theme.stubs(:system_themes).returns([Theme.new(current_theme)])
+    environment.themes = [current_theme]
+    environment.save!
+    assert_nil @request.session[:theme]
+    get :index, :theme => current_theme
+    assert_equal current_theme, @request.session[:theme]
+  end
+
+  should 'set session theme only in environment available themes' do
+    environment = Environment.default
+    assert_nil @request.session[:theme]
+    environment.stubs(:theme_ids).returns(['another_theme'])
+    get :index, :theme => 'my-test-theme'
+    assert_nil @request.session[:theme]
+  end
+
+  should 'unset session theme if not environment available themes is defined' do
+    environment = Environment.default
+    current_theme = 'my-test-theme'
+    Theme.stubs(:system_themes).returns([Theme.new(current_theme)])
+    environment.themes = [current_theme]
+    environment.save!
+    get :index, :theme => current_theme
+    assert_equal current_theme, @request.session[:theme]
+
+    get :index, :theme => 'another_theme'
+    assert_nil @request.session[:theme]
+  end
+
 end
@@ -231,7 +231,7 @@ class ProfileThemesControllerTest &lt; ActionController::TestCase
     theme = Theme.create('theme-under-test', :owner => profile)
     post :start_test, :profile => 'testinguser', :id => 'theme-under-test'
-    assert_equal 'theme-under-test', session[:theme]
+    assert_equal 'theme-under-test', session[:user_theme]
     assert_redirected_to :controller => 'content_viewer', :profile => 'testinguser', :action => 'view_page'
   end
@@ -239,7 +239,7 @@ class ProfileThemesControllerTest &lt; ActionController::TestCase
     theme = Theme.create('theme-under-test', :owner => profile)
     post :stop_test, :profile => 'testinguser', :id => 'theme-under-test'
-    assert_nil session[:theme]
+    assert_nil session[:user_theme]
     assert_redirected_to :action => 'index'
   end
@@ -149,4 +149,11 @@ class AddMemberTest &lt; ActiveSupport::TestCase
     assert_no_match(/\(#{task.requestor.email}\)/, task.target_notification_description)
   end
+
+  should 'have cancel notification message with explanation' do
+    explanation_message = 'some explanation'
+    task = AddMember.new(:person => person, :organization => community,
+                         :reject_explanation => explanation_message)
+    assert_match(/#{explanation_message}/, task.task_cancelled_message)
+  end
 end
@@ -466,7 +466,7 @@ class ApplicationHelperTest &lt; ActionView::TestCase
   should 'use theme passed via param when in development mode' do
     stubs(:environment).returns(build(Environment, :theme => 'environment-theme'))
     Rails.env.stubs(:development?).returns(true)
-    self.stubs(:params).returns({:theme => 'skyblue'})
+    self.stubs(:params).returns({:user_theme => 'skyblue'})
     assert_equal 'skyblue', current_theme
   end
@@ -101,14 +101,14 @@ class ContentViewerHelperTest &lt; ActionView::TestCase
   end
   should 'theme provides addthis custom icon' do
-    stubs(:session).returns({:theme => 'base'})
+    stubs(:session).returns({:user_theme => 'base'})
     File.expects(:exists?).with(anything).returns(true)
     Environment.any_instance.stubs(:default_hostname).returns('noosfero.org')
     assert_match 'addthis.gif', addthis_image_tag
   end
   should 'use default addthis icon if theme has no addthis.gif image' do
-    stubs(:session).returns({:theme => 'base'})
+    stubs(:session).returns({:user_theme => 'base'})
     File.expects(:exists?).with(anything).returns(false)
     Environment.any_instance.stubs(:default_hostname).returns('noosfero.org')
     assert_match 'bt-bookmark.gif', addthis_image_tag
@@ -457,6 +457,22 @@ class EnvironmentTest &lt; ActiveSupport::TestCase
     assert_equal ['new-theme', 'other-theme'], Environment.default.themes.map(&:id)
   end
+  should 'return the theme ids' do
+    env = Environment.default
+    t1 = 'theme_1'
+    t2 = 'theme_2'
+    Theme.stubs(:system_themes).returns([Theme.new(t1), Theme.new(t2)])
+    env.themes = [t1, t2]
+    env.save!
+    assert_equivalent  [t1, t2], Environment.default.theme_ids
+  end
+  should 'theme_ids be an empty array if there is no settings themes defined' do
+    env = Environment.default
+    env.settings[:themes] = nil
+    env.save!
+    assert Environment.default.theme_ids.empty?
+  end
+
   should 'create templates' do
     e = create(Environment, :name => 'test_env')
     e.reload
@@ -20,7 +20,7 @@ class ThemeLoaderHelperTest &lt; ActionView::TestCase
   end
   should 'override theme with testing theme from session' do
-    stubs(:session).returns(:theme => 'theme-under-test')
+    stubs(:session).returns(:user_theme => 'theme-under-test')
     assert_equal 'theme-under-test', current_theme
   end
@@ -30,7 +30,17 @@ class ThemeLoaderHelperTest &lt; ActionView::TestCase
   end
   should 'point to user theme path when testing theme' do
-    stubs(:session).returns({:theme => 'theme-under-test'})
+    stubs(:session).returns({:user_theme => 'theme-under-test'})
     assert_equal '/user_themes/theme-under-test', theme_path
   end
-end
 \ No newline at end of file
+
+  should 'point to session theme is defined' do
+    session = mock
+    stubs(:session).returns(session)
+    my_session_theme = 'session_theme'
+    session.stubs(:[]).with(:user_theme).returns(nil)
+    session.stubs(:[]).with(:theme).returns(my_session_theme)
+    assert_equal '/designs/themes/' + my_session_theme, theme_path
+  end
+
+end
	@@ -22,6 +22,15 @@ module Api		@@ -22,6 +22,15 @@ module Api
22	not_found!	22	not_found!
23	end	23	end
24	end	24	end
		25	+
		26	+ desc "Update profile information"
		27	+ post ':id' do
		28	+ authenticate!
		29	+ profile = environment.profiles.find_by(id: params[:id])
		30	+ return forbidden! unless current_person.has_permission?(:edit_profile, profile)
		31	+ profile.update_attributes!(params[:profile])
		32	+ present profile, :with => Entities::Profile, :current_person => current_person
		33	+ end
25		34
26	delete ':id' do	35	delete ':id' do
27	authenticate!	36	authenticate!
@@ -0,0 +1,160 @@		@@ -0,0 +1,160 @@
	1	+module AuthenticatedSystem
	2	+
	3	+ protected
	4	+
	5	+ def self.included base
	6	+ if base < ActionController::Base
	7	+ base.around_filter :user_set_current
	8	+ base.before_filter :login_from_cookie
	9	+ end
	10	+
	11	+ # Inclusion hook to make #current_user and #logged_in?
	12	+ # available as ActionView helper methods.
	13	+ base.helper_method :current_user, :logged_in?
	14	+ end
	15	+
	16	+ # Returns true or false if the user is logged in.
	17	+ # Preloads @current_user with the user model if they're logged in.
	18	+ def logged_in?
	19	+ current_user != nil
	20	+ end
	21	+
	22	+ # Accesses the current user from the session.
	23	+ def current_user
	24	+ @current_user \|\|= begin
	25	+ id = session[:user]
	26	+ user = User.where(id: id).first if id
	27	+ user.session = session if user
	28	+ User.current = user
	29	+ user
	30	+ end
	31	+ end
	32	+
	33	+ # Store the given user in the session.
	34	+ def current_user=(new_user)
	35	+ if new_user.nil?
	36	+ session.delete(:user)
	37	+ else
	38	+ session[:user] = new_user.id
	39	+ new_user.session = session
	40	+ new_user.register_login
	41	+ end
	42	+ @current_user = User.current = new_user
	43	+ end
	44	+
	45	+ # See impl. from http://stackoverflow.com/a/2513456/670229
	46	+ def user_set_current
	47	+ User.current = current_user
	48	+ yield
	49	+ ensure
	50	+ # to address the thread variable leak issues in Puma/Thin webserver
	51	+ User.current = nil
	52	+ end
	53	+
	54	+ # Check if the user is authorized.
	55	+ #
	56	+ # Override this method in your controllers if you want to restrict access
	57	+ # to only a few actions or if you want to check if the user
	58	+ # has the correct rights.
	59	+ #
	60	+ # Example:
	61	+ #
	62	+ # # only allow nonbobs
	63	+ # def authorize?
	64	+ # current_user.login != "bob"
	65	+ # end
	66	+ def authorized?
	67	+ true
	68	+ end
	69	+
	70	+ # Filter method to enforce a login requirement.
	71	+ #
	72	+ # To require logins for all actions, use this in your controllers:
	73	+ #
	74	+ # before_filter :login_required
	75	+ #
	76	+ # To require logins for specific actions, use this in your controllers:
	77	+ #
	78	+ # before_filter :login_required, :only => [ :edit, :update ]
	79	+ #
	80	+ # To skip this in a subclassed controller:
	81	+ #
	82	+ # skip_before_filter :login_required
	83	+ #
	84	+ def login_required
	85	+ username, passwd = get_auth_data
	86	+ if username && passwd
	87	+ self.current_user \|\|= User.authenticate(username, passwd) \|\| nil
	88	+ end
	89	+ if logged_in? && authorized?
	90	+ true
	91	+ else
	92	+ if params[:require_login_popup]
	93	+ render :json => { :require_login_popup => true }
	94	+ else
	95	+ access_denied
	96	+ end
	97	+ end
	98	+ end
	99	+
	100	+ # Redirect as appropriate when an access request fails.
	101	+ #
	102	+ # The default action is to redirect to the login screen.
	103	+ #
	104	+ # Override this method in your controllers if you want to have special
	105	+ # behavior in case the user is not authorized
	106	+ # to access the requested action. For example, a popup window might
	107	+ # simply close itself.
	108	+ def access_denied
	109	+ respond_to do \|accepts\|
	110	+ accepts.html do
	111	+ if request.xhr?
	112	+ render :text => _('Access denied'), :status => 401
	113	+ else
	114	+ store_location
	115	+ redirect_to :controller => '/account', :action => 'login'
	116	+ end
	117	+ end
	118	+ accepts.xml do
	119	+ headers["Status"] = "Unauthorized"
	120	+ headers["WWW-Authenticate"] = %(Basic realm="Web Password")
	121	+ render :text => "Could't authenticate you", :status => '401 Unauthorized'
	122	+ end
	123	+ end
	124	+ false
	125	+ end
	126	+
	127	+ # Store the URI of the current request in the session.
	128	+ #
	129	+ # We can return to this location by calling #redirect_back_or_default.
	130	+ def store_location(location = request.url)
	131	+ session[:return_to] = location
	132	+ end
	133	+
	134	+ # Redirect to the URI stored by the most recent store_location call or
	135	+ # to the passed default.
	136	+ def redirect_back_or_default(default)
	137	+ if session[:return_to]
	138	+ redirect_to(session.delete(:return_to))
	139	+ else
	140	+ redirect_to(default)
	141	+ end
	142	+ end
	143	+
	144	+ # When called with before_filter :login_from_cookie will check for an :auth_token
	145	+ # cookie and log the user back in if apropriate
	146	+ def login_from_cookie
	147	+ return if cookies[:auth_token].blank? or logged_in?
	148	+ user = User.where(remember_token: cookies[:auth_token]).first
	149	+ self.current_user = user if user and user.remember_token?
	150	+ end
	151	+
	152	+ private
	153	+ @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
	154	+ # gets BASIC auth info
	155	+ def get_auth_data
	156	+ auth_key = @@http_auth_headers.detect { \|h\| request.env.has_key?(h) }
	157	+ auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
	158	+ return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
	159	+ end
	160	+end
	@@ -18,6 +18,13 @@ class ApplicationController < ActionController::Base		@@ -18,6 +18,13 @@ class ApplicationController < ActionController::Base
18	end	18	end
19	before_filter :redirect_to_current_user	19	before_filter :redirect_to_current_user
20		20
		21	+ before_filter :set_session_theme
		22	+ def set_session_theme
		23	+ if params[:theme]
		24	+ session[:theme] = environment.theme_ids.include?(params[:theme]) ? params[:theme] : nil
		25	+ end
		26	+ end
		27	+
21	def require_login_for_environment	28	def require_login_for_environment
22	login_required	29	login_required
23	end	30	end
	@@ -63,12 +63,12 @@ class ProfileThemesController < ThemesController		@@ -63,12 +63,12 @@ class ProfileThemesController < ThemesController
63	end	63	end
64		64
65	def start_test	65	def start_test
66	- session[:theme] = params[:id]	66	+ session[:user_theme] = params[:id]
67	redirect_to :controller => 'content_viewer', :profile => profile.identifier, :action => 'view_page'	67	redirect_to :controller => 'content_viewer', :profile => profile.identifier, :action => 'view_page'
68	end	68	end
69		69
70	def stop_test	70	def stop_test
71	- session[:theme] = nil	71	+ session[:user_theme] = nil
72	redirect_to :action => 'index'	72	redirect_to :action => 'index'
73	end	73	end
74		74
	@@ -188,9 +188,9 @@ module ArticleHelper		@@ -188,9 +188,9 @@ module ArticleHelper
188	def following_button(page, user)	188	def following_button(page, user)
189	if !user.blank? and user != page.author	189	if !user.blank? and user != page.author
190	if page.is_followed_by? user	190	if page.is_followed_by? user
191	- button :cancel, unfollow_button_text(page), {:controller => 'profile', :profile => page.profile.identifier, :action => 'unfollow_article', :article_id => page.id, :profile => page.profile.identifier}	191	+ button :cancel, unfollow_button_text(page), {controller: :profile, profile: page.profile.identifier, action: :unfollow_article, article_id: page.id}
192	else	192	else
193	- button :add, follow_button_text(page), {:controller => 'profile', :profile => page.profile.identifier, :action => 'follow_article', :article_id => page.id, :profile => page.profile.identifier}	193	+ button :add, follow_button_text(page), {controller: :profile, profile: page.profile.identifier, action: :follow_article, article_id: page.id}
194	end	194	end
195	end	195	end
196	end	196	end
	@@ -82,7 +82,7 @@ class PersonNotifier		@@ -82,7 +82,7 @@ class PersonNotifier
82	helper ActionTrackerHelper	82	helper ActionTrackerHelper
83		83
84	def session	84	def session
85	- {:theme => nil}	85	+ {:user_theme => nil}
86	end	86	end
87		87
88	def content_summary(person, notifications, tasks)	88	def content_summary(person, notifications, tasks)
	@@ -1,160 +0,0 @@	@@ -1,160 +0,0 @@
1	-module AuthenticatedSystem
2	-
3	- protected
4	-
5	- def self.included base
6	- if base < ActionController::Base
7	- base.around_filter :user_set_current
8	- base.before_filter :login_from_cookie
9	- end
10	-
11	- # Inclusion hook to make #current_user and #logged_in?
12	- # available as ActionView helper methods.
13	- base.helper_method :current_user, :logged_in?
14	- end
15	-
16	- # Returns true or false if the user is logged in.
17	- # Preloads @current_user with the user model if they're logged in.
18	- def logged_in?
19	- current_user != nil
20	- end
21	-
22	- # Accesses the current user from the session.
23	- def current_user
24	- @current_user \|\|= begin
25	- id = session[:user]
26	- user = User.where(id: id).first if id
27	- user.session = session if user
28	- User.current = user
29	- user
30	- end
31	- end
32	-
33	- # Store the given user in the session.
34	- def current_user=(new_user)
35	- if new_user.nil?
36	- session.delete(:user)
37	- else
38	- session[:user] = new_user.id
39	- new_user.session = session
40	- new_user.register_login
41	- end
42	- @current_user = User.current = new_user
43	- end
44	-
45	- # See impl. from http://stackoverflow.com/a/2513456/670229
46	- def user_set_current
47	- User.current = current_user
48	- yield
49	- ensure
50	- # to address the thread variable leak issues in Puma/Thin webserver
51	- User.current = nil
52	- end
53	-
54	- # Check if the user is authorized.
55	- #
56	- # Override this method in your controllers if you want to restrict access
57	- # to only a few actions or if you want to check if the user
58	- # has the correct rights.
59	- #
60	- # Example:
61	- #
62	- # # only allow nonbobs
63	- # def authorize?
64	- # current_user.login != "bob"
65	- # end
66	- def authorized?
67	- true
68	- end
69	-
70	- # Filter method to enforce a login requirement.
71	- #
72	- # To require logins for all actions, use this in your controllers:
73	- #
74	- # before_filter :login_required
75	- #
76	- # To require logins for specific actions, use this in your controllers:
77	- #
78	- # before_filter :login_required, :only => [ :edit, :update ]
79	- #
80	- # To skip this in a subclassed controller:
81	- #
82	- # skip_before_filter :login_required
83	- #
84	- def login_required
85	- username, passwd = get_auth_data
86	- if username && passwd
87	- self.current_user \|\|= User.authenticate(username, passwd) \|\| nil
88	- end
89	- if logged_in? && authorized?
90	- true
91	- else
92	- if params[:require_login_popup]
93	- render :json => { :require_login_popup => true }
94	- else
95	- access_denied
96	- end
97	- end
98	- end
99	-
100	- # Redirect as appropriate when an access request fails.
101	- #
102	- # The default action is to redirect to the login screen.
103	- #
104	- # Override this method in your controllers if you want to have special
105	- # behavior in case the user is not authorized
106	- # to access the requested action. For example, a popup window might
107	- # simply close itself.
108	- def access_denied
109	- respond_to do \|accepts\|
110	- accepts.html do
111	- if request.xhr?
112	- render :text => _('Access denied'), :status => 401
113	- else
114	- store_location
115	- redirect_to :controller => '/account', :action => 'login'
116	- end
117	- end
118	- accepts.xml do
119	- headers["Status"] = "Unauthorized"
120	- headers["WWW-Authenticate"] = %(Basic realm="Web Password")
121	- render :text => "Could't authenticate you", :status => '401 Unauthorized'
122	- end
123	- end
124	- false
125	- end
126	-
127	- # Store the URI of the current request in the session.
128	- #
129	- # We can return to this location by calling #redirect_back_or_default.
130	- def store_location(location = request.url)
131	- session[:return_to] = location
132	- end
133	-
134	- # Redirect to the URI stored by the most recent store_location call or
135	- # to the passed default.
136	- def redirect_back_or_default(default)
137	- if session[:return_to]
138	- redirect_to(session.delete(:return_to))
139	- else
140	- redirect_to(default)
141	- end
142	- end
143	-
144	- # When called with before_filter :login_from_cookie will check for an :auth_token
145	- # cookie and log the user back in if apropriate
146	- def login_from_cookie
147	- return if cookies[:auth_token].blank? or logged_in?
148	- user = User.where(remember_token: cookies[:auth_token]).first
149	- self.current_user = user if user and user.remember_token?
150	- end
151	-
152	- private
153	- @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
154	- # gets BASIC auth info
155	- def get_auth_data
156	- auth_key = @@http_auth_headers.detect { \|h\| request.env.has_key?(h) }
157	- auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
158	- return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
159	- end
160	-end
1	javascript:	1	javascript:
2	- analytics.timeOnPage.baseUrl = #{url_for(controller: 'analytics_plugin/time_on_page').to_json}	2	+ analytics.timeOnPage.baseUrl = #{url_for(profile: profile.identifier, controller: 'analytics_plugin/time_on_page').to_json}
3	analytics.timeOnPage.updateInterval = #{AnalyticsPlugin::TimeOnPageUpdateIntervalMs.to_json}	3	analytics.timeOnPage.updateInterval = #{AnalyticsPlugin::TimeOnPageUpdateIntervalMs.to_json}
4	analytics.requestId = #{request.env['action_dispatch.request_id'].to_json}	4	analytics.requestId = #{request.env['action_dispatch.request_id'].to_json}
5	analytics.init()	5	analytics.init()
1	-
2	class MetadataPlugin::Base < Noosfero::Plugin	1	class MetadataPlugin::Base < Noosfero::Plugin
3		2
4	def self.plugin_name	3	def self.plugin_name
	@@ -71,6 +70,6 @@ end		@@ -71,6 +70,6 @@ end
71		70
72	ActiveSupport.run_load_hooks :metadata_plugin, MetadataPlugin	71	ActiveSupport.run_load_hooks :metadata_plugin, MetadataPlugin
73	ActiveSupport.on_load :active_record do	72	ActiveSupport.on_load :active_record do
74	- ApplicationRecord.extend MetadataPlugin::Specs::ClassMethods	73	+ ActiveRecord::Base.extend MetadataPlugin::Specs::ClassMethods
75	end	74	end
76		75
@@ -0,0 +1,3 @@		@@ -0,0 +1,3 @@
	1	+- if profile.enterprise?
	2	+ h2= _('Products/Services catalog')
	3	+ = labelled_form_field(_('Number of products/services displayed per page on catalog'), text_field(:profile_data, :products_per_catalog_page, size: 3))