Showing 1159 changed files Show diff stats
.gitlab-ci.yml
.travis.yml
Gemfile
INSTALL.varnish.md
README.rails.md
app/api/app.rb
app/api/entities.rb
app/api/entity.rb
app/api/helpers.rb
app/api/v1/activities.rb
app/api/v1/articles.rb
app/api/v1/blocks.rb
app/api/v1/boxes.rb
app/api/v1/categories.rb
app/api/v1/comments.rb
app/api/v1/communities.rb
app/api/v1/contacts.rb
app/api/v1/enterprises.rb
app/api/v1/environments.rb
app/api/v1/people.rb
@@ -30,14 +30,47 @@ integration:
   script: bundle exec rake test:integration
   stage: all-tests
  
-cucumber:
-  script: bundle exec rake cucumber
+cucumber-1:
+  script: SLICE=1/2 bundle exec rake cucumber
+  stage: all-tests
+cucumber-2:
+  script: SLICE=2/2 bundle exec rake cucumber
   stage: all-tests
  
-selenium:
-  script: bundle exec rake selenium
+selenium-1:
+  script: SLICE=1/6 bundle exec rake selenium
+  stage: all-tests
+selenium-2:
+  script: SLICE=2/6 bundle exec rake selenium
+  stage: all-tests
+selenium-3:
+  script: SLICE=3/6 bundle exec rake selenium
+  stage: all-tests
+selenium-4:
+  script: SLICE=4/6 bundle exec rake selenium
+  stage: all-tests
+selenium-5:
+  script: SLICE=5/6 bundle exec rake selenium
+  stage: all-tests
+selenium-6:
+  script: SLICE=6/6 bundle exec rake selenium
   stage: all-tests
  
-plugins:
-  script: bundle exec rake test:noosfero_plugins
+# NOOSFERO_BUNDLE_OPTS=install makes migrations fails
+# probably because of rubygems-integration
+plugins-1:
+  script: SLICE=1/5 bundle exec rake test:noosfero_plugins
   stage: all-tests
+plugins-2:
+  script: SLICE=2/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+plugins-3:
+  script: SLICE=3/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+plugins-4:
+  script: SLICE=4/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+plugins-5:
+  script: SLICE=5/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+
@@ -6,15 +6,19 @@ notifications:
     template:
       - "%{repository_slug} %{branch} %{commit} %{commit_subject} - %{result} %{build_url}"
  
-# trusty constainers take more time to start
-#dist: trusty
+# Ensure Container-based environment, as others can have some random failures
+# specially with different Firefox versions and selenium tests.
+# E.g. https://travis-ci.org/noosfero/noosfero/jobs/122918772#L1308
+#
+# Also container-based environments have the fatest boot times and
+# are the only one with cache available for public projects.
+# See https://docs.travis-ci.com/user/ci-environment/#Virtualization-environments
+sudo: false
+cache: bundler
  
 language: ruby
 rvm:
-  - 2.2
-  # ruby 2.3 works but isn't stable on travis
-
-cache: bundler
+  - 2.3.1
  
 addons:
   apt:
@@ -25,11 +29,6 @@ addons:
     paths:
       - $(ls tmp/artifact* | tr "\n" ":")
  
-# workaround for https://github.com/travis-ci/travis-ci/issues/4536
-before_install:
-  - export GEM_HOME=$PWD/vendor/bundle/ruby/2.2.0
-  - gem install bundler
-
 before_script:
   - mkdir -p tmp/{pids,cache} log cache
   - script/noosfero-plugins disableall
@@ -41,21 +40,36 @@ before_script:
   - bundle exec rake db:migrate &>/dev/null
  
 env:
-  - TASK=test:api
-  - TASK=test:units
-  - TASK=test:functionals
-  - TASK=test:integration
-  - SLICE=1/2 TASK=cucumber LANG=en
-  - SLICE=2/2 TASK=cucumber LANG=en
-  - SLICE=1/4 TASK=selenium
-  - SLICE=2/4 TASK=selenium
-  - SLICE=3/4 TASK=selenium
-  - SLICE=4/4 TASK=selenium
-  - SLICE=1/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=2/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=3/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=4/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=5/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
+  global:
+    - LANG=en
+  matrix:
+    - TASK=test:api
+    - TASK=test:units
+    - TASK=test:functionals
+    - TASK=test:integration
+    - SLICE=1/2 TASK=cucumber
+    - SLICE=2/2 TASK=cucumber
+    - SLICE=1/4 TASK=selenium
+    - SLICE=2/4 TASK=selenium
+    - SLICE=3/4 TASK=selenium
+    - SLICE=4/4 TASK=selenium
+    - SLICE=1/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    - SLICE=2/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    - SLICE=3/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    - SLICE=4/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    - SLICE=5/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    # chrome hanging on travis
+    #- SLICE=1/4 TASK=selenium SELENIUM_DRIVER=chrome
+    #- SLICE=2/4 TASK=selenium SELENIUM_DRIVER=chrome
+    #- SLICE=3/4 TASK=selenium SELENIUM_DRIVER=chrome
+    #- SLICE=4/4 TASK=selenium SELENIUM_DRIVER=chrome
+
+matrix:
+  allow_failures:
+    - env: SLICE=1/4 TASK=selenium SELENIUM_DRIVER=chrome
+    - env: SLICE=2/4 TASK=selenium SELENIUM_DRIVER=chrome
+    - env: SLICE=3/4 TASK=selenium SELENIUM_DRIVER=chrome
+    - env: SLICE=4/4 TASK=selenium SELENIUM_DRIVER=chrome
  
 script:
   - bundle exec rake $TASK
@@ -77,6 +77,7 @@ group :cucumber do
   gem 'cucumber-rails',         '~> 1.4.2', :require => false
   gem 'database_cleaner',       '~> 1.3'
   gem 'selenium-webdriver',     '>= 2.50'
+  gem 'chromedriver-helper' if ENV['SELENIUM_DRIVER'] == 'chrome'
 end
  
 # Requires custom dependencies
@@ -19,7 +19,6 @@ Install the RPAF apache module (or skip this step if not using apache):
  
 3a) Edit `/etc/apache2/ports.conf`, and:
  
-  * change `NameVirtualHost *:80` to `NameVirtualHost *:8080`
   * change `Listen 80` to `Listen 127.0.0.1:8080`
  
 3b) Edit `/etc/apache2/sites-enabled/*`, and change `<VirtualHost *:80>` to `<VirtualHost *:8080>`
@@ -30,6 +29,7 @@ Install the RPAF apache module (or skip this step if not using apache):
  
    * change the line that says `START=no` to say `START=yes`
    * change `-a :6081` to `-a :80`
+   * add parameter `-p vcc_allow_inline_c=on` on `DAEMON_OPTS`
  
 4b) Edit `/etc/varnish/default.vcl` and add the following lines at the end:
  
@@ -99,7 +99,7 @@ Description of contents
   Holds controllers that should be named like weblog_controller.rb for automated URL mapping. All controllers should descend from `ActionController::Base`.
  
 * `app/models`
-  Holds models that should be named like post.rb. Most models will descend from `ActiveRecord::Base`.
+  Holds models that should be named like post.rb. Most models will descend from `ApplicationRecord`.
  
 * `app/views`
   Holds the template files for the view that should be named like `weblog/index.rhtml` for the `WeblogController#index` action. All views use eRuby syntax. This directory can also be used to keep stylesheets, images, and so on that can be symlinked to public.
@@ -0,0 +1,89 @@
+require_dependency 'api/helpers'
+
+module Api
+  class App < Grape::API
+    use Rack::JSONP
+
+    logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
+    logger.formatter = GrapeLogging::Formatters::Default.new
+    #use GrapeLogging::Middleware::RequestLogger, { logger: logger }
+
+    rescue_from :all do |e|
+      logger.error e
+      error! e.message, 500
+    end unless Rails.env.test?
+
+    @@NOOSFERO_CONF = nil
+    def self.NOOSFERO_CONF
+      if @@NOOSFERO_CONF
+        @@NOOSFERO_CONF
+      else
+        file = Rails.root.join('config', 'noosfero.yml')
+        @@NOOSFERO_CONF = File.exists?(file) ? YAML.load_file(file)[Rails.env] || {} : {}
+      end
+    end
+
+    before { set_locale  }
+    before { setup_multitenancy }
+    before { detect_stuff_by_domain }
+    before { filter_disabled_plugins_endpoints }
+    before { init_noosfero_plugins }
+    after { set_session_cookie }
+
+    version 'v1'
+    prefix [ENV['RAILS_RELATIVE_URL_ROOT'], "api"].compact.join('/')
+    format :json
+    content_type :txt, "text/plain"
+
+    helpers Helpers
+
+    mount V1::Session
+    mount V1::Articles
+    mount V1::Comments
+    mount V1::Users
+    mount V1::Communities
+    mount V1::People
+    mount V1::Enterprises
+    mount V1::Categories
+    mount V1::Tasks
+    mount V1::Tags
+    mount V1::Environments
+    mount V1::Search
+    mount V1::Contacts
+    mount V1::Boxes
+    mount V1::Blocks
+    mount V1::Profiles
+    mount V1::Activities
+
+    # hook point which allow plugins to add Grape::API extensions to Api::App
+    #finds for plugins which has api mount points classes defined (the class should extends Grape::API)
+    @plugins = Noosfero::Plugin.all.map { |p| p.constantize }
+    @plugins.each do |klass|
+      if klass.public_methods.include? :api_mount_points
+        klass.api_mount_points.each do |mount_class|
+          mount mount_class if mount_class && ( mount_class < Grape::API )
+        end
+      end
+    end
+
+    def self.endpoint_unavailable?(endpoint, environment)
+      api_class = endpoint.options[:app] || endpoint.options[:for]
+      if api_class.present?
+        klass = api_class.name.deconstantize.constantize
+        return klass < Noosfero::Plugin && !environment.plugin_enabled?(klass)
+      end
+    end
+
+    class << self
+      def endpoints_with_plugins(environment = nil)
+        if environment.present?
+          cloned_endpoints = endpoints_without_plugins.dup
+          cloned_endpoints.delete_if { |endpoint| endpoint_unavailable?(endpoint, environment) }
+        else
+          endpoints_without_plugins
+        end
+      end
+      alias_method_chain :endpoints, :plugins
+    end
+  end
+end
@@ -0,0 +1,269 @@
+module Api
+  module Entities
+
+    Entity.format_with :timestamp do |date|
+      date.strftime('%Y/%m/%d %H:%M:%S') if date
+    end
+
+    PERMISSIONS = {
+      :admin => 0,
+      :self  => 10,
+      :private_content => 20,
+      :logged_user => 30,
+      :anonymous => 40
+    }
+
+    def self.can_display_profile_field? profile, options, permission_options={}
+      permissions={:field => "", :permission => :private_content}
+      permissions.merge!(permission_options)
+      field = permissions[:field]
+      permission = permissions[:permission]
+      return true if profile.public? && profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym)
+
+      current_person = options[:current_person]
+
+      current_permission = if current_person.present?
+        if current_person.is_admin?
+          :admin
+        elsif current_person == profile
+          :self
+        elsif profile.display_private_info_to?(current_person)
+          :private_content
+        else
+          :logged_user
+        end
+      else
+        :anonymous
+      end
+      PERMISSIONS[current_permission] <= PERMISSIONS[permission]
+    end
+
+    class Image < Entity
+      root 'images', 'image'
+
+      expose  :url do |image, options|
+        image.public_filename
+      end
+
+      expose  :icon_url do |image, options|
+        image.public_filename(:icon)
+      end
+
+      expose  :minor_url do |image, options|
+        image.public_filename(:minor)
+      end
+
+      expose  :portrait_url do |image, options|
+        image.public_filename(:portrait)
+      end
+
+      expose  :thumb_url do |image, options|
+        image.public_filename(:thumb)
+      end
+    end
+
+    class CategoryBase < Entity
+      root 'categories', 'category'
+      expose :name, :id, :slug
+    end
+
+    class Category < CategoryBase
+      root 'categories', 'category'
+      expose :full_name do |category, options|
+        category.full_name
+      end
+      expose :parent, :using => CategoryBase, if: { parent: true }
+      expose :children, :using => CategoryBase, if: { children: true }
+      expose :image, :using => Image
+      expose :display_color
+    end
+
+    class Region < Category
+      root 'regions', 'region'
+      expose :parent_id
+    end
+
+    class Block < Entity
+      root 'blocks', 'block'
+      expose :id, :type, :settings, :position, :enabled
+      expose :mirror, :mirror_block_id, :title
+      expose :api_content, if: lambda { |object, options| options[:display_api_content] || object.display_api_content_by_default? }
+    end
+
+    class Box < Entity
+      root 'boxes', 'box'
+      expose :id, :position
+      expose :blocks, :using => Block do |box, options|
+        box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+      end
+    end
+
+    class Profile < Entity
+      expose :identifier, :name, :id
+      expose :created_at, :format_with => :timestamp
+      expose :updated_at, :format_with => :timestamp
+      expose :additional_data do |profile, options|
+        hash ={}
+        profile.public_values.each do |value|
+          hash[value.custom_field.name]=value.value
+        end
+
+        private_values = profile.custom_field_values - profile.public_values
+        private_values.each do |value|
+          if Entities.can_display_profile_field?(profile,options)
+            hash[value.custom_field.name]=value.value
+          end
+        end
+        hash
+      end
+      expose :image, :using => Image
+      expose :region, :using => Region
+      expose :type
+      expose :custom_header
+      expose :custom_footer
+    end
+
+    class UserBasic < Entity
+      expose :id
+      expose :login
+    end
+
+    class Person < Profile
+      root 'people', 'person'
+      expose :user, :using => UserBasic, documentation: {type: 'User', desc: 'The user data of a person' }
+      expose :vote_count
+      expose :comments_count do |person, options|
+        person.comments.count
+      end
+      expose :following_articles_count do |person, options|
+        person.following_articles.count
+      end
+      expose :articles_count do |person, options|
+        person.articles.count
+      end
+    end
+
+    class Enterprise < Profile
+      root 'enterprises', 'enterprise'
+    end
+
+    class Community < Profile
+      root 'communities', 'community'
+      expose :description
+      expose :admins, :if => lambda { |community, options| community.display_info_to? options[:current_person]} do |community, options|
+        community.admins.map{|admin| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
+      end
+      expose :categories, :using => Category
+      expose :members, :using => Person , :if => lambda{ |community, options| community.display_info_to? options[:current_person] }
+    end
+
+    class CommentBase < Entity
+      expose :body, :title, :id
+      expose :created_at, :format_with => :timestamp
+      expose :author, :using => Profile
+      expose :reply_of, :using => CommentBase
+    end
+
+    class Comment < CommentBase
+      root 'comments', 'comment'
+      expose :children, as: :replies, :using => Comment
+    end
+
+    class ArticleBase < Entity
+      root 'articles', 'article'
+      expose :id
+      expose :body
+      expose :abstract, documentation: {type: 'String', desc: 'Teaser of the body'}
+      expose :created_at, :format_with => :timestamp
+      expose :updated_at, :format_with => :timestamp
+      expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
+      expose :created_by, :as => :author, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile author that create the article'}
+      expose :profile, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile associated with the article'}
+      expose :categories, :using => Category
+      expose :image, :using => Image
+      expose :votes_for
+      expose :votes_against
+      expose :setting
+      expose :position
+      expose :hits
+      expose :start_date
+      expose :end_date, :documentation => {type: 'DateTime', desc: 'The date of finish of the article'}
+      expose :tag_list
+      expose :children_count
+      expose :slug, :documentation => {:type => "String", :desc => "Trimmed and parsed name of a article"}
+      expose :path
+      expose :followers_count
+      expose :votes_count
+      expose :comments_count
+      expose :archived, :documentation => {:type => "Boolean", :desc => "Defines if a article is readonly"}
+      expose :type
+      expose :comments, using: CommentBase, :if => lambda{|obj,opt| opt[:params] && ['1','true',true].include?(opt[:params][:show_comments])}
+      expose :published
+      expose :accept_comments?, as: :accept_comments
+    end
+
+    class Article < ArticleBase
+      root 'articles', 'article'
+      expose :parent, :using => ArticleBase
+      expose :children, :using => ArticleBase do |article, options|
+        article.children.published.limit(V1::Articles::MAX_PER_PAGE)
+      end
+    end
+
+    class User < Entity
+      root 'users', 'user'
+
+      attrs = [:id,:login,:email,:activated?]
+      aliases = {:activated? => :activated}
+
+      attrs.each do |attribute|
+        name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
+        expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field =>  attribute})}
+      end
+
+      expose :person, :using => Person, :if => lambda{|user,options| user.person.display_info_to? options[:current_person]}
+      expose :permissions, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do |user, options|
+        output = {}
+        user.person.role_assignments.map do |role_assigment|
+          if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
+            output[role_assigment.resource.identifier] = role_assigment.role.permissions
+          end
+        end
+        output
+      end
+    end
+
+    class UserLogin < User
+      root 'users', 'user'
+      expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}, if: lambda {|object, options| object.activated? }
+    end
+
+    class Task < Entity
+      root 'tasks', 'task'
+      expose :id
+      expose :type
+    end
+
+    class Environment < Entity
+      expose :name
+      expose :id
+      expose :description
+      expose :settings, if: lambda { |instance, options| options[:is_admin] }
+    end
+
+    class Tag < Entity
+      root 'tags', 'tag'
+      expose :name
+    end
+
+    class Activity < Entity
+      root 'activities', 'activity'
+      expose :id, :params, :verb, :created_at, :updated_at, :comments_count, :visible
+      expose :user, :using => Profile
+      expose :target do |activity, opts|
+        type_map = {Profile => ::Profile, ArticleBase => ::Article}.find {|h| activity.target.kind_of?(h.last)}
+        type_map.first.represent(activity.target) unless type_map.nil?
+      end
+    end
+  end
+end
@@ -0,0 +1,27 @@
+module Api
+  class Entity < Grape::Entity
+
+    def initialize(object, options = {})
+      object = nil if object.is_a? Exception
+      super object, options
+    end
+
+    def self.represent(objects, options = {})
+      if options[:has_exception]
+        data = super objects, options.merge(is_inner_data: true)
+        if objects.is_a? Exception
+          data.merge ok: false, error: {
+            type: objects.class.name,
+            message: objects.message
+          }
+        else
+          data = data.serializable_hash if data.is_a? Entity
+          data.merge ok: true, error: { type: 'Success', message: '' }
+        end
+      else
+        super objects, options
+      end
+    end
+
+  end
+end
@@ -0,0 +1,421 @@
+require 'base64'
+require 'tempfile'
+
+module Api
+  module Helpers
+    PRIVATE_TOKEN_PARAM = :private_token
+    DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived]
+
+    include SanitizeParams
+    include Noosfero::Plugin::HotSpot
+    include ForgotPasswordHelper
+    include SearchTermHelper
+
+    def set_locale
+      I18n.locale = (params[:lang] || request.env['HTTP_ACCEPT_LANGUAGE'] || 'en')
+    end
+
+    def init_noosfero_plugins
+      plugins
+    end
+
+    def current_user
+      private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
+      @current_user ||= User.find_by private_token: private_token
+      @current_user ||= plugins.dispatch("api_custom_login", request).first
+      @current_user
+    end
+
+    def current_person
+      current_user.person unless current_user.nil?
+    end
+
+    def is_admin?(environment)
+      return false unless current_user
+      return current_person.is_admin?(environment)
+    end
+
+    def logout
+      @current_user = nil
+    end
+
+    def environment
+      @environment
+    end
+
+    def present_partial(model, options)
+      if(params[:fields].present?)
+        begin
+          fields = JSON.parse(params[:fields])
+          if fields.present?
+            options.merge!(fields.symbolize_keys.slice(:only, :except))
+          end
+        rescue
+          fields = params[:fields]
+          fields = fields.split(',') if fields.kind_of?(String)
+          options[:only] = Array.wrap(fields)
+        end
+      end
+      present model, options
+    end
+
+    include FindByContents
+
+    ####################################################################
+    #### SEARCH
+    ####################################################################
+    def multiple_search?(searches=nil)
+      ['index', 'category_index'].include?(params[:action]) || (searches && searches.size > 1)
+    end
+    ####################################################################
+
+    def logger
+      logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
+      logger.formatter = GrapeLogging::Formatters::Default.new
+      logger
+    end
+
+    def limit
+      limit = params[:limit].to_i
+      limit = default_limit if limit <= 0
+      limit
+    end
+
+    def period(from_date, until_date)
+      return nil if from_date.nil? && until_date.nil?
+
+      begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
+      end_period = until_date.nil? ? DateTime.now : until_date
+
+      begin_period..end_period
+    end
+
+    def parse_content_type(content_type)
+      return nil if content_type.blank?
+      content_type.split(',').map do |content_type|
+        content_type.camelcase
+      end
+    end
+
+    def find_article(articles, id)
+      article = articles.find(id)
+      article.display_to?(current_person) ? article : forbidden!
+    end
+
+    def post_article(asset, params)
+      return forbidden! unless current_person.can_post_content?(asset)
+
+      klass_type = params[:content_type] || params[:article].delete(:type) || TinyMceArticle.name
+      return forbidden! unless klass_type.constantize <= Article
+
+      article = klass_type.constantize.new(params[:article])
+      article.last_changed_by = current_person
+      article.created_by= current_person
+      article.profile = asset
+
+      if !article.save
+        render_api_errors!(article.errors.full_messages)
+      end
+      present_partial article, :with => Entities::Article
+    end
+
+    def present_article(asset)
+      article = find_article(asset.articles, params[:id])
+      present_partial article, :with => Entities::Article, :params => params
+    end
+
+    def present_articles_for_asset(asset, method = 'articles')
+      articles = find_articles(asset, method)
+      present_articles(articles)
+    end
+
+    def present_articles(articles)
+      present_partial paginate(articles), :with => Entities::Article, :params => params
+    end
+
+    def find_articles(asset, method = 'articles')
+      articles = select_filtered_collection_of(asset, method, params)
+      if current_person.present?
+        articles = articles.display_filter(current_person, nil)
+      else
+        articles = articles.published
+      end
+      articles
+    end
+
+    def find_task(asset, id)
+      task = asset.tasks.find(id)
+      current_person.has_permission?(task.permission, asset) ? task : forbidden!
+    end
+
+    def post_task(asset, params)
+      klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
+      return forbidden! unless klass_type.constantize <= Task
+
+      task = klass_type.constantize.new(params[:task])
+      task.requestor_id = current_person.id
+      task.target_id = asset.id
+      task.target_type = 'Profile'
+
+      if !task.save
+        render_api_errors!(task.errors.full_messages)
+      end
+      present_partial task, :with => Entities::Task
+    end
+
+    def present_task(asset)
+      task = find_task(asset, params[:id])
+      present_partial task, :with => Entities::Task
+    end
+
+    def present_tasks(asset)
+      tasks = select_filtered_collection_of(asset, 'tasks', params)
+      tasks = tasks.select {|t| current_person.has_permission?(t.permission, asset)}
+      return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
+      present_partial tasks, :with => Entities::Task
+    end
+
+    def make_conditions_with_parameter(params = {})
+      parsed_params = parser_params(params)
+      conditions = {}
+      from_date = DateTime.parse(parsed_params.delete(:from)) if parsed_params[:from]
+      until_date = DateTime.parse(parsed_params.delete(:until)) if parsed_params[:until]
+
+      conditions[:type] = parse_content_type(parsed_params.delete(:content_type)) unless parsed_params[:content_type].nil?
+
+      conditions[:created_at] = period(from_date, until_date) if from_date || until_date
+      conditions.merge!(parsed_params)
+
+      conditions
+    end
+
+    # changing make_order_with_parameters to avoid sql injection
+    def make_order_with_parameters(object, method, params)
+      order = "created_at DESC"
+      unless params[:order].blank?
+        if params[:order].include? '\'' or params[:order].include? '"'
+          order = "created_at DESC"
+        elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
+          order = 'RANDOM()'
+        else
+          field_name, direction = params[:order].split(' ')
+          assoc = object.class.reflect_on_association(method.to_sym)
+          if !field_name.blank? and assoc
+            if assoc.klass.attribute_names.include? field_name
+              if direction.present? and ['ASC','DESC'].include? direction.upcase
+                order = "#{field_name} #{direction.upcase}"
+              end
+            end
+          end
+        end
+      end
+      return order
+    end
+
+    def make_timestamp_with_parameters_and_method(params, method)
+      timestamp = nil
+      if params[:timestamp]
+        datetime = DateTime.parse(params[:timestamp])
+        table_name = method.to_s.singularize.camelize.constantize.table_name
+        timestamp = "#{table_name}.updated_at >= '#{datetime}'"
+      end
+
+      timestamp
+    end
+
+    def by_reference(scope, params)
+      reference_id = params[:reference_id].to_i == 0 ? nil : params[:reference_id].to_i
+      if reference_id.nil?
+        scope
+      else
+        created_at = scope.find(reference_id).created_at
+        scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
+      end
+    end
+
+    def by_categories(scope, params)
+      category_ids = params[:category_ids]
+      if category_ids.nil?
+        scope
+      else
+        scope.joins(:categories).where(:categories => {:id => category_ids})
+      end
+    end
+
+    def select_filtered_collection_of(object, method, params)
+      conditions = make_conditions_with_parameter(params)
+      order = make_order_with_parameters(object,method,params)
+      timestamp = make_timestamp_with_parameters_and_method(params, method)
+
+      objects = object.send(method)
+      objects = by_reference(objects, params)
+      objects = by_categories(objects, params)
+
+      objects = objects.where(conditions).where(timestamp).reorder(order)
+
+      params[:page] ||= 1
+      params[:per_page] ||= limit
+      paginate(objects)
+    end
+
+    def authenticate!
+      unauthorized! unless current_user
+    end
+
+    def profiles_for_person(profiles, person)
+      if person
+        profiles.listed_for_person(person)
+      else
+        profiles.visible
+      end
+    end
+
+    # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
+    # or a Bad Request error is invoked.
+    #
+    # Parameters:
+    #   keys (unique) - A hash consisting of keys that must be unique
+    def unique_attributes!(obj, keys)
+      keys.each do |key|
+        cant_be_saved_request!(key) if obj.find_by(key.to_s => params[key])
+      end
+    end
+
+    def attributes_for_keys(keys)
+      attrs = {}
+      keys.each do |key|
+        attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
+      end
+      attrs
+    end
+
+    ##########################################
+    #              error helpers             #
+    ##########################################
+
+    def not_found!
+      render_api_error!('404 Not found', 404)
+    end
+
+    def forbidden!
+      render_api_error!('403 Forbidden', 403)
+    end
+
+    def cant_be_saved_request!(attribute)
+      message = _("(Invalid request) %s can't be saved") % attribute
+      render_api_error!(message, 400)
+    end
+
+    def bad_request!(attribute)
+      message = _("(Invalid request) %s not given") % attribute
+      render_api_error!(message, 400)
+    end
+
+    def something_wrong!
+      message = _("Something wrong happened")
+      render_api_error!(message, 400)
+    end
+
+    def unauthorized!
+      render_api_error!(_('Unauthorized'), 401)
+    end
+
+    def not_allowed!
+      render_api_error!(_('Method Not Allowed'), 405)
+    end
+
+    # javascript_console_message is supposed to be executed as console.log()
+    def render_api_error!(user_message, status, log_message = nil, javascript_console_message = nil)
+      message_hash = {'message' => user_message, :code => status}
+      message_hash[:javascript_console_message] = javascript_console_message if javascript_console_message.present?
+      log_msg = "#{status}, User message: #{user_message}"
+      log_msg = "#{log_message}, #{log_msg}" if log_message.present?
+      log_msg = "#{log_msg}, Javascript Console Message: #{javascript_console_message}" if javascript_console_message.present?
+      logger.error log_msg unless Rails.env.test?
+      error!(message_hash, status)
+    end
+
+    def render_api_errors!(messages)
+      messages = messages.to_a if messages.class == ActiveModel::Errors
+      render_api_error!(messages.join(','), 400)
+    end
+
+    protected
+
+    def set_session_cookie
+      cookies['_noosfero_api_session'] = { value: @current_user.private_token, httponly: true } if @current_user.present?
+    end
+
+    def setup_multitenancy
+      Noosfero::MultiTenancy.setup!(request.host)
+    end
+
+    def detect_stuff_by_domain
+      @domain = Domain.by_name(request.host)
+      if @domain.nil?
+        @environment = Environment.default
+        if @environment.nil? && Rails.env.development?
+          # This should only happen in development ...
+          @environment = Environment.create!(:name => "Noosfero", :is_default => true)
+        end
+      else
+        @environment = @domain.environment
+      end
+    end
+
+    def filter_disabled_plugins_endpoints
+      not_found! if Api::App.endpoint_unavailable?(self, @environment)
+    end
+
+    def asset_with_image params
+      if params.has_key? :image_builder
+        asset_api_params = params
+        asset_api_params[:image_builder] = base64_to_uploadedfile(asset_api_params[:image_builder])
+        return asset_api_params
+      end
+        params
+    end
+
+    def base64_to_uploadedfile(base64_image)
+      tempfile = base64_to_tempfile base64_image
+      converted_image = base64_image
+      converted_image[:tempfile] = tempfile
+      return {uploaded_data: ActionDispatch::Http::UploadedFile.new(converted_image)}
+    end
+
+    def base64_to_tempfile base64_image
+      base64_img_str = base64_image[:tempfile]
+      decoded_base64_str = Base64.decode64(base64_img_str)
+      tempfile = Tempfile.new(base64_image[:filename])
+      tempfile.write(decoded_base64_str.encode("ascii-8bit").force_encoding("utf-8"))
+      tempfile.rewind
+      tempfile
+    end
+    private
+
+    def parser_params(params)
+      parsed_params = {}
+      params.map do |k,v|
+        parsed_params[k.to_sym] = v if DEFAULT_ALLOWED_PARAMETERS.include?(k.to_sym)
+      end
+      parsed_params
+    end
+
+    def default_limit
+      20
+    end
+
+    def parse_content_type(content_type)
+      return nil if content_type.blank?
+      content_type.split(',').map do |content_type|
+        content_type.camelcase
+      end
+    end
+
+    def period(from_date, until_date)
+      begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
+      end_period = until_date.nil? ? DateTime.now : until_date
+      begin_period..end_period
+    end
+  end
+end
@@ -0,0 +1,20 @@
+module Api
+  module V1
+    class Activities < Grape::API
+      before { authenticate! }
+
+      resource :profiles do
+
+        get ':id/activities' do
+          profile = Profile.find_by id: params[:id]
+
+          not_found! if profile.blank? || profile.secret || !profile.visible
+          forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
+
+          activities = profile.activities.map(&:activity)
+          present activities, :with => Entities::Activity, :current_person => current_person
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,303 @@
+module Api
+  module V1
+    class Articles < Grape::API
+
+      ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+
+      MAX_PER_PAGE = 50
+
+      resource :articles do
+
+        paginate max_per_page: MAX_PER_PAGE
+        # Collect articles
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest articles. If nothing is passed the newest articles are collected
+        #   limit            - amount of articles returned. The default value is 20
+        #
+        # Example Request:
+        #  GET host/api/v1/articles?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
+
+        desc 'Return all articles of all kinds' do
+          detail 'Get all articles filtered by fields in query params'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[403, 'Forbidden']]
+          named 'ArticlesList'
+          headers [
+            'Per-Page' => {
+                  description: 'Total number of records',
+                  required: false
+              }
+            ]
+        end
+        get do
+          present_articles_for_asset(environment)
+        end
+
+        desc "Return one article by id" do
+          detail 'Get only one article by id. If not found the "forbidden" http error is showed'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[403, 'Forbidden']]
+          named 'ArticleById'
+        end
+        get ':id', requirements: {id: /[0-9]+/} do
+          present_article(environment)
+        end
+
+        post ':id' do
+          article = environment.articles.find(params[:id])
+          return forbidden! unless article.allow_edit?(current_person)
+          article.update_attributes!(asset_with_image(params[:article]))
+          present_partial article, :with => Entities::Article
+        end
+
+        desc 'Report a abuse and/or violent content in a article by id' do
+          detail 'Submit a abuse (in general, a content violation) report about a specific article'
+          params Entities::Article.documentation
+          failure [[400, 'Bad Request']]
+          named 'ArticleReportAbuse'
+        end
+        post ':id/report_abuse' do
+          article = find_article(environment.articles, params[:id])
+          profile = article.profile
+          begin
+            abuse_report = AbuseReport.new(:reason => params[:report_abuse])
+            if !params[:content_type].blank?
+              article = params[:content_type].constantize.find(params[:content_id])
+              abuse_report.content = article_reported_version(article)
+            end
+
+            current_person.register_report(abuse_report, profile)
+
+            if !params[:content_type].blank?
+              abuse_report = AbuseReport.find_by reporter_id: current_person.id, abuse_complaint_id: profile.opened_abuse_complaint.id
+              Delayed::Job.enqueue DownloadReportedImagesJob.new(abuse_report, article)
+            end
+
+            {
+              :success => true,
+              :message => _('Your abuse report was registered. The administrators are reviewing your report.'),
+            }
+          rescue Exception => exception
+            #logger.error(exception.to_s)
+            render_api_error!(_('Your report couldn\'t be saved due to some problem. Please contact the administrator.'), 400)
+          end
+
+        end
+
+        desc "Returns the articles I voted" do
+          detail 'Get the Articles I make a vote'
+          failure [[403, 'Forbidden']]
+          named 'ArticleFollowers'
+        end
+         #FIXME refactor this method
+        get 'voted_by_me' do
+          present_articles(current_person.votes.where(:voteable_type => 'Article').collect(&:voteable))
+        end
+
+        desc 'Perform a vote on a article by id' do
+          detail 'Vote on a specific article with values: 1 (if you like) or -1 (if not)'
+          params Entities::UserLogin.documentation
+          failure [[401,'Unauthorized']]
+          named 'ArticleVote'
+        end
+        post ':id/vote' do
+          authenticate!
+          value = (params[:value] || 1).to_i
+          # FIXME verify allowed values
+          render_api_error!('Vote value not allowed', 400) unless [-1, 1].include?(value)
+          article = find_article(environment.articles, params[:id])
+          begin
+            vote = Vote.new(:voteable => article, :voter => current_person, :vote => value)
+            {:vote => vote.save!}
+          rescue ActiveRecord::RecordInvalid => e
+            render_api_error!(e.message, 400)
+          end
+        end
+
+        desc "Returns the total followers for the article" do
+          detail 'Get the followers of a specific article by id'
+          failure [[403, 'Forbidden']]
+          named 'ArticleFollowers'
+        end
+        get ':id/followers' do
+          article = find_article(environment.articles, params[:id])
+          total = article.person_followers.count
+          {:total_followers => total}
+        end
+
+        desc "Return the articles followed by me"
+        get 'followed_by_me' do
+          present_articles_for_asset(current_person, 'following_articles')
+        end
+
+        desc "Add a follower for the article" do
+          detail 'Add the current user identified by private token, like a follower of a article'
+          params Entities::UserLogin.documentation
+          failure [[401, 'Unauthorized']]
+          named 'ArticleFollow'
+        end
+        post ':id/follow' do
+          authenticate!
+          article = find_article(environment.articles, params[:id])
+          if article.article_followers.exists?(:person_id => current_person.id)
+            {:success => false, :already_follow => true}
+          else
+            article_follower = ArticleFollower.new
+            article_follower.article = article
+            article_follower.person = current_person
+            article_follower.save!
+            {:success => true}
+          end
+        end
+
+        desc 'Return the children of a article identified by id' do
+          detail 'Get all children articles of a specific article'
+          params Entities::Article.documentation
+          failure [[403, 'Forbidden']]
+          named 'ArticleChildren'
+        end
+
+        paginate per_page: MAX_PER_PAGE, max_per_page: MAX_PER_PAGE
+        get ':id/children' do
+          article = find_article(environment.articles, params[:id])
+
+          #TODO make tests for this situation
+          votes_order = params.delete(:order) if params[:order]=='votes_score'
+          articles = select_filtered_collection_of(article, 'children', params)
+          articles = articles.display_filter(current_person, article.profile)
+
+          #TODO make tests for this situation
+          if votes_order
+            articles = articles.joins('left join votes on articles.id=votes.voteable_id').group('articles.id').reorder('sum(coalesce(votes.vote, 0)) DESC')
+          end
+          Article.hit(articles)
+          present_articles(articles)
+        end
+
+        desc 'Return one child of a article identified by id' do
+          detail 'Get a child of a specific article'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[403, 'Forbidden']]
+          named 'ArticleChild'
+        end
+        get ':id/children/:child_id' do
+          article = find_article(environment.articles, params[:id])
+          child = find_article(article.children, params[:child_id])
+          child.hit
+          present_partial child, :with => Entities::Article
+        end
+
+        desc 'Suggest a article to another profile' do
+          detail 'Suggest a article to another profile (person, community...)'
+          params Entities::Article.documentation
+          success Entities::Task
+          failure [[401,'Unauthorized']]
+          named 'ArticleSuggest'
+        end
+        post ':id/children/suggest' do
+          authenticate!
+          parent_article = environment.articles.find(params[:id])
+
+          suggest_article = SuggestArticle.new
+          suggest_article.article = params[:article]
+          suggest_article.article[:parent_id] = parent_article.id
+          suggest_article.target = parent_article.profile
+          suggest_article.requestor = current_person
+
+          unless suggest_article.save
+            render_api_errors!(suggest_article.article_object.errors.full_messages)
+          end
+          present_partial suggest_article, :with => Entities::Task
+        end
+
+        # Example Request:
+        #  POST api/v1/articles/:id/children?private_token=234298743290432&article[name]=title&article[body]=body
+        desc 'Add a child article to a parent identified by id' do
+          detail 'Create a new article and associate to a parent'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[401,'Unauthorized']]
+          named 'ArticleAddChild'
+        end
+        post ':id/children' do
+          parent_article = environment.articles.find(params[:id])
+          params[:article][:parent_id] = parent_article.id
+          post_article(parent_article.profile, params)
+        end
+      end
+
+      resource :profiles do
+        get ':id/home_page' do
+          profiles = environment.profiles
+          profiles = profiles.visible_for_person(current_person)
+          profile = profiles.find_by id: params[:id]
+          present_partial profile.home_page, :with => Entities::Article
+        end
+      end
+
+      kinds = %w[profile community person enterprise]
+      kinds.each do |kind|
+        resource kind.pluralize.to_sym do
+          segment "/:#{kind}_id" do
+            resource :articles do
+
+              desc "Return all articles associate with a profile of type #{kind}" do
+                detail 'Get a list of articles of a profile'
+                params Entities::Article.documentation
+                success Entities::Article
+                failure [[403, 'Forbidden']]
+                named 'ArticlesOfProfile'
+              end
+              get do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+
+                if params[:path].present?
+                  article = profile.articles.find_by path: params[:path]
+                  if !article || !article.display_to?(current_person)
+                    article = forbidden!
+                  end
+
+                  present_partial article, :with => Entities::Article
+                else
+
+                  present_articles_for_asset(profile)
+                end
+              end
+
+              desc "Return a article associate with a profile of type #{kind}" do
+                detail 'Get only one article of a profile'
+                params Entities::Article.documentation
+                success Entities::Article
+                failure [[403, 'Forbidden']]
+                named 'ArticleOfProfile'
+              end
+              get ':id' do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                present_article(profile)
+              end
+
+              # Example Request:
+              #  POST api/v1/{people,communities,enterprises}/:asset_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
+              desc "Add a new article associated with a profile of type #{kind}" do
+                detail 'Create a new article and associate with a profile'
+                params Entities::Article.documentation
+                success Entities::Article
+                failure [[403, 'Forbidden']]
+                named 'ArticleCreateToProfile'
+              end
+              post do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                post_article(profile, params)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,15 @@
+module Api
+  module V1
+
+    class Blocks < Grape::API
+      resource :blocks do
+        get ':id' do
+          block = Block.find(params["id"])
+          return forbidden! unless block.visible_to_user?(current_person)
+          present block, :with => Entities::Block, display_api_content: true
+        end
+      end
+    end
+
+  end
+end
@@ -0,0 +1,45 @@
+module Api
+  module V1
+
+    class Boxes < Grape::API
+
+      kinds = %w[profile community person enterprise]
+      kinds.each do |kind|
+
+        resource kind.pluralize.to_sym do
+
+          segment "/:#{kind}_id" do
+            resource :boxes do
+              get do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                return forbidden! unless profile.display_info_to?(current_person)
+                present profile.boxes, :with => Entities::Box
+              end
+            end
+          end
+        end
+
+      end
+
+      resource :environments do
+        [ '/default', '/context', ':environment_id' ].each do |route|
+          segment route do
+            resource :boxes do
+              get do
+                if (route.match(/default/))
+                  env = Environment.default
+                elsif (route.match(/context/))
+                  env = environment
+                else
+                  env = Environment.find(params[:environment_id])
+                end
+                present env.boxes, :with => Entities::Box
+              end
+            end
+          end
+        end
+      end
+    end
+
+  end
+end
@@ -0,0 +1,25 @@
+module Api
+  module V1
+    class Categories < Grape::API
+
+      resource :categories do
+
+        get do
+          type = params[:category_type]
+          include_parent = params[:include_parent] == 'true'
+          include_children = params[:include_children] == 'true'
+
+          categories = type.nil? ?  environment.categories : environment.categories.where(:type => type)
+          present categories, :with => Entities::Category, parent: include_parent, children: include_children
+        end
+
+        desc "Return the category by id"
+        get ':id' do
+          present environment.categories.find(params[:id]), :with => Entities::Category, parent: true, children: true
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,49 @@
+module Api
+  module V1
+    class Comments < Grape::API
+      MAX_PER_PAGE = 20
+
+
+      resource :articles do
+        paginate max_per_page: MAX_PER_PAGE
+        # Collect comments from articles
+        #
+        # Parameters:
+        #   reference_id     - comment id used as reference to collect comment
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #
+        # Example Request:
+        #  GET /articles/12/comments?oldest&limit=10&reference_id=23
+        get ":id/comments" do
+          article = find_article(environment.articles, params[:id])
+          comments = select_filtered_collection_of(article, :comments, params)
+          comments = comments.without_spam
+          comments = comments.without_reply if(params[:without_reply].present?)
+          comments = plugins.filter(:unavailable_comments, comments)
+          present paginate(comments), :with => Entities::Comment, :current_person => current_person
+        end
+
+        get ":id/comments/:comment_id" do
+          article = find_article(environment.articles, params[:id])
+          present article.comments.find(params[:comment_id]), :with => Entities::Comment, :current_person => current_person
+        end
+
+        # Example Request:
+        #  POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
+        post ":id/comments" do
+          authenticate!
+          article = find_article(environment.articles, params[:id])
+          options = params.select { |key,v| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
+          begin
+            comment = Comment.create!(options)
+          rescue ActiveRecord::RecordInvalid => e
+            render_api_error!(e.message, 400)
+          end
+          present comment, :with => Entities::Comment, :current_person => current_person
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,82 @@
+module Api
+  module V1
+    class Communities < Grape::API
+
+      resource :communities do
+
+        # Collect comments from articles
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #
+        # Example Request:
+        #  GET /communities?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+        #  GET /communities?reference_id=10&limit=10&oldest
+        get do
+          communities = select_filtered_collection_of(environment, 'communities', params)
+          communities = profiles_for_person(communities, current_person)
+          communities = communities.by_location(params) # Must be the last. May return Exception obj
+          present communities, :with => Entities::Community, :current_person => current_person
+        end
+
+
+        # Example Request:
+        #  POST api/v1/communties?private_token=234298743290432&community[name]=some_name
+        #  for each custom field for community, add &community[field_name]=field_value to the request
+        post do
+          authenticate!
+          params[:community] ||= {}
+
+          params[:community][:custom_values]={}
+          params[:community].keys.each do |key|
+            params[:community][:custom_values][key]=params[:community].delete(key) if Community.custom_fields(environment).any?{|cf| cf.name==key}
+          end
+
+          begin
+            community = Community.create_after_moderation(current_person, params[:community].merge({:environment => environment}))
+          rescue
+            community = Community.new(params[:community])
+          end
+
+          if !community.save
+            render_api_errors!(community.errors.full_messages)
+          end
+
+          present community, :with => Entities::Community, :current_person => current_person
+        end
+
+        get ':id' do
+          community = profiles_for_person(environment.communities, current_person).find_by_id(params[:id])
+          present community, :with => Entities::Community, :current_person => current_person
+        end
+
+      end
+
+      resource :people do
+
+        segment '/:person_id' do
+
+          resource :communities do
+
+            get do
+              person = environment.people.find(params[:person_id])
+
+              not_found! if person.blank?
+              forbidden! if !person.display_info_to?(current_person)
+
+              communities = select_filtered_collection_of(person, 'communities', params)
+              communities = communities.visible
+              present communities, :with => Entities::Community, :current_person => current_person
+            end
+
+          end
+
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,26 @@
+module Api
+  module V1
+    class Contacts < Grape::API
+
+      resource :communities do
+
+        resource ':id/contact' do
+          #contact => {:name => 'some name', :email => 'test@mail.com', :subject => 'some title', :message => 'some message'}
+          desc "Send a contact message"
+          post do
+            profile = environment.communities.find(params[:id])
+            forbidden! unless profile.present?
+            contact = Contact.new params[:contact].merge(dest: profile)
+            if contact.deliver
+              {:success => true}
+            else
+              {:success => false}
+            end
+          end
+
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,55 @@
+module Api
+  module V1
+    class Enterprises < Grape::API
+
+      resource :enterprises do
+
+        # Collect enterprises from environment
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #   georef params    - read `Profile.by_location` for more information.
+        #
+        # Example Request:
+        #  GET /enterprises?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+        #  GET /enterprises?reference_id=10&limit=10&oldest
+        get do
+          enterprises = select_filtered_collection_of(environment, 'enterprises', params)
+          enterprises = enterprises.visible
+          enterprises = enterprises.by_location(params) # Must be the last. May return Exception obj.
+          present enterprises, :with => Entities::Enterprise, :current_person => current_person
+        end
+
+        desc "Return one enterprise by id"
+        get ':id' do
+          enterprise = environment.enterprises.visible.find_by(id: params[:id])
+          present enterprise, :with => Entities::Enterprise, :current_person => current_person
+        end
+
+      end
+
+      resource :people do
+
+        segment '/:person_id' do
+
+          resource :enterprises do
+
+            get do
+              person = environment.people.find(params[:person_id])
+              enterprises = select_filtered_collection_of(person, 'enterprises', params)
+              enterprises = enterprises.visible.by_location(params)
+              present enterprises, :with => Entities::Enterprise, :current_person => current_person
+            end
+
+          end
+
+        end
+
+      end
+
+
+    end
+  end
+end
@@ -0,0 +1,28 @@
+module Api
+  module V1
+    class Environments < Grape::API
+
+      resource :environment do
+
+        desc "Return the person information"
+        get '/signup_person_fields' do
+          present environment.signup_person_fields
+        end
+
+        get ':id' do
+          local_environment = nil
+          if (params[:id] == "default")
+            local_environment = Environment.default
+          elsif (params[:id] == "context")
+            local_environment = environment
+          else
+            local_environment = Environment.find(params[:id])
+          end
+          present_partial local_environment, :with => Entities::Environment, :is_admin => is_admin?(local_environment)
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,127 @@
+module Api
+  module V1
+    class People < Grape::API
+
+      MAX_PER_PAGE = 50
+
+      desc 'API Root'
+
+      resource :people do
+        paginate max_per_page: MAX_PER_PAGE
+
+        # -- A note about privacy --
+        # We wold find people by location, but we must test if the related
+        # fields are public. We can't do it now, with SQL, while the location
+        # data and the fields_privacy are a serialized settings.
+        # We must build a new table for profile data, where we can set meta-data
+        # like:
+        # | id | profile_id | key  | value    | privacy_level | source    |
+        # |  1 |         99 | city | Salvador | friends       | user      |
+        # |  2 |         99 | lng  |  -38.521 | me only       | automatic |
+
+        # Collect people from environment
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #
+        # Example Request:
+        #  GET /people?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+        #  GET /people?reference_id=10&limit=10&oldest
+
+        desc "Find environment's people"
+        get do
+          people = select_filtered_collection_of(environment, 'people', params)
+          people = people.visible
+          present_partial people, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Return the logged user information"
+        get "/me" do
+          authenticate!
+          present_partial current_person, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Return the person information"
+        get ':id' do
+          person = environment.people.visible.find_by(id: params[:id])
+          return not_found! if person.blank?
+          present person, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Update person information"
+        post ':id' do
+          authenticate!
+          return forbidden! if current_person.id.to_s != params[:id]
+          current_person.update_attributes!(asset_with_image(params[:person]))
+          present current_person, :with => Entities::Person, :current_person => current_person
+        end
+
+        #  POST api/v1/people?person[login]=some_login&person[password]=some_password&person[name]=Jack
+        #  for each custom field for person, add &person[field_name]=field_value to the request
+        desc "Create person"
+        post do
+          authenticate!
+          user_data = {}
+          user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
+          user_data[:email] = params[:person].delete(:email)
+          user_data[:password] = params[:person].delete(:password)
+          user_data[:password_confirmation] = params[:person].delete(:password_confirmation)
+
+          params[:person][:custom_values]={}
+          params[:person].keys.each do |key|
+            params[:person][:custom_values][key]=params[:person].delete(key) if Person.custom_fields(environment).any?{|cf| cf.name==key}
+          end
+
+          user = User.build(user_data, asset_with_image(params[:person]), environment)
+
+          begin
+            user.signup!
+          rescue ActiveRecord::RecordInvalid
+            render_api_errors!(user.errors.full_messages)
+          end
+
+          present user.person, :with => Entities::Person, :current_person => user.person
+        end
+
+        desc "Return the person friends"
+        get ':id/friends' do
+          person = environment.people.visible.find_by(id: params[:id])
+          return not_found! if person.blank?
+          friends = person.friends.visible
+          present friends, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Return the person permissions on other profiles"
+        get ":id/permissions" do
+          authenticate!
+          person = environment.people.find(params[:id])
+          return not_found! if person.blank?
+          return forbidden! unless current_person == person || environment.admins.include?(current_person)
+
+          output = {}
+          person.role_assignments.map do |role_assigment|
+            if role_assigment.resource.respond_to?(:identifier)
+              output[role_assigment.resource.identifier] = role_assigment.role.permissions
+            end
+          end
+          present output
+        end
+      end
+
+      resource :profiles do
+        segment '/:profile_id' do
+          resource :members do
+            paginate max_per_page: MAX_PER_PAGE
+            get do
+              profile = environment.profiles.find_by id: params[:profile_id]
+              members = select_filtered_collection_of(profile, 'members', params)
+              present members, :with => Entities::Person, :current_person => current_person
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,42 @@
+module Api
+  module V1
+    class Profiles < Grape::API
+
+      resource :profiles do
+
+        get do
+          profiles = select_filtered_collection_of(environment, 'profiles', params)
+          profiles = profiles.visible
+          profiles = profiles.by_location(params) # Must be the last. May return Exception obj.
+          present profiles, :with => Entities::Profile, :current_person => current_person
+        end
+
+        get ':id' do
+          profiles = environment.profiles
+          profiles = profiles.visible
+          profile = profiles.find_by id: params[:id]
+
+          if profile
+            present profile, :with => Entities::Profile, :current_person => current_person
+          else
+            not_found!
+          end
+        end
+
+        delete ':id' do
+          authenticate!
+          profiles = environment.profiles
+          profile = profiles.find_by id: params[:id]
+
+          not_found! if profile.blank?
+
+          if current_person.has_permission?(:destroy_profile, profile)
+            profile.destroy
+          else
+            forbidden!
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,37 @@
+module Api
+  module V1
+    class Search < Grape::API
+
+      resource :search do
+        resource :article do
+          paginate max_per_page: 200
+          get do
+            # Security checks
+            sanitize_params_hash(params)
+            # Api::Helpers
+            asset = :articles
+            context = environment
+
+            profile = environment.profiles.find(params[:profile_id]) if params[:profile_id]
+            scope = profile.nil? ? environment.articles.is_public : profile.articles.is_public
+            scope = scope.where(:type => params[:type]) if params[:type] && !(params[:type] == 'Article')
+            scope = scope.where(make_conditions_with_parameter(params))
+            scope = scope.joins(:categories).where(:categories => {:id => params[:category_ids]}) if params[:category_ids].present?
+            scope = scope.where('articles.children_count > 0') if params[:has_children].present?
+            query = params[:query] || ""
+            order = "more_recent"
+
+            options = {:filter => order, :template_id => params[:template_id]}
+
+            search_result = find_by_contents(asset, context, scope, query, {:page => 1}, options)
+
+            articles = search_result[:results]
+
+            present_articles(articles)
+          end
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,157 @@
+require "uri"
+
+module Api
+  module V1
+    class Session < Grape::API
+
+      # Login to get token
+      #
+      # Parameters:
+      #   login (*required) - user login or email
+      #   password (required) - user password
+      #
+      # Example Request:
+      #  POST http://localhost:3000/api/v1/login?login=adminuser&password=admin
+      post "/login" do
+        begin
+          user ||= User.authenticate(params[:login], params[:password], environment)
+        rescue User::UserNotActivated => e
+          render_api_error!(e.message, 401)
+        end
+
+        return unauthorized! unless user
+        @current_user = user
+        present user, :with => Entities::UserLogin, :current_person => current_person
+      end
+
+      post "/login_from_cookie" do
+        return unauthorized! if cookies[:auth_token].blank?
+        user = User.where(remember_token: cookies[:auth_token]).first
+        return unauthorized! unless user && user.activated?
+        @current_user = user
+        present user, :with => Entities::UserLogin, :current_person => current_person
+      end
+
+      # Create user.
+      #
+      # Parameters:
+      #   email (required)                  - Email
+      #   password (required)               - Password
+      #   login                             - login
+      # Example Request:
+      #   POST /register?email=some@mail.com&password=pas&password_confirmation=pas&login=some
+      params do
+        requires :email, type: String, desc: _("Email")
+        requires :login, type: String, desc: _("Login")
+        requires :password, type: String, desc: _("Password")
+      end
+
+      post "/register" do
+        attrs = attributes_for_keys [:email, :login, :password, :password_confirmation] + environment.signup_person_fields
+        name = params[:name].present? ? params[:name] : attrs[:email]
+        attrs[:password_confirmation] = attrs[:password] if !attrs.has_key?(:password_confirmation)
+        user = User.new(attrs.merge(:name => name))
+
+        begin
+          user.signup!
+          user.generate_private_token! if user.activated?
+          present user, :with => Entities::UserLogin, :current_person => user.person
+        rescue ActiveRecord::RecordInvalid
+          message = user.errors.as_json.merge((user.person.present? ? user.person.errors : {}).as_json).to_json
+          render_api_error!(message, 400)
+        end
+      end
+
+      params do
+        requires :activation_code, type: String, desc: _("Activation token")
+      end
+
+      # Activate a user.
+      #
+      # Parameter:
+      #   activation_code (required)                  - Activation token
+      # Example Request:
+      #   PATCH /activate?activation_code=28259abd12cc6a64ef9399cf3286cb998b96aeaf
+      patch "/activate" do
+        user = User.find_by activation_code: params[:activation_code]
+        if user
+          unless user.environment.enabled?('admin_must_approve_new_users')
+            if user.activate
+                user.generate_private_token!
+                present user, :with => Entities::UserLogin, :current_person => current_person
+            end
+          else
+            if user.create_moderate_task
+              user.activation_code = nil
+              user.save!
+
+              # Waiting for admin moderate user registration
+              status 202
+              body({
+                :message => 'Waiting for admin moderate user registration'
+              })
+            end
+          end
+        else
+          # Token not found in database
+          render_api_error!(_('Token is invalid'), 412)
+        end
+      end
+
+      # Request a new password.
+      #
+      # Parameters:
+      #   value (required)                  - Email or login
+      # Example Request:
+      #   POST /forgot_password?value=some@mail.com
+      post "/forgot_password" do
+        requestors = fetch_requestors(params[:value])
+        not_found! if requestors.blank?
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        requestors.each do |requestor|
+          ChangePassword.create!(:requestor => requestor)
+        end
+      end
+
+      # Resend activation code.
+      #
+      # Parameters:
+      #   value (required)                  - Email or login
+      # Example Request:
+      #   POST /resend_activation_code?value=some@mail.com
+      post "/resend_activation_code" do
+        requestors = fetch_requestors(params[:value])
+        not_found! if requestors.blank?
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        requestors.each do |requestor|
+          requestor.user.resend_activation_code
+        end
+        present requestors.map(&:user), :with => Entities::UserLogin
+      end
+
+      params do
+        requires :code, type: String, desc: _("Forgot password code")
+      end
+      # Change password
+      #
+      # Parameters:
+      #   code (required)                  - Change password code
+      #   password (required)
+      #   password_confirmation (required)
+      # Example Request:
+      #   PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
+      patch "/new_password" do
+        change_password = ChangePassword.find_by code: params[:code]
+        not_found! if change_password.nil?
+
+        if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
+          change_password.finish
+          present change_password.requestor.user, :with => Entities::UserLogin, :current_person => current_person
+        else
+          something_wrong!
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,30 @@
+module Api
+  module V1
+    class Tags < Grape::API
+      resource :articles do
+        resource ':id/tags' do
+          get do
+            article = find_article(environment.articles, params[:id])
+            present article.tag_list
+          end
+
+          desc "Add a tag to an article"
+          post do
+            authenticate!
+            article = find_article(environment.articles, params[:id])
+            article.tag_list=params[:tags]
+            article.save
+            present article.tag_list
+          end
+        end
+      end
+
+      resource :environment do
+        desc 'Return the tag counts for this environment'
+        get '/tags' do
+          present environment.tag_counts
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,57 @@
+module Api
+  module V1
+    class Tasks < Grape::API
+#      before { authenticate! }
+
+#      ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+
+      resource :tasks do
+
+        # Collect tasks
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest articles. If nothing is passed the newest articles are collected
+        #   limit            - amount of articles returned. The default value is 20
+        #
+        # Example Request:
+        #  GET host/api/v1/tasks?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
+        get do
+          tasks = select_filtered_collection_of(environment, 'tasks', params)
+          tasks = tasks.select {|t| current_person.has_permission?(t.permission, environment)}
+          present_partial tasks, :with => Entities::Task
+        end
+
+        desc "Return the task id"
+        get ':id' do
+          task = find_task(environment, params[:id])
+          present_partial task, :with => Entities::Task
+        end
+      end
+
+      kinds = %w[community person enterprise]
+      kinds.each do |kind|
+        resource kind.pluralize.to_sym do
+          segment "/:#{kind}_id" do
+            resource :tasks do
+              get do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                present_tasks(profile)
+              end
+
+              get ':id' do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                present_task(profile)
+              end
+
+              post do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                post_task(profile, params)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,43 @@
+module Api
+  module V1
+    class Users < Grape::API
+
+      resource :users do
+
+        get do
+          users = select_filtered_collection_of(environment, 'users', params)
+          users = users.select{|u| u.person.display_info_to? current_person}
+          present users, :with => Entities::User, :current_person => current_person
+        end
+
+        get "/me" do
+          authenticate!
+          present current_user, :with => Entities::User, :current_person => current_person
+        end
+
+        get ":id" do
+          user = environment.users.find_by id: params[:id]
+          if user
+            present user, :with => Entities::User, :current_person => current_person
+          else
+            not_found!
+          end
+        end
+
+        get ":id/permissions" do
+          authenticate!
+          user = environment.users.find(params[:id])
+          output = {}
+          user.person.role_assignments.map do |role_assigment|
+            if role_assigment.resource.respond_to?(:identifier) && role_assigment.resource.identifier == params[:profile]
+              output[:permissions] = role_assigment.role.permissions
+            end
+          end
+          present output
+        end
+
+      end
+
+    end
+  end
+end
@@ -7,7 +7,6 @@ class CategoriesController &lt; AdminController
   def index
     @categories = environment.categories.where("parent_id is null AND type is null")
     @regions = environment.regions.where(:parent_id => nil)
-    @product_categories = environment.product_categories.where(:parent_id => nil)
   end
  
   def get_children
 class EditTemplateController < AdminController
-  
+
   protect 'edit_environment_design', :environment
-  
+
   #FIXME
   #design_editor :holder => 'environment', :autosave => true, :block_types => :block_types
  
@@ -9,7 +9,6 @@ class EditTemplateController &lt; AdminController
     %w[
        FavoriteLinks
        ListBlock
-       SellersSearchBlock
      ]
   end
  
 class EnvironmentDesignController < BoxOrganizerController
-  
+
   protect 'edit_environment_design', :environment
  
   def available_blocks
-    @available_blocks ||= [ ArticleBlock, LoginBlock, RecentDocumentsBlock, EnterprisesBlock, CommunitiesBlock, SellersSearchBlock, LinkListBlock, FeedReaderBlock, SlideshowBlock, HighlightsBlock, FeaturedProductsBlock, CategoriesBlock, RawHTMLBlock, TagsBlock ]
+    @available_blocks ||= [ ArticleBlock, LoginBlock, RecentDocumentsBlock, EnterprisesBlock, CommunitiesBlock, LinkListBlock, FeedReaderBlock, SlideshowBlock, HighlightsBlock, CategoriesBlock, RawHTMLBlock, TagsBlock ]
     @available_blocks += plugins.dispatch(:extra_blocks, :type => Environment)
   end
  
@@ -45,7 +45,6 @@ class UsersController &lt; AdminController
     redirect_to :action => :index, :q => params[:q], :filter => params[:filter]
   end
  
-
   def destroy_user
     if request.post?
       person = environment.people.find_by id: params[:id]
@@ -58,7 +57,6 @@ class UsersController &lt; AdminController
     redirect_to :action => :index, :q => params[:q], :filter => params[:filter]
   end
  
-
   def download
     respond_to do |format|
       format.html
@@ -87,8 +85,11 @@ class UsersController &lt; AdminController
   end
  
   def send_mail
-    @mailing = environment.mailings.build(params[:mailing])
     if request.post?
+      @mailing = environment.mailings.build(params[:mailing])
+      @mailing.recipients_roles = []
+      @mailing.recipients_roles << "profile_admin" if params[:recipients][:profile_admins].include?("true")
+      @mailing.recipients_roles << "environment_administrator" if params[:recipients][:env_admins].include?("true")
       @mailing.locale = locale
       @mailing.person = user
       if @mailing.save
@@ -103,12 +103,10 @@ class CmsController &lt; MyProfileController
         end
       end
     end
-
-    escape_fields @article
   end
  
   def new
-    # FIXME this method should share some logic wirh edit !!!
+    # FIXME this method should share some logic with edit !!!
  
     @success_back_to = params[:success_back_to]
     # user must choose an article type first
@@ -174,9 +172,6 @@ class CmsController &lt; MyProfileController
         return
       end
     end
-
-    escape_fields @article
-
     render :action => 'edit'
   end
  
@@ -365,7 +360,7 @@ class CmsController &lt; MyProfileController
   def search
     query = params[:q]
     results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]
-    render :text => article_list_to_json(results), :content_type => 'application/json'
+    render :text => article_list_to_json(results).html_safe, :content_type => 'application/json'
   end
  
   def search_article_privacy_exceptions
@@ -409,9 +404,6 @@ class CmsController &lt; MyProfileController
     ]
     articles += special_article_types if params && params[:cms]
     parent_id = params ? params[:parent_id] : nil
-    if profile.enterprise?
-      articles << EnterpriseHomepage
-    end
     if @parent && @parent.blog?
       articles -= Article.folder_types.map(&:constantize)
     end
@@ -451,9 +443,7 @@ class CmsController &lt; MyProfileController
   end
  
   def refuse_blocks
-    if ['TinyMceArticle', 'TextileArticle', 'Event', 'EnterpriseHomepage'].include?(@type)
-      @no_design_blocks = true
-    end
+    @no_design_blocks = @type.present? && valid_article_type?(@type) ? !@type.constantize.can_display_blocks? : false
   end
  
   def per_page
@@ -521,10 +511,4 @@ class CmsController &lt; MyProfileController
     end
   end
  
-  def escape_fields article
-    unless article.kind_of?(RssFeed)
-      @escaped_body = CGI::escapeHTML(article.body || '')
-      @escaped_abstract = CGI::escapeHTML(article.abstract || '')
-    end
-  end
 end
@@ -45,17 +45,10 @@ class ProfileDesignController &lt; BoxOrganizerController
     if profile.enterprise?
       blocks << DisabledEnterpriseMessageBlock
       blocks << HighlightsBlock
-      blocks << ProductCategoriesBlock
-      blocks << FeaturedProductsBlock
       blocks << FansBlock
       blocks += plugins.dispatch(:extra_blocks, :type => Enterprise)
     end
  
-    # product block exclusive for enterprises in environments that permits it
-    if profile.enterprise? && profile.environment.enabled?('products_for_enterprises')
-      blocks << ProductsBlock
-    end
-
     # block exclusive to profiles that have blog
     if profile.has_blog?
       blocks << BlogArchivesBlock
@@ -29,6 +29,7 @@ class ProfileEditorController &lt; MyProfileController
         Image.transaction do
           begin
             @plugins.dispatch(:profile_editor_transaction_extras)
+            # TODO: This is unsafe! Add sanitizer
             @profile_data.update!(params[:profile_data])
             redirect_to :action => 'index', :profile => profile.identifier
           rescue Exception => ex
@@ -14,20 +14,23 @@ class TasksController &lt; MyProfileController
     @filter_text = params[:filter_text].presence
     @filter_responsible = params[:filter_responsible]
     @task_types = Task.pending_types_for(profile)
-
-    @tasks = Task.pending_all(profile, @filter_type, @filter_text).order_by('created_at', 'asc')
+    @tasks = Task.pending_all(profile, @filter_type, @filter_text).order_by('created_at', 'asc').paginate(:per_page => Task.per_page, :page => params[:page])
     @tasks = @tasks.where(:responsible_id => @filter_responsible.to_i != -1 ? @filter_responsible : nil) if @filter_responsible.present?
     @tasks = @tasks.paginate(:per_page => Task.per_page, :page => params[:page])
-
     @failed = params ? params[:failed] : {}
  
     @responsible_candidates = profile.members.by_role(profile.roles.reject {|r| !r.has_permission?('perform_task')}) if profile.organization?
  
     @view_only = !current_person.has_permission?(:perform_task, profile)
+
   end
  
   def processed
-    @tasks = Task.to(profile).without_spam.closed.sort_by(&:created_at)
+    @tasks = Task.to(profile).without_spam.closed.order('tasks.created_at DESC')
+    @filter = params[:filter] || {}
+    @tasks = filter_tasks(@filter, @tasks)
+    @tasks = @tasks.paginate(:per_page => Task.per_page, :page => params[:page])
+    @task_types = Task.closed_types_for(profile)
   end
  
   def change_responsible
@@ -95,4 +98,36 @@ class TasksController &lt; MyProfileController
     @ticket = Ticket.where('(requestor_id = ? or target_id = ?) and id = ?', profile.id, profile.id, params[:id]).first
   end
  
+  def search_tasks
+    filter_type = params[:filter_type].presence
+    filter_text = params[:filter_text].presence
+    result = Task.pending_all(profile,filter_type, filter_text)
+
+    render :json => result.map { |task| {:label => task.data[:name], :value => task.data[:name]} }
+  end
+
+  protected
+
+  def filter_tasks(filter, tasks)
+    tasks = tasks.eager_load(:requestor, :closed_by)
+    tasks = tasks.of(filter[:type].presence)
+    tasks = tasks.where(:status => filter[:status]) unless filter[:status].blank?
+
+    filter[:created_from] = Date.parse(filter[:created_from]) unless filter[:created_from].blank?
+    filter[:created_until] = Date.parse(filter[:created_until]) unless filter[:created_until].blank?
+    filter[:closed_from] = Date.parse(filter[:closed_from]) unless filter[:closed_from].blank?
+    filter[:closed_until] = Date.parse(filter[:closed_until]) unless filter[:closed_until].blank?
+
+    tasks = tasks.from_creation_date filter[:created_from] unless filter[:created_from].blank?
+    tasks = tasks.until_creation_date filter[:created_until] unless filter[:created_until].blank?
+
+    tasks = tasks.from_closed_date filter[:closed_from] unless filter[:closed_from].blank?
+    tasks = tasks.until_closed_date filter[:closed_until] unless filter[:closed_until].blank?
+
+    tasks = tasks.where('profiles.name LIKE ?', filter[:requestor]) unless filter[:requestor].blank?
+    tasks = tasks.where('closed_bies_tasks.name LIKE ?', filter[:closed_by]) unless filter[:closed_by].blank?
+    tasks = tasks.where('tasks.data LIKE ?', "%#{filter[:text]}%") unless filter[:text].blank?
+    tasks
+  end
+
 end
@@ -13,7 +13,7 @@ class ApiController &lt; PublicController
   private
  
   def endpoints
-    Noosfero::API::API.endpoints(environment)
+    Api::App.endpoints(environment)
   end
  
 end
@@ -86,8 +86,16 @@ class ProfileController &lt; PublicController
     @articles = profile.top_level_articles.includes([:profile, :parent])
   end
  
+  def join_modal
+      profile.add_member(user)
+      session[:notice] = _('%s administrator still needs to accept you as member.') % profile.name
+      redirect_to :action => :index
+  end
+
   def join
     if !user.memberships.include?(profile)
+      return if profile.community? && show_confirmation_modal?(profile)
+
       profile.add_member(user)
       if !profile.members.include?(user)
         render :text => {:message => _('%s administrator still needs to accept you as member.') % profile.name}.to_json
@@ -3,7 +3,10 @@ class SearchController &lt; PublicController
   helper TagsHelper
   include SearchHelper
   include ActionView::Helpers::NumberHelper
+  include SanitizeParams
  
+
+  before_filter :sanitize_params
   before_filter :redirect_asset_param, :except => [:assets, :suggestions]
   before_filter :load_category, :except => :suggestions
   before_filter :load_search_assets, :except => :suggestions
@@ -49,7 +52,6 @@ class SearchController &lt; PublicController
     [
       [ :people, _('People'), :recent_people ],
       [ :enterprises, _('Enterprises'), :recent_enterprises ],
-      [ :products, _('Products'), :recent_products ],
       [ :events, _('Upcoming events'), :upcoming_events ],
       [ :communities, _('Communities'), :recent_communities ],
       [ :articles, _('Contents'), :recent_articles ]
@@ -75,16 +77,17 @@ class SearchController &lt; PublicController
     full_text_search
   end
  
-  def products
-    @scope = @environment.products
-    full_text_search
-  end
-
   def enterprises
     @scope = visible_profiles(Enterprise)
     full_text_search
   end
  
+  # keep URL compatibility
+  def products
+    return render_not_found unless defined? ProductsPlugin
+    redirect_to url_for(params.merge controller: 'products_plugin/search', action: :products)
+  end
+
   def communities
     @scope = visible_profiles(Community)
     full_text_search
@@ -134,7 +137,8 @@ class SearchController &lt; PublicController
  
   def tag
     @tag = params[:tag]
-    @tag_cache_key = "tag_#{CGI.escape(@tag.to_s)}_env_#{environment.id.to_s}_page_#{params[:npage]}"
+    tag_str = @tag.kind_of?(Array) ? @tag.join(" ") : @tag.to_str
+    @tag_cache_key = "tag_#{CGI.escape(tag_str)}_env_#{environment.id.to_s}_page_#{params[:npage]}"
     if is_cache_expired?(@tag_cache_key)
       @searches[@asset] = {:results => environment.articles.tagged_with(@tag).paginate(paginate_options)}
     end
@@ -182,7 +186,6 @@ class SearchController &lt; PublicController
       people:      _('People'),
       communities: _('Communities'),
       enterprises: _('Enterprises'),
-      products:    _('Products and Services'),
       events:      _('Events'),
     }
   end
@@ -256,12 +259,11 @@ class SearchController &lt; PublicController
   end
  
   def available_assets
-    assets = {
+    {
       articles:    _('Contents'),
       enterprises: _('Enterprises'),
       people:      _('People'),
       communities: _('Communities'),
-      products:    _('Products and Services'),
     }
   end
  
@@ -5,22 +5,22 @@ module ActionTrackerHelper
   end
  
   def new_friendship_description ta
-    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size) % {
+    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size).html_safe % {
       num: ta.get_friend_name.size,
-      name: ta.collect_group_with_index(:friend_name) do |n,i|
+      name: safe_join(ta.collect_group_with_index(:friend_name) do |n,i|
         link_to image_tag(ta.get_friend_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/person-icon.png")),
                 ta.get_friend_url[i], title: n
-      end.join
+      end)
     }
   end
  
   def join_community_description ta
-    n_('has joined 1 community:<br />%{name}', 'has joined %{num} communities:<br />%{name}', ta.get_resource_name.size) % {
+    n_('has joined 1 community:<br />%{name}'.html_safe, 'has joined %{num} communities:<br />%{name}'.html_safe, ta.get_resource_name.size) % {
       num: ta.get_resource_name.size,
       name: ta.collect_group_with_index(:resource_name) do |n,i|
-        link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
+       link = link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
                 ta.get_resource_url[i], title: n
-      end.join
+      end.join.html_safe
     }
   end
  
@@ -67,24 +67,6 @@ module ActionTrackerHelper
     }
   end
  
-  def create_product_description ta
-    _('created the product %{title}') % {
-      title: link_to(truncate(ta.get_name), ta.get_url),
-    }
-  end
-
-  def update_product_description ta
-    _('updated the product %{title}') % {
-      title: link_to(truncate(ta.get_name), ta.get_url),
-    }
-  end
-
-  def remove_product_description ta
-    _('removed the product %{title}') % {
-      title: truncate(ta.get_name),
-    }
-  end
-
   def favorite_enterprise_description ta
     _('favorited enterprise %{title}') % {
       title: link_to(truncate(ta.get_enterprise_name), ta.get_enterprise_url),
@@ -44,8 +44,6 @@ module ApplicationHelper
  
   include TokenHelper
  
-  include CatalogHelper
-
   include PluginsHelper
  
   include ButtonsHelper
@@ -56,6 +54,8 @@ module ApplicationHelper
  
   include TaskHelper
  
+  include MembershipsHelper
+
   def locale
     (@page && !@page.language.blank?) ? @page.language : FastGettext.locale
   end
@@ -99,7 +99,6 @@ module ApplicationHelper
   #
   # TODO: implement correcly the 'Help' button click
   def help(content = nil, link_name = nil, options = {}, &block)
-
     link_name ||= _('Help')
  
     @help_message_id ||= 1
@@ -122,7 +121,7 @@ module ApplicationHelper
     button = link_to_function(content_tag('span', link_name), "Element.show('#{help_id}')", options )
     close_button = content_tag("div", link_to_function(_("Close"), "Element.hide('#{help_id}')", :class => 'close_help_button'))
  
-    text = content_tag('div', button + content_tag('div', content_tag('div', content) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
+    text = content_tag('div', button + content_tag('div', content_tag('div', content.html_safe) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
  
     unless block.nil?
       concat(text)
@@ -234,13 +233,6 @@ module ApplicationHelper
     link_to(content_tag('span', text), url, html_options.merge(:class => the_class, :title => text))
   end
  
-  def button_bar(options = {}, &block)
-    options[:class].nil? ?
-      options[:class]='button-bar' :
-      options[:class]+=' button-bar'
-    concat(content_tag('div', capture(&block).to_s + tag('br', :style => 'clear: left;'), options))
-  end
-
   def render_profile_actions klass
     name = klass.to_s.underscore
     begin
@@ -362,8 +354,8 @@ module ApplicationHelper
   def popover_menu(title,menu_title,links,html_options={})
     html_options[:class] = "" unless html_options[:class]
     html_options[:class] << " menu-submenu-trigger"
-    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false"
  
+    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false".html_safe
     link_to(content_tag(:span, title), '#', html_options)
   end
  
@@ -473,9 +465,9 @@ module ApplicationHelper
       map(&:role)
     names = []
     roles.each do |role|
-      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}")
+      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}").html_safe
     end
-    names.join(', ')
+    safe_join(names, ', ')
   end
  
   def role_color(role, env_id)
@@ -788,7 +780,7 @@ module ApplicationHelper
     return "" if categories.blank?
     content_tag(:ul) do
       categories.map do |category|
-        category_path = category.kind_of?(ProductCategory) ? {:controller => 'search', :action => 'assets', :asset => 'products', :product_category => category.id} : { :controller => 'search', :action => 'category_index', :category_path => category.explode_path }
+        category_path = { :controller => 'search', :action => 'category_index', :category_path => category.explode_path }
         if category.display_in_menu?
           content_tag(:li) do
             if !category.is_leaf_displayable_in_menu?
@@ -911,7 +903,8 @@ module ApplicationHelper
   end
  
   def admin_link
-    user.is_admin?(environment) ? link_to('<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>', environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
+    admin_icon = '<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>'
+    user.is_admin?(environment) ? link_to(admin_icon.html_safe, environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
   end
  
   def usermenu_logged_in
@@ -920,23 +913,39 @@ module ApplicationHelper
     if count > 0
       pending_tasks_count = link_to(count.to_s, user.tasks_url, :id => 'pending-tasks-count', :title => _("Manage your pending tasks"))
     end
+    user_identifier = "<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>"
+    welcome_link = link_to(user_identifier.html_safe, user.public_profile_url, :id => "homepage-link", :title => _('Go to your homepage'))
+    welcome_span = _("<span class='welcome'>Welcome,</span> %s") % welcome_link.html_safe
+    ctrl_panel_icon = '<i class="icon-menu-ctrl-panel"></i>'
+    ctrl_panel_section = '<strong>' + ctrl_panel_icon + _('Control panel') + '</strong>'
+    ctrl_panel_link = link_to(ctrl_panel_section.html_safe, user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content"))
+    logout_icon = '<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>'
+    logout_link = link_to(logout_icon.html_safe, { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+    join_result = safe_join(
+      [welcome_span.html_safe, render_environment_features(:usermenu).html_safe, admin_link.html_safe,
+        manage_enterprises.html_safe, manage_communities.html_safe, ctrl_panel_link.html_safe,
+        pending_tasks_count.html_safe, logout_link.html_safe], "")
+    join_result
+  end
  
-    (_("<span class='welcome'>Welcome,</span> %s") % link_to("<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>", user.url, :id => "homepage-link", :title => _('Go to your homepage'))) +
-    render_environment_features(:usermenu) +
-    admin_link +
-    manage_enterprises +
-    manage_communities +
-    link_to('<i class="icon-menu-ctrl-panel"></i><strong>' + _('Control panel') + '</strong>', user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content")) +
-    pending_tasks_count +
-    link_to('<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>', { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+  def usermenu_notlogged_in
+    login_str = '<i class="icon-menu-login"></i><strong>' + _('Login') + '</strong>'
+    ret = _("<span class='login'>%s</span>") % modal_inline_link_to(login_str.html_safe, login_url, '#inlineLoginBox', :id => 'link_login')
+    return ret.html_safe
   end
  
+  def usermenu_signup
+    signup_str = '<strong>' + _('Sign up') + '</strong>'
+    ret = _("<span class='or'>or</span> <span class='signup'>%s</span>") % link_to(signup_str.html_safe, :controller => 'account', :action => 'signup')
+    return ret.html_safe
+
+  end
   def limited_text_area(object_name, method, limit, text_area_id, options = {})
-    content_tag(:div, [
+    content_tag(:div, safe_join([
       text_area(object_name, method, { :id => text_area_id, :onkeyup => "limited_text_area('#{text_area_id}', #{limit})" }.merge(options)),
       content_tag(:p, content_tag(:span, limit) + ' ' + _(' characters left'), :id => text_area_id + '_left'),
       content_tag(:p, _('Limit of characters reached'), :id => text_area_id + '_limit', :style => 'display: none')
-    ].join, :class => 'limited-text-area')
+    ]), :class => 'limited-text-area')
   end
  
   def expandable_text_area(object_name, method, text_area_id, options = {})
@@ -970,11 +979,11 @@ module ApplicationHelper
  
   def task_information(task)
     values = {}
+    values.merge!(task.information[:variables]) if task.information[:variables]
     values.merge!({:requestor => link_to(task.requestor.name, task.requestor.url)}) if task.requestor
     values.merge!({:subject => content_tag('span', task.subject, :class=>'task_target')}) if task.subject
     values.merge!({:linked_subject => link_to(content_tag('span', task.linked_subject[:text], :class => 'task_target'), task.linked_subject[:url])}) if task.linked_subject
-    values.merge!(task.information[:variables]) if task.information[:variables]
-    task.information[:message] % values
+    (task.information[:message] % values).html_safe
   end
  
   def add_zoom_to_article_images
@@ -1032,26 +1041,24 @@ module ApplicationHelper
   end
  
   def render_tabs(tabs)
-    titles = tabs.inject(''){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
-    contents = tabs.inject(''){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
+    titles = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
+    contents = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
  
     content_tag(:div, content_tag(:ul, titles) + raw(contents), :class => 'ui-tabs')
   end
  
   def delete_article_message(article)
-    CGI.escapeHTML(
-      if article.folder?
-        _("Are you sure that you want to remove the folder \"%s\"? Note that all the items inside it will also be removed!") % article.name
-      else
-        _("Are you sure that you want to remove the item \"%s\"?") % article.name
-      end
-    )
+    if article.folder?
+      _("Are you sure that you want to remove the folder \"%s\"? Note that all the items inside it will also be removed!") % article.name
+    else
+      _("Are you sure that you want to remove the item \"%s\"?") % article.name
+    end
   end
  
   def expirable_link_to(expired, content, url, options = {})
     if expired
       options[:class] = (options[:class] || '') + ' disabled'
-      content_tag('a', '&nbsp;'+content_tag('span', content), options)
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', content), options)
     else
       if options[:modal]
         options.delete(:modal)
@@ -1084,7 +1091,7 @@ module ApplicationHelper
  
     radios = templates.map do |template|
       content_tag('li', labelled_radio_button(link_to(template.name, template.url, :target => '_blank'), "#{field_name}[template_id]", template.id, environment.is_default_template?(template)))
-    end.join("\n")
+    end.join("\n").html_safe
  
     content_tag('div', content_tag('label', _('Profile organization'), :for => 'template-options', :class => 'formlabel') +
       content_tag('p', _('Your profile will be created according to the selected template. Click on the options to view them.'), :style => 'margin: 5px 15px;padding: 0px 10px;') +
@@ -1124,7 +1131,7 @@ module ApplicationHelper
     content_tag(:div, :class => 'errorExplanation', :id => 'errorExplanation') do
       content_tag(:h2, _('Errors while saving')) +
       content_tag(:ul) do
-        errors.map { |err| content_tag(:li, err) }.join
+        safe_join(errors.map { |err| content_tag(:li, err) })
       end
     end
   end
@@ -1234,6 +1241,7 @@ module ApplicationHelper
       :href=>"#",
       :title=>_("Exit full screen mode")
     })
+    content.html_safe
   end
  
 end
@@ -69,14 +69,14 @@ module ArticleHelper
     content_tag('div',
       content_tag('div',
         radio_button(:article, :published, true) +
-          content_tag('span', '&nbsp;', :class => 'access-public-icon') +
+          content_tag('span', '&nbsp;'.html_safe, :class => 'access-public-icon') +
           content_tag('label', _('Public'), :for => 'article_published_true') +
           content_tag('span', _('Visible to other people'), :class => 'access-note'),
           :class => 'access-item'
            ) +
       content_tag('div',
         radio_button(:article, :published, false) +
-          content_tag('span', '&nbsp;', :class => 'access-private-icon') +
+          content_tag('span', '&nbsp;'.html_safe, :class => 'access-private-icon') +
           content_tag('label', _('Private'), :for => 'article_published_false', :id => "label_private") +
           content_tag('span', _('Limit visibility of this article'), :class => 'access-note'),
           :class => 'access-item'
@@ -187,9 +187,9 @@ module ArticleHelper
   def following_button(page, user)
     if !user.blank? and user != page.author
       if page.is_followed_by? user
-        button :cancel, unfollow_button_text(page), {:controller => 'profile', :action => 'unfollow_article', :article_id => page.id}
+        button :cancel, unfollow_button_text(page), {:controller => 'profile', :action => 'unfollow_article', :article_id => page.id, :profile => page.profile.identifier}
       else
-        button :add, follow_button_text(page), {:controller => 'profile', :action => 'follow_article', :article_id => page.id}
+        button :add, follow_button_text(page), {:controller => 'profile', :action => 'follow_article', :article_id => page.id, :profile => page.profile.identifier}
       end
     end
   end
@@ -3,13 +3,13 @@ module BlockHelper
   def block_title(title, subtitle=nil)
     block_header = block_heading title
     block_header += block_heading(subtitle, 'h4') if subtitle
-    content_tag 'div', block_header, :class => 'block-header'
+    content_tag('div', block_header, :class => 'block-header').html_safe
   end
  
   def block_heading(title, heading='h3')
     tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')
     tag_class += ' empty' if title.empty?
-    content_tag heading, content_tag('span', h(title)), :class => tag_class
+    content_tag heading, content_tag('span', h(title)), :class => tag_class.html_safe
   end
  
   def highlights_block_config_image_fields(block, image={}, row_number=nil)
@@ -28,7 +28,7 @@ module BlockHelper
       }</label></td>
       <td>#{button_without_text(:delete, _('Remove'), '#', class: 'delete-highlight', data: {confirm: _('Are you sure you want to remove this highlight')})}</td>
     </tr>
-    "
+    ".html_safe
   end
  
 end
@@ -41,12 +41,12 @@ module BlogHelper
       css_add << position
       content << (content_tag 'div', id: "post-#{art.id}", class: css_add do
         content_tag 'div', class: position + '-inner blog-post-inner' do
-          display_post(art, conf[:format]).html_safe +
+          display_post(art, conf[:format])  +
           '<br style="clear:both"/>'.html_safe
         end
-      end)
+      end).html_safe
     }
-    content.join("\n<hr class='sep-posts'/>\n") + (pagination or '')
+    safe_join(content, "\n<hr class='sep-posts'/>\n".html_safe) + (pagination or '').html_safe
   end
  
   def display_post(article, format = 'full')
@@ -61,7 +61,8 @@ module BlogHelper
       else
         '<div class="post-pic" style="background-image:url('+img+')"></div>'
       end
-    end.to_s + title + html
+    end.to_s.html_safe +
+    title.html_safe + html
   end
  
   def display_compact_format(article)
@@ -38,7 +38,7 @@ module BoxOrganizerHelper
     content_tag(:ul,
       images_path.map do |preview|
 	content_tag(:li, image_tag(preview, height: '240', alt: ''))
-      end.join("\n")
+      end.join("\n").html_safe
     )
   end
  
@@ -34,7 +34,7 @@ module BoxesHelper
  
   def display_boxes_editor(holder)
     with_box_decorator self do
-      content_tag('div', display_boxes(holder, '&lt;' + _('Main content') + '&gt;'), :id => 'box-organizer')
+      content_tag('div', display_boxes(holder, '<' + _('Main content') + '>'), :id => 'box-organizer')
     end
   end
  
@@ -44,7 +44,7 @@ module BoxesHelper
  
   def display_boxes(holder, main_content)
     boxes = holder.boxes.with_position.first(boxes_limit(holder))
-    content = boxes.reverse.map { |item| display_box(item, main_content) }.join("\n")
+    content = safe_join(boxes.reverse.map { |item| display_box(item, main_content) }, "\n")
     content = main_content if (content.blank?)
  
     content_tag('div', content, :class => 'boxes', :id => 'boxes' )
@@ -52,9 +52,9 @@ module BoxesHelper
  
   def maybe_display_custom_element(holder, element, options = {})
     if holder.respond_to?(element)
-      content_tag('div', holder.send(element), options)
+      content_tag('div', holder.send(element).to_s.html_safe, options)
     else
-      ''
+      ''.html_safe
     end
   end
  
@@ -64,15 +64,16 @@ module BoxesHelper
  
   def display_updated_box(box)
     with_box_decorator self do
-      display_box_content(box, '&lt;' + _('Main content') + '&gt;')
+      display_box_content(box, '<' + _('Main content') + '>')
     end
   end
  
   def display_box_content(box, main_content)
     context = { :article => @page, :request_path => request.path, :locale => locale, :params => request.params, :user => user, :controller => controller }
-    box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
+    blocks = box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
       display_block item, main_content
-    end.join("\n") + box_decorator.block_target(box)
+    end
+    safe_join(blocks, "\n") + box_decorator.block_target(box)
   end
  
   def select_blocks box, arr, context
@@ -136,17 +137,18 @@ module BoxesHelper
  
     result = filter_html(result, block)
  
-    content_tag('div',
-      box_decorator.block_target(block.box, block) +
-        content_tag('div',
-         content_tag('div',
-           content_tag('div',
-             result + footer_content + box_decorator.block_edit_buttons(block),
-             :class => 'block-inner-2'),
-           :class => 'block-inner-1'),
-       options),
-    :class => 'block-outer') +
-    box_decorator.block_handle(block)
+    join_result = safe_join([result, footer_content, box_decorator.block_edit_buttons(block)])
+    content_tag_inner_1 = content_tag('div', join_result, :class => 'block-inner-2')
+
+    content_tag_inner_2 = content_tag('div', content_tag_inner_1, :class => 'block-inner-1')
+    content_tag_inner_3 = content_tag('div', content_tag_inner_2, options)
+    content_tag_inner_4 = box_decorator.block_target(block.box, block) + content_tag_inner_3
+    c = content_tag('div', content_tag_inner_4, :class => 'block-outer')
+    box_decorator_result = box_decorator.block_handle(block)
+    result_final = safe_join([c, box_decorator_result], "")
+
+
+    return result_final
   end
  
   def wrap_main_content(content)
@@ -156,17 +158,17 @@ module BoxesHelper
   def extract_block_content(content)
     case content
     when Hash
-      content_tag('iframe', '', :src => url_for(content))
+      content_tag('iframe', ''.html_safe, :src => url_for(content))
     when String
       if content.split("\n").size == 1 and content =~ /^https?:\/\//
-        content_tag('iframe', '', :src => content)
+        content_tag('iframe', ''.html_safe, :src => content)
       else
         content
       end
     when Proc
       self.instance_eval(&content)
     when NilClass
-      ''
+      ''.html_safe
     else
       raise "Unsupported content for block (#{content.class})"
     end
@@ -175,14 +177,14 @@ module BoxesHelper
   module DontMoveBlocks
     # does nothing
     def self.block_target(box, block = nil)
-      ''
+      ''.html_safe
     end
     # does nothing
     def self.block_handle(block)
-      ''
+      ''.html_safe
     end
     def self.block_edit_buttons(block)
-      ''
+      ''.html_safe
     end
     def self.select_blocks box, arr, context
       arr = arr.select{ |block| block.visible? context }
@@ -229,9 +231,9 @@ module BoxesHelper
   # makes the given block draggable so it can be moved away.
   def block_handle(block)
     return "" unless movable?(block)
-    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>"
+    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>".html_safe
     block_draggable("block-#{block.id}",
-                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}")
+                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}".html_safe)
   end
  
   def block_draggable(element_id, options={})
@@ -302,7 +304,7 @@ module BoxesHelper
       buttons << modal_inline_icon(:embed, _('Embed code'), {}, "#embed-code-box-#{block.id}") << html
     end
  
-    content_tag('div', buttons.join("\n") + tag('br', :style => 'clear: left'), :class => 'button-bar')
+    content_tag('div', buttons.join("\n").html_safe + tag('br', :style => 'clear: left'), :class => 'button-bar')
   end
  
   def current_blocks
 module ButtonsHelper
+
+  def button_bar(options = {}, &block)
+    options[:class] ||= ''
+    options[:class] << ' button-bar'
+
+    content_tag :div, options do
+      [
+        capture(&block).to_s,
+        tag(:br, style: 'clear: left;'),
+      ].safe_join
+    end
+  end
+
   def button(type, label, url, html_options = {})
     html_options ||= {}
     the_class = 'with-text'
@@ -15,9 +28,9 @@ module ButtonsHelper
     end
     the_title = html_options[:title] || label
     if html_options[:disabled]
-      content_tag('a', '&nbsp;'+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
     else
-      link_to('&nbsp;'+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
+      link_to('&nbsp;'.html_safe+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
     end
   end
  
@@ -2,7 +2,6 @@ module CategoriesHelper
  
   TYPES = [
     [ _('General Category'), Category.to_s ],
-    [ _('Product Category'), ProductCategory.to_s ],
     [ _('Region'), Region.to_s ],
   ]
  
@@ -20,7 +19,7 @@ module CategoriesHelper
   def selected_category_link(cat)
     js_remove = "jQuery('#selected-category-#{cat.id}').remove();"
     content_tag('div', button_to_function_without_text(:remove, _('Remove'), js_remove) +
-      link_to_function(cat.full_name(' &rarr; '), js_remove, :id => "remove-selected-category-#{cat.id}-button", :class => 'select-subcategory-link'),
+      link_to_function(cat.full_name(' &rarr; ').html_safe, js_remove, :id => "remove-selected-category-#{cat.id}-button", :class => 'select-subcategory-link'),
       :class => 'selected-category'
     )
   end
@@ -66,7 +66,7 @@ module CommentHelper
  
   def link_for_edit(comment)
     if comment.can_be_updated_by?(user)
-      {:link => expirable_comment_link(comment, :edit, _('Edit'), url_for(:profile => profile.identifier, :controller => :comment, :action => :edit, :id => comment.id),:class => 'modal')}
+      {:link => expirable_comment_link(comment, :edit, _('Edit'), url_for(:profile => profile.identifier, :controller => :comment, :action => :edit, :id => comment.id), :modal => true)}
     end
   end
  
@@ -7,7 +7,8 @@ module ContentViewerHelper
   def display_number_of_comments(n)
     base_str = "<span class='comment-count hide'>#{n}</span>"
     amount_str = n == 0 ? _('no comments yet') : (n == 1 ? _('One comment') : _('%s comments') % n)
-    base_str + "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str += "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str.html_safe
   end
  
   def number_of_comments(article)
@@ -19,16 +20,16 @@ module ContentViewerHelper
     title = content_tag('h1', h(title), :class => 'title')
     if article.belongs_to_blog? || article.belongs_to_forum?
       unless args[:no_link]
-        title = content_tag('h1', link_to(article.name, article.url), :class => 'title')
+        title = content_tag('h1', link_to(article.name, url_for(article.url)), :class => 'title')
       end
       comments = ''
       unless args[:no_comments] || !article.accept_comments
-        comments = (" - %s") % link_to_comments(article)
+        comments = (" - %s").html_safe % link_to_comments(article)
       end
       date_format = show_with_right_format_date article
       title << content_tag('span',
         date_format +
-        content_tag('span', _(", by %s") % (article.author ? link_to(article.author_name, article.author_url) : article.author_name), :class => 'author') +
+        content_tag('span', _(", by %s").html_safe % (article.author ? link_to(article.author_name, article.author_url) : article.author_name), :class => 'author') +
         content_tag('span', comments, :class => 'comments'),
         :class => 'publishing-info'
       )
 module DisplayHelper
  
-  def link_to_product(product, opts={})
-    return _('No product') unless product
-    target = product_path(product)
-    link_to content_tag( 'span', product.name ),
-            target,
-            opts
-  end
-
   def themed_path(file)
     if File.exists?(File.join(Rails.root, 'public', theme_path, file))
       File.join(theme_path, file)
@@ -16,55 +8,35 @@ module DisplayHelper
     end
   end
  
-  def image_link_to_product(product, opts={})
-    return _('No product') unless product
-    target = product_path(product)
-    link_to image_tag(product.default_image(:big), :alt => product.name),
-            target,
-            opts
-  end
-
   def price_span(price, options = {})
     content_tag 'span',
       number_to_currency(price, :unit => environment.currency_unit, :delimiter => environment.currency_delimiter, :separator => environment.currency_separator),
       options
   end
  
-  def product_path(product)
-    product.enterprise.enabled? ? product.enterprise.public_profile_url.merge(:controller => 'manage_products', :action => 'show', :id => product) : product.enterprise.url
-  end
-
   def link_to_tag(tag, html_options = {})
     link_to tag.name, {:controller => 'search', :action => 'tag', :tag => tag.name}, html_options
   end
  
   def link_to_category(category, full = true, html_options = {})
-    return _('Uncategorized product') unless category
     name = full ? category.full_name(' &rarr; ') : category.name
     link_to name, Noosfero.url_options.merge({:controller => 'search', :action => 'category_index', :category_path => category.path.split('/'),:host => category.environment.default_hostname }), html_options
   end
  
-  def link_to_product_category(category)
-    if category
-      link_to(category.name, :controller => 'search', :action => 'products', :category_path => category.explode_path)
-    else
-      _('Uncategorized product')
-    end
-  end
-
   def txt2html(txt)
-    txt.strip.
+    ret = txt.strip.
       gsub( /\s*\n\s*\n\s*/, "\r<p/>\r" ).
       gsub( /\s*\n\s*/, "\n<br/>\n" ).
       gsub( /\r/, "\n" ).
       gsub( /(^|\s)(www\.[^\s]+|https?:\/\/[^\s]+)/ ) do
         pre_char, href = $1, $2
         href = 'http://'+href  if ! href.match /^https?:/
-        content = href.gsub(/^https?:\/\//, '').scan(/.{1,4}/).join('&#x200B;')
+        content = safe_join(href.gsub(/^https?:\/\//, '').scan(/.{1,4}/), '&#x200B;'.html_safe)
         pre_char +
         content_tag(:a, content, :href => href, :target => '_blank',
-                    :rel => 'nofolow', :onclick => "return confirm('%s')" %
+                    :rel => 'nofolow', :onclick => "return confirm('%s')".html_safe %
                       _('Are you sure you want to visit this web site?'))
       end
+      ret.html_safe
   end
 end
 module EventsHelper
  
   include DatesHelper
+  include ActionView::Helpers::OutputSafetyHelper
+
   def list_events(date, events)
     title = _('Events for %s') % show_date_month(date)
+    user_events = events.select { |item| item.display_to?(user) }
+    events_for_month = safe_join(user_events.map {|item| display_event_in_listing(item)}, '')
     content_tag('h2', title) +
     content_tag('div',
       (events.any? ?
-        content_tag('table', events.select { |item| item.display_to?(user) }.map {|item| display_event_in_listing(item)}.join('')) :
-        content_tag('em', _('No events for this month'), :class => 'no-events')
+        content_tag('table', events_for_month) :
+          content_tag('em', _('No events for this month'), :class => 'no-events')
       ), :id => 'agenda-items'
     )
   end
@@ -101,7 +101,7 @@ module FormsHelper
  
   def required_fields_message
     content_tag('p', content_tag('span',
-      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory."),
+      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory.").html_safe,
       :class => 'required-field'
     ))
   end
@@ -112,10 +112,11 @@ module FormsHelper
     options_for_select = container.inject([]) do |options, element|
       text, value = option_text_and_value(element)
       selected_attribute = ' selected="selected"' if option_value_selected?(value, selected)
-      options << %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      opt = %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      options << opt.html_safe
     end
  
-    options_for_select.join("\n")
+    safe_join(options_for_select, "\n")
   end
  
   def balanced_table(items, per_row=3)
@@ -248,8 +249,8 @@ module FormsHelper
   def date_range_field(from_name, to_name, from_value, to_value, datepicker_options = {}, html_options = {})
     from_id = html_options[:from_id] || 'datepicker-from-date'
     to_id = html_options[:to_id] || 'datepicker-to-date'
-    return _('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
-    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))
+    return (_('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
+    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))).html_safe
   end
  
   def select_folder(label_text, field_id, collection, default_value=nil, html_options = {}, js_options = {})
@@ -35,7 +35,7 @@ module ForumHelper
                              :id => "post-#{art.id}"
                             )
     }
-    content_tag('table', content.join) + (pagination or '')
+    content_tag('table', safe_join(content, "")) + (pagination or '').html_safe
   end
  
   def last_topic_update(article)
@@ -40,7 +40,7 @@ module LanguageHelper
         else
           link_to(name, params.merge(:lang => code), :rel => 'nofollow')
         end
-      end.join(separator)
+      end.join(separator).html_safe
       content_tag('div', languages, :id => 'language-chooser', :help => _('The language you choose here is the language used for options, buttons, etc. It does not affect the language of the content created by other users.'))
     end
   end
@@ -40,7 +40,8 @@ module LayoutHelper
  
     output += templete_javascript_ng.to_s
  
-    output
+    # This output should be safe!
+    output.html_safe
   end
  
   def noosfero_stylesheets
@@ -64,7 +65,9 @@ module LayoutHelper
       output << stylesheet_link_tag(global_css_pub)
     end
     output << stylesheet_link_tag(theme_stylesheet_path)
-    output.join "\n"
+
+    # This output should be safe!
+    output.join("\n").html_safe
   end
  
   def noosfero_layout_features
@@ -94,9 +97,7 @@ module LayoutHelper
   end
  
   def addthis_javascript
-    if NOOSFERO_CONF['addthis_enabled']
-      '<script src="https://s7.addthis.com/js/152/addthis_widget.js"></script>'
-    end
+    NOOSFERO_CONF['addthis_enabled'] ? '<script src="https://s7.addthis.com/js/152/addthis_widget.js"></script>' : ''
   end
  
 end
@@ -32,7 +32,7 @@ module MacrosHelper
           }
         });
       }"
-    end
+    end.html_safe
   end
  
   def include_macro_js_files
 module MembershipsHelper
+
+  def join_community_button options={:logged => false}
+    url = options[:logged] ? profile.join_url : profile.join_not_logged_url
+
+    if show_confirmation_modal? profile
+      modal_button :add, _('Join this community'), url, class: 'join-community'
+    else
+      button :add, _('Join this community'), url, class: 'join-community'
+    end
+  end
+
+  def show_confirmation_modal? profile
+    profile.requires_email? && current_person && !current_person.public_fields.include?("email")
+  end
+
 end
@@ -29,14 +29,49 @@ module PartialsHelper
     raise ArgumentError, 'No partial for object. Is there a partial for any class in the inheritance hierarchy?'
   end
  
-  def render_partial_for_class klass, *args
+
+  def partial_for_class(klass, prefix=nil, suffix=nil)
     raise ArgumentError, 'No partial for object. Is there a partial for any class in the inheritance hierarchy?' if klass.nil?
+    name = klass.name.underscore
+    controller.view_paths.each do |view_path|
+      partial = partial_for_class_in_view_path(klass, view_path, prefix, suffix)
+      return partial if partial
+    end
+
+    raise ArgumentError, 'No partial for object. Is there a partial for any class in the inheritance hierarchy?'
+  end
+
+  ##
+  # Calculate partial name with prefix and suffix
+  # Togheter with render_partial_for_class,
+  # it should replace #partial_for_class_in_view_path in the future
+  #
+  def partial_name_for underscore, prefix = nil, suffix = nil
+    parts = underscore.split '/'
+    if prefix or suffix
+      partial = [prefix, parts.last, suffix].compact.map(&:to_s).join '_'
+    else
+      partial = parts.last
+    end
+    if parts.size > 1
+      "#{params[:controller]}/#{parts.first}/#{partial}"
+    else
+      partial
+    end
+  end
+
+  def render_for_class klass, *args, &block
+    raise ArgumentError, 'No partial for object. Is there a partial for any class in the inheritance hierarchy?' unless klass
     begin
-      partial = klass.name.underscore
-      partial = "#{params[:controller]}/#{partial}" if params[:controller] and partial.index '/'
-      return render partial, *args
+      capture klass, &block
     rescue ActionView::MissingTemplate
-      return render_partial_for_class klass.superclass, *args
+      render_for_class klass.superclass, *args, &block
+    end
+  end
+
+  def render_partial_for_class klass, *args
+    render_for_class klass do |klass|
+      render partial_name_for(klass.name.underscore), *args
     end
   end
  
@@ -129,7 +129,11 @@ module ProfileEditorHelper
     else
       domains = environment.domains
     end
-    labelled_form_field(_('Preferred domain name:'), select(object, :preferred_domain_id, domains.map {|item| [item.name, item.id]}, :prompt => '&lt;' + _('Select domain') + '&gt;'))
+    select_domain_prompt = '&lt;'.html_safe + _('Select domain').html_safe + '&gt;'.html_safe
+    select_field = select(object, :preferred_domain_id, domains.map {
+      |item| [item.name, item.id]}, :prompt => select_domain_prompt.html_safe)
+
+    labelled_form_field(_('Preferred domain name:'), select_field)
   end
  
   def control_panel(&block)
@@ -84,7 +84,7 @@ module ProfileHelper
       entries.map do |entry|
         content = self.send("treat_#{field}", entry)
         unless content.blank?
-          content_tag('tr', content_tag('td', title(field, entry), :class => 'field-name') + content_tag('td', content))
+          content_tag('tr', content_tag('td', title(field, entry), :class => 'field-name') + content_tag('td', content.to_s.html_safe))
         end
       end.join("\n")
     end
@@ -61,6 +61,8 @@ module ProfileImageHelper
     image_tag(profile_icon(profile, size), opt )
   end
  
+  include MembershipsHelper
+
   def links_for_balloon(profile)
     if environment.enabled?(:show_balloon_with_profile_links_when_clicked)
       if profile.kind_of?(Person)
@@ -76,13 +78,12 @@ module ProfileImageHelper
           {_('Wall') => {:href => url_for(profile.public_profile_url)}},
           {_('Members') => {:href => url_for(:controller => :profile, :action => :members, :profile => profile.identifier)}},
           {_('Agenda') => {:href => url_for(:controller => :profile, :action => :events, :profile => profile.identifier)}},
-          {_('Join') => {:href => url_for(profile.join_url), :class => 'join-community', :style => 'display: none'}},
+          {_('Join') => {:href => url_for(profile.join_url), :class => 'join-community'+ (show_confirmation_modal?(profile) ? ' modal-toggle' : '') , :style => 'display: none'}},
           {_('Leave community') => {:href => url_for(profile.leave_url), :class => 'leave-community', :style => 'display:  none'}},
           {_('Send an e-mail') => {:href => url_for(:profile => profile.identifier, :controller => 'contact', :action => 'new'), :class => 'send-an-email', :style => 'display: none'}}
         ]
       elsif profile.kind_of?(Enterprise)
         [
-          {_('Products') => {:href => catalog_path(profile.identifier)}},
           {_('Members') => {:href => url_for(:controller => :profile, :action => :members, :profile => profile.identifier)}},
           {_('Agenda') => {:href => url_for(:controller => :profile, :action => :events, :profile => profile.identifier)}},
           {_('Send an e-mail') => {:href => url_for(:profile => profile.identifier, :controller => 'contact', :action => 'new'), :class => 'send-an-email', :style => 'display: none'}},
@@ -131,7 +132,7 @@ module ProfileImageHelper
     links = links_for_balloon(profile)
     content_tag('div', content_tag(tag,
                                    (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ?
-                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "") +
+                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "").html_safe +
     link_to(
       content_tag( 'span', profile_image( profile, size ), :class => img_class ) +
       content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
@@ -139,7 +140,7 @@ module ProfileImageHelper
       profile.url,
       :class => 'profile_link url',
       :help => _('Click on this icon to go to the <b>%s</b>\'s home page') % profile.name,
-      :title => profile.name ),
+      :title => profile.name ).html_safe,
       :class => 'vcard'), :class => 'common-profile-list-block')
   end
 end
@@ -0,0 +1,25 @@
+module SanitizeHelper
+
+  def sanitize_html(text, type= :full_sanitize)
+      sanitizer(type).sanitize(text, scrubber: permit_scrubber)
+  end
+
+  def sanitize_link(text)
+      sanitizer(:white_list).sanitize(text, scrubber:permit_scrubber)
+  end
+
+protected
+
+  def permit_scrubber
+      scrubber = Rails::Html::PermitScrubber.new
+      scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags
+      scrubber.attributes = Rails.application.config.action_view.sanitized_allowed_attributes
+      scrubber
+  end
+
+  def sanitizer type = :full_sanitize
+    return HTML::WhiteListSanitizer.new if type == :white_list
+    HTML::FullSanitizer.new
+  end
+
+end
@@ -124,10 +124,10 @@ module SearchHelper
   def filters(asset)
     return if !asset
     klass = asset_class(asset)
-    content_tag('div', klass::SEARCH_FILTERS.map do |name, options|
+    content_tag('div', safe_join(klass::SEARCH_FILTERS.map do |name, options|
       default = klass.respond_to?("default_search_#{name}") ? klass.send("default_search_#{name}".to_s) : nil
       select_filter(name, options, default)
-    end.join("\n"), :id => 'search-filters')
+    end, "\n"), :id => 'search-filters')
   end
  
   def assets_menu(selected)
@@ -137,11 +137,11 @@ module SearchHelper
     #     menu.
     assets.delete(:events)
     content_tag('ul',
-      assets.map do |asset|
+      safe_join(assets.map do |asset|
         options = {}
         options.merge!(:class => 'selected') if selected.to_s == asset.to_s
         content_tag('li', asset_link(asset), options)
-      end.join("\n"),
+      end, "\n"),
     :id => 'assets-menu')
   end
  
@@ -58,7 +58,7 @@ module TagsHelper
  
       if options[:show_count]
         display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : ""
-        link_to tag + display_count, destination, :style => style
+        link_to (tag + display_count).html_safe, destination, :style => style
       else
         link_to h(tag) , destination, :style => style,
           :title => n_( 'one item', '%d items', count ) % count
@@ -7,7 +7,7 @@ module TinymceHelper
     output += javascript_include_tag 'tinymce/js/tinymce/jquery.tinymce.min.js'
     output += javascript_include_tag 'tinymce.js'
     output += include_macro_js_files.to_s
-    output
+    output.html_safe
   end
  
   def tinymce_init_js options = {}
@@ -37,7 +37,7 @@ module TinymceHelper
     #cleanup non tinymce options
     options = options.except :mode
  
-    "noosfero.tinymce.init(#{options.to_json})"
+    "noosfero.tinymce.init(#{options.to_json})".html_safe
   end
  
   def menubar mode
 module UsersHelper
  
-  FILTER_TRANSLATION = {
+  def filter_translation
+    {
       'all_users' => _('All users'),
       'admin_users' => _('Admin users'),
       'activated_users' => _('Activated users'),
       'deactivated_users' => _('Deativated users'),
-  }
+    }
+  end
  
   def filter_selector(filter, float = 'right')
-    options = options_for_select(FILTER_TRANSLATION.map {|key, name| [name, key]}, :selected => filter)
+    options = options_for_select(filter_translation.map {|key, name| [name, key]}, :selected => filter)
     url_params = url_for(params.merge(:filter => 'FILTER'))
     onchange = "document.location.href = '#{url_params}'.replace('FILTER', this.value)"
     select_field = select_tag(:filter, options, :onchange => onchange)
@@ -19,7 +21,7 @@ module UsersHelper
   end
  
   def users_filter_title(filter)
-    FILTER_TRANSLATION[filter]
+    filter_translation[filter]
   end
  
 end
@@ -0,0 +1,14 @@
+class ActivitiesCounterCacheJob
+
+  def perform
+    person_activities_counts = ApplicationRecord.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= #{ApplicationRecord.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
+    organization_activities_counts = ApplicationRecord.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= #{ApplicationRecord.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
+    activities_counts = person_activities_counts.entries + organization_activities_counts.entries
+    activities_counts.each do |count|
+      update_sql = ApplicationRecord.__send__(:sanitize_sql, ["UPDATE profiles SET activities_count=? WHERE profiles.id=?;", count['count'].to_i, count['id'] ], '')
+      ApplicationRecord.connection.execute(update_sql)
+    end
+    Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now})
+  end
+
+end
@@ -0,0 +1,11 @@
+class CreateThumbnailsJob < Struct.new(:class_name, :file_id)
+  def perform
+    return unless class_name.constantize.exists?(file_id)
+    file = class_name.constantize.find(file_id)
+    file.create_thumbnails
+    article = Article.where(:image_id => file_id).first
+    if article
+      article.touch
+    end
+  end
+end
 class EnvironmentMailing < Mailing
  
+  settings_items :recipients_roles, :type => :array
+  attr_accessible :recipients_roles
+
   def recipients(offset=0, limit=100)
-    source.people.order(:id).offset(offset).limit(limit)
+    recipients_by_role.order(:id).offset(offset).limit(limit)
       .joins("LEFT OUTER JOIN mailing_sents m ON (m.mailing_id = #{id} AND m.person_id = profiles.id)")
       .where("m.person_id" => nil)
   end
  
+  def recipients_by_role
+    if recipients_roles.blank?
+      source.people
+    else
+      roles = Environment::Role.where("key in (?)", self.recipients_roles)
+      Person.by_role(roles).where(environment_id: self.source_id)
+    end
+  end
+
   def each_recipient
     offset = 0
     limit = 100
 require_dependency 'mailing_job'
  
-class Mailing < ActiveRecord::Base
+class Mailing < ApplicationRecord
  
   acts_as_having_settings :field => :data
  
-class AbuseReport < ActiveRecord::Base
+class AbuseReport < ApplicationRecord
  
   attr_accessible :content, :reason
  
-class ActionTrackerNotification < ActiveRecord::Base
+class ActionTrackerNotification < ApplicationRecord
  
   belongs_to :profile
   belongs_to :action_tracker, :class_name => 'ActionTracker::Record', :foreign_key => 'action_tracker_id'
@@ -29,16 +29,18 @@ class AddMember &lt; Task
   end
  
   def information
-    requestor_email = " (#{requestor.email})" if requestor.may_display_field_to?("email")
-
-    {:message => _("%{requestor}%{requestor_email} wants to be a member of '%{organization}'."),
-     variables: {requestor: requestor.name, requestor_email: requestor_email, organization: organization.name}}
+    {:message => _("%{requestor} wants to be a member of '%{target}'."),
+     variables: {requestor: requestor.name, target: target.name}}
   end
  
   def accept_details
     true
   end
  
+  def footer
+    true
+  end
+
   def icon
     {:type => :profile_image, :profile => requestor, :url => requestor.url}
   end
@@ -63,4 +65,15 @@ class AddMember &lt; Task
     suggestion.disable if suggestion
   end
  
+  def task_finished_message
+    _("You have been accepted at \"%{target}\" with the profile \"%{requestor}\"") %
+      {:target => self.target.name,
+       :requestor => self.requestor.name}
+  end
+
+  def task_cancelled_message
+    _("Your request to enter community \"%{target} with the profile \"%{requestor}\" was not accepted. Please contact any profile admin from %{url} for more information.") %
+    {:target => self.target.name, :url => self.target.url,
+     :requestor => self.requestor.name}
+  end
 end
@@ -0,0 +1,61 @@
+class ApplicationRecord < ActiveRecord::Base
+
+  self.abstract_class       = true
+  self.store_full_sti_class = true
+
+  # an ActionView instance for rendering views on models
+  def self.action_view
+    @action_view ||= begin
+      view_paths = ::ActionController::Base.view_paths
+      action_view = ::ActionView::Base.new view_paths
+      # for using Noosfero helpers inside render calls
+      action_view.extend ::ApplicationHelper
+      action_view
+    end
+  end
+
+  # default value needed for the above ActionView
+  def to_partial_path
+    self.class.name.underscore
+  end
+
+  alias :meta_cache_key :cache_key
+  def cache_key
+    key = [Noosfero::VERSION, meta_cache_key]
+    key.unshift ApplicationRecord.connection.schema_search_path
+    key.join('/')
+  end
+
+  def self.like_search(query, options={})
+    if defined?(self::SEARCHABLE_FIELDS) || options[:fields].present?
+      fields_per_table = {}
+      fields_per_table[table_name] = (options[:fields].present? ? options[:fields] : self::SEARCHABLE_FIELDS.keys.map(&:to_s)) & column_names
+
+      if options[:joins].present?
+        join_asset = options[:joins].to_s.classify.constantize
+        if defined?(join_asset::SEARCHABLE_FIELDS) || options[:fields].present?
+          fields_per_table[join_asset.table_name] = (options[:fields].present? ? options[:fields] : join_asset::SEARCHABLE_FIELDS.keys.map(&:to_s)) & join_asset.column_names
+        end
+      end
+
+      query = query.downcase.strip
+      fields_per_table.delete_if { |table,fields| fields.blank? }
+      conditions = fields_per_table.map do |table,fields|
+        fields.map do |field|
+          "lower(#{table}.#{field}) LIKE '%#{query}%'"
+        end.join(' OR ')
+      end.join(' OR ')
+
+      if options[:joins].present?
+        joins(options[:joins]).where(conditions)
+      else
+        where(conditions)
+      end
+
+    else
+      raise "No searchable fields defined for #{self.name}"
+    end
+  end
+
+end
+
@@ -86,7 +86,7 @@ class ApproveArticle &lt; Task
  
   def information
     if article
-      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.')}
+      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.').html_safe}
     else
       {:message => _("The article was removed.")}
     end
  
-class Article < ActiveRecord::Base
+class Article < ApplicationRecord
+
+  include SanitizeHelper
  
   attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent,
                   :allow_members_to_edit, :translation_of_id, :language,
@@ -54,6 +56,7 @@ class Article &lt; ActiveRecord::Base
   track_actions :create_article, :after_create, :keep_params => [:name, :url, :lead, :first_image], :if => Proc.new { |a| a.is_trackable? && !a.image? }
  
   # xss_terminate plugin can't sanitize array fields
+  # sanitize_tag_list is used with SanitizeHelper
   before_save :sanitize_tag_list
  
   before_create do |article|
@@ -601,7 +604,7 @@ class Article &lt; ActiveRecord::Base
   end
  
   def accept_category?(cat)
-    !cat.is_a?(ProductCategory)
+    true
   end
  
   def public?
@@ -803,11 +806,13 @@ class Article &lt; ActiveRecord::Base
   end
  
   def body_images_paths
-    Nokogiri::HTML.fragment(self.body.to_s).css('img[src]').collect do |i|
+    paths = Nokogiri::HTML.fragment(self.body.to_s).css('img[src]').collect do |i|
       src = i['src']
       src = URI.escape src if self.new_record? # xss_terminate runs on save
       (self.profile && self.profile.environment) ? URI.join(self.profile.environment.top_url, src).to_s : src
     end
+    paths.unshift(URI.join(self.profile.environment.top_url, self.image.public_filename).to_s) if self.image.present?
+    paths
   end
  
   def more_comments_label
@@ -859,6 +864,10 @@ class Article &lt; ActiveRecord::Base
     HashWithIndifferentAccess.new :name => name, :abstract => abstract, :body => body, :id => id, :parent_id => parent_id, :author => author
   end
  
+  def self.can_display_blocks?
+    true
+  end
+
   private
  
   def sanitize_tag_list
@@ -870,11 +879,6 @@ class Article &lt; ActiveRecord::Base
     tag_name.gsub(/[<>]/, '')
   end
  
-  def sanitize_html(text)
-    sanitizer = HTML::FullSanitizer.new
-    sanitizer.sanitize(text)
-  end
-
   def parent_archived?
      if self.parent_id_changed? && self.parent && self.parent.archived?
        errors.add(:parent_folder, N_('is archived!!'))
-class ArticleCategorization < ActiveRecord::Base
+class ArticleCategorization < ApplicationRecord
   self.table_name = :articles_categories
  
   belongs_to :article
-class ArticleFollower < ActiveRecord::Base
+class ArticleFollower < ApplicationRecord
  
   attr_accessible :article_id, :person_id
   belongs_to :article, :counter_cache => :followers_count
-class Block < ActiveRecord::Base
+class Block < ApplicationRecord
  
   attr_accessible :title, :subtitle, :display, :limit, :box_id, :posts_per_page,
                   :visualization_format, :language, :display_user,
@@ -76,6 +76,17 @@ class Block &lt; ActiveRecord::Base
     true
   end
  
+  def visible_to_user?(user)
+    visible = self.display_to_user?(user)
+    if self.owner.kind_of?(Profile)
+      visible &= self.owner.display_info_to?(user)
+      visible &= (self.visible? || user && user.has_permission?(:edit_profile_design, self.owner))
+    elsif self.owner.kind_of?(Environment)
+      visible &= (self.visible? || user && user.has_permission?(:edit_environment_design, self.owner))
+    end
+    visible
+  end
+
   def display_to_user?(user)
     display_user == 'all' || (user.nil? && display_user == 'not_logged') || (user && display_user == 'logged') || (user && display_user == 'followers' && user.follows?(owner))
   end
@@ -314,6 +325,14 @@ class Block &lt; ActiveRecord::Base
     self.observers << block
   end
  
+  def api_content
+    nil
+  end
+
+  def display_api_content_by_default?
+    false
+  end
+
   private
  
   def home_page_path
-class Box < ActiveRecord::Base
+class Box < ApplicationRecord
  
   acts_as_list scope: -> box { where owner_id: box.owner_id, owner_type: box.owner_type }
  
@@ -41,7 +41,6 @@ class Box &lt; ActiveRecord::Base
       ProfileImageBlock,
       RawHTMLBlock,
       RecentDocumentsBlock,
-      SellersSearchBlock,
       TagsBlock ]
   end
  
@@ -54,21 +53,17 @@ class Box &lt; ActiveRecord::Base
       EnterprisesBlock,
       FansBlock,
       FavoriteEnterprisesBlock,
-      FeaturedProductsBlock,
       FeedReaderBlock,
       HighlightsBlock,
       LinkListBlock,
       LocationBlock,
       LoginBlock,
       MyNetworkBlock,
-      ProductsBlock,
-      ProductCategoriesBlock,
       ProfileImageBlock,
       ProfileInfoBlock,
       ProfileSearchBlock,
       RawHTMLBlock,
       RecentDocumentsBlock,
-      SellersSearchBlock,
       SlideshowBlock,
       TagsBlock
     ]
-class Category < ActiveRecord::Base
+class Category < ApplicationRecord
  
   attr_accessible :name, :parent_id, :display_color, :display_in_menu, :image_builder, :environment, :parent
  
@@ -35,8 +35,6 @@ class Category &lt; ActiveRecord::Base
   has_many :people, :through => :profile_categorizations, :source => :profile, :class_name => 'Person'
   has_many :communities, :through => :profile_categorizations, :source => :profile, :class_name => 'Community'
  
-  has_many :products, :through => :enterprises
-
   acts_as_having_image
  
   before_save :normalize_display_color
@@ -64,10 +62,6 @@ class Category &lt; ActiveRecord::Base
     self.communities.reorder('created_at DESC, id DESC').paginate(page: 1, per_page: limit)
   end
  
-  def recent_products(limit = 10)
-    self.products.reorder('created_at DESC, id DESC').paginate(page: 1, per_page: limit)
-  end
-
   def recent_articles(limit = 10)
     self.articles.recent(limit)
   end
-class ChatMessage < ActiveRecord::Base
+class ChatMessage < ApplicationRecord
+
   attr_accessible :body, :from, :to
  
   belongs_to :to, :class_name => 'Profile'
-class Comment < ActiveRecord::Base
+class Comment < ApplicationRecord
  
   SEARCHABLE_FIELDS = {
     :title => {:label => _('Title'), :weight => 10},
@@ -2,6 +2,7 @@ class Community &lt; Organization
  
   attr_accessible :accessor_id, :accessor_type, :role_id, :resource_id, :resource_type
   attr_accessible :address_reference, :district, :tag_list, :language, :description
+  attr_accessible :requires_email
   after_destroy :check_invite_member_for_destroy
  
   def self.type_name
@@ -12,6 +13,9 @@ class Community &lt; Organization
   N_('Language')
  
   settings_items :language
+  settings_items :requires_email, :type => :boolean
+
+  alias_method :requires_email?, :requires_email
  
   extend SetProfileRegionFromCityState::ClassMethods
   set_profile_region_from_city_state
-class ContactList < ActiveRecord::Base
+class ContactList < ApplicationRecord
  
   serialize :list, Array
  
@@ -60,9 +60,9 @@ class CreateCommunity &lt; Task
  
   def information
     if description.blank?
-      { :message => _('%{requestor} wants to create community %{subject} with no description.') }
+      { :message => _('%{requestor} wants to create community %{subject} with no description.').html_safe }
     else
-      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>'),
+      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>').html_safe,
         :variables => {:description => description} }
     end
   end
@@ -163,7 +163,7 @@ class CreateEnterprise &lt; Task
   end
  
   def information
-    {:message => _('%{requestor} wants to create enterprise %{subject}.')}
+    {:message => _('%{requestor} wants to create enterprise %{subject}.').html_safe}
   end
  
   def reject_details
-class CustomField < ActiveRecord::Base
+class CustomField < ApplicationRecord
+
   attr_accessible :name, :default_value, :format, :extras, :customized_type, :active, :required, :signup, :environment, :moderation_task
   serialize :customized_type
   serialize :extras
-class CustomFieldValue < ActiveRecord::Base
+class CustomFieldValue < ApplicationRecord
+
   belongs_to :custom_field
   belongs_to :customized, :polymorphic => true
   attr_accessible :value, :public, :customized, :custom_field, :customized_type
@@ -17,7 +17,7 @@ class DocItem
       else
         match
       end
-    end
+    end.html_safe
   end
  
   private
 require 'noosfero/multi_tenancy'
  
-class Domain < ActiveRecord::Base
+class Domain < ApplicationRecord
  
   attr_accessible :name, :owner, :is_default
  
-class EmailTemplate < ActiveRecord::Base
+class EmailTemplate < ApplicationRecord
  
   belongs_to :owner, :polymorphic => true
  
-# An enterprise is a kind of organization. According to the system concept,
-# only enterprises can offer products and services.
 class Enterprise < Organization
  
-  attr_accessible :business_name, :address_reference, :district, :tag_list, :organization_website, :historic_and_current_context, :activities_short_description, :products_per_catalog_page
+  attr_accessible :business_name, :address_reference, :district, :tag_list,
+    :organization_website, :historic_and_current_context, :activities_short_description
  
   SEARCH_FILTERS = {
     :order => %w[more_recent more_popular more_active],
@@ -17,11 +16,6 @@ class Enterprise &lt; Organization
  
   acts_as_trackable after_add: proc{ |p, t| notify_activity t }
  
-  has_many :products, :foreign_key => :profile_id, :dependent => :destroy
-  has_many :product_categories, :through => :products
-  has_many :inputs, :through => :products
-  has_many :production_costs, :as => :owner
-
   has_many :favorite_enterprise_people
   has_many :fans, source: :person, through: :favorite_enterprise_people
  
@@ -29,10 +23,6 @@ class Enterprise &lt; Organization
  
   settings_items :organization_website, :historic_and_current_context, :activities_short_description
  
-  settings_items :products_per_catalog_page, :type => :integer, :default => 6
-  alias_method :products_per_catalog_page_before_type_cast, :products_per_catalog_page
-  validates_numericality_of :products_per_catalog_page, :allow_nil => true, :greater_than => 0
-
   extend SetProfileRegionFromCityState::ClassMethods
   set_profile_region_from_city_state
  
@@ -66,10 +56,6 @@ class Enterprise &lt; Organization
     environment ? environment.active_enterprise_fields : []
   end
  
-  def highlighted_products_with_image(options = {})
-    Product.where(:highlighted => true).joins(:image)
-  end
-
   def required_fields
     environment ? environment.required_enterprise_fields : []
   end
@@ -136,19 +122,14 @@ class Enterprise &lt; Organization
     links = [
       {:name => _("Enterprises's profile"), :address => '/profile/{profile}', :icon => 'ok'},
       {:name => _('Blog'), :address => '/{profile}/blog', :icon => 'edit'},
-      {:name => _('Products'), :address => '/catalog/{profile}', :icon => 'new'},
     ]
     blocks = [
       [MainBlock.new],
       [ ProfileImageBlock.new,
         LinkListBlock.new(:links => links),
-        ProductCategoriesBlock.new
       ],
       [LocationBlock.new]
     ]
-    if environment.enabled?('products_for_enterprises')
-      blocks[2].unshift ProductsBlock.new
-    end
     blocks
   end
  
@@ -189,14 +170,6 @@ class Enterprise &lt; Organization
     {:title => _('Enterprise Info and settings'), :icon => 'edit-profile-enterprise'}
   end
  
-  def create_product?
-    true
-  end
-
-  def catalog_url
-    { :profile => identifier, :controller => 'catalog'}
-  end
-
   def more_recent_label
     ''
   end
@@ -205,5 +178,4 @@ class Enterprise &lt; Organization
     super or self.fans.where(id: person.id).count > 0
   end
  
-
 end
 # A Environment is like a website to be hosted in the platform. It may
 # contain multiple Profile's and can be identified by several different
 # domains.
-class Environment < ActiveRecord::Base
+class Environment < ApplicationRecord
  
   attr_accessible :name, :is_default, :signup_welcome_text_subject,
                   :signup_welcome_text_body, :terms_of_use,
@@ -13,7 +13,9 @@ class Environment &lt; ActiveRecord::Base
                   :reports_lower_bound, :noreply_email,
                   :signup_welcome_screen_body, :members_whitelist_enabled,
                   :members_whitelist, :highlighted_news_amount,
-                  :portal_news_amount, :date_format, :signup_intro
+                  :portal_news_amount, :date_format, :signup_intro,
+                  :enable_feed_proxy, :http_feed_proxy, :https_feed_proxy,
+                  :disable_feed_ssl
  
   has_many :users
  
@@ -126,7 +128,6 @@ class Environment &lt; ActiveRecord::Base
       'disable_asset_enterprises' => _('Disable search for enterprises'),
       'disable_asset_people' => _('Disable search for people'),
       'disable_asset_communities' => _('Disable search for communities'),
-      'disable_asset_products' => _('Disable search for products'),
       'disable_asset_events' => _('Disable search for events'),
       'disable_categories' => _('Disable categories'),
       'disable_header_and_footer' => _('Disable header/footer editing by users'),
@@ -137,7 +138,6 @@ class Environment &lt; ActiveRecord::Base
       'disable_contact_community' => _('Disable contact for groups/communities'),
       'forbid_destroy_profile' => _('Forbid users of removing profiles'),
  
-      'products_for_enterprises' => _('Enable products for enterprises'),
       'enterprise_registration' => _('Enterprise registration'),
       'enterprise_activation' => _('Enable activation of enterprises'),
       'enterprises_are_disabled_when_created' => _('Enterprises are disabled when created'),
@@ -224,7 +224,6 @@ class Environment &lt; ActiveRecord::Base
  
   has_many :organizations
   has_many :enterprises
-  has_many :products, :through => :enterprises
   has_many :people
   has_many :communities
   has_many :licenses
@@ -234,23 +233,16 @@ class Environment &lt; ActiveRecord::Base
     order('display_color').where('display_color is not null and parent_id is null')
   }, class_name: 'Category'
  
-  has_many :product_categories, -> { where type: 'ProductCategory'}
   has_many :regions
   has_many :states
   has_many :cities
  
   has_many :roles, :dependent => :destroy
  
-  has_many :qualifiers
-  has_many :certifiers
-
   has_many :mailings, :class_name => 'EnvironmentMailing', :foreign_key => :source_id, :as => 'source'
  
   acts_as_accessible
  
-  has_many :units, -> { order 'position' }
-  has_many :production_costs, :as => :owner
-
   def superior_intances
     [self, nil]
   end
@@ -439,9 +431,7 @@ class Environment &lt; ActiveRecord::Base
   end
  
   DEFAULT_FEATURES = %w(
-    disable_asset_products
     disable_gender_icon
-    products_for_enterprises
     disable_select_city_for_contact
     enterprise_registration
     media_panel
@@ -729,7 +719,7 @@ class Environment &lt; ActiveRecord::Base
     url << (Noosfero.url_options.key?(:host) ? Noosfero.url_options[:host] : default_hostname)
     url << ':' << Noosfero.url_options[:port].to_s if Noosfero.url_options.key?(:port)
     url << Noosfero.root('')
-    url
+    url.html_safe
   end
  
   def to_s
@@ -966,10 +956,6 @@ class Environment &lt; ActiveRecord::Base
     end
   end
  
-  def highlighted_products_with_image(options = {})
-    self.products.where(highlighted: true).joins(:image).order('created_at ASC')
-  end
-
   settings_items :home_cache_in_minutes, :type => :integer, :default => 5
   settings_items :general_cache_in_minutes, :type => :integer, :default => 15
   settings_items :profile_cache_in_minutes, :type => :integer, :default => 15
...	...	@@ -30,14 +30,47 @@ integration:
30	30	script: bundle exec rake test:integration
31	31	stage: all-tests
32	32
33		-cucumber:
34		- script: bundle exec rake cucumber
	33	+cucumber-1:
	34	+ script: SLICE=1/2 bundle exec rake cucumber
	35	+ stage: all-tests
	36	+cucumber-2:
	37	+ script: SLICE=2/2 bundle exec rake cucumber
35	38	stage: all-tests
36	39
37		-selenium:
38		- script: bundle exec rake selenium
	40	+selenium-1:
	41	+ script: SLICE=1/6 bundle exec rake selenium
	42	+ stage: all-tests
	43	+selenium-2:
	44	+ script: SLICE=2/6 bundle exec rake selenium
	45	+ stage: all-tests
	46	+selenium-3:
	47	+ script: SLICE=3/6 bundle exec rake selenium
	48	+ stage: all-tests
	49	+selenium-4:
	50	+ script: SLICE=4/6 bundle exec rake selenium
	51	+ stage: all-tests
	52	+selenium-5:
	53	+ script: SLICE=5/6 bundle exec rake selenium
	54	+ stage: all-tests
	55	+selenium-6:
	56	+ script: SLICE=6/6 bundle exec rake selenium
39	57	stage: all-tests
40	58
41		-plugins:
42		- script: bundle exec rake test:noosfero_plugins
	59	+# NOOSFERO_BUNDLE_OPTS=install makes migrations fails
	60	+# probably because of rubygems-integration
	61	+plugins-1:
	62	+ script: SLICE=1/5 bundle exec rake test:noosfero_plugins
43	63	stage: all-tests
	64	+plugins-2:
	65	+ script: SLICE=2/5 bundle exec rake test:noosfero_plugins
	66	+ stage: all-tests
	67	+plugins-3:
	68	+ script: SLICE=3/5 bundle exec rake test:noosfero_plugins
	69	+ stage: all-tests
	70	+plugins-4:
	71	+ script: SLICE=4/5 bundle exec rake test:noosfero_plugins
	72	+ stage: all-tests
	73	+plugins-5:
	74	+ script: SLICE=5/5 bundle exec rake test:noosfero_plugins
	75	+ stage: all-tests
	76	+
...	...
...	...	@@ -6,15 +6,19 @@ notifications:
6	6	template:
7	7	- "%{repository_slug} %{branch} %{commit} %{commit_subject} - %{result} %{build_url}"
8	8
9		-# trusty constainers take more time to start
10		-#dist: trusty
	9	+# Ensure Container-based environment, as others can have some random failures
	10	+# specially with different Firefox versions and selenium tests.
	11	+# E.g. https://travis-ci.org/noosfero/noosfero/jobs/122918772#L1308
	12	+#
	13	+# Also container-based environments have the fatest boot times and
	14	+# are the only one with cache available for public projects.
	15	+# See https://docs.travis-ci.com/user/ci-environment/#Virtualization-environments
	16	+sudo: false
	17	+cache: bundler
11	18
12	19	language: ruby
13	20	rvm:
14		- - 2.2
15		- # ruby 2.3 works but isn't stable on travis
16		-
17		-cache: bundler
	21	+ - 2.3.1
18	22
19	23	addons:
20	24	apt:
...	...	@@ -25,11 +29,6 @@ addons:
25	29	paths:
26	30	- $(ls tmp/artifact* \| tr "\n" ":")
27	31
28		-# workaround for https://github.com/travis-ci/travis-ci/issues/4536
29		-before_install:
30		- - export GEM_HOME=$PWD/vendor/bundle/ruby/2.2.0
31		- - gem install bundler
32		-
33	32	before_script:
34	33	- mkdir -p tmp/{pids,cache} log cache
35	34	- script/noosfero-plugins disableall
...	...	@@ -41,21 +40,36 @@ before_script:
41	40	- bundle exec rake db:migrate &>/dev/null
42	41
43	42	env:
44		- - TASK=test:api
45		- - TASK=test:units
46		- - TASK=test:functionals
47		- - TASK=test:integration
48		- - SLICE=1/2 TASK=cucumber LANG=en
49		- - SLICE=2/2 TASK=cucumber LANG=en
50		- - SLICE=1/4 TASK=selenium
51		- - SLICE=2/4 TASK=selenium
52		- - SLICE=3/4 TASK=selenium
53		- - SLICE=4/4 TASK=selenium
54		- - SLICE=1/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
55		- - SLICE=2/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
56		- - SLICE=3/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
57		- - SLICE=4/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
58		- - SLICE=5/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
	43	+ global:
	44	+ - LANG=en
	45	+ matrix:
	46	+ - TASK=test:api
	47	+ - TASK=test:units
	48	+ - TASK=test:functionals
	49	+ - TASK=test:integration
	50	+ - SLICE=1/2 TASK=cucumber
	51	+ - SLICE=2/2 TASK=cucumber
	52	+ - SLICE=1/4 TASK=selenium
	53	+ - SLICE=2/4 TASK=selenium
	54	+ - SLICE=3/4 TASK=selenium
	55	+ - SLICE=4/4 TASK=selenium
	56	+ - SLICE=1/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
	57	+ - SLICE=2/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
	58	+ - SLICE=3/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
	59	+ - SLICE=4/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
	60	+ - SLICE=5/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
	61	+ # chrome hanging on travis
	62	+ #- SLICE=1/4 TASK=selenium SELENIUM_DRIVER=chrome
	63	+ #- SLICE=2/4 TASK=selenium SELENIUM_DRIVER=chrome
	64	+ #- SLICE=3/4 TASK=selenium SELENIUM_DRIVER=chrome
	65	+ #- SLICE=4/4 TASK=selenium SELENIUM_DRIVER=chrome
	66	+
	67	+matrix:
	68	+ allow_failures:
	69	+ - env: SLICE=1/4 TASK=selenium SELENIUM_DRIVER=chrome
	70	+ - env: SLICE=2/4 TASK=selenium SELENIUM_DRIVER=chrome
	71	+ - env: SLICE=3/4 TASK=selenium SELENIUM_DRIVER=chrome
	72	+ - env: SLICE=4/4 TASK=selenium SELENIUM_DRIVER=chrome
59	73
60	74	script:
61	75	- bundle exec rake $TASK
...	...
...	...	@@ -77,6 +77,7 @@ group :cucumber do
77	77	gem 'cucumber-rails', '~> 1.4.2', :require => false
78	78	gem 'database_cleaner', '~> 1.3'
79	79	gem 'selenium-webdriver', '>= 2.50'
	80	+ gem 'chromedriver-helper' if ENV['SELENIUM_DRIVER'] == 'chrome'
80	81	end
81	82
82	83	# Requires custom dependencies
...	...
...	...	@@ -19,7 +19,6 @@ Install the RPAF apache module (or skip this step if not using apache):
19	19
20	20	3a) Edit `/etc/apache2/ports.conf`, and:
21	21
22		- * change `NameVirtualHost :80` to `NameVirtualHost :8080`
23	22	* change `Listen 80` to `Listen 127.0.0.1:8080`
24	23
25	24	3b) Edit `/etc/apache2/sites-enabled/`, and change `<VirtualHost :80>` to `<VirtualHost *:8080>`
...	...	@@ -30,6 +29,7 @@ Install the RPAF apache module (or skip this step if not using apache):
30	29
31	30	* change the line that says `START=no` to say `START=yes`
32	31	* change `-a :6081` to `-a :80`
	32	+ * add parameter `-p vcc_allow_inline_c=on` on `DAEMON_OPTS`
33	33
34	34	4b) Edit `/etc/varnish/default.vcl` and add the following lines at the end:
35	35
...	...
...	...	@@ -99,7 +99,7 @@ Description of contents
99	99	Holds controllers that should be named like weblog_controller.rb for automated URL mapping. All controllers should descend from `ActionController::Base`.
100	100
101	101	* `app/models`
102		- Holds models that should be named like post.rb. Most models will descend from `ActiveRecord::Base`.
	102	+ Holds models that should be named like post.rb. Most models will descend from `ApplicationRecord`.
103	103
104	104	* `app/views`
105	105	Holds the template files for the view that should be named like `weblog/index.rhtml` for the `WeblogController#index` action. All views use eRuby syntax. This directory can also be used to keep stylesheets, images, and so on that can be symlinked to public.
...	...
...	...	@@ -0,0 +1,89 @@
	1	+require_dependency 'api/helpers'
	2	+
	3	+module Api
	4	+ class App < Grape::API
	5	+ use Rack::JSONP
	6	+
	7	+ logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] \|\| 'production'}_api.log"))
	8	+ logger.formatter = GrapeLogging::Formatters::Default.new
	9	+ #use GrapeLogging::Middleware::RequestLogger, { logger: logger }
	10	+
	11	+ rescue_from :all do \|e\|
	12	+ logger.error e
	13	+ error! e.message, 500
	14	+ end unless Rails.env.test?
	15	+
	16	+ @@NOOSFERO_CONF = nil
	17	+ def self.NOOSFERO_CONF
	18	+ if @@NOOSFERO_CONF
	19	+ @@NOOSFERO_CONF
	20	+ else
	21	+ file = Rails.root.join('config', 'noosfero.yml')
	22	+ @@NOOSFERO_CONF = File.exists?(file) ? YAML.load_file(file)[Rails.env] \|\| {} : {}
	23	+ end
	24	+ end
	25	+
	26	+ before { set_locale }
	27	+ before { setup_multitenancy }
	28	+ before { detect_stuff_by_domain }
	29	+ before { filter_disabled_plugins_endpoints }
	30	+ before { init_noosfero_plugins }
	31	+ after { set_session_cookie }
	32	+
	33	+ version 'v1'
	34	+ prefix [ENV['RAILS_RELATIVE_URL_ROOT'], "api"].compact.join('/')
	35	+ format :json
	36	+ content_type :txt, "text/plain"
	37	+
	38	+ helpers Helpers
	39	+
	40	+ mount V1::Session
	41	+ mount V1::Articles
	42	+ mount V1::Comments
	43	+ mount V1::Users
	44	+ mount V1::Communities
	45	+ mount V1::People
	46	+ mount V1::Enterprises
	47	+ mount V1::Categories
	48	+ mount V1::Tasks
	49	+ mount V1::Tags
	50	+ mount V1::Environments
	51	+ mount V1::Search
	52	+ mount V1::Contacts
	53	+ mount V1::Boxes
	54	+ mount V1::Blocks
	55	+ mount V1::Profiles
	56	+ mount V1::Activities
	57	+
	58	+ # hook point which allow plugins to add Grape::API extensions to Api::App
	59	+ #finds for plugins which has api mount points classes defined (the class should extends Grape::API)
	60	+ @plugins = Noosfero::Plugin.all.map { \|p\| p.constantize }
	61	+ @plugins.each do \|klass\|
	62	+ if klass.public_methods.include? :api_mount_points
	63	+ klass.api_mount_points.each do \|mount_class\|
	64	+ mount mount_class if mount_class && ( mount_class < Grape::API )
	65	+ end
	66	+ end
	67	+ end
	68	+
	69	+ def self.endpoint_unavailable?(endpoint, environment)
	70	+ api_class = endpoint.options[:app] \|\| endpoint.options[:for]
	71	+ if api_class.present?
	72	+ klass = api_class.name.deconstantize.constantize
	73	+ return klass < Noosfero::Plugin && !environment.plugin_enabled?(klass)
	74	+ end
	75	+ end
	76	+
	77	+ class << self
	78	+ def endpoints_with_plugins(environment = nil)
	79	+ if environment.present?
	80	+ cloned_endpoints = endpoints_without_plugins.dup
	81	+ cloned_endpoints.delete_if { \|endpoint\| endpoint_unavailable?(endpoint, environment) }
	82	+ else
	83	+ endpoints_without_plugins
	84	+ end
	85	+ end
	86	+ alias_method_chain :endpoints, :plugins
	87	+ end
	88	+ end
	89	+end
...	...
...	...	@@ -0,0 +1,269 @@
	1	+module Api
	2	+ module Entities
	3	+
	4	+ Entity.format_with :timestamp do \|date\|
	5	+ date.strftime('%Y/%m/%d %H:%M:%S') if date
	6	+ end
	7	+
	8	+ PERMISSIONS = {
	9	+ :admin => 0,
	10	+ :self => 10,
	11	+ :private_content => 20,
	12	+ :logged_user => 30,
	13	+ :anonymous => 40
	14	+ }
	15	+
	16	+ def self.can_display_profile_field? profile, options, permission_options={}
	17	+ permissions={:field => "", :permission => :private_content}
	18	+ permissions.merge!(permission_options)
	19	+ field = permissions[:field]
	20	+ permission = permissions[:permission]
	21	+ return true if profile.public? && profile.public_fields.map{\|f\| f.to_sym}.include?(field.to_sym)
	22	+
	23	+ current_person = options[:current_person]
	24	+
	25	+ current_permission = if current_person.present?
	26	+ if current_person.is_admin?
	27	+ :admin
	28	+ elsif current_person == profile
	29	+ :self
	30	+ elsif profile.display_private_info_to?(current_person)
	31	+ :private_content
	32	+ else
	33	+ :logged_user
	34	+ end
	35	+ else
	36	+ :anonymous
	37	+ end
	38	+ PERMISSIONS[current_permission] <= PERMISSIONS[permission]
	39	+ end
	40	+
	41	+ class Image < Entity
	42	+ root 'images', 'image'
	43	+
	44	+ expose :url do \|image, options\|
	45	+ image.public_filename
	46	+ end
	47	+
	48	+ expose :icon_url do \|image, options\|
	49	+ image.public_filename(:icon)
	50	+ end
	51	+
	52	+ expose :minor_url do \|image, options\|
	53	+ image.public_filename(:minor)
	54	+ end
	55	+
	56	+ expose :portrait_url do \|image, options\|
	57	+ image.public_filename(:portrait)
	58	+ end
	59	+
	60	+ expose :thumb_url do \|image, options\|
	61	+ image.public_filename(:thumb)
	62	+ end
	63	+ end
	64	+
	65	+ class CategoryBase < Entity
	66	+ root 'categories', 'category'
	67	+ expose :name, :id, :slug
	68	+ end
	69	+
	70	+ class Category < CategoryBase
	71	+ root 'categories', 'category'
	72	+ expose :full_name do \|category, options\|
	73	+ category.full_name
	74	+ end
	75	+ expose :parent, :using => CategoryBase, if: { parent: true }
	76	+ expose :children, :using => CategoryBase, if: { children: true }
	77	+ expose :image, :using => Image
	78	+ expose :display_color
	79	+ end
	80	+
	81	+ class Region < Category
	82	+ root 'regions', 'region'
	83	+ expose :parent_id
	84	+ end
	85	+
	86	+ class Block < Entity
	87	+ root 'blocks', 'block'
	88	+ expose :id, :type, :settings, :position, :enabled
	89	+ expose :mirror, :mirror_block_id, :title
	90	+ expose :api_content, if: lambda { \|object, options\| options[:display_api_content] \|\| object.display_api_content_by_default? }
	91	+ end
	92	+
	93	+ class Box < Entity
	94	+ root 'boxes', 'box'
	95	+ expose :id, :position
	96	+ expose :blocks, :using => Block do \|box, options\|
	97	+ box.blocks.select {\|block\| block.visible_to_user?(options[:current_person]) }
	98	+ end
	99	+ end
	100	+
	101	+ class Profile < Entity
	102	+ expose :identifier, :name, :id
	103	+ expose :created_at, :format_with => :timestamp
	104	+ expose :updated_at, :format_with => :timestamp
	105	+ expose :additional_data do \|profile, options\|
	106	+ hash ={}
	107	+ profile.public_values.each do \|value\|
	108	+ hash[value.custom_field.name]=value.value
	109	+ end
	110	+
	111	+ private_values = profile.custom_field_values - profile.public_values
	112	+ private_values.each do \|value\|
	113	+ if Entities.can_display_profile_field?(profile,options)
	114	+ hash[value.custom_field.name]=value.value
	115	+ end
	116	+ end
	117	+ hash
	118	+ end
	119	+ expose :image, :using => Image
	120	+ expose :region, :using => Region
	121	+ expose :type
	122	+ expose :custom_header
	123	+ expose :custom_footer
	124	+ end
	125	+
	126	+ class UserBasic < Entity
	127	+ expose :id
	128	+ expose :login
	129	+ end
	130	+
	131	+ class Person < Profile
	132	+ root 'people', 'person'
	133	+ expose :user, :using => UserBasic, documentation: {type: 'User', desc: 'The user data of a person' }
	134	+ expose :vote_count
	135	+ expose :comments_count do \|person, options\|
	136	+ person.comments.count
	137	+ end
	138	+ expose :following_articles_count do \|person, options\|
	139	+ person.following_articles.count
	140	+ end
	141	+ expose :articles_count do \|person, options\|
	142	+ person.articles.count
	143	+ end
	144	+ end
	145	+
	146	+ class Enterprise < Profile
	147	+ root 'enterprises', 'enterprise'
	148	+ end
	149	+
	150	+ class Community < Profile
	151	+ root 'communities', 'community'
	152	+ expose :description
	153	+ expose :admins, :if => lambda { \|community, options\| community.display_info_to? options[:current_person]} do \|community, options\|
	154	+ community.admins.map{\|admin\| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
	155	+ end
	156	+ expose :categories, :using => Category
	157	+ expose :members, :using => Person , :if => lambda{ \|community, options\| community.display_info_to? options[:current_person] }
	158	+ end
	159	+
	160	+ class CommentBase < Entity
	161	+ expose :body, :title, :id
	162	+ expose :created_at, :format_with => :timestamp
	163	+ expose :author, :using => Profile
	164	+ expose :reply_of, :using => CommentBase
	165	+ end
	166	+
	167	+ class Comment < CommentBase
	168	+ root 'comments', 'comment'
	169	+ expose :children, as: :replies, :using => Comment
	170	+ end
	171	+
	172	+ class ArticleBase < Entity
	173	+ root 'articles', 'article'
	174	+ expose :id
	175	+ expose :body
	176	+ expose :abstract, documentation: {type: 'String', desc: 'Teaser of the body'}
	177	+ expose :created_at, :format_with => :timestamp
	178	+ expose :updated_at, :format_with => :timestamp
	179	+ expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
	180	+ expose :created_by, :as => :author, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile author that create the article'}
	181	+ expose :profile, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile associated with the article'}
	182	+ expose :categories, :using => Category
	183	+ expose :image, :using => Image
	184	+ expose :votes_for
	185	+ expose :votes_against
	186	+ expose :setting
	187	+ expose :position
	188	+ expose :hits
	189	+ expose :start_date
	190	+ expose :end_date, :documentation => {type: 'DateTime', desc: 'The date of finish of the article'}
	191	+ expose :tag_list
	192	+ expose :children_count
	193	+ expose :slug, :documentation => {:type => "String", :desc => "Trimmed and parsed name of a article"}
	194	+ expose :path
	195	+ expose :followers_count
	196	+ expose :votes_count
	197	+ expose :comments_count
	198	+ expose :archived, :documentation => {:type => "Boolean", :desc => "Defines if a article is readonly"}
	199	+ expose :type
	200	+ expose :comments, using: CommentBase, :if => lambda{\|obj,opt\| opt[:params] && ['1','true',true].include?(opt[:params][:show_comments])}
	201	+ expose :published
	202	+ expose :accept_comments?, as: :accept_comments
	203	+ end
	204	+
	205	+ class Article < ArticleBase
	206	+ root 'articles', 'article'
	207	+ expose :parent, :using => ArticleBase
	208	+ expose :children, :using => ArticleBase do \|article, options\|
	209	+ article.children.published.limit(V1::Articles::MAX_PER_PAGE)
	210	+ end
	211	+ end
	212	+
	213	+ class User < Entity
	214	+ root 'users', 'user'
	215	+
	216	+ attrs = [:id,:login,:email,:activated?]
	217	+ aliases = {:activated? => :activated}
	218	+
	219	+ attrs.each do \|attribute\|
	220	+ name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
	221	+ expose attribute, :as => name, :if => lambda{\|user,options\| Entities.can_display_profile_field?(user.person, options, {:field => attribute})}
	222	+ end
	223	+
	224	+ expose :person, :using => Person, :if => lambda{\|user,options\| user.person.display_info_to? options[:current_person]}
	225	+ expose :permissions, :if => lambda{\|user,options\| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do \|user, options\|
	226	+ output = {}
	227	+ user.person.role_assignments.map do \|role_assigment\|
	228	+ if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
	229	+ output[role_assigment.resource.identifier] = role_assigment.role.permissions
	230	+ end
	231	+ end
	232	+ output
	233	+ end
	234	+ end
	235	+
	236	+ class UserLogin < User
	237	+ root 'users', 'user'
	238	+ expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}, if: lambda {\|object, options\| object.activated? }
	239	+ end
	240	+
	241	+ class Task < Entity
	242	+ root 'tasks', 'task'
	243	+ expose :id
	244	+ expose :type
	245	+ end
	246	+
	247	+ class Environment < Entity
	248	+ expose :name
	249	+ expose :id
	250	+ expose :description
	251	+ expose :settings, if: lambda { \|instance, options\| options[:is_admin] }
	252	+ end
	253	+
	254	+ class Tag < Entity
	255	+ root 'tags', 'tag'
	256	+ expose :name
	257	+ end
	258	+
	259	+ class Activity < Entity
	260	+ root 'activities', 'activity'
	261	+ expose :id, :params, :verb, :created_at, :updated_at, :comments_count, :visible
	262	+ expose :user, :using => Profile
	263	+ expose :target do \|activity, opts\|
	264	+ type_map = {Profile => ::Profile, ArticleBase => ::Article}.find {\|h\| activity.target.kind_of?(h.last)}
	265	+ type_map.first.represent(activity.target) unless type_map.nil?
	266	+ end
	267	+ end
	268	+ end
	269	+end
...	...
...	...	@@ -0,0 +1,27 @@
	1	+module Api
	2	+ class Entity < Grape::Entity
	3	+
	4	+ def initialize(object, options = {})
	5	+ object = nil if object.is_a? Exception
	6	+ super object, options
	7	+ end
	8	+
	9	+ def self.represent(objects, options = {})
	10	+ if options[:has_exception]
	11	+ data = super objects, options.merge(is_inner_data: true)
	12	+ if objects.is_a? Exception
	13	+ data.merge ok: false, error: {
	14	+ type: objects.class.name,
	15	+ message: objects.message
	16	+ }
	17	+ else
	18	+ data = data.serializable_hash if data.is_a? Entity
	19	+ data.merge ok: true, error: { type: 'Success', message: '' }
	20	+ end
	21	+ else
	22	+ super objects, options
	23	+ end
	24	+ end
	25	+
	26	+ end
	27	+end
...	...
...	...	@@ -0,0 +1,421 @@
	1	+require 'base64'
	2	+require 'tempfile'
	3	+
	4	+module Api
	5	+ module Helpers
	6	+ PRIVATE_TOKEN_PARAM = :private_token
	7	+ DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived]
	8	+
	9	+ include SanitizeParams
	10	+ include Noosfero::Plugin::HotSpot
	11	+ include ForgotPasswordHelper
	12	+ include SearchTermHelper
	13	+
	14	+ def set_locale
	15	+ I18n.locale = (params[:lang] \|\| request.env['HTTP_ACCEPT_LANGUAGE'] \|\| 'en')
	16	+ end
	17	+
	18	+ def init_noosfero_plugins
	19	+ plugins
	20	+ end
	21	+
	22	+ def current_user
	23	+ private_token = (params[PRIVATE_TOKEN_PARAM] \|\| headers['Private-Token']).to_s
	24	+ @current_user \|\|= User.find_by private_token: private_token
	25	+ @current_user \|\|= plugins.dispatch("api_custom_login", request).first
	26	+ @current_user
	27	+ end
	28	+
	29	+ def current_person
	30	+ current_user.person unless current_user.nil?
	31	+ end
	32	+
	33	+ def is_admin?(environment)
	34	+ return false unless current_user
	35	+ return current_person.is_admin?(environment)
	36	+ end
	37	+
	38	+ def logout
	39	+ @current_user = nil
	40	+ end
	41	+
	42	+ def environment
	43	+ @environment
	44	+ end
	45	+
	46	+ def present_partial(model, options)
	47	+ if(params[:fields].present?)
	48	+ begin
	49	+ fields = JSON.parse(params[:fields])
	50	+ if fields.present?
	51	+ options.merge!(fields.symbolize_keys.slice(:only, :except))
	52	+ end
	53	+ rescue
	54	+ fields = params[:fields]
	55	+ fields = fields.split(',') if fields.kind_of?(String)
	56	+ options[:only] = Array.wrap(fields)
	57	+ end
	58	+ end
	59	+ present model, options
	60	+ end
	61	+
	62	+ include FindByContents
	63	+
	64	+ ####################################################################
	65	+ #### SEARCH
	66	+ ####################################################################
	67	+ def multiple_search?(searches=nil)
	68	+ ['index', 'category_index'].include?(params[:action]) \|\| (searches && searches.size > 1)
	69	+ end
	70	+ ####################################################################
	71	+
	72	+ def logger
	73	+ logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] \|\| 'production'}_api.log"))
	74	+ logger.formatter = GrapeLogging::Formatters::Default.new
	75	+ logger
	76	+ end
	77	+
	78	+ def limit
	79	+ limit = params[:limit].to_i
	80	+ limit = default_limit if limit <= 0
	81	+ limit
	82	+ end
	83	+
	84	+ def period(from_date, until_date)
	85	+ return nil if from_date.nil? && until_date.nil?
	86	+
	87	+ begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
	88	+ end_period = until_date.nil? ? DateTime.now : until_date
	89	+
	90	+ begin_period..end_period
	91	+ end
	92	+
	93	+ def parse_content_type(content_type)
	94	+ return nil if content_type.blank?
	95	+ content_type.split(',').map do \|content_type\|
	96	+ content_type.camelcase
	97	+ end
	98	+ end
	99	+
	100	+ def find_article(articles, id)
	101	+ article = articles.find(id)
	102	+ article.display_to?(current_person) ? article : forbidden!
	103	+ end
	104	+
	105	+ def post_article(asset, params)
	106	+ return forbidden! unless current_person.can_post_content?(asset)
	107	+
	108	+ klass_type = params[:content_type] \|\| params[:article].delete(:type) \|\| TinyMceArticle.name
	109	+ return forbidden! unless klass_type.constantize <= Article
	110	+
	111	+ article = klass_type.constantize.new(params[:article])
	112	+ article.last_changed_by = current_person
	113	+ article.created_by= current_person
	114	+ article.profile = asset
	115	+
	116	+ if !article.save
	117	+ render_api_errors!(article.errors.full_messages)
	118	+ end
	119	+ present_partial article, :with => Entities::Article
	120	+ end
	121	+
	122	+ def present_article(asset)
	123	+ article = find_article(asset.articles, params[:id])
	124	+ present_partial article, :with => Entities::Article, :params => params
	125	+ end
	126	+
	127	+ def present_articles_for_asset(asset, method = 'articles')
	128	+ articles = find_articles(asset, method)
	129	+ present_articles(articles)
	130	+ end
	131	+
	132	+ def present_articles(articles)
	133	+ present_partial paginate(articles), :with => Entities::Article, :params => params
	134	+ end
	135	+
	136	+ def find_articles(asset, method = 'articles')
	137	+ articles = select_filtered_collection_of(asset, method, params)
	138	+ if current_person.present?
	139	+ articles = articles.display_filter(current_person, nil)
	140	+ else
	141	+ articles = articles.published
	142	+ end
	143	+ articles
	144	+ end
	145	+
	146	+ def find_task(asset, id)
	147	+ task = asset.tasks.find(id)
	148	+ current_person.has_permission?(task.permission, asset) ? task : forbidden!
	149	+ end
	150	+
	151	+ def post_task(asset, params)
	152	+ klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
	153	+ return forbidden! unless klass_type.constantize <= Task
	154	+
	155	+ task = klass_type.constantize.new(params[:task])
	156	+ task.requestor_id = current_person.id
	157	+ task.target_id = asset.id
	158	+ task.target_type = 'Profile'
	159	+
	160	+ if !task.save
	161	+ render_api_errors!(task.errors.full_messages)
	162	+ end
	163	+ present_partial task, :with => Entities::Task
	164	+ end
	165	+
	166	+ def present_task(asset)
	167	+ task = find_task(asset, params[:id])
	168	+ present_partial task, :with => Entities::Task
	169	+ end
	170	+
	171	+ def present_tasks(asset)
	172	+ tasks = select_filtered_collection_of(asset, 'tasks', params)
	173	+ tasks = tasks.select {\|t\| current_person.has_permission?(t.permission, asset)}
	174	+ return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
	175	+ present_partial tasks, :with => Entities::Task
	176	+ end
	177	+
	178	+ def make_conditions_with_parameter(params = {})
	179	+ parsed_params = parser_params(params)
	180	+ conditions = {}
	181	+ from_date = DateTime.parse(parsed_params.delete(:from)) if parsed_params[:from]
	182	+ until_date = DateTime.parse(parsed_params.delete(:until)) if parsed_params[:until]
	183	+
	184	+ conditions[:type] = parse_content_type(parsed_params.delete(:content_type)) unless parsed_params[:content_type].nil?
	185	+
	186	+ conditions[:created_at] = period(from_date, until_date) if from_date \|\| until_date
	187	+ conditions.merge!(parsed_params)
	188	+
	189	+ conditions
	190	+ end
	191	+
	192	+ # changing make_order_with_parameters to avoid sql injection
	193	+ def make_order_with_parameters(object, method, params)
	194	+ order = "created_at DESC"
	195	+ unless params[:order].blank?
	196	+ if params[:order].include? '\'' or params[:order].include? '"'
	197	+ order = "created_at DESC"
	198	+ elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
	199	+ order = 'RANDOM()'
	200	+ else
	201	+ field_name, direction = params[:order].split(' ')
	202	+ assoc = object.class.reflect_on_association(method.to_sym)
	203	+ if !field_name.blank? and assoc
	204	+ if assoc.klass.attribute_names.include? field_name
	205	+ if direction.present? and ['ASC','DESC'].include? direction.upcase
	206	+ order = "#{field_name} #{direction.upcase}"
	207	+ end
	208	+ end
	209	+ end
	210	+ end
	211	+ end
	212	+ return order
	213	+ end
	214	+
	215	+ def make_timestamp_with_parameters_and_method(params, method)
	216	+ timestamp = nil
	217	+ if params[:timestamp]
	218	+ datetime = DateTime.parse(params[:timestamp])
	219	+ table_name = method.to_s.singularize.camelize.constantize.table_name
	220	+ timestamp = "#{table_name}.updated_at >= '#{datetime}'"
	221	+ end
	222	+
	223	+ timestamp
	224	+ end
	225	+
	226	+ def by_reference(scope, params)
	227	+ reference_id = params[:reference_id].to_i == 0 ? nil : params[:reference_id].to_i
	228	+ if reference_id.nil?
	229	+ scope
	230	+ else
	231	+ created_at = scope.find(reference_id).created_at
	232	+ scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
	233	+ end
	234	+ end
	235	+
	236	+ def by_categories(scope, params)
	237	+ category_ids = params[:category_ids]
	238	+ if category_ids.nil?
	239	+ scope
	240	+ else
	241	+ scope.joins(:categories).where(:categories => {:id => category_ids})
	242	+ end
	243	+ end
	244	+
	245	+ def select_filtered_collection_of(object, method, params)
	246	+ conditions = make_conditions_with_parameter(params)
	247	+ order = make_order_with_parameters(object,method,params)
	248	+ timestamp = make_timestamp_with_parameters_and_method(params, method)
	249	+
	250	+ objects = object.send(method)
	251	+ objects = by_reference(objects, params)
	252	+ objects = by_categories(objects, params)
	253	+
	254	+ objects = objects.where(conditions).where(timestamp).reorder(order)
	255	+
	256	+ params[:page] \|\|= 1
	257	+ params[:per_page] \|\|= limit
	258	+ paginate(objects)
	259	+ end
	260	+
	261	+ def authenticate!
	262	+ unauthorized! unless current_user
	263	+ end
	264	+
	265	+ def profiles_for_person(profiles, person)
	266	+ if person
	267	+ profiles.listed_for_person(person)
	268	+ else
	269	+ profiles.visible
	270	+ end
	271	+ end
	272	+
	273	+ # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
	274	+ # or a Bad Request error is invoked.
	275	+ #
	276	+ # Parameters:
	277	+ # keys (unique) - A hash consisting of keys that must be unique
	278	+ def unique_attributes!(obj, keys)
	279	+ keys.each do \|key\|
	280	+ cant_be_saved_request!(key) if obj.find_by(key.to_s => params[key])
	281	+ end
	282	+ end
	283	+
	284	+ def attributes_for_keys(keys)
	285	+ attrs = {}
	286	+ keys.each do \|key\|
	287	+ attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
	288	+ end
	289	+ attrs
	290	+ end
	291	+
	292	+ ##########################################
	293	+ # error helpers #
	294	+ ##########################################
	295	+
	296	+ def not_found!
	297	+ render_api_error!('404 Not found', 404)
	298	+ end
	299	+
	300	+ def forbidden!
	301	+ render_api_error!('403 Forbidden', 403)
	302	+ end
	303	+
	304	+ def cant_be_saved_request!(attribute)
	305	+ message = _("(Invalid request) %s can't be saved") % attribute
	306	+ render_api_error!(message, 400)
	307	+ end
	308	+
	309	+ def bad_request!(attribute)
	310	+ message = _("(Invalid request) %s not given") % attribute
	311	+ render_api_error!(message, 400)
	312	+ end
	313	+
	314	+ def something_wrong!
	315	+ message = _("Something wrong happened")
	316	+ render_api_error!(message, 400)
	317	+ end
	318	+
	319	+ def unauthorized!
	320	+ render_api_error!(_('Unauthorized'), 401)
	321	+ end
	322	+
	323	+ def not_allowed!
	324	+ render_api_error!(_('Method Not Allowed'), 405)
	325	+ end
	326	+
	327	+ # javascript_console_message is supposed to be executed as console.log()
	328	+ def render_api_error!(user_message, status, log_message = nil, javascript_console_message = nil)
	329	+ message_hash = {'message' => user_message, :code => status}
	330	+ message_hash[:javascript_console_message] = javascript_console_message if javascript_console_message.present?
	331	+ log_msg = "#{status}, User message: #{user_message}"
	332	+ log_msg = "#{log_message}, #{log_msg}" if log_message.present?
	333	+ log_msg = "#{log_msg}, Javascript Console Message: #{javascript_console_message}" if javascript_console_message.present?
	334	+ logger.error log_msg unless Rails.env.test?
	335	+ error!(message_hash, status)
	336	+ end
	337	+
	338	+ def render_api_errors!(messages)
	339	+ messages = messages.to_a if messages.class == ActiveModel::Errors
	340	+ render_api_error!(messages.join(','), 400)
	341	+ end
	342	+
	343	+ protected
	344	+
	345	+ def set_session_cookie
	346	+ cookies['_noosfero_api_session'] = { value: @current_user.private_token, httponly: true } if @current_user.present?
	347	+ end
	348	+
	349	+ def setup_multitenancy
	350	+ Noosfero::MultiTenancy.setup!(request.host)
	351	+ end
	352	+
	353	+ def detect_stuff_by_domain
	354	+ @domain = Domain.by_name(request.host)
	355	+ if @domain.nil?
	356	+ @environment = Environment.default
	357	+ if @environment.nil? && Rails.env.development?
	358	+ # This should only happen in development ...
	359	+ @environment = Environment.create!(:name => "Noosfero", :is_default => true)
	360	+ end
	361	+ else
	362	+ @environment = @domain.environment
	363	+ end
	364	+ end
	365	+
	366	+ def filter_disabled_plugins_endpoints
	367	+ not_found! if Api::App.endpoint_unavailable?(self, @environment)
	368	+ end
	369	+
	370	+ def asset_with_image params
	371	+ if params.has_key? :image_builder
	372	+ asset_api_params = params
	373	+ asset_api_params[:image_builder] = base64_to_uploadedfile(asset_api_params[:image_builder])
	374	+ return asset_api_params
	375	+ end
	376	+ params
	377	+ end
	378	+
	379	+ def base64_to_uploadedfile(base64_image)
	380	+ tempfile = base64_to_tempfile base64_image
	381	+ converted_image = base64_image
	382	+ converted_image[:tempfile] = tempfile
	383	+ return {uploaded_data: ActionDispatch::Http::UploadedFile.new(converted_image)}
	384	+ end
	385	+
	386	+ def base64_to_tempfile base64_image
	387	+ base64_img_str = base64_image[:tempfile]
	388	+ decoded_base64_str = Base64.decode64(base64_img_str)
	389	+ tempfile = Tempfile.new(base64_image[:filename])
	390	+ tempfile.write(decoded_base64_str.encode("ascii-8bit").force_encoding("utf-8"))
	391	+ tempfile.rewind
	392	+ tempfile
	393	+ end
	394	+ private
	395	+
	396	+ def parser_params(params)
	397	+ parsed_params = {}
	398	+ params.map do \|k,v\|
	399	+ parsed_params[k.to_sym] = v if DEFAULT_ALLOWED_PARAMETERS.include?(k.to_sym)
	400	+ end
	401	+ parsed_params
	402	+ end
	403	+
	404	+ def default_limit
	405	+ 20
	406	+ end
	407	+
	408	+ def parse_content_type(content_type)
	409	+ return nil if content_type.blank?
	410	+ content_type.split(',').map do \|content_type\|
	411	+ content_type.camelcase
	412	+ end
	413	+ end
	414	+
	415	+ def period(from_date, until_date)
	416	+ begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
	417	+ end_period = until_date.nil? ? DateTime.now : until_date
	418	+ begin_period..end_period
	419	+ end
	420	+ end
	421	+end
...	...
...	...	@@ -0,0 +1,20 @@
	1	+module Api
	2	+ module V1
	3	+ class Activities < Grape::API
	4	+ before { authenticate! }
	5	+
	6	+ resource :profiles do
	7	+
	8	+ get ':id/activities' do
	9	+ profile = Profile.find_by id: params[:id]
	10	+
	11	+ not_found! if profile.blank? \|\| profile.secret \|\| !profile.visible
	12	+ forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
	13	+
	14	+ activities = profile.activities.map(&:activity)
	15	+ present activities, :with => Entities::Activity, :current_person => current_person
	16	+ end
	17	+ end
	18	+ end
	19	+ end
	20	+end
...	...