Showing 1159 changed files Show diff stats
.gitlab-ci.yml
.travis.yml
Gemfile
INSTALL.varnish.md
README.rails.md
app/api/app.rb
app/api/entities.rb
app/api/entity.rb
app/api/helpers.rb
app/api/v1/activities.rb
app/api/v1/articles.rb
app/api/v1/blocks.rb
app/api/v1/boxes.rb
app/api/v1/categories.rb
app/api/v1/comments.rb
app/api/v1/communities.rb
app/api/v1/contacts.rb
app/api/v1/enterprises.rb
app/api/v1/environments.rb
app/api/v1/people.rb
@@ -30,14 +30,47 @@ integration:
   script: bundle exec rake test:integration
   stage: all-tests
-cucumber:
-  script: bundle exec rake cucumber
+cucumber-1:
+  script: SLICE=1/2 bundle exec rake cucumber
+  stage: all-tests
+cucumber-2:
+  script: SLICE=2/2 bundle exec rake cucumber
   stage: all-tests
-selenium:
-  script: bundle exec rake selenium
+selenium-1:
+  script: SLICE=1/6 bundle exec rake selenium
+  stage: all-tests
+selenium-2:
+  script: SLICE=2/6 bundle exec rake selenium
+  stage: all-tests
+selenium-3:
+  script: SLICE=3/6 bundle exec rake selenium
+  stage: all-tests
+selenium-4:
+  script: SLICE=4/6 bundle exec rake selenium
+  stage: all-tests
+selenium-5:
+  script: SLICE=5/6 bundle exec rake selenium
+  stage: all-tests
+selenium-6:
+  script: SLICE=6/6 bundle exec rake selenium
   stage: all-tests
-plugins:
-  script: bundle exec rake test:noosfero_plugins
+# NOOSFERO_BUNDLE_OPTS=install makes migrations fails
+# probably because of rubygems-integration
+plugins-1:
+  script: SLICE=1/5 bundle exec rake test:noosfero_plugins
   stage: all-tests
+plugins-2:
+  script: SLICE=2/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+plugins-3:
+  script: SLICE=3/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+plugins-4:
+  script: SLICE=4/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+plugins-5:
+  script: SLICE=5/5 bundle exec rake test:noosfero_plugins
+  stage: all-tests
+
@@ -6,15 +6,19 @@ notifications:
     template:
       - "%{repository_slug} %{branch} %{commit} %{commit_subject} - %{result} %{build_url}"
-# trusty constainers take more time to start
-#dist: trusty
+# Ensure Container-based environment, as others can have some random failures
+# specially with different Firefox versions and selenium tests.
+# E.g. https://travis-ci.org/noosfero/noosfero/jobs/122918772#L1308
+#
+# Also container-based environments have the fatest boot times and
+# are the only one with cache available for public projects.
+# See https://docs.travis-ci.com/user/ci-environment/#Virtualization-environments
+sudo: false
+cache: bundler
 language: ruby
 rvm:
-  - 2.2
-  # ruby 2.3 works but isn't stable on travis
-
-cache: bundler
+  - 2.3.1
 addons:
   apt:
@@ -25,11 +29,6 @@ addons:
     paths:
       - $(ls tmp/artifact* | tr "\n" ":")
-# workaround for https://github.com/travis-ci/travis-ci/issues/4536
-before_install:
-  - export GEM_HOME=$PWD/vendor/bundle/ruby/2.2.0
-  - gem install bundler
-
 before_script:
   - mkdir -p tmp/{pids,cache} log cache
   - script/noosfero-plugins disableall
@@ -41,21 +40,36 @@ before_script:
   - bundle exec rake db:migrate &>/dev/null
 env:
-  - TASK=test:api
-  - TASK=test:units
-  - TASK=test:functionals
-  - TASK=test:integration
-  - SLICE=1/2 TASK=cucumber LANG=en
-  - SLICE=2/2 TASK=cucumber LANG=en
-  - SLICE=1/4 TASK=selenium
-  - SLICE=2/4 TASK=selenium
-  - SLICE=3/4 TASK=selenium
-  - SLICE=4/4 TASK=selenium
-  - SLICE=1/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=2/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=3/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=4/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
-  - SLICE=5/5 TASK=test:noosfero_plugins BUNDLE_OPTS=install
+  global:
+    - LANG=en
+  matrix:
+    - TASK=test:api
+    - TASK=test:units
+    - TASK=test:functionals
+    - TASK=test:integration
+    - SLICE=1/2 TASK=cucumber
+    - SLICE=2/2 TASK=cucumber
+    - SLICE=1/4 TASK=selenium
+    - SLICE=2/4 TASK=selenium
+    - SLICE=3/4 TASK=selenium
+    - SLICE=4/4 TASK=selenium
+    - SLICE=1/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    - SLICE=2/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    - SLICE=3/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    - SLICE=4/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    - SLICE=5/5 TASK=test:noosfero_plugins NOOSFERO_BUNDLE_OPTS=install
+    # chrome hanging on travis
+    #- SLICE=1/4 TASK=selenium SELENIUM_DRIVER=chrome
+    #- SLICE=2/4 TASK=selenium SELENIUM_DRIVER=chrome
+    #- SLICE=3/4 TASK=selenium SELENIUM_DRIVER=chrome
+    #- SLICE=4/4 TASK=selenium SELENIUM_DRIVER=chrome
+
+matrix:
+  allow_failures:
+    - env: SLICE=1/4 TASK=selenium SELENIUM_DRIVER=chrome
+    - env: SLICE=2/4 TASK=selenium SELENIUM_DRIVER=chrome
+    - env: SLICE=3/4 TASK=selenium SELENIUM_DRIVER=chrome
+    - env: SLICE=4/4 TASK=selenium SELENIUM_DRIVER=chrome
 script:
   - bundle exec rake $TASK
@@ -77,6 +77,7 @@ group :cucumber do
   gem 'cucumber-rails',         '~> 1.4.2', :require => false
   gem 'database_cleaner',       '~> 1.3'
   gem 'selenium-webdriver',     '>= 2.50'
+  gem 'chromedriver-helper' if ENV['SELENIUM_DRIVER'] == 'chrome'
 end
 # Requires custom dependencies
@@ -19,7 +19,6 @@ Install the RPAF apache module (or skip this step if not using apache):
 3a) Edit `/etc/apache2/ports.conf`, and:
-  * change `NameVirtualHost *:80` to `NameVirtualHost *:8080`
   * change `Listen 80` to `Listen 127.0.0.1:8080`
 3b) Edit `/etc/apache2/sites-enabled/*`, and change `<VirtualHost *:80>` to `<VirtualHost *:8080>`
@@ -30,6 +29,7 @@ Install the RPAF apache module (or skip this step if not using apache):
    * change the line that says `START=no` to say `START=yes`
    * change `-a :6081` to `-a :80`
+   * add parameter `-p vcc_allow_inline_c=on` on `DAEMON_OPTS`
 4b) Edit `/etc/varnish/default.vcl` and add the following lines at the end:
@@ -99,7 +99,7 @@ Description of contents
   Holds controllers that should be named like weblog_controller.rb for automated URL mapping. All controllers should descend from `ActionController::Base`.
 * `app/models`
-  Holds models that should be named like post.rb. Most models will descend from `ActiveRecord::Base`.
+  Holds models that should be named like post.rb. Most models will descend from `ApplicationRecord`.
 * `app/views`
   Holds the template files for the view that should be named like `weblog/index.rhtml` for the `WeblogController#index` action. All views use eRuby syntax. This directory can also be used to keep stylesheets, images, and so on that can be symlinked to public.
@@ -0,0 +1,89 @@
+require_dependency 'api/helpers'
+
+module Api
+  class App < Grape::API
+    use Rack::JSONP
+
+    logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
+    logger.formatter = GrapeLogging::Formatters::Default.new
+    #use GrapeLogging::Middleware::RequestLogger, { logger: logger }
+
+    rescue_from :all do |e|
+      logger.error e
+      error! e.message, 500
+    end unless Rails.env.test?
+
+    @@NOOSFERO_CONF = nil
+    def self.NOOSFERO_CONF
+      if @@NOOSFERO_CONF
+        @@NOOSFERO_CONF
+      else
+        file = Rails.root.join('config', 'noosfero.yml')
+        @@NOOSFERO_CONF = File.exists?(file) ? YAML.load_file(file)[Rails.env] || {} : {}
+      end
+    end
+
+    before { set_locale  }
+    before { setup_multitenancy }
+    before { detect_stuff_by_domain }
+    before { filter_disabled_plugins_endpoints }
+    before { init_noosfero_plugins }
+    after { set_session_cookie }
+
+    version 'v1'
+    prefix [ENV['RAILS_RELATIVE_URL_ROOT'], "api"].compact.join('/')
+    format :json
+    content_type :txt, "text/plain"
+
+    helpers Helpers
+
+    mount V1::Session
+    mount V1::Articles
+    mount V1::Comments
+    mount V1::Users
+    mount V1::Communities
+    mount V1::People
+    mount V1::Enterprises
+    mount V1::Categories
+    mount V1::Tasks
+    mount V1::Tags
+    mount V1::Environments
+    mount V1::Search
+    mount V1::Contacts
+    mount V1::Boxes
+    mount V1::Blocks
+    mount V1::Profiles
+    mount V1::Activities
+
+    # hook point which allow plugins to add Grape::API extensions to Api::App
+    #finds for plugins which has api mount points classes defined (the class should extends Grape::API)
+    @plugins = Noosfero::Plugin.all.map { |p| p.constantize }
+    @plugins.each do |klass|
+      if klass.public_methods.include? :api_mount_points
+        klass.api_mount_points.each do |mount_class|
+          mount mount_class if mount_class && ( mount_class < Grape::API )
+        end
+      end
+    end
+
+    def self.endpoint_unavailable?(endpoint, environment)
+      api_class = endpoint.options[:app] || endpoint.options[:for]
+      if api_class.present?
+        klass = api_class.name.deconstantize.constantize
+        return klass < Noosfero::Plugin && !environment.plugin_enabled?(klass)
+      end
+    end
+
+    class << self
+      def endpoints_with_plugins(environment = nil)
+        if environment.present?
+          cloned_endpoints = endpoints_without_plugins.dup
+          cloned_endpoints.delete_if { |endpoint| endpoint_unavailable?(endpoint, environment) }
+        else
+          endpoints_without_plugins
+        end
+      end
+      alias_method_chain :endpoints, :plugins
+    end
+  end
+end
@@ -0,0 +1,269 @@
+module Api
+  module Entities
+
+    Entity.format_with :timestamp do |date|
+      date.strftime('%Y/%m/%d %H:%M:%S') if date
+    end
+
+    PERMISSIONS = {
+      :admin => 0,
+      :self  => 10,
+      :private_content => 20,
+      :logged_user => 30,
+      :anonymous => 40
+    }
+
+    def self.can_display_profile_field? profile, options, permission_options={}
+      permissions={:field => "", :permission => :private_content}
+      permissions.merge!(permission_options)
+      field = permissions[:field]
+      permission = permissions[:permission]
+      return true if profile.public? && profile.public_fields.map{|f| f.to_sym}.include?(field.to_sym)
+
+      current_person = options[:current_person]
+
+      current_permission = if current_person.present?
+        if current_person.is_admin?
+          :admin
+        elsif current_person == profile
+          :self
+        elsif profile.display_private_info_to?(current_person)
+          :private_content
+        else
+          :logged_user
+        end
+      else
+        :anonymous
+      end
+      PERMISSIONS[current_permission] <= PERMISSIONS[permission]
+    end
+
+    class Image < Entity
+      root 'images', 'image'
+
+      expose  :url do |image, options|
+        image.public_filename
+      end
+
+      expose  :icon_url do |image, options|
+        image.public_filename(:icon)
+      end
+
+      expose  :minor_url do |image, options|
+        image.public_filename(:minor)
+      end
+
+      expose  :portrait_url do |image, options|
+        image.public_filename(:portrait)
+      end
+
+      expose  :thumb_url do |image, options|
+        image.public_filename(:thumb)
+      end
+    end
+
+    class CategoryBase < Entity
+      root 'categories', 'category'
+      expose :name, :id, :slug
+    end
+
+    class Category < CategoryBase
+      root 'categories', 'category'
+      expose :full_name do |category, options|
+        category.full_name
+      end
+      expose :parent, :using => CategoryBase, if: { parent: true }
+      expose :children, :using => CategoryBase, if: { children: true }
+      expose :image, :using => Image
+      expose :display_color
+    end
+
+    class Region < Category
+      root 'regions', 'region'
+      expose :parent_id
+    end
+
+    class Block < Entity
+      root 'blocks', 'block'
+      expose :id, :type, :settings, :position, :enabled
+      expose :mirror, :mirror_block_id, :title
+      expose :api_content, if: lambda { |object, options| options[:display_api_content] || object.display_api_content_by_default? }
+    end
+
+    class Box < Entity
+      root 'boxes', 'box'
+      expose :id, :position
+      expose :blocks, :using => Block do |box, options|
+        box.blocks.select {|block| block.visible_to_user?(options[:current_person]) }
+      end
+    end
+
+    class Profile < Entity
+      expose :identifier, :name, :id
+      expose :created_at, :format_with => :timestamp
+      expose :updated_at, :format_with => :timestamp
+      expose :additional_data do |profile, options|
+        hash ={}
+        profile.public_values.each do |value|
+          hash[value.custom_field.name]=value.value
+        end
+
+        private_values = profile.custom_field_values - profile.public_values
+        private_values.each do |value|
+          if Entities.can_display_profile_field?(profile,options)
+            hash[value.custom_field.name]=value.value
+          end
+        end
+        hash
+      end
+      expose :image, :using => Image
+      expose :region, :using => Region
+      expose :type
+      expose :custom_header
+      expose :custom_footer
+    end
+
+    class UserBasic < Entity
+      expose :id
+      expose :login
+    end
+
+    class Person < Profile
+      root 'people', 'person'
+      expose :user, :using => UserBasic, documentation: {type: 'User', desc: 'The user data of a person' }
+      expose :vote_count
+      expose :comments_count do |person, options|
+        person.comments.count
+      end
+      expose :following_articles_count do |person, options|
+        person.following_articles.count
+      end
+      expose :articles_count do |person, options|
+        person.articles.count
+      end
+    end
+
+    class Enterprise < Profile
+      root 'enterprises', 'enterprise'
+    end
+
+    class Community < Profile
+      root 'communities', 'community'
+      expose :description
+      expose :admins, :if => lambda { |community, options| community.display_info_to? options[:current_person]} do |community, options|
+        community.admins.map{|admin| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
+      end
+      expose :categories, :using => Category
+      expose :members, :using => Person , :if => lambda{ |community, options| community.display_info_to? options[:current_person] }
+    end
+
+    class CommentBase < Entity
+      expose :body, :title, :id
+      expose :created_at, :format_with => :timestamp
+      expose :author, :using => Profile
+      expose :reply_of, :using => CommentBase
+    end
+
+    class Comment < CommentBase
+      root 'comments', 'comment'
+      expose :children, as: :replies, :using => Comment
+    end
+
+    class ArticleBase < Entity
+      root 'articles', 'article'
+      expose :id
+      expose :body
+      expose :abstract, documentation: {type: 'String', desc: 'Teaser of the body'}
+      expose :created_at, :format_with => :timestamp
+      expose :updated_at, :format_with => :timestamp
+      expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
+      expose :created_by, :as => :author, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile author that create the article'}
+      expose :profile, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile associated with the article'}
+      expose :categories, :using => Category
+      expose :image, :using => Image
+      expose :votes_for
+      expose :votes_against
+      expose :setting
+      expose :position
+      expose :hits
+      expose :start_date
+      expose :end_date, :documentation => {type: 'DateTime', desc: 'The date of finish of the article'}
+      expose :tag_list
+      expose :children_count
+      expose :slug, :documentation => {:type => "String", :desc => "Trimmed and parsed name of a article"}
+      expose :path
+      expose :followers_count
+      expose :votes_count
+      expose :comments_count
+      expose :archived, :documentation => {:type => "Boolean", :desc => "Defines if a article is readonly"}
+      expose :type
+      expose :comments, using: CommentBase, :if => lambda{|obj,opt| opt[:params] && ['1','true',true].include?(opt[:params][:show_comments])}
+      expose :published
+      expose :accept_comments?, as: :accept_comments
+    end
+
+    class Article < ArticleBase
+      root 'articles', 'article'
+      expose :parent, :using => ArticleBase
+      expose :children, :using => ArticleBase do |article, options|
+        article.children.published.limit(V1::Articles::MAX_PER_PAGE)
+      end
+    end
+
+    class User < Entity
+      root 'users', 'user'
+
+      attrs = [:id,:login,:email,:activated?]
+      aliases = {:activated? => :activated}
+
+      attrs.each do |attribute|
+        name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
+        expose attribute, :as => name, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field =>  attribute})}
+      end
+
+      expose :person, :using => Person, :if => lambda{|user,options| user.person.display_info_to? options[:current_person]}
+      expose :permissions, :if => lambda{|user,options| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do |user, options|
+        output = {}
+        user.person.role_assignments.map do |role_assigment|
+          if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
+            output[role_assigment.resource.identifier] = role_assigment.role.permissions
+          end
+        end
+        output
+      end
+    end
+
+    class UserLogin < User
+      root 'users', 'user'
+      expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}, if: lambda {|object, options| object.activated? }
+    end
+
+    class Task < Entity
+      root 'tasks', 'task'
+      expose :id
+      expose :type
+    end
+
+    class Environment < Entity
+      expose :name
+      expose :id
+      expose :description
+      expose :settings, if: lambda { |instance, options| options[:is_admin] }
+    end
+
+    class Tag < Entity
+      root 'tags', 'tag'
+      expose :name
+    end
+
+    class Activity < Entity
+      root 'activities', 'activity'
+      expose :id, :params, :verb, :created_at, :updated_at, :comments_count, :visible
+      expose :user, :using => Profile
+      expose :target do |activity, opts|
+        type_map = {Profile => ::Profile, ArticleBase => ::Article}.find {|h| activity.target.kind_of?(h.last)}
+        type_map.first.represent(activity.target) unless type_map.nil?
+      end
+    end
+  end
+end
@@ -0,0 +1,27 @@
+module Api
+  class Entity < Grape::Entity
+
+    def initialize(object, options = {})
+      object = nil if object.is_a? Exception
+      super object, options
+    end
+
+    def self.represent(objects, options = {})
+      if options[:has_exception]
+        data = super objects, options.merge(is_inner_data: true)
+        if objects.is_a? Exception
+          data.merge ok: false, error: {
+            type: objects.class.name,
+            message: objects.message
+          }
+        else
+          data = data.serializable_hash if data.is_a? Entity
+          data.merge ok: true, error: { type: 'Success', message: '' }
+        end
+      else
+        super objects, options
+      end
+    end
+
+  end
+end
@@ -0,0 +1,421 @@
+require 'base64'
+require 'tempfile'
+
+module Api
+  module Helpers
+    PRIVATE_TOKEN_PARAM = :private_token
+    DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived]
+
+    include SanitizeParams
+    include Noosfero::Plugin::HotSpot
+    include ForgotPasswordHelper
+    include SearchTermHelper
+
+    def set_locale
+      I18n.locale = (params[:lang] || request.env['HTTP_ACCEPT_LANGUAGE'] || 'en')
+    end
+
+    def init_noosfero_plugins
+      plugins
+    end
+
+    def current_user
+      private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
+      @current_user ||= User.find_by private_token: private_token
+      @current_user ||= plugins.dispatch("api_custom_login", request).first
+      @current_user
+    end
+
+    def current_person
+      current_user.person unless current_user.nil?
+    end
+
+    def is_admin?(environment)
+      return false unless current_user
+      return current_person.is_admin?(environment)
+    end
+
+    def logout
+      @current_user = nil
+    end
+
+    def environment
+      @environment
+    end
+
+    def present_partial(model, options)
+      if(params[:fields].present?)
+        begin
+          fields = JSON.parse(params[:fields])
+          if fields.present?
+            options.merge!(fields.symbolize_keys.slice(:only, :except))
+          end
+        rescue
+          fields = params[:fields]
+          fields = fields.split(',') if fields.kind_of?(String)
+          options[:only] = Array.wrap(fields)
+        end
+      end
+      present model, options
+    end
+
+    include FindByContents
+
+    ####################################################################
+    #### SEARCH
+    ####################################################################
+    def multiple_search?(searches=nil)
+      ['index', 'category_index'].include?(params[:action]) || (searches && searches.size > 1)
+    end
+    ####################################################################
+
+    def logger
+      logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] || 'production'}_api.log"))
+      logger.formatter = GrapeLogging::Formatters::Default.new
+      logger
+    end
+
+    def limit
+      limit = params[:limit].to_i
+      limit = default_limit if limit <= 0
+      limit
+    end
+
+    def period(from_date, until_date)
+      return nil if from_date.nil? && until_date.nil?
+
+      begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
+      end_period = until_date.nil? ? DateTime.now : until_date
+
+      begin_period..end_period
+    end
+
+    def parse_content_type(content_type)
+      return nil if content_type.blank?
+      content_type.split(',').map do |content_type|
+        content_type.camelcase
+      end
+    end
+
+    def find_article(articles, id)
+      article = articles.find(id)
+      article.display_to?(current_person) ? article : forbidden!
+    end
+
+    def post_article(asset, params)
+      return forbidden! unless current_person.can_post_content?(asset)
+
+      klass_type = params[:content_type] || params[:article].delete(:type) || TinyMceArticle.name
+      return forbidden! unless klass_type.constantize <= Article
+
+      article = klass_type.constantize.new(params[:article])
+      article.last_changed_by = current_person
+      article.created_by= current_person
+      article.profile = asset
+
+      if !article.save
+        render_api_errors!(article.errors.full_messages)
+      end
+      present_partial article, :with => Entities::Article
+    end
+
+    def present_article(asset)
+      article = find_article(asset.articles, params[:id])
+      present_partial article, :with => Entities::Article, :params => params
+    end
+
+    def present_articles_for_asset(asset, method = 'articles')
+      articles = find_articles(asset, method)
+      present_articles(articles)
+    end
+
+    def present_articles(articles)
+      present_partial paginate(articles), :with => Entities::Article, :params => params
+    end
+
+    def find_articles(asset, method = 'articles')
+      articles = select_filtered_collection_of(asset, method, params)
+      if current_person.present?
+        articles = articles.display_filter(current_person, nil)
+      else
+        articles = articles.published
+      end
+      articles
+    end
+
+    def find_task(asset, id)
+      task = asset.tasks.find(id)
+      current_person.has_permission?(task.permission, asset) ? task : forbidden!
+    end
+
+    def post_task(asset, params)
+      klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
+      return forbidden! unless klass_type.constantize <= Task
+
+      task = klass_type.constantize.new(params[:task])
+      task.requestor_id = current_person.id
+      task.target_id = asset.id
+      task.target_type = 'Profile'
+
+      if !task.save
+        render_api_errors!(task.errors.full_messages)
+      end
+      present_partial task, :with => Entities::Task
+    end
+
+    def present_task(asset)
+      task = find_task(asset, params[:id])
+      present_partial task, :with => Entities::Task
+    end
+
+    def present_tasks(asset)
+      tasks = select_filtered_collection_of(asset, 'tasks', params)
+      tasks = tasks.select {|t| current_person.has_permission?(t.permission, asset)}
+      return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
+      present_partial tasks, :with => Entities::Task
+    end
+
+    def make_conditions_with_parameter(params = {})
+      parsed_params = parser_params(params)
+      conditions = {}
+      from_date = DateTime.parse(parsed_params.delete(:from)) if parsed_params[:from]
+      until_date = DateTime.parse(parsed_params.delete(:until)) if parsed_params[:until]
+
+      conditions[:type] = parse_content_type(parsed_params.delete(:content_type)) unless parsed_params[:content_type].nil?
+
+      conditions[:created_at] = period(from_date, until_date) if from_date || until_date
+      conditions.merge!(parsed_params)
+
+      conditions
+    end
+
+    # changing make_order_with_parameters to avoid sql injection
+    def make_order_with_parameters(object, method, params)
+      order = "created_at DESC"
+      unless params[:order].blank?
+        if params[:order].include? '\'' or params[:order].include? '"'
+          order = "created_at DESC"
+        elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
+          order = 'RANDOM()'
+        else
+          field_name, direction = params[:order].split(' ')
+          assoc = object.class.reflect_on_association(method.to_sym)
+          if !field_name.blank? and assoc
+            if assoc.klass.attribute_names.include? field_name
+              if direction.present? and ['ASC','DESC'].include? direction.upcase
+                order = "#{field_name} #{direction.upcase}"
+              end
+            end
+          end
+        end
+      end
+      return order
+    end
+
+    def make_timestamp_with_parameters_and_method(params, method)
+      timestamp = nil
+      if params[:timestamp]
+        datetime = DateTime.parse(params[:timestamp])
+        table_name = method.to_s.singularize.camelize.constantize.table_name
+        timestamp = "#{table_name}.updated_at >= '#{datetime}'"
+      end
+
+      timestamp
+    end
+
+    def by_reference(scope, params)
+      reference_id = params[:reference_id].to_i == 0 ? nil : params[:reference_id].to_i
+      if reference_id.nil?
+        scope
+      else
+        created_at = scope.find(reference_id).created_at
+        scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
+      end
+    end
+
+    def by_categories(scope, params)
+      category_ids = params[:category_ids]
+      if category_ids.nil?
+        scope
+      else
+        scope.joins(:categories).where(:categories => {:id => category_ids})
+      end
+    end
+
+    def select_filtered_collection_of(object, method, params)
+      conditions = make_conditions_with_parameter(params)
+      order = make_order_with_parameters(object,method,params)
+      timestamp = make_timestamp_with_parameters_and_method(params, method)
+
+      objects = object.send(method)
+      objects = by_reference(objects, params)
+      objects = by_categories(objects, params)
+
+      objects = objects.where(conditions).where(timestamp).reorder(order)
+
+      params[:page] ||= 1
+      params[:per_page] ||= limit
+      paginate(objects)
+    end
+
+    def authenticate!
+      unauthorized! unless current_user
+    end
+
+    def profiles_for_person(profiles, person)
+      if person
+        profiles.listed_for_person(person)
+      else
+        profiles.visible
+      end
+    end
+
+    # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
+    # or a Bad Request error is invoked.
+    #
+    # Parameters:
+    #   keys (unique) - A hash consisting of keys that must be unique
+    def unique_attributes!(obj, keys)
+      keys.each do |key|
+        cant_be_saved_request!(key) if obj.find_by(key.to_s => params[key])
+      end
+    end
+
+    def attributes_for_keys(keys)
+      attrs = {}
+      keys.each do |key|
+        attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
+      end
+      attrs
+    end
+
+    ##########################################
+    #              error helpers             #
+    ##########################################
+
+    def not_found!
+      render_api_error!('404 Not found', 404)
+    end
+
+    def forbidden!
+      render_api_error!('403 Forbidden', 403)
+    end
+
+    def cant_be_saved_request!(attribute)
+      message = _("(Invalid request) %s can't be saved") % attribute
+      render_api_error!(message, 400)
+    end
+
+    def bad_request!(attribute)
+      message = _("(Invalid request) %s not given") % attribute
+      render_api_error!(message, 400)
+    end
+
+    def something_wrong!
+      message = _("Something wrong happened")
+      render_api_error!(message, 400)
+    end
+
+    def unauthorized!
+      render_api_error!(_('Unauthorized'), 401)
+    end
+
+    def not_allowed!
+      render_api_error!(_('Method Not Allowed'), 405)
+    end
+
+    # javascript_console_message is supposed to be executed as console.log()
+    def render_api_error!(user_message, status, log_message = nil, javascript_console_message = nil)
+      message_hash = {'message' => user_message, :code => status}
+      message_hash[:javascript_console_message] = javascript_console_message if javascript_console_message.present?
+      log_msg = "#{status}, User message: #{user_message}"
+      log_msg = "#{log_message}, #{log_msg}" if log_message.present?
+      log_msg = "#{log_msg}, Javascript Console Message: #{javascript_console_message}" if javascript_console_message.present?
+      logger.error log_msg unless Rails.env.test?
+      error!(message_hash, status)
+    end
+
+    def render_api_errors!(messages)
+      messages = messages.to_a if messages.class == ActiveModel::Errors
+      render_api_error!(messages.join(','), 400)
+    end
+
+    protected
+
+    def set_session_cookie
+      cookies['_noosfero_api_session'] = { value: @current_user.private_token, httponly: true } if @current_user.present?
+    end
+
+    def setup_multitenancy
+      Noosfero::MultiTenancy.setup!(request.host)
+    end
+
+    def detect_stuff_by_domain
+      @domain = Domain.by_name(request.host)
+      if @domain.nil?
+        @environment = Environment.default
+        if @environment.nil? && Rails.env.development?
+          # This should only happen in development ...
+          @environment = Environment.create!(:name => "Noosfero", :is_default => true)
+        end
+      else
+        @environment = @domain.environment
+      end
+    end
+
+    def filter_disabled_plugins_endpoints
+      not_found! if Api::App.endpoint_unavailable?(self, @environment)
+    end
+
+    def asset_with_image params
+      if params.has_key? :image_builder
+        asset_api_params = params
+        asset_api_params[:image_builder] = base64_to_uploadedfile(asset_api_params[:image_builder])
+        return asset_api_params
+      end
+        params
+    end
+
+    def base64_to_uploadedfile(base64_image)
+      tempfile = base64_to_tempfile base64_image
+      converted_image = base64_image
+      converted_image[:tempfile] = tempfile
+      return {uploaded_data: ActionDispatch::Http::UploadedFile.new(converted_image)}
+    end
+
+    def base64_to_tempfile base64_image
+      base64_img_str = base64_image[:tempfile]
+      decoded_base64_str = Base64.decode64(base64_img_str)
+      tempfile = Tempfile.new(base64_image[:filename])
+      tempfile.write(decoded_base64_str.encode("ascii-8bit").force_encoding("utf-8"))
+      tempfile.rewind
+      tempfile
+    end
+    private
+
+    def parser_params(params)
+      parsed_params = {}
+      params.map do |k,v|
+        parsed_params[k.to_sym] = v if DEFAULT_ALLOWED_PARAMETERS.include?(k.to_sym)
+      end
+      parsed_params
+    end
+
+    def default_limit
+      20
+    end
+
+    def parse_content_type(content_type)
+      return nil if content_type.blank?
+      content_type.split(',').map do |content_type|
+        content_type.camelcase
+      end
+    end
+
+    def period(from_date, until_date)
+      begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
+      end_period = until_date.nil? ? DateTime.now : until_date
+      begin_period..end_period
+    end
+  end
+end
@@ -0,0 +1,20 @@
+module Api
+  module V1
+    class Activities < Grape::API
+      before { authenticate! }
+
+      resource :profiles do
+
+        get ':id/activities' do
+          profile = Profile.find_by id: params[:id]
+
+          not_found! if profile.blank? || profile.secret || !profile.visible
+          forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
+
+          activities = profile.activities.map(&:activity)
+          present activities, :with => Entities::Activity, :current_person => current_person
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,303 @@
+module Api
+  module V1
+    class Articles < Grape::API
+
+      ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+
+      MAX_PER_PAGE = 50
+
+      resource :articles do
+
+        paginate max_per_page: MAX_PER_PAGE
+        # Collect articles
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest articles. If nothing is passed the newest articles are collected
+        #   limit            - amount of articles returned. The default value is 20
+        #
+        # Example Request:
+        #  GET host/api/v1/articles?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
+
+        desc 'Return all articles of all kinds' do
+          detail 'Get all articles filtered by fields in query params'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[403, 'Forbidden']]
+          named 'ArticlesList'
+          headers [
+            'Per-Page' => {
+                  description: 'Total number of records',
+                  required: false
+              }
+            ]
+        end
+        get do
+          present_articles_for_asset(environment)
+        end
+
+        desc "Return one article by id" do
+          detail 'Get only one article by id. If not found the "forbidden" http error is showed'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[403, 'Forbidden']]
+          named 'ArticleById'
+        end
+        get ':id', requirements: {id: /[0-9]+/} do
+          present_article(environment)
+        end
+
+        post ':id' do
+          article = environment.articles.find(params[:id])
+          return forbidden! unless article.allow_edit?(current_person)
+          article.update_attributes!(asset_with_image(params[:article]))
+          present_partial article, :with => Entities::Article
+        end
+
+        desc 'Report a abuse and/or violent content in a article by id' do
+          detail 'Submit a abuse (in general, a content violation) report about a specific article'
+          params Entities::Article.documentation
+          failure [[400, 'Bad Request']]
+          named 'ArticleReportAbuse'
+        end
+        post ':id/report_abuse' do
+          article = find_article(environment.articles, params[:id])
+          profile = article.profile
+          begin
+            abuse_report = AbuseReport.new(:reason => params[:report_abuse])
+            if !params[:content_type].blank?
+              article = params[:content_type].constantize.find(params[:content_id])
+              abuse_report.content = article_reported_version(article)
+            end
+
+            current_person.register_report(abuse_report, profile)
+
+            if !params[:content_type].blank?
+              abuse_report = AbuseReport.find_by reporter_id: current_person.id, abuse_complaint_id: profile.opened_abuse_complaint.id
+              Delayed::Job.enqueue DownloadReportedImagesJob.new(abuse_report, article)
+            end
+
+            {
+              :success => true,
+              :message => _('Your abuse report was registered. The administrators are reviewing your report.'),
+            }
+          rescue Exception => exception
+            #logger.error(exception.to_s)
+            render_api_error!(_('Your report couldn\'t be saved due to some problem. Please contact the administrator.'), 400)
+          end
+
+        end
+
+        desc "Returns the articles I voted" do
+          detail 'Get the Articles I make a vote'
+          failure [[403, 'Forbidden']]
+          named 'ArticleFollowers'
+        end
+         #FIXME refactor this method
+        get 'voted_by_me' do
+          present_articles(current_person.votes.where(:voteable_type => 'Article').collect(&:voteable))
+        end
+
+        desc 'Perform a vote on a article by id' do
+          detail 'Vote on a specific article with values: 1 (if you like) or -1 (if not)'
+          params Entities::UserLogin.documentation
+          failure [[401,'Unauthorized']]
+          named 'ArticleVote'
+        end
+        post ':id/vote' do
+          authenticate!
+          value = (params[:value] || 1).to_i
+          # FIXME verify allowed values
+          render_api_error!('Vote value not allowed', 400) unless [-1, 1].include?(value)
+          article = find_article(environment.articles, params[:id])
+          begin
+            vote = Vote.new(:voteable => article, :voter => current_person, :vote => value)
+            {:vote => vote.save!}
+          rescue ActiveRecord::RecordInvalid => e
+            render_api_error!(e.message, 400)
+          end
+        end
+
+        desc "Returns the total followers for the article" do
+          detail 'Get the followers of a specific article by id'
+          failure [[403, 'Forbidden']]
+          named 'ArticleFollowers'
+        end
+        get ':id/followers' do
+          article = find_article(environment.articles, params[:id])
+          total = article.person_followers.count
+          {:total_followers => total}
+        end
+
+        desc "Return the articles followed by me"
+        get 'followed_by_me' do
+          present_articles_for_asset(current_person, 'following_articles')
+        end
+
+        desc "Add a follower for the article" do
+          detail 'Add the current user identified by private token, like a follower of a article'
+          params Entities::UserLogin.documentation
+          failure [[401, 'Unauthorized']]
+          named 'ArticleFollow'
+        end
+        post ':id/follow' do
+          authenticate!
+          article = find_article(environment.articles, params[:id])
+          if article.article_followers.exists?(:person_id => current_person.id)
+            {:success => false, :already_follow => true}
+          else
+            article_follower = ArticleFollower.new
+            article_follower.article = article
+            article_follower.person = current_person
+            article_follower.save!
+            {:success => true}
+          end
+        end
+
+        desc 'Return the children of a article identified by id' do
+          detail 'Get all children articles of a specific article'
+          params Entities::Article.documentation
+          failure [[403, 'Forbidden']]
+          named 'ArticleChildren'
+        end
+
+        paginate per_page: MAX_PER_PAGE, max_per_page: MAX_PER_PAGE
+        get ':id/children' do
+          article = find_article(environment.articles, params[:id])
+
+          #TODO make tests for this situation
+          votes_order = params.delete(:order) if params[:order]=='votes_score'
+          articles = select_filtered_collection_of(article, 'children', params)
+          articles = articles.display_filter(current_person, article.profile)
+
+          #TODO make tests for this situation
+          if votes_order
+            articles = articles.joins('left join votes on articles.id=votes.voteable_id').group('articles.id').reorder('sum(coalesce(votes.vote, 0)) DESC')
+          end
+          Article.hit(articles)
+          present_articles(articles)
+        end
+
+        desc 'Return one child of a article identified by id' do
+          detail 'Get a child of a specific article'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[403, 'Forbidden']]
+          named 'ArticleChild'
+        end
+        get ':id/children/:child_id' do
+          article = find_article(environment.articles, params[:id])
+          child = find_article(article.children, params[:child_id])
+          child.hit
+          present_partial child, :with => Entities::Article
+        end
+
+        desc 'Suggest a article to another profile' do
+          detail 'Suggest a article to another profile (person, community...)'
+          params Entities::Article.documentation
+          success Entities::Task
+          failure [[401,'Unauthorized']]
+          named 'ArticleSuggest'
+        end
+        post ':id/children/suggest' do
+          authenticate!
+          parent_article = environment.articles.find(params[:id])
+
+          suggest_article = SuggestArticle.new
+          suggest_article.article = params[:article]
+          suggest_article.article[:parent_id] = parent_article.id
+          suggest_article.target = parent_article.profile
+          suggest_article.requestor = current_person
+
+          unless suggest_article.save
+            render_api_errors!(suggest_article.article_object.errors.full_messages)
+          end
+          present_partial suggest_article, :with => Entities::Task
+        end
+
+        # Example Request:
+        #  POST api/v1/articles/:id/children?private_token=234298743290432&article[name]=title&article[body]=body
+        desc 'Add a child article to a parent identified by id' do
+          detail 'Create a new article and associate to a parent'
+          params Entities::Article.documentation
+          success Entities::Article
+          failure [[401,'Unauthorized']]
+          named 'ArticleAddChild'
+        end
+        post ':id/children' do
+          parent_article = environment.articles.find(params[:id])
+          params[:article][:parent_id] = parent_article.id
+          post_article(parent_article.profile, params)
+        end
+      end
+
+      resource :profiles do
+        get ':id/home_page' do
+          profiles = environment.profiles
+          profiles = profiles.visible_for_person(current_person)
+          profile = profiles.find_by id: params[:id]
+          present_partial profile.home_page, :with => Entities::Article
+        end
+      end
+
+      kinds = %w[profile community person enterprise]
+      kinds.each do |kind|
+        resource kind.pluralize.to_sym do
+          segment "/:#{kind}_id" do
+            resource :articles do
+
+              desc "Return all articles associate with a profile of type #{kind}" do
+                detail 'Get a list of articles of a profile'
+                params Entities::Article.documentation
+                success Entities::Article
+                failure [[403, 'Forbidden']]
+                named 'ArticlesOfProfile'
+              end
+              get do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+
+                if params[:path].present?
+                  article = profile.articles.find_by path: params[:path]
+                  if !article || !article.display_to?(current_person)
+                    article = forbidden!
+                  end
+
+                  present_partial article, :with => Entities::Article
+                else
+
+                  present_articles_for_asset(profile)
+                end
+              end
+
+              desc "Return a article associate with a profile of type #{kind}" do
+                detail 'Get only one article of a profile'
+                params Entities::Article.documentation
+                success Entities::Article
+                failure [[403, 'Forbidden']]
+                named 'ArticleOfProfile'
+              end
+              get ':id' do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                present_article(profile)
+              end
+
+              # Example Request:
+              #  POST api/v1/{people,communities,enterprises}/:asset_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
+              desc "Add a new article associated with a profile of type #{kind}" do
+                detail 'Create a new article and associate with a profile'
+                params Entities::Article.documentation
+                success Entities::Article
+                failure [[403, 'Forbidden']]
+                named 'ArticleCreateToProfile'
+              end
+              post do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                post_article(profile, params)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,15 @@
+module Api
+  module V1
+
+    class Blocks < Grape::API
+      resource :blocks do
+        get ':id' do
+          block = Block.find(params["id"])
+          return forbidden! unless block.visible_to_user?(current_person)
+          present block, :with => Entities::Block, display_api_content: true
+        end
+      end
+    end
+
+  end
+end
@@ -0,0 +1,45 @@
+module Api
+  module V1
+
+    class Boxes < Grape::API
+
+      kinds = %w[profile community person enterprise]
+      kinds.each do |kind|
+
+        resource kind.pluralize.to_sym do
+
+          segment "/:#{kind}_id" do
+            resource :boxes do
+              get do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                return forbidden! unless profile.display_info_to?(current_person)
+                present profile.boxes, :with => Entities::Box
+              end
+            end
+          end
+        end
+
+      end
+
+      resource :environments do
+        [ '/default', '/context', ':environment_id' ].each do |route|
+          segment route do
+            resource :boxes do
+              get do
+                if (route.match(/default/))
+                  env = Environment.default
+                elsif (route.match(/context/))
+                  env = environment
+                else
+                  env = Environment.find(params[:environment_id])
+                end
+                present env.boxes, :with => Entities::Box
+              end
+            end
+          end
+        end
+      end
+    end
+
+  end
+end
@@ -0,0 +1,25 @@
+module Api
+  module V1
+    class Categories < Grape::API
+
+      resource :categories do
+
+        get do
+          type = params[:category_type]
+          include_parent = params[:include_parent] == 'true'
+          include_children = params[:include_children] == 'true'
+
+          categories = type.nil? ?  environment.categories : environment.categories.where(:type => type)
+          present categories, :with => Entities::Category, parent: include_parent, children: include_children
+        end
+
+        desc "Return the category by id"
+        get ':id' do
+          present environment.categories.find(params[:id]), :with => Entities::Category, parent: true, children: true
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,49 @@
+module Api
+  module V1
+    class Comments < Grape::API
+      MAX_PER_PAGE = 20
+
+
+      resource :articles do
+        paginate max_per_page: MAX_PER_PAGE
+        # Collect comments from articles
+        #
+        # Parameters:
+        #   reference_id     - comment id used as reference to collect comment
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #
+        # Example Request:
+        #  GET /articles/12/comments?oldest&limit=10&reference_id=23
+        get ":id/comments" do
+          article = find_article(environment.articles, params[:id])
+          comments = select_filtered_collection_of(article, :comments, params)
+          comments = comments.without_spam
+          comments = comments.without_reply if(params[:without_reply].present?)
+          comments = plugins.filter(:unavailable_comments, comments)
+          present paginate(comments), :with => Entities::Comment, :current_person => current_person
+        end
+
+        get ":id/comments/:comment_id" do
+          article = find_article(environment.articles, params[:id])
+          present article.comments.find(params[:comment_id]), :with => Entities::Comment, :current_person => current_person
+        end
+
+        # Example Request:
+        #  POST api/v1/articles/12/comments?private_token=2298743290432&body=new comment&title=New
+        post ":id/comments" do
+          authenticate!
+          article = find_article(environment.articles, params[:id])
+          options = params.select { |key,v| !['id','private_token'].include?(key) }.merge(:author => current_person, :source => article)
+          begin
+            comment = Comment.create!(options)
+          rescue ActiveRecord::RecordInvalid => e
+            render_api_error!(e.message, 400)
+          end
+          present comment, :with => Entities::Comment, :current_person => current_person
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,82 @@
+module Api
+  module V1
+    class Communities < Grape::API
+
+      resource :communities do
+
+        # Collect comments from articles
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #
+        # Example Request:
+        #  GET /communities?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+        #  GET /communities?reference_id=10&limit=10&oldest
+        get do
+          communities = select_filtered_collection_of(environment, 'communities', params)
+          communities = profiles_for_person(communities, current_person)
+          communities = communities.by_location(params) # Must be the last. May return Exception obj
+          present communities, :with => Entities::Community, :current_person => current_person
+        end
+
+
+        # Example Request:
+        #  POST api/v1/communties?private_token=234298743290432&community[name]=some_name
+        #  for each custom field for community, add &community[field_name]=field_value to the request
+        post do
+          authenticate!
+          params[:community] ||= {}
+
+          params[:community][:custom_values]={}
+          params[:community].keys.each do |key|
+            params[:community][:custom_values][key]=params[:community].delete(key) if Community.custom_fields(environment).any?{|cf| cf.name==key}
+          end
+
+          begin
+            community = Community.create_after_moderation(current_person, params[:community].merge({:environment => environment}))
+          rescue
+            community = Community.new(params[:community])
+          end
+
+          if !community.save
+            render_api_errors!(community.errors.full_messages)
+          end
+
+          present community, :with => Entities::Community, :current_person => current_person
+        end
+
+        get ':id' do
+          community = profiles_for_person(environment.communities, current_person).find_by_id(params[:id])
+          present community, :with => Entities::Community, :current_person => current_person
+        end
+
+      end
+
+      resource :people do
+
+        segment '/:person_id' do
+
+          resource :communities do
+
+            get do
+              person = environment.people.find(params[:person_id])
+
+              not_found! if person.blank?
+              forbidden! if !person.display_info_to?(current_person)
+
+              communities = select_filtered_collection_of(person, 'communities', params)
+              communities = communities.visible
+              present communities, :with => Entities::Community, :current_person => current_person
+            end
+
+          end
+
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,26 @@
+module Api
+  module V1
+    class Contacts < Grape::API
+
+      resource :communities do
+
+        resource ':id/contact' do
+          #contact => {:name => 'some name', :email => 'test@mail.com', :subject => 'some title', :message => 'some message'}
+          desc "Send a contact message"
+          post do
+            profile = environment.communities.find(params[:id])
+            forbidden! unless profile.present?
+            contact = Contact.new params[:contact].merge(dest: profile)
+            if contact.deliver
+              {:success => true}
+            else
+              {:success => false}
+            end
+          end
+
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,55 @@
+module Api
+  module V1
+    class Enterprises < Grape::API
+
+      resource :enterprises do
+
+        # Collect enterprises from environment
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #   georef params    - read `Profile.by_location` for more information.
+        #
+        # Example Request:
+        #  GET /enterprises?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+        #  GET /enterprises?reference_id=10&limit=10&oldest
+        get do
+          enterprises = select_filtered_collection_of(environment, 'enterprises', params)
+          enterprises = enterprises.visible
+          enterprises = enterprises.by_location(params) # Must be the last. May return Exception obj.
+          present enterprises, :with => Entities::Enterprise, :current_person => current_person
+        end
+
+        desc "Return one enterprise by id"
+        get ':id' do
+          enterprise = environment.enterprises.visible.find_by(id: params[:id])
+          present enterprise, :with => Entities::Enterprise, :current_person => current_person
+        end
+
+      end
+
+      resource :people do
+
+        segment '/:person_id' do
+
+          resource :enterprises do
+
+            get do
+              person = environment.people.find(params[:person_id])
+              enterprises = select_filtered_collection_of(person, 'enterprises', params)
+              enterprises = enterprises.visible.by_location(params)
+              present enterprises, :with => Entities::Enterprise, :current_person => current_person
+            end
+
+          end
+
+        end
+
+      end
+
+
+    end
+  end
+end
@@ -0,0 +1,28 @@
+module Api
+  module V1
+    class Environments < Grape::API
+
+      resource :environment do
+
+        desc "Return the person information"
+        get '/signup_person_fields' do
+          present environment.signup_person_fields
+        end
+
+        get ':id' do
+          local_environment = nil
+          if (params[:id] == "default")
+            local_environment = Environment.default
+          elsif (params[:id] == "context")
+            local_environment = environment
+          else
+            local_environment = Environment.find(params[:id])
+          end
+          present_partial local_environment, :with => Entities::Environment, :is_admin => is_admin?(local_environment)
+        end
+
+      end
+
+    end
+  end
+end
@@ -0,0 +1,127 @@
+module Api
+  module V1
+    class People < Grape::API
+
+      MAX_PER_PAGE = 50
+
+      desc 'API Root'
+
+      resource :people do
+        paginate max_per_page: MAX_PER_PAGE
+
+        # -- A note about privacy --
+        # We wold find people by location, but we must test if the related
+        # fields are public. We can't do it now, with SQL, while the location
+        # data and the fields_privacy are a serialized settings.
+        # We must build a new table for profile data, where we can set meta-data
+        # like:
+        # | id | profile_id | key  | value    | privacy_level | source    |
+        # |  1 |         99 | city | Salvador | friends       | user      |
+        # |  2 |         99 | lng  |  -38.521 | me only       | automatic |
+
+        # Collect people from environment
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest comments from reference_id comment. If nothing is passed the newest comments are collected
+        #   limit            - amount of comments returned. The default value is 20
+        #
+        # Example Request:
+        #  GET /people?from=2013-04-04-14:41:43&until=2014-04-04-14:41:43&limit=10
+        #  GET /people?reference_id=10&limit=10&oldest
+
+        desc "Find environment's people"
+        get do
+          people = select_filtered_collection_of(environment, 'people', params)
+          people = people.visible
+          present_partial people, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Return the logged user information"
+        get "/me" do
+          authenticate!
+          present_partial current_person, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Return the person information"
+        get ':id' do
+          person = environment.people.visible.find_by(id: params[:id])
+          return not_found! if person.blank?
+          present person, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Update person information"
+        post ':id' do
+          authenticate!
+          return forbidden! if current_person.id.to_s != params[:id]
+          current_person.update_attributes!(asset_with_image(params[:person]))
+          present current_person, :with => Entities::Person, :current_person => current_person
+        end
+
+        #  POST api/v1/people?person[login]=some_login&person[password]=some_password&person[name]=Jack
+        #  for each custom field for person, add &person[field_name]=field_value to the request
+        desc "Create person"
+        post do
+          authenticate!
+          user_data = {}
+          user_data[:login] = params[:person].delete(:login) || params[:person][:identifier]
+          user_data[:email] = params[:person].delete(:email)
+          user_data[:password] = params[:person].delete(:password)
+          user_data[:password_confirmation] = params[:person].delete(:password_confirmation)
+
+          params[:person][:custom_values]={}
+          params[:person].keys.each do |key|
+            params[:person][:custom_values][key]=params[:person].delete(key) if Person.custom_fields(environment).any?{|cf| cf.name==key}
+          end
+
+          user = User.build(user_data, asset_with_image(params[:person]), environment)
+
+          begin
+            user.signup!
+          rescue ActiveRecord::RecordInvalid
+            render_api_errors!(user.errors.full_messages)
+          end
+
+          present user.person, :with => Entities::Person, :current_person => user.person
+        end
+
+        desc "Return the person friends"
+        get ':id/friends' do
+          person = environment.people.visible.find_by(id: params[:id])
+          return not_found! if person.blank?
+          friends = person.friends.visible
+          present friends, :with => Entities::Person, :current_person => current_person
+        end
+
+        desc "Return the person permissions on other profiles"
+        get ":id/permissions" do
+          authenticate!
+          person = environment.people.find(params[:id])
+          return not_found! if person.blank?
+          return forbidden! unless current_person == person || environment.admins.include?(current_person)
+
+          output = {}
+          person.role_assignments.map do |role_assigment|
+            if role_assigment.resource.respond_to?(:identifier)
+              output[role_assigment.resource.identifier] = role_assigment.role.permissions
+            end
+          end
+          present output
+        end
+      end
+
+      resource :profiles do
+        segment '/:profile_id' do
+          resource :members do
+            paginate max_per_page: MAX_PER_PAGE
+            get do
+              profile = environment.profiles.find_by id: params[:profile_id]
+              members = select_filtered_collection_of(profile, 'members', params)
+              present members, :with => Entities::Person, :current_person => current_person
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,42 @@
+module Api
+  module V1
+    class Profiles < Grape::API
+
+      resource :profiles do
+
+        get do
+          profiles = select_filtered_collection_of(environment, 'profiles', params)
+          profiles = profiles.visible
+          profiles = profiles.by_location(params) # Must be the last. May return Exception obj.
+          present profiles, :with => Entities::Profile, :current_person => current_person
+        end
+
+        get ':id' do
+          profiles = environment.profiles
+          profiles = profiles.visible
+          profile = profiles.find_by id: params[:id]
+
+          if profile
+            present profile, :with => Entities::Profile, :current_person => current_person
+          else
+            not_found!
+          end
+        end
+
+        delete ':id' do
+          authenticate!
+          profiles = environment.profiles
+          profile = profiles.find_by id: params[:id]
+
+          not_found! if profile.blank?
+
+          if current_person.has_permission?(:destroy_profile, profile)
+            profile.destroy
+          else
+            forbidden!
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,37 @@
+module Api
+  module V1
+    class Search < Grape::API
+
+      resource :search do
+        resource :article do
+          paginate max_per_page: 200
+          get do
+            # Security checks
+            sanitize_params_hash(params)
+            # Api::Helpers
+            asset = :articles
+            context = environment
+
+            profile = environment.profiles.find(params[:profile_id]) if params[:profile_id]
+            scope = profile.nil? ? environment.articles.is_public : profile.articles.is_public
+            scope = scope.where(:type => params[:type]) if params[:type] && !(params[:type] == 'Article')
+            scope = scope.where(make_conditions_with_parameter(params))
+            scope = scope.joins(:categories).where(:categories => {:id => params[:category_ids]}) if params[:category_ids].present?
+            scope = scope.where('articles.children_count > 0') if params[:has_children].present?
+            query = params[:query] || ""
+            order = "more_recent"
+
+            options = {:filter => order, :template_id => params[:template_id]}
+
+            search_result = find_by_contents(asset, context, scope, query, {:page => 1}, options)
+
+            articles = search_result[:results]
+
+            present_articles(articles)
+          end
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,157 @@
+require "uri"
+
+module Api
+  module V1
+    class Session < Grape::API
+
+      # Login to get token
+      #
+      # Parameters:
+      #   login (*required) - user login or email
+      #   password (required) - user password
+      #
+      # Example Request:
+      #  POST http://localhost:3000/api/v1/login?login=adminuser&password=admin
+      post "/login" do
+        begin
+          user ||= User.authenticate(params[:login], params[:password], environment)
+        rescue User::UserNotActivated => e
+          render_api_error!(e.message, 401)
+        end
+
+        return unauthorized! unless user
+        @current_user = user
+        present user, :with => Entities::UserLogin, :current_person => current_person
+      end
+
+      post "/login_from_cookie" do
+        return unauthorized! if cookies[:auth_token].blank?
+        user = User.where(remember_token: cookies[:auth_token]).first
+        return unauthorized! unless user && user.activated?
+        @current_user = user
+        present user, :with => Entities::UserLogin, :current_person => current_person
+      end
+
+      # Create user.
+      #
+      # Parameters:
+      #   email (required)                  - Email
+      #   password (required)               - Password
+      #   login                             - login
+      # Example Request:
+      #   POST /register?email=some@mail.com&password=pas&password_confirmation=pas&login=some
+      params do
+        requires :email, type: String, desc: _("Email")
+        requires :login, type: String, desc: _("Login")
+        requires :password, type: String, desc: _("Password")
+      end
+
+      post "/register" do
+        attrs = attributes_for_keys [:email, :login, :password, :password_confirmation] + environment.signup_person_fields
+        name = params[:name].present? ? params[:name] : attrs[:email]
+        attrs[:password_confirmation] = attrs[:password] if !attrs.has_key?(:password_confirmation)
+        user = User.new(attrs.merge(:name => name))
+
+        begin
+          user.signup!
+          user.generate_private_token! if user.activated?
+          present user, :with => Entities::UserLogin, :current_person => user.person
+        rescue ActiveRecord::RecordInvalid
+          message = user.errors.as_json.merge((user.person.present? ? user.person.errors : {}).as_json).to_json
+          render_api_error!(message, 400)
+        end
+      end
+
+      params do
+        requires :activation_code, type: String, desc: _("Activation token")
+      end
+
+      # Activate a user.
+      #
+      # Parameter:
+      #   activation_code (required)                  - Activation token
+      # Example Request:
+      #   PATCH /activate?activation_code=28259abd12cc6a64ef9399cf3286cb998b96aeaf
+      patch "/activate" do
+        user = User.find_by activation_code: params[:activation_code]
+        if user
+          unless user.environment.enabled?('admin_must_approve_new_users')
+            if user.activate
+                user.generate_private_token!
+                present user, :with => Entities::UserLogin, :current_person => current_person
+            end
+          else
+            if user.create_moderate_task
+              user.activation_code = nil
+              user.save!
+
+              # Waiting for admin moderate user registration
+              status 202
+              body({
+                :message => 'Waiting for admin moderate user registration'
+              })
+            end
+          end
+        else
+          # Token not found in database
+          render_api_error!(_('Token is invalid'), 412)
+        end
+      end
+
+      # Request a new password.
+      #
+      # Parameters:
+      #   value (required)                  - Email or login
+      # Example Request:
+      #   POST /forgot_password?value=some@mail.com
+      post "/forgot_password" do
+        requestors = fetch_requestors(params[:value])
+        not_found! if requestors.blank?
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        requestors.each do |requestor|
+          ChangePassword.create!(:requestor => requestor)
+        end
+      end
+
+      # Resend activation code.
+      #
+      # Parameters:
+      #   value (required)                  - Email or login
+      # Example Request:
+      #   POST /resend_activation_code?value=some@mail.com
+      post "/resend_activation_code" do
+        requestors = fetch_requestors(params[:value])
+        not_found! if requestors.blank?
+        remote_ip = (request.respond_to?(:remote_ip) && request.remote_ip) || (env && env['REMOTE_ADDR'])
+        requestors.each do |requestor|
+          requestor.user.resend_activation_code
+        end
+        present requestors.map(&:user), :with => Entities::UserLogin
+      end
+
+      params do
+        requires :code, type: String, desc: _("Forgot password code")
+      end
+      # Change password
+      #
+      # Parameters:
+      #   code (required)                  - Change password code
+      #   password (required)
+      #   password_confirmation (required)
+      # Example Request:
+      #   PATCH /new_password?code=xxxx&password=secret&password_confirmation=secret
+      patch "/new_password" do
+        change_password = ChangePassword.find_by code: params[:code]
+        not_found! if change_password.nil?
+
+        if change_password.update_attributes(:password => params[:password], :password_confirmation => params[:password_confirmation])
+          change_password.finish
+          present change_password.requestor.user, :with => Entities::UserLogin, :current_person => current_person
+        else
+          something_wrong!
+        end
+      end
+
+    end
+  end
+end
@@ -0,0 +1,30 @@
+module Api
+  module V1
+    class Tags < Grape::API
+      resource :articles do
+        resource ':id/tags' do
+          get do
+            article = find_article(environment.articles, params[:id])
+            present article.tag_list
+          end
+
+          desc "Add a tag to an article"
+          post do
+            authenticate!
+            article = find_article(environment.articles, params[:id])
+            article.tag_list=params[:tags]
+            article.save
+            present article.tag_list
+          end
+        end
+      end
+
+      resource :environment do
+        desc 'Return the tag counts for this environment'
+        get '/tags' do
+          present environment.tag_counts
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,57 @@
+module Api
+  module V1
+    class Tasks < Grape::API
+#      before { authenticate! }
+
+#      ARTICLE_TYPES = Article.descendants.map{|a| a.to_s}
+
+      resource :tasks do
+
+        # Collect tasks
+        #
+        # Parameters:
+        #   from             - date where the search will begin. If nothing is passed the default date will be the date of the first article created
+        #   oldest           - Collect the oldest articles. If nothing is passed the newest articles are collected
+        #   limit            - amount of articles returned. The default value is 20
+        #
+        # Example Request:
+        #  GET host/api/v1/tasks?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
+        get do
+          tasks = select_filtered_collection_of(environment, 'tasks', params)
+          tasks = tasks.select {|t| current_person.has_permission?(t.permission, environment)}
+          present_partial tasks, :with => Entities::Task
+        end
+
+        desc "Return the task id"
+        get ':id' do
+          task = find_task(environment, params[:id])
+          present_partial task, :with => Entities::Task
+        end
+      end
+
+      kinds = %w[community person enterprise]
+      kinds.each do |kind|
+        resource kind.pluralize.to_sym do
+          segment "/:#{kind}_id" do
+            resource :tasks do
+              get do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                present_tasks(profile)
+              end
+
+              get ':id' do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                present_task(profile)
+              end
+
+              post do
+                profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
+                post_task(profile, params)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,43 @@
+module Api
+  module V1
+    class Users < Grape::API
+
+      resource :users do
+
+        get do
+          users = select_filtered_collection_of(environment, 'users', params)
+          users = users.select{|u| u.person.display_info_to? current_person}
+          present users, :with => Entities::User, :current_person => current_person
+        end
+
+        get "/me" do
+          authenticate!
+          present current_user, :with => Entities::User, :current_person => current_person
+        end
+
+        get ":id" do
+          user = environment.users.find_by id: params[:id]
+          if user
+            present user, :with => Entities::User, :current_person => current_person
+          else
+            not_found!
+          end
+        end
+
+        get ":id/permissions" do
+          authenticate!
+          user = environment.users.find(params[:id])
+          output = {}
+          user.person.role_assignments.map do |role_assigment|
+            if role_assigment.resource.respond_to?(:identifier) && role_assigment.resource.identifier == params[:profile]
+              output[:permissions] = role_assigment.role.permissions
+            end
+          end
+          present output
+        end
+
+      end
+
+    end
+  end
+end
@@ -7,7 +7,6 @@ class CategoriesController &lt; AdminController
   def index
     @categories = environment.categories.where("parent_id is null AND type is null")
     @regions = environment.regions.where(:parent_id => nil)
-    @product_categories = environment.product_categories.where(:parent_id => nil)
   end
   def get_children
 class EditTemplateController < AdminController
-  
+
   protect 'edit_environment_design', :environment
-  
+
   #FIXME
   #design_editor :holder => 'environment', :autosave => true, :block_types => :block_types
@@ -9,7 +9,6 @@ class EditTemplateController &lt; AdminController
     %w[
        FavoriteLinks
        ListBlock
-       SellersSearchBlock
      ]
   end
 class EnvironmentDesignController < BoxOrganizerController
-  
+
   protect 'edit_environment_design', :environment
   def available_blocks
-    @available_blocks ||= [ ArticleBlock, LoginBlock, RecentDocumentsBlock, EnterprisesBlock, CommunitiesBlock, SellersSearchBlock, LinkListBlock, FeedReaderBlock, SlideshowBlock, HighlightsBlock, FeaturedProductsBlock, CategoriesBlock, RawHTMLBlock, TagsBlock ]
+    @available_blocks ||= [ ArticleBlock, LoginBlock, RecentDocumentsBlock, EnterprisesBlock, CommunitiesBlock, LinkListBlock, FeedReaderBlock, SlideshowBlock, HighlightsBlock, CategoriesBlock, RawHTMLBlock, TagsBlock ]
     @available_blocks += plugins.dispatch(:extra_blocks, :type => Environment)
   end
@@ -45,7 +45,6 @@ class UsersController &lt; AdminController
     redirect_to :action => :index, :q => params[:q], :filter => params[:filter]
   end
-
   def destroy_user
     if request.post?
       person = environment.people.find_by id: params[:id]
@@ -58,7 +57,6 @@ class UsersController &lt; AdminController
     redirect_to :action => :index, :q => params[:q], :filter => params[:filter]
   end
-
   def download
     respond_to do |format|
       format.html
@@ -87,8 +85,11 @@ class UsersController &lt; AdminController
   end
   def send_mail
-    @mailing = environment.mailings.build(params[:mailing])
     if request.post?
+      @mailing = environment.mailings.build(params[:mailing])
+      @mailing.recipients_roles = []
+      @mailing.recipients_roles << "profile_admin" if params[:recipients][:profile_admins].include?("true")
+      @mailing.recipients_roles << "environment_administrator" if params[:recipients][:env_admins].include?("true")
       @mailing.locale = locale
       @mailing.person = user
       if @mailing.save
@@ -103,12 +103,10 @@ class CmsController &lt; MyProfileController
         end
       end
     end
-
-    escape_fields @article
   end
   def new
-    # FIXME this method should share some logic wirh edit !!!
+    # FIXME this method should share some logic with edit !!!
     @success_back_to = params[:success_back_to]
     # user must choose an article type first
@@ -174,9 +172,6 @@ class CmsController &lt; MyProfileController
         return
       end
     end
-
-    escape_fields @article
-
     render :action => 'edit'
   end
@@ -365,7 +360,7 @@ class CmsController &lt; MyProfileController
   def search
     query = params[:q]
     results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results]
-    render :text => article_list_to_json(results), :content_type => 'application/json'
+    render :text => article_list_to_json(results).html_safe, :content_type => 'application/json'
   end
   def search_article_privacy_exceptions
@@ -409,9 +404,6 @@ class CmsController &lt; MyProfileController
     ]
     articles += special_article_types if params && params[:cms]
     parent_id = params ? params[:parent_id] : nil
-    if profile.enterprise?
-      articles << EnterpriseHomepage
-    end
     if @parent && @parent.blog?
       articles -= Article.folder_types.map(&:constantize)
     end
@@ -451,9 +443,7 @@ class CmsController &lt; MyProfileController
   end
   def refuse_blocks
-    if ['TinyMceArticle', 'TextileArticle', 'Event', 'EnterpriseHomepage'].include?(@type)
-      @no_design_blocks = true
-    end
+    @no_design_blocks = @type.present? && valid_article_type?(@type) ? !@type.constantize.can_display_blocks? : false
   end
   def per_page
@@ -521,10 +511,4 @@ class CmsController &lt; MyProfileController
     end
   end
-  def escape_fields article
-    unless article.kind_of?(RssFeed)
-      @escaped_body = CGI::escapeHTML(article.body || '')
-      @escaped_abstract = CGI::escapeHTML(article.abstract || '')
-    end
-  end
 end
@@ -45,17 +45,10 @@ class ProfileDesignController &lt; BoxOrganizerController
     if profile.enterprise?
       blocks << DisabledEnterpriseMessageBlock
       blocks << HighlightsBlock
-      blocks << ProductCategoriesBlock
-      blocks << FeaturedProductsBlock
       blocks << FansBlock
       blocks += plugins.dispatch(:extra_blocks, :type => Enterprise)
     end
-    # product block exclusive for enterprises in environments that permits it
-    if profile.enterprise? && profile.environment.enabled?('products_for_enterprises')
-      blocks << ProductsBlock
-    end
-
     # block exclusive to profiles that have blog
     if profile.has_blog?
       blocks << BlogArchivesBlock
@@ -29,6 +29,7 @@ class ProfileEditorController &lt; MyProfileController
         Image.transaction do
           begin
             @plugins.dispatch(:profile_editor_transaction_extras)
+            # TODO: This is unsafe! Add sanitizer
             @profile_data.update!(params[:profile_data])
             redirect_to :action => 'index', :profile => profile.identifier
           rescue Exception => ex
@@ -14,20 +14,23 @@ class TasksController &lt; MyProfileController
     @filter_text = params[:filter_text].presence
     @filter_responsible = params[:filter_responsible]
     @task_types = Task.pending_types_for(profile)
-
-    @tasks = Task.pending_all(profile, @filter_type, @filter_text).order_by('created_at', 'asc')
+    @tasks = Task.pending_all(profile, @filter_type, @filter_text).order_by('created_at', 'asc').paginate(:per_page => Task.per_page, :page => params[:page])
     @tasks = @tasks.where(:responsible_id => @filter_responsible.to_i != -1 ? @filter_responsible : nil) if @filter_responsible.present?
     @tasks = @tasks.paginate(:per_page => Task.per_page, :page => params[:page])
-
     @failed = params ? params[:failed] : {}
     @responsible_candidates = profile.members.by_role(profile.roles.reject {|r| !r.has_permission?('perform_task')}) if profile.organization?
     @view_only = !current_person.has_permission?(:perform_task, profile)
+
   end
   def processed
-    @tasks = Task.to(profile).without_spam.closed.sort_by(&:created_at)
+    @tasks = Task.to(profile).without_spam.closed.order('tasks.created_at DESC')
+    @filter = params[:filter] || {}
+    @tasks = filter_tasks(@filter, @tasks)
+    @tasks = @tasks.paginate(:per_page => Task.per_page, :page => params[:page])
+    @task_types = Task.closed_types_for(profile)
   end
   def change_responsible
@@ -95,4 +98,36 @@ class TasksController &lt; MyProfileController
     @ticket = Ticket.where('(requestor_id = ? or target_id = ?) and id = ?', profile.id, profile.id, params[:id]).first
   end
+  def search_tasks
+    filter_type = params[:filter_type].presence
+    filter_text = params[:filter_text].presence
+    result = Task.pending_all(profile,filter_type, filter_text)
+
+    render :json => result.map { |task| {:label => task.data[:name], :value => task.data[:name]} }
+  end
+
+  protected
+
+  def filter_tasks(filter, tasks)
+    tasks = tasks.eager_load(:requestor, :closed_by)
+    tasks = tasks.of(filter[:type].presence)
+    tasks = tasks.where(:status => filter[:status]) unless filter[:status].blank?
+
+    filter[:created_from] = Date.parse(filter[:created_from]) unless filter[:created_from].blank?
+    filter[:created_until] = Date.parse(filter[:created_until]) unless filter[:created_until].blank?
+    filter[:closed_from] = Date.parse(filter[:closed_from]) unless filter[:closed_from].blank?
+    filter[:closed_until] = Date.parse(filter[:closed_until]) unless filter[:closed_until].blank?
+
+    tasks = tasks.from_creation_date filter[:created_from] unless filter[:created_from].blank?
+    tasks = tasks.until_creation_date filter[:created_until] unless filter[:created_until].blank?
+
+    tasks = tasks.from_closed_date filter[:closed_from] unless filter[:closed_from].blank?
+    tasks = tasks.until_closed_date filter[:closed_until] unless filter[:closed_until].blank?
+
+    tasks = tasks.where('profiles.name LIKE ?', filter[:requestor]) unless filter[:requestor].blank?
+    tasks = tasks.where('closed_bies_tasks.name LIKE ?', filter[:closed_by]) unless filter[:closed_by].blank?
+    tasks = tasks.where('tasks.data LIKE ?', "%#{filter[:text]}%") unless filter[:text].blank?
+    tasks
+  end
+
 end
@@ -13,7 +13,7 @@ class ApiController &lt; PublicController
   private
   def endpoints
-    Noosfero::API::API.endpoints(environment)
+    Api::App.endpoints(environment)
   end
 end
@@ -86,8 +86,16 @@ class ProfileController &lt; PublicController
     @articles = profile.top_level_articles.includes([:profile, :parent])
   end
+  def join_modal
+      profile.add_member(user)
+      session[:notice] = _('%s administrator still needs to accept you as member.') % profile.name
+      redirect_to :action => :index
+  end
+
   def join
     if !user.memberships.include?(profile)
+      return if profile.community? && show_confirmation_modal?(profile)
+
       profile.add_member(user)
       if !profile.members.include?(user)
         render :text => {:message => _('%s administrator still needs to accept you as member.') % profile.name}.to_json
@@ -3,7 +3,10 @@ class SearchController &lt; PublicController
   helper TagsHelper
   include SearchHelper
   include ActionView::Helpers::NumberHelper
+  include SanitizeParams
+
+  before_filter :sanitize_params
   before_filter :redirect_asset_param, :except => [:assets, :suggestions]
   before_filter :load_category, :except => :suggestions
   before_filter :load_search_assets, :except => :suggestions
@@ -49,7 +52,6 @@ class SearchController &lt; PublicController
     [
       [ :people, _('People'), :recent_people ],
       [ :enterprises, _('Enterprises'), :recent_enterprises ],
-      [ :products, _('Products'), :recent_products ],
       [ :events, _('Upcoming events'), :upcoming_events ],
       [ :communities, _('Communities'), :recent_communities ],
       [ :articles, _('Contents'), :recent_articles ]
@@ -75,16 +77,17 @@ class SearchController &lt; PublicController
     full_text_search
   end
-  def products
-    @scope = @environment.products
-    full_text_search
-  end
-
   def enterprises
     @scope = visible_profiles(Enterprise)
     full_text_search
   end
+  # keep URL compatibility
+  def products
+    return render_not_found unless defined? ProductsPlugin
+    redirect_to url_for(params.merge controller: 'products_plugin/search', action: :products)
+  end
+
   def communities
     @scope = visible_profiles(Community)
     full_text_search
@@ -134,7 +137,8 @@ class SearchController &lt; PublicController
   def tag
     @tag = params[:tag]
-    @tag_cache_key = "tag_#{CGI.escape(@tag.to_s)}_env_#{environment.id.to_s}_page_#{params[:npage]}"
+    tag_str = @tag.kind_of?(Array) ? @tag.join(" ") : @tag.to_str
+    @tag_cache_key = "tag_#{CGI.escape(tag_str)}_env_#{environment.id.to_s}_page_#{params[:npage]}"
     if is_cache_expired?(@tag_cache_key)
       @searches[@asset] = {:results => environment.articles.tagged_with(@tag).paginate(paginate_options)}
     end
@@ -182,7 +186,6 @@ class SearchController &lt; PublicController
       people:      _('People'),
       communities: _('Communities'),
       enterprises: _('Enterprises'),
-      products:    _('Products and Services'),
       events:      _('Events'),
     }
   end
@@ -256,12 +259,11 @@ class SearchController &lt; PublicController
   end
   def available_assets
-    assets = {
+    {
       articles:    _('Contents'),
       enterprises: _('Enterprises'),
       people:      _('People'),
       communities: _('Communities'),
-      products:    _('Products and Services'),
     }
   end
@@ -5,22 +5,22 @@ module ActionTrackerHelper
   end
   def new_friendship_description ta
-    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size) % {
+    n_('has made 1 new friend:<br />%{name}', 'has made %{num} new friends:<br />%{name}', ta.get_friend_name.size).html_safe % {
       num: ta.get_friend_name.size,
-      name: ta.collect_group_with_index(:friend_name) do |n,i|
+      name: safe_join(ta.collect_group_with_index(:friend_name) do |n,i|
         link_to image_tag(ta.get_friend_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/person-icon.png")),
                 ta.get_friend_url[i], title: n
-      end.join
+      end)
     }
   end
   def join_community_description ta
-    n_('has joined 1 community:<br />%{name}', 'has joined %{num} communities:<br />%{name}', ta.get_resource_name.size) % {
+    n_('has joined 1 community:<br />%{name}'.html_safe, 'has joined %{num} communities:<br />%{name}'.html_safe, ta.get_resource_name.size) % {
       num: ta.get_resource_name.size,
       name: ta.collect_group_with_index(:resource_name) do |n,i|
-        link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
+       link = link_to image_tag(ta.get_resource_profile_custom_icon[i] || default_or_themed_icon("/images/icons-app/community-icon.png")),
                 ta.get_resource_url[i], title: n
-      end.join
+      end.join.html_safe
     }
   end
@@ -67,24 +67,6 @@ module ActionTrackerHelper
     }
   end
-  def create_product_description ta
-    _('created the product %{title}') % {
-      title: link_to(truncate(ta.get_name), ta.get_url),
-    }
-  end
-
-  def update_product_description ta
-    _('updated the product %{title}') % {
-      title: link_to(truncate(ta.get_name), ta.get_url),
-    }
-  end
-
-  def remove_product_description ta
-    _('removed the product %{title}') % {
-      title: truncate(ta.get_name),
-    }
-  end
-
   def favorite_enterprise_description ta
     _('favorited enterprise %{title}') % {
       title: link_to(truncate(ta.get_enterprise_name), ta.get_enterprise_url),
@@ -44,8 +44,6 @@ module ApplicationHelper
   include TokenHelper
-  include CatalogHelper
-
   include PluginsHelper
   include ButtonsHelper
@@ -56,6 +54,8 @@ module ApplicationHelper
   include TaskHelper
+  include MembershipsHelper
+
   def locale
     (@page && !@page.language.blank?) ? @page.language : FastGettext.locale
   end
@@ -99,7 +99,6 @@ module ApplicationHelper
   #
   # TODO: implement correcly the 'Help' button click
   def help(content = nil, link_name = nil, options = {}, &block)
-
     link_name ||= _('Help')
     @help_message_id ||= 1
@@ -122,7 +121,7 @@ module ApplicationHelper
     button = link_to_function(content_tag('span', link_name), "Element.show('#{help_id}')", options )
     close_button = content_tag("div", link_to_function(_("Close"), "Element.hide('#{help_id}')", :class => 'close_help_button'))
-    text = content_tag('div', button + content_tag('div', content_tag('div', content) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
+    text = content_tag('div', button + content_tag('div', content_tag('div', content.html_safe) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box')
     unless block.nil?
       concat(text)
@@ -234,13 +233,6 @@ module ApplicationHelper
     link_to(content_tag('span', text), url, html_options.merge(:class => the_class, :title => text))
   end
-  def button_bar(options = {}, &block)
-    options[:class].nil? ?
-      options[:class]='button-bar' :
-      options[:class]+=' button-bar'
-    concat(content_tag('div', capture(&block).to_s + tag('br', :style => 'clear: left;'), options))
-  end
-
   def render_profile_actions klass
     name = klass.to_s.underscore
     begin
@@ -362,8 +354,8 @@ module ApplicationHelper
   def popover_menu(title,menu_title,links,html_options={})
     html_options[:class] = "" unless html_options[:class]
     html_options[:class] << " menu-submenu-trigger"
-    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false"
+    html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false".html_safe
     link_to(content_tag(:span, title), '#', html_options)
   end
@@ -473,9 +465,9 @@ module ApplicationHelper
       map(&:role)
     names = []
     roles.each do |role|
-      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}")
+      names << content_tag('span', role.name, :style => "color: #{role_color(role, resource.environment.id)}").html_safe
     end
-    names.join(', ')
+    safe_join(names, ', ')
   end
   def role_color(role, env_id)
@@ -788,7 +780,7 @@ module ApplicationHelper
     return "" if categories.blank?
     content_tag(:ul) do
       categories.map do |category|
-        category_path = category.kind_of?(ProductCategory) ? {:controller => 'search', :action => 'assets', :asset => 'products', :product_category => category.id} : { :controller => 'search', :action => 'category_index', :category_path => category.explode_path }
+        category_path = { :controller => 'search', :action => 'category_index', :category_path => category.explode_path }
         if category.display_in_menu?
           content_tag(:li) do
             if !category.is_leaf_displayable_in_menu?
@@ -911,7 +903,8 @@ module ApplicationHelper
   end
   def admin_link
-    user.is_admin?(environment) ? link_to('<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>', environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
+    admin_icon = '<i class="icon-menu-admin"></i><strong>' + _('Administration') + '</strong>'
+    user.is_admin?(environment) ? link_to(admin_icon.html_safe, environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : ''
   end
   def usermenu_logged_in
@@ -920,23 +913,39 @@ module ApplicationHelper
     if count > 0
       pending_tasks_count = link_to(count.to_s, user.tasks_url, :id => 'pending-tasks-count', :title => _("Manage your pending tasks"))
     end
+    user_identifier = "<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>"
+    welcome_link = link_to(user_identifier.html_safe, user.public_profile_url, :id => "homepage-link", :title => _('Go to your homepage'))
+    welcome_span = _("<span class='welcome'>Welcome,</span> %s") % welcome_link.html_safe
+    ctrl_panel_icon = '<i class="icon-menu-ctrl-panel"></i>'
+    ctrl_panel_section = '<strong>' + ctrl_panel_icon + _('Control panel') + '</strong>'
+    ctrl_panel_link = link_to(ctrl_panel_section.html_safe, user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content"))
+    logout_icon = '<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>'
+    logout_link = link_to(logout_icon.html_safe, { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+    join_result = safe_join(
+      [welcome_span.html_safe, render_environment_features(:usermenu).html_safe, admin_link.html_safe,
+        manage_enterprises.html_safe, manage_communities.html_safe, ctrl_panel_link.html_safe,
+        pending_tasks_count.html_safe, logout_link.html_safe], "")
+    join_result
+  end
-    (_("<span class='welcome'>Welcome,</span> %s") % link_to("<i style='background-image:url(#{user.profile_custom_icon(gravatar_default)})'></i><strong>#{user.identifier}</strong>", user.url, :id => "homepage-link", :title => _('Go to your homepage'))) +
-    render_environment_features(:usermenu) +
-    admin_link +
-    manage_enterprises +
-    manage_communities +
-    link_to('<i class="icon-menu-ctrl-panel"></i><strong>' + _('Control panel') + '</strong>', user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content")) +
-    pending_tasks_count +
-    link_to('<i class="icon-menu-logout"></i><strong>' + _('Logout') + '</strong>', { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system"))
+  def usermenu_notlogged_in
+    login_str = '<i class="icon-menu-login"></i><strong>' + _('Login') + '</strong>'
+    ret = _("<span class='login'>%s</span>") % modal_inline_link_to(login_str.html_safe, login_url, '#inlineLoginBox', :id => 'link_login')
+    return ret.html_safe
   end
+  def usermenu_signup
+    signup_str = '<strong>' + _('Sign up') + '</strong>'
+    ret = _("<span class='or'>or</span> <span class='signup'>%s</span>") % link_to(signup_str.html_safe, :controller => 'account', :action => 'signup')
+    return ret.html_safe
+
+  end
   def limited_text_area(object_name, method, limit, text_area_id, options = {})
-    content_tag(:div, [
+    content_tag(:div, safe_join([
       text_area(object_name, method, { :id => text_area_id, :onkeyup => "limited_text_area('#{text_area_id}', #{limit})" }.merge(options)),
       content_tag(:p, content_tag(:span, limit) + ' ' + _(' characters left'), :id => text_area_id + '_left'),
       content_tag(:p, _('Limit of characters reached'), :id => text_area_id + '_limit', :style => 'display: none')
-    ].join, :class => 'limited-text-area')
+    ]), :class => 'limited-text-area')
   end
   def expandable_text_area(object_name, method, text_area_id, options = {})
@@ -970,11 +979,11 @@ module ApplicationHelper
   def task_information(task)
     values = {}
+    values.merge!(task.information[:variables]) if task.information[:variables]
     values.merge!({:requestor => link_to(task.requestor.name, task.requestor.url)}) if task.requestor
     values.merge!({:subject => content_tag('span', task.subject, :class=>'task_target')}) if task.subject
     values.merge!({:linked_subject => link_to(content_tag('span', task.linked_subject[:text], :class => 'task_target'), task.linked_subject[:url])}) if task.linked_subject
-    values.merge!(task.information[:variables]) if task.information[:variables]
-    task.information[:message] % values
+    (task.information[:message] % values).html_safe
   end
   def add_zoom_to_article_images
@@ -1032,26 +1041,24 @@ module ApplicationHelper
   end
   def render_tabs(tabs)
-    titles = tabs.inject(''){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
-    contents = tabs.inject(''){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
+    titles = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
+    contents = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
     content_tag(:div, content_tag(:ul, titles) + raw(contents), :class => 'ui-tabs')
   end
   def delete_article_message(article)
-    CGI.escapeHTML(
-      if article.folder?
-        _("Are you sure that you want to remove the folder \"%s\"? Note that all the items inside it will also be removed!") % article.name
-      else
-        _("Are you sure that you want to remove the item \"%s\"?") % article.name
-      end
-    )
+    if article.folder?
+      _("Are you sure that you want to remove the folder \"%s\"? Note that all the items inside it will also be removed!") % article.name
+    else
+      _("Are you sure that you want to remove the item \"%s\"?") % article.name
+    end
   end
   def expirable_link_to(expired, content, url, options = {})
     if expired
       options[:class] = (options[:class] || '') + ' disabled'
-      content_tag('a', '&nbsp;'+content_tag('span', content), options)
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', content), options)
     else
       if options[:modal]
         options.delete(:modal)
@@ -1084,7 +1091,7 @@ module ApplicationHelper
     radios = templates.map do |template|
       content_tag('li', labelled_radio_button(link_to(template.name, template.url, :target => '_blank'), "#{field_name}[template_id]", template.id, environment.is_default_template?(template)))
-    end.join("\n")
+    end.join("\n").html_safe
     content_tag('div', content_tag('label', _('Profile organization'), :for => 'template-options', :class => 'formlabel') +
       content_tag('p', _('Your profile will be created according to the selected template. Click on the options to view them.'), :style => 'margin: 5px 15px;padding: 0px 10px;') +
@@ -1124,7 +1131,7 @@ module ApplicationHelper
     content_tag(:div, :class => 'errorExplanation', :id => 'errorExplanation') do
       content_tag(:h2, _('Errors while saving')) +
       content_tag(:ul) do
-        errors.map { |err| content_tag(:li, err) }.join
+        safe_join(errors.map { |err| content_tag(:li, err) })
       end
     end
   end
@@ -1234,6 +1241,7 @@ module ApplicationHelper
       :href=>"#",
       :title=>_("Exit full screen mode")
     })
+    content.html_safe
   end
 end
@@ -69,14 +69,14 @@ module ArticleHelper
     content_tag('div',
       content_tag('div',
         radio_button(:article, :published, true) +
-          content_tag('span', '&nbsp;', :class => 'access-public-icon') +
+          content_tag('span', '&nbsp;'.html_safe, :class => 'access-public-icon') +
           content_tag('label', _('Public'), :for => 'article_published_true') +
           content_tag('span', _('Visible to other people'), :class => 'access-note'),
           :class => 'access-item'
            ) +
       content_tag('div',
         radio_button(:article, :published, false) +
-          content_tag('span', '&nbsp;', :class => 'access-private-icon') +
+          content_tag('span', '&nbsp;'.html_safe, :class => 'access-private-icon') +
           content_tag('label', _('Private'), :for => 'article_published_false', :id => "label_private") +
           content_tag('span', _('Limit visibility of this article'), :class => 'access-note'),
           :class => 'access-item'
@@ -187,9 +187,9 @@ module ArticleHelper
   def following_button(page, user)
     if !user.blank? and user != page.author
       if page.is_followed_by? user
-        button :cancel, unfollow_button_text(page), {:controller => 'profile', :action => 'unfollow_article', :article_id => page.id}
+        button :cancel, unfollow_button_text(page), {:controller => 'profile', :action => 'unfollow_article', :article_id => page.id, :profile => page.profile.identifier}
       else
-        button :add, follow_button_text(page), {:controller => 'profile', :action => 'follow_article', :article_id => page.id}
+        button :add, follow_button_text(page), {:controller => 'profile', :action => 'follow_article', :article_id => page.id, :profile => page.profile.identifier}
       end
     end
   end
@@ -3,13 +3,13 @@ module BlockHelper
   def block_title(title, subtitle=nil)
     block_header = block_heading title
     block_header += block_heading(subtitle, 'h4') if subtitle
-    content_tag 'div', block_header, :class => 'block-header'
+    content_tag('div', block_header, :class => 'block-header').html_safe
   end
   def block_heading(title, heading='h3')
     tag_class = 'block-' + (heading == 'h3' ? 'title' : 'subtitle')
     tag_class += ' empty' if title.empty?
-    content_tag heading, content_tag('span', h(title)), :class => tag_class
+    content_tag heading, content_tag('span', h(title)), :class => tag_class.html_safe
   end
   def highlights_block_config_image_fields(block, image={}, row_number=nil)
@@ -28,7 +28,7 @@ module BlockHelper
       }</label></td>
       <td>#{button_without_text(:delete, _('Remove'), '#', class: 'delete-highlight', data: {confirm: _('Are you sure you want to remove this highlight')})}</td>
     </tr>
-    "
+    ".html_safe
   end
 end
@@ -41,12 +41,12 @@ module BlogHelper
       css_add << position
       content << (content_tag 'div', id: "post-#{art.id}", class: css_add do
         content_tag 'div', class: position + '-inner blog-post-inner' do
-          display_post(art, conf[:format]).html_safe +
+          display_post(art, conf[:format])  +
           '<br style="clear:both"/>'.html_safe
         end
-      end)
+      end).html_safe
     }
-    content.join("\n<hr class='sep-posts'/>\n") + (pagination or '')
+    safe_join(content, "\n<hr class='sep-posts'/>\n".html_safe) + (pagination or '').html_safe
   end
   def display_post(article, format = 'full')
@@ -61,7 +61,8 @@ module BlogHelper
       else
         '<div class="post-pic" style="background-image:url('+img+')"></div>'
       end
-    end.to_s + title + html
+    end.to_s.html_safe +
+    title.html_safe + html
   end
   def display_compact_format(article)
@@ -38,7 +38,7 @@ module BoxOrganizerHelper
     content_tag(:ul,
       images_path.map do |preview|
 	content_tag(:li, image_tag(preview, height: '240', alt: ''))
-      end.join("\n")
+      end.join("\n").html_safe
     )
   end
@@ -34,7 +34,7 @@ module BoxesHelper
   def display_boxes_editor(holder)
     with_box_decorator self do
-      content_tag('div', display_boxes(holder, '&lt;' + _('Main content') + '&gt;'), :id => 'box-organizer')
+      content_tag('div', display_boxes(holder, '<' + _('Main content') + '>'), :id => 'box-organizer')
     end
   end
@@ -44,7 +44,7 @@ module BoxesHelper
   def display_boxes(holder, main_content)
     boxes = holder.boxes.with_position.first(boxes_limit(holder))
-    content = boxes.reverse.map { |item| display_box(item, main_content) }.join("\n")
+    content = safe_join(boxes.reverse.map { |item| display_box(item, main_content) }, "\n")
     content = main_content if (content.blank?)
     content_tag('div', content, :class => 'boxes', :id => 'boxes' )
@@ -52,9 +52,9 @@ module BoxesHelper
   def maybe_display_custom_element(holder, element, options = {})
     if holder.respond_to?(element)
-      content_tag('div', holder.send(element), options)
+      content_tag('div', holder.send(element).to_s.html_safe, options)
     else
-      ''
+      ''.html_safe
     end
   end
@@ -64,15 +64,16 @@ module BoxesHelper
   def display_updated_box(box)
     with_box_decorator self do
-      display_box_content(box, '&lt;' + _('Main content') + '&gt;')
+      display_box_content(box, '<' + _('Main content') + '>')
     end
   end
   def display_box_content(box, main_content)
     context = { :article => @page, :request_path => request.path, :locale => locale, :params => request.params, :user => user, :controller => controller }
-    box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
+    blocks = box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item|
       display_block item, main_content
-    end.join("\n") + box_decorator.block_target(box)
+    end
+    safe_join(blocks, "\n") + box_decorator.block_target(box)
   end
   def select_blocks box, arr, context
@@ -136,17 +137,18 @@ module BoxesHelper
     result = filter_html(result, block)
-    content_tag('div',
-      box_decorator.block_target(block.box, block) +
-        content_tag('div',
-         content_tag('div',
-           content_tag('div',
-             result + footer_content + box_decorator.block_edit_buttons(block),
-             :class => 'block-inner-2'),
-           :class => 'block-inner-1'),
-       options),
-    :class => 'block-outer') +
-    box_decorator.block_handle(block)
+    join_result = safe_join([result, footer_content, box_decorator.block_edit_buttons(block)])
+    content_tag_inner_1 = content_tag('div', join_result, :class => 'block-inner-2')
+
+    content_tag_inner_2 = content_tag('div', content_tag_inner_1, :class => 'block-inner-1')
+    content_tag_inner_3 = content_tag('div', content_tag_inner_2, options)
+    content_tag_inner_4 = box_decorator.block_target(block.box, block) + content_tag_inner_3
+    c = content_tag('div', content_tag_inner_4, :class => 'block-outer')
+    box_decorator_result = box_decorator.block_handle(block)
+    result_final = safe_join([c, box_decorator_result], "")
+
+
+    return result_final
   end
   def wrap_main_content(content)
@@ -156,17 +158,17 @@ module BoxesHelper
   def extract_block_content(content)
     case content
     when Hash
-      content_tag('iframe', '', :src => url_for(content))
+      content_tag('iframe', ''.html_safe, :src => url_for(content))
     when String
       if content.split("\n").size == 1 and content =~ /^https?:\/\//
-        content_tag('iframe', '', :src => content)
+        content_tag('iframe', ''.html_safe, :src => content)
       else
         content
       end
     when Proc
       self.instance_eval(&content)
     when NilClass
-      ''
+      ''.html_safe
     else
       raise "Unsupported content for block (#{content.class})"
     end
@@ -175,14 +177,14 @@ module BoxesHelper
   module DontMoveBlocks
     # does nothing
     def self.block_target(box, block = nil)
-      ''
+      ''.html_safe
     end
     # does nothing
     def self.block_handle(block)
-      ''
+      ''.html_safe
     end
     def self.block_edit_buttons(block)
-      ''
+      ''.html_safe
     end
     def self.select_blocks box, arr, context
       arr = arr.select{ |block| block.visible? context }
@@ -229,9 +231,9 @@ module BoxesHelper
   # makes the given block draggable so it can be moved away.
   def block_handle(block)
     return "" unless movable?(block)
-    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>"
+    icon = "<div><div>#{display_icon(block.class)}</div><span>#{_(block.class.pretty_name)}</span></div>".html_safe
     block_draggable("block-#{block.id}",
-                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}")
+                    :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}".html_safe)
   end
   def block_draggable(element_id, options={})
@@ -302,7 +304,7 @@ module BoxesHelper
       buttons << modal_inline_icon(:embed, _('Embed code'), {}, "#embed-code-box-#{block.id}") << html
     end
-    content_tag('div', buttons.join("\n") + tag('br', :style => 'clear: left'), :class => 'button-bar')
+    content_tag('div', buttons.join("\n").html_safe + tag('br', :style => 'clear: left'), :class => 'button-bar')
   end
   def current_blocks
 module ButtonsHelper
+
+  def button_bar(options = {}, &block)
+    options[:class] ||= ''
+    options[:class] << ' button-bar'
+
+    content_tag :div, options do
+      [
+        capture(&block).to_s,
+        tag(:br, style: 'clear: left;'),
+      ].safe_join
+    end
+  end
+
   def button(type, label, url, html_options = {})
     html_options ||= {}
     the_class = 'with-text'
@@ -15,9 +28,9 @@ module ButtonsHelper
     end
     the_title = html_options[:title] || label
     if html_options[:disabled]
-      content_tag('a', '&nbsp;'+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
+      content_tag('a', '&nbsp;'.html_safe+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title))
     else
-      link_to('&nbsp;'+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
+      link_to('&nbsp;'.html_safe+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))
     end
   end
@@ -2,7 +2,6 @@ module CategoriesHelper
   TYPES = [
     [ _('General Category'), Category.to_s ],
-    [ _('Product Category'), ProductCategory.to_s ],
     [ _('Region'), Region.to_s ],
   ]
@@ -20,7 +19,7 @@ module CategoriesHelper
   def selected_category_link(cat)
     js_remove = "jQuery('#selected-category-#{cat.id}').remove();"
     content_tag('div', button_to_function_without_text(:remove, _('Remove'), js_remove) +
-      link_to_function(cat.full_name(' &rarr; '), js_remove, :id => "remove-selected-category-#{cat.id}-button", :class => 'select-subcategory-link'),
+      link_to_function(cat.full_name(' &rarr; ').html_safe, js_remove, :id => "remove-selected-category-#{cat.id}-button", :class => 'select-subcategory-link'),
       :class => 'selected-category'
     )
   end
@@ -66,7 +66,7 @@ module CommentHelper
   def link_for_edit(comment)
     if comment.can_be_updated_by?(user)
-      {:link => expirable_comment_link(comment, :edit, _('Edit'), url_for(:profile => profile.identifier, :controller => :comment, :action => :edit, :id => comment.id),:class => 'modal')}
+      {:link => expirable_comment_link(comment, :edit, _('Edit'), url_for(:profile => profile.identifier, :controller => :comment, :action => :edit, :id => comment.id), :modal => true)}
     end
   end
@@ -7,7 +7,8 @@ module ContentViewerHelper
   def display_number_of_comments(n)
     base_str = "<span class='comment-count hide'>#{n}</span>"
     amount_str = n == 0 ? _('no comments yet') : (n == 1 ? _('One comment') : _('%s comments') % n)
-    base_str + "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str += "<span class='comment-count-write-out'>#{amount_str}</span>"
+    base_str.html_safe
   end
   def number_of_comments(article)
@@ -19,16 +20,16 @@ module ContentViewerHelper
     title = content_tag('h1', h(title), :class => 'title')
     if article.belongs_to_blog? || article.belongs_to_forum?
       unless args[:no_link]
-        title = content_tag('h1', link_to(article.name, article.url), :class => 'title')
+        title = content_tag('h1', link_to(article.name, url_for(article.url)), :class => 'title')
       end
       comments = ''
       unless args[:no_comments] || !article.accept_comments
-        comments = (" - %s") % link_to_comments(article)
+        comments = (" - %s").html_safe % link_to_comments(article)
       end
       date_format = show_with_right_format_date article
       title << content_tag('span',
         date_format +
-        content_tag('span', _(", by %s") % (article.author ? link_to(article.author_name, article.author_url) : article.author_name), :class => 'author') +
+        content_tag('span', _(", by %s").html_safe % (article.author ? link_to(article.author_name, article.author_url) : article.author_name), :class => 'author') +
         content_tag('span', comments, :class => 'comments'),
         :class => 'publishing-info'
       )
 module DisplayHelper
-  def link_to_product(product, opts={})
-    return _('No product') unless product
-    target = product_path(product)
-    link_to content_tag( 'span', product.name ),
-            target,
-            opts
-  end
-
   def themed_path(file)
     if File.exists?(File.join(Rails.root, 'public', theme_path, file))
       File.join(theme_path, file)
@@ -16,55 +8,35 @@ module DisplayHelper
     end
   end
-  def image_link_to_product(product, opts={})
-    return _('No product') unless product
-    target = product_path(product)
-    link_to image_tag(product.default_image(:big), :alt => product.name),
-            target,
-            opts
-  end
-
   def price_span(price, options = {})
     content_tag 'span',
       number_to_currency(price, :unit => environment.currency_unit, :delimiter => environment.currency_delimiter, :separator => environment.currency_separator),
       options
   end
-  def product_path(product)
-    product.enterprise.enabled? ? product.enterprise.public_profile_url.merge(:controller => 'manage_products', :action => 'show', :id => product) : product.enterprise.url
-  end
-
   def link_to_tag(tag, html_options = {})
     link_to tag.name, {:controller => 'search', :action => 'tag', :tag => tag.name}, html_options
   end
   def link_to_category(category, full = true, html_options = {})
-    return _('Uncategorized product') unless category
     name = full ? category.full_name(' &rarr; ') : category.name
     link_to name, Noosfero.url_options.merge({:controller => 'search', :action => 'category_index', :category_path => category.path.split('/'),:host => category.environment.default_hostname }), html_options
   end
-  def link_to_product_category(category)
-    if category
-      link_to(category.name, :controller => 'search', :action => 'products', :category_path => category.explode_path)
-    else
-      _('Uncategorized product')
-    end
-  end
-
   def txt2html(txt)
-    txt.strip.
+    ret = txt.strip.
       gsub( /\s*\n\s*\n\s*/, "\r<p/>\r" ).
       gsub( /\s*\n\s*/, "\n<br/>\n" ).
       gsub( /\r/, "\n" ).
       gsub( /(^|\s)(www\.[^\s]+|https?:\/\/[^\s]+)/ ) do
         pre_char, href = $1, $2
         href = 'http://'+href  if ! href.match /^https?:/
-        content = href.gsub(/^https?:\/\//, '').scan(/.{1,4}/).join('&#x200B;')
+        content = safe_join(href.gsub(/^https?:\/\//, '').scan(/.{1,4}/), '&#x200B;'.html_safe)
         pre_char +
         content_tag(:a, content, :href => href, :target => '_blank',
-                    :rel => 'nofolow', :onclick => "return confirm('%s')" %
+                    :rel => 'nofolow', :onclick => "return confirm('%s')".html_safe %
                       _('Are you sure you want to visit this web site?'))
       end
+      ret.html_safe
   end
 end
 module EventsHelper
   include DatesHelper
+  include ActionView::Helpers::OutputSafetyHelper
+
   def list_events(date, events)
     title = _('Events for %s') % show_date_month(date)
+    user_events = events.select { |item| item.display_to?(user) }
+    events_for_month = safe_join(user_events.map {|item| display_event_in_listing(item)}, '')
     content_tag('h2', title) +
     content_tag('div',
       (events.any? ?
-        content_tag('table', events.select { |item| item.display_to?(user) }.map {|item| display_event_in_listing(item)}.join('')) :
-        content_tag('em', _('No events for this month'), :class => 'no-events')
+        content_tag('table', events_for_month) :
+          content_tag('em', _('No events for this month'), :class => 'no-events')
       ), :id => 'agenda-items'
     )
   end
@@ -101,7 +101,7 @@ module FormsHelper
   def required_fields_message
     content_tag('p', content_tag('span',
-      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory."),
+      _("The <label class='pseudoformlabel'>highlighted</label> fields are mandatory.").html_safe,
       :class => 'required-field'
     ))
   end
@@ -112,10 +112,11 @@ module FormsHelper
     options_for_select = container.inject([]) do |options, element|
       text, value = option_text_and_value(element)
       selected_attribute = ' selected="selected"' if option_value_selected?(value, selected)
-      options << %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      opt = %(<option title="#{html_escape(text.to_s)}" value="#{html_escape(value.to_s)}"#{selected_attribute}>#{html_escape(text.to_s)}</option>)
+      options << opt.html_safe
     end
-    options_for_select.join("\n")
+    safe_join(options_for_select, "\n")
   end
   def balanced_table(items, per_row=3)
@@ -248,8 +249,8 @@ module FormsHelper
   def date_range_field(from_name, to_name, from_value, to_value, datepicker_options = {}, html_options = {})
     from_id = html_options[:from_id] || 'datepicker-from-date'
     to_id = html_options[:to_id] || 'datepicker-to-date'
-    return _('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
-    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))
+    return (_('From') +' '+ date_field(from_name, from_value, datepicker_options, html_options.merge({:id => from_id})) +
+    ' ' + _('until') +' '+ date_field(to_name, to_value, datepicker_options, html_options.merge({:id => to_id}))).html_safe
   end
   def select_folder(label_text, field_id, collection, default_value=nil, html_options = {}, js_options = {})
@@ -35,7 +35,7 @@ module ForumHelper
                              :id => "post-#{art.id}"
                             )
     }
-    content_tag('table', content.join) + (pagination or '')
+    content_tag('table', safe_join(content, "")) + (pagination or '').html_safe
   end
   def last_topic_update(article)
@@ -40,7 +40,7 @@ module LanguageHelper
         else
           link_to(name, params.merge(:lang => code), :rel => 'nofollow')
         end
-      end.join(separator)
+      end.join(separator).html_safe
       content_tag('div', languages, :id => 'language-chooser', :help => _('The language you choose here is the language used for options, buttons, etc. It does not affect the language of the content created by other users.'))
     end
   end
@@ -40,7 +40,8 @@ module LayoutHelper
     output += templete_javascript_ng.to_s
-    output
+    # This output should be safe!
+    output.html_safe
   end
   def noosfero_stylesheets
@@ -64,7 +65,9 @@ module LayoutHelper
       output << stylesheet_link_tag(global_css_pub)
     end
     output << stylesheet_link_tag(theme_stylesheet_path)
-    output.join "\n"
+
+    # This output should be safe!
+    output.join("\n").html_safe
   end
   def noosfero_layout_features
@@ -94,9 +97,7 @@ module LayoutHelper
   end
   def addthis_javascript
-    if NOOSFERO_CONF['addthis_enabled']
-      '<script src="https://s7.addthis.com/js/152/addthis_widget.js"></script>'
-    end
+    NOOSFERO_CONF['addthis_enabled'] ? '<script src="https://s7.addthis.com/js/152/addthis_widget.js"></script>' : ''
   end
 end
@@ -32,7 +32,7 @@ module MacrosHelper
           }
         });
       }"
-    end
+    end.html_safe
   end
   def include_macro_js_files
 module MembershipsHelper
+
+  def join_community_button options={:logged => false}
+    url = options[:logged] ? profile.join_url : profile.join_not_logged_url
+
+    if show_confirmation_modal? profile
+      modal_button :add, _('Join this community'), url, class: 'join-community'
+    else
+      button :add, _('Join this community'), url, class: 'join-community'
+    end
+  end
+
+  def show_confirmation_modal? profile
+    profile.requires_email? && current_person && !current_person.public_fields.include?("email")
+  end
+
 end
@@ -29,14 +29,49 @@ module PartialsHelper
     raise ArgumentError, 'No partial for object. Is there a partial for any class in the inheritance hierarchy?'
   end
-  def render_partial_for_class klass, *args
+
+  def partial_for_class(klass, prefix=nil, suffix=nil)
     raise ArgumentError, 'No partial for object. Is there a partial for any class in the inheritance hierarchy?' if klass.nil?
+    name = klass.name.underscore
+    controller.view_paths.each do |view_path|
+      partial = partial_for_class_in_view_path(klass, view_path, prefix, suffix)
+      return partial if partial
+    end
+
+    raise ArgumentError, 'No partial for object. Is there a partial for any class in the inheritance hierarchy?'
+  end
+
+  ##
+  # Calculate partial name with prefix and suffix
+  # Togheter with render_partial_for_class,
+  # it should replace #partial_for_class_in_view_path in the future
+  #
+  def partial_name_for underscore, prefix = nil, suffix = nil
+    parts = underscore.split '/'
+    if prefix or suffix
+      partial = [prefix, parts.last, suffix].compact.map(&:to_s).join '_'
+    else
+      partial = parts.last
+    end
+    if parts.size > 1
+      "#{params[:controller]}/#{parts.first}/#{partial}"
+    else
+      partial
+    end
+  end
+
+  def render_for_class klass, *args, &block
+    raise ArgumentError, 'No partial for object. Is there a partial for any class in the inheritance hierarchy?' unless klass
     begin
-      partial = klass.name.underscore
-      partial = "#{params[:controller]}/#{partial}" if params[:controller] and partial.index '/'
-      return render partial, *args
+      capture klass, &block
     rescue ActionView::MissingTemplate
-      return render_partial_for_class klass.superclass, *args
+      render_for_class klass.superclass, *args, &block
+    end
+  end
+
+  def render_partial_for_class klass, *args
+    render_for_class klass do |klass|
+      render partial_name_for(klass.name.underscore), *args
     end
   end
@@ -129,7 +129,11 @@ module ProfileEditorHelper
     else
       domains = environment.domains
     end
-    labelled_form_field(_('Preferred domain name:'), select(object, :preferred_domain_id, domains.map {|item| [item.name, item.id]}, :prompt => '&lt;' + _('Select domain') + '&gt;'))
+    select_domain_prompt = '&lt;'.html_safe + _('Select domain').html_safe + '&gt;'.html_safe
+    select_field = select(object, :preferred_domain_id, domains.map {
+      |item| [item.name, item.id]}, :prompt => select_domain_prompt.html_safe)
+
+    labelled_form_field(_('Preferred domain name:'), select_field)
   end
   def control_panel(&block)
@@ -84,7 +84,7 @@ module ProfileHelper
       entries.map do |entry|
         content = self.send("treat_#{field}", entry)
         unless content.blank?
-          content_tag('tr', content_tag('td', title(field, entry), :class => 'field-name') + content_tag('td', content))
+          content_tag('tr', content_tag('td', title(field, entry), :class => 'field-name') + content_tag('td', content.to_s.html_safe))
         end
       end.join("\n")
     end
@@ -61,6 +61,8 @@ module ProfileImageHelper
     image_tag(profile_icon(profile, size), opt )
   end
+  include MembershipsHelper
+
   def links_for_balloon(profile)
     if environment.enabled?(:show_balloon_with_profile_links_when_clicked)
       if profile.kind_of?(Person)
@@ -76,13 +78,12 @@ module ProfileImageHelper
           {_('Wall') => {:href => url_for(profile.public_profile_url)}},
           {_('Members') => {:href => url_for(:controller => :profile, :action => :members, :profile => profile.identifier)}},
           {_('Agenda') => {:href => url_for(:controller => :profile, :action => :events, :profile => profile.identifier)}},
-          {_('Join') => {:href => url_for(profile.join_url), :class => 'join-community', :style => 'display: none'}},
+          {_('Join') => {:href => url_for(profile.join_url), :class => 'join-community'+ (show_confirmation_modal?(profile) ? ' modal-toggle' : '') , :style => 'display: none'}},
           {_('Leave community') => {:href => url_for(profile.leave_url), :class => 'leave-community', :style => 'display:  none'}},
           {_('Send an e-mail') => {:href => url_for(:profile => profile.identifier, :controller => 'contact', :action => 'new'), :class => 'send-an-email', :style => 'display: none'}}
         ]
       elsif profile.kind_of?(Enterprise)
         [
-          {_('Products') => {:href => catalog_path(profile.identifier)}},
           {_('Members') => {:href => url_for(:controller => :profile, :action => :members, :profile => profile.identifier)}},
           {_('Agenda') => {:href => url_for(:controller => :profile, :action => :events, :profile => profile.identifier)}},
           {_('Send an e-mail') => {:href => url_for(:profile => profile.identifier, :controller => 'contact', :action => 'new'), :class => 'send-an-email', :style => 'display: none'}},
@@ -131,7 +132,7 @@ module ProfileImageHelper
     links = links_for_balloon(profile)
     content_tag('div', content_tag(tag,
                                    (environment.enabled?(:show_balloon_with_profile_links_when_clicked) ?
-                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "") +
+                                   popover_menu(_('Profile links'),profile.short_name,links,{:class => trigger_class, :url => url}) : "").html_safe +
     link_to(
       content_tag( 'span', profile_image( profile, size ), :class => img_class ) +
       content_tag( 'span', h(name), :class => ( profile.class == Person ? 'fn' : 'org' ) ) +
@@ -139,7 +140,7 @@ module ProfileImageHelper
       profile.url,
       :class => 'profile_link url',
       :help => _('Click on this icon to go to the <b>%s</b>\'s home page') % profile.name,
-      :title => profile.name ),
+      :title => profile.name ).html_safe,
       :class => 'vcard'), :class => 'common-profile-list-block')
   end
 end
@@ -0,0 +1,25 @@
+module SanitizeHelper
+
+  def sanitize_html(text, type= :full_sanitize)
+      sanitizer(type).sanitize(text, scrubber: permit_scrubber)
+  end
+
+  def sanitize_link(text)
+      sanitizer(:white_list).sanitize(text, scrubber:permit_scrubber)
+  end
+
+protected
+
+  def permit_scrubber
+      scrubber = Rails::Html::PermitScrubber.new
+      scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags
+      scrubber.attributes = Rails.application.config.action_view.sanitized_allowed_attributes
+      scrubber
+  end
+
+  def sanitizer type = :full_sanitize
+    return HTML::WhiteListSanitizer.new if type == :white_list
+    HTML::FullSanitizer.new
+  end
+
+end
@@ -124,10 +124,10 @@ module SearchHelper
   def filters(asset)
     return if !asset
     klass = asset_class(asset)
-    content_tag('div', klass::SEARCH_FILTERS.map do |name, options|
+    content_tag('div', safe_join(klass::SEARCH_FILTERS.map do |name, options|
       default = klass.respond_to?("default_search_#{name}") ? klass.send("default_search_#{name}".to_s) : nil
       select_filter(name, options, default)
-    end.join("\n"), :id => 'search-filters')
+    end, "\n"), :id => 'search-filters')
   end
   def assets_menu(selected)
@@ -137,11 +137,11 @@ module SearchHelper
     #     menu.
     assets.delete(:events)
     content_tag('ul',
-      assets.map do |asset|
+      safe_join(assets.map do |asset|
         options = {}
         options.merge!(:class => 'selected') if selected.to_s == asset.to_s
         content_tag('li', asset_link(asset), options)
-      end.join("\n"),
+      end, "\n"),
     :id => 'assets-menu')
   end
@@ -58,7 +58,7 @@ module TagsHelper
       if options[:show_count]
         display_count = options[:show_count] ? "<small><sup>(#{count})</sup></small>" : ""
-        link_to tag + display_count, destination, :style => style
+        link_to (tag + display_count).html_safe, destination, :style => style
       else
         link_to h(tag) , destination, :style => style,
           :title => n_( 'one item', '%d items', count ) % count
@@ -7,7 +7,7 @@ module TinymceHelper
     output += javascript_include_tag 'tinymce/js/tinymce/jquery.tinymce.min.js'
     output += javascript_include_tag 'tinymce.js'
     output += include_macro_js_files.to_s
-    output
+    output.html_safe
   end
   def tinymce_init_js options = {}
@@ -37,7 +37,7 @@ module TinymceHelper
     #cleanup non tinymce options
     options = options.except :mode
-    "noosfero.tinymce.init(#{options.to_json})"
+    "noosfero.tinymce.init(#{options.to_json})".html_safe
   end
   def menubar mode
 module UsersHelper
-  FILTER_TRANSLATION = {
+  def filter_translation
+    {
       'all_users' => _('All users'),
       'admin_users' => _('Admin users'),
       'activated_users' => _('Activated users'),
       'deactivated_users' => _('Deativated users'),
-  }
+    }
+  end
   def filter_selector(filter, float = 'right')
-    options = options_for_select(FILTER_TRANSLATION.map {|key, name| [name, key]}, :selected => filter)
+    options = options_for_select(filter_translation.map {|key, name| [name, key]}, :selected => filter)
     url_params = url_for(params.merge(:filter => 'FILTER'))
     onchange = "document.location.href = '#{url_params}'.replace('FILTER', this.value)"
     select_field = select_tag(:filter, options, :onchange => onchange)
@@ -19,7 +21,7 @@ module UsersHelper
   end
   def users_filter_title(filter)
-    FILTER_TRANSLATION[filter]
+    filter_translation[filter]
   end
 end
@@ -0,0 +1,14 @@
+class ActivitiesCounterCacheJob
+
+  def perform
+    person_activities_counts = ApplicationRecord.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= #{ApplicationRecord.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
+    organization_activities_counts = ApplicationRecord.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= #{ApplicationRecord.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
+    activities_counts = person_activities_counts.entries + organization_activities_counts.entries
+    activities_counts.each do |count|
+      update_sql = ApplicationRecord.__send__(:sanitize_sql, ["UPDATE profiles SET activities_count=? WHERE profiles.id=?;", count['count'].to_i, count['id'] ], '')
+      ApplicationRecord.connection.execute(update_sql)
+    end
+    Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now})
+  end
+
+end
@@ -0,0 +1,11 @@
+class CreateThumbnailsJob < Struct.new(:class_name, :file_id)
+  def perform
+    return unless class_name.constantize.exists?(file_id)
+    file = class_name.constantize.find(file_id)
+    file.create_thumbnails
+    article = Article.where(:image_id => file_id).first
+    if article
+      article.touch
+    end
+  end
+end
 class EnvironmentMailing < Mailing
+  settings_items :recipients_roles, :type => :array
+  attr_accessible :recipients_roles
+
   def recipients(offset=0, limit=100)
-    source.people.order(:id).offset(offset).limit(limit)
+    recipients_by_role.order(:id).offset(offset).limit(limit)
       .joins("LEFT OUTER JOIN mailing_sents m ON (m.mailing_id = #{id} AND m.person_id = profiles.id)")
       .where("m.person_id" => nil)
   end
+  def recipients_by_role
+    if recipients_roles.blank?
+      source.people
+    else
+      roles = Environment::Role.where("key in (?)", self.recipients_roles)
+      Person.by_role(roles).where(environment_id: self.source_id)
+    end
+  end
+
   def each_recipient
     offset = 0
     limit = 100
 require_dependency 'mailing_job'
-class Mailing < ActiveRecord::Base
+class Mailing < ApplicationRecord
   acts_as_having_settings :field => :data
-class AbuseReport < ActiveRecord::Base
+class AbuseReport < ApplicationRecord
   attr_accessible :content, :reason
-class ActionTrackerNotification < ActiveRecord::Base
+class ActionTrackerNotification < ApplicationRecord
   belongs_to :profile
   belongs_to :action_tracker, :class_name => 'ActionTracker::Record', :foreign_key => 'action_tracker_id'
@@ -29,16 +29,18 @@ class AddMember &lt; Task
   end
   def information
-    requestor_email = " (#{requestor.email})" if requestor.may_display_field_to?("email")
-
-    {:message => _("%{requestor}%{requestor_email} wants to be a member of '%{organization}'."),
-     variables: {requestor: requestor.name, requestor_email: requestor_email, organization: organization.name}}
+    {:message => _("%{requestor} wants to be a member of '%{target}'."),
+     variables: {requestor: requestor.name, target: target.name}}
   end
   def accept_details
     true
   end
+  def footer
+    true
+  end
+
   def icon
     {:type => :profile_image, :profile => requestor, :url => requestor.url}
   end
@@ -63,4 +65,15 @@ class AddMember &lt; Task
     suggestion.disable if suggestion
   end
+  def task_finished_message
+    _("You have been accepted at \"%{target}\" with the profile \"%{requestor}\"") %
+      {:target => self.target.name,
+       :requestor => self.requestor.name}
+  end
+
+  def task_cancelled_message
+    _("Your request to enter community \"%{target} with the profile \"%{requestor}\" was not accepted. Please contact any profile admin from %{url} for more information.") %
+    {:target => self.target.name, :url => self.target.url,
+     :requestor => self.requestor.name}
+  end
 end
@@ -0,0 +1,61 @@
+class ApplicationRecord < ActiveRecord::Base
+
+  self.abstract_class       = true
+  self.store_full_sti_class = true
+
+  # an ActionView instance for rendering views on models
+  def self.action_view
+    @action_view ||= begin
+      view_paths = ::ActionController::Base.view_paths
+      action_view = ::ActionView::Base.new view_paths
+      # for using Noosfero helpers inside render calls
+      action_view.extend ::ApplicationHelper
+      action_view
+    end
+  end
+
+  # default value needed for the above ActionView
+  def to_partial_path
+    self.class.name.underscore
+  end
+
+  alias :meta_cache_key :cache_key
+  def cache_key
+    key = [Noosfero::VERSION, meta_cache_key]
+    key.unshift ApplicationRecord.connection.schema_search_path
+    key.join('/')
+  end
+
+  def self.like_search(query, options={})
+    if defined?(self::SEARCHABLE_FIELDS) || options[:fields].present?
+      fields_per_table = {}
+      fields_per_table[table_name] = (options[:fields].present? ? options[:fields] : self::SEARCHABLE_FIELDS.keys.map(&:to_s)) & column_names
+
+      if options[:joins].present?
+        join_asset = options[:joins].to_s.classify.constantize
+        if defined?(join_asset::SEARCHABLE_FIELDS) || options[:fields].present?
+          fields_per_table[join_asset.table_name] = (options[:fields].present? ? options[:fields] : join_asset::SEARCHABLE_FIELDS.keys.map(&:to_s)) & join_asset.column_names
+        end
+      end
+
+      query = query.downcase.strip
+      fields_per_table.delete_if { |table,fields| fields.blank? }
+      conditions = fields_per_table.map do |table,fields|
+        fields.map do |field|
+          "lower(#{table}.#{field}) LIKE '%#{query}%'"
+        end.join(' OR ')
+      end.join(' OR ')
+
+      if options[:joins].present?
+        joins(options[:joins]).where(conditions)
+      else
+        where(conditions)
+      end
+
+    else
+      raise "No searchable fields defined for #{self.name}"
+    end
+  end
+
+end
+
@@ -86,7 +86,7 @@ class ApproveArticle &lt; Task
   def information
     if article
-      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.')}
+      {:message => _('%{requestor} wants to publish the article: %{linked_subject}.').html_safe}
     else
       {:message => _("The article was removed.")}
     end
-class Article < ActiveRecord::Base
+class Article < ApplicationRecord
+
+  include SanitizeHelper
   attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent,
                   :allow_members_to_edit, :translation_of_id, :language,
@@ -54,6 +56,7 @@ class Article &lt; ActiveRecord::Base
   track_actions :create_article, :after_create, :keep_params => [:name, :url, :lead, :first_image], :if => Proc.new { |a| a.is_trackable? && !a.image? }
   # xss_terminate plugin can't sanitize array fields
+  # sanitize_tag_list is used with SanitizeHelper
   before_save :sanitize_tag_list
   before_create do |article|
@@ -601,7 +604,7 @@ class Article &lt; ActiveRecord::Base
   end
   def accept_category?(cat)
-    !cat.is_a?(ProductCategory)
+    true
   end
   def public?
@@ -803,11 +806,13 @@ class Article &lt; ActiveRecord::Base
   end
   def body_images_paths
-    Nokogiri::HTML.fragment(self.body.to_s).css('img[src]').collect do |i|
+    paths = Nokogiri::HTML.fragment(self.body.to_s).css('img[src]').collect do |i|
       src = i['src']
       src = URI.escape src if self.new_record? # xss_terminate runs on save
       (self.profile && self.profile.environment) ? URI.join(self.profile.environment.top_url, src).to_s : src
     end
+    paths.unshift(URI.join(self.profile.environment.top_url, self.image.public_filename).to_s) if self.image.present?
+    paths
   end
   def more_comments_label
@@ -859,6 +864,10 @@ class Article &lt; ActiveRecord::Base
     HashWithIndifferentAccess.new :name => name, :abstract => abstract, :body => body, :id => id, :parent_id => parent_id, :author => author
   end
+  def self.can_display_blocks?
+    true
+  end
+
   private
   def sanitize_tag_list
@@ -870,11 +879,6 @@ class Article &lt; ActiveRecord::Base
     tag_name.gsub(/[<>]/, '')
   end
-  def sanitize_html(text)
-    sanitizer = HTML::FullSanitizer.new
-    sanitizer.sanitize(text)
-  end
-
   def parent_archived?
      if self.parent_id_changed? && self.parent && self.parent.archived?
        errors.add(:parent_folder, N_('is archived!!'))
-class ArticleCategorization < ActiveRecord::Base
+class ArticleCategorization < ApplicationRecord
   self.table_name = :articles_categories
   belongs_to :article
-class ArticleFollower < ActiveRecord::Base
+class ArticleFollower < ApplicationRecord
   attr_accessible :article_id, :person_id
   belongs_to :article, :counter_cache => :followers_count
-class Block < ActiveRecord::Base
+class Block < ApplicationRecord
   attr_accessible :title, :subtitle, :display, :limit, :box_id, :posts_per_page,
                   :visualization_format, :language, :display_user,
@@ -76,6 +76,17 @@ class Block &lt; ActiveRecord::Base
     true
   end
+  def visible_to_user?(user)
+    visible = self.display_to_user?(user)
+    if self.owner.kind_of?(Profile)
+      visible &= self.owner.display_info_to?(user)
+      visible &= (self.visible? || user && user.has_permission?(:edit_profile_design, self.owner))
+    elsif self.owner.kind_of?(Environment)
+      visible &= (self.visible? || user && user.has_permission?(:edit_environment_design, self.owner))
+    end
+    visible
+  end
+
   def display_to_user?(user)
     display_user == 'all' || (user.nil? && display_user == 'not_logged') || (user && display_user == 'logged') || (user && display_user == 'followers' && user.follows?(owner))
   end
@@ -314,6 +325,14 @@ class Block &lt; ActiveRecord::Base
     self.observers << block
   end
+  def api_content
+    nil
+  end
+
+  def display_api_content_by_default?
+    false
+  end
+
   private
   def home_page_path
-class Box < ActiveRecord::Base
+class Box < ApplicationRecord
   acts_as_list scope: -> box { where owner_id: box.owner_id, owner_type: box.owner_type }
@@ -41,7 +41,6 @@ class Box &lt; ActiveRecord::Base
       ProfileImageBlock,
       RawHTMLBlock,
       RecentDocumentsBlock,
-      SellersSearchBlock,
       TagsBlock ]
   end
@@ -54,21 +53,17 @@ class Box &lt; ActiveRecord::Base
       EnterprisesBlock,
       FansBlock,
       FavoriteEnterprisesBlock,
-      FeaturedProductsBlock,
       FeedReaderBlock,
       HighlightsBlock,
       LinkListBlock,
       LocationBlock,
       LoginBlock,
       MyNetworkBlock,
-      ProductsBlock,
-      ProductCategoriesBlock,
       ProfileImageBlock,
       ProfileInfoBlock,
       ProfileSearchBlock,
       RawHTMLBlock,
       RecentDocumentsBlock,
-      SellersSearchBlock,
       SlideshowBlock,
       TagsBlock
     ]
-class Category < ActiveRecord::Base
+class Category < ApplicationRecord
   attr_accessible :name, :parent_id, :display_color, :display_in_menu, :image_builder, :environment, :parent
@@ -35,8 +35,6 @@ class Category &lt; ActiveRecord::Base
   has_many :people, :through => :profile_categorizations, :source => :profile, :class_name => 'Person'
   has_many :communities, :through => :profile_categorizations, :source => :profile, :class_name => 'Community'
-  has_many :products, :through => :enterprises
-
   acts_as_having_image
   before_save :normalize_display_color
@@ -64,10 +62,6 @@ class Category &lt; ActiveRecord::Base
     self.communities.reorder('created_at DESC, id DESC').paginate(page: 1, per_page: limit)
   end
-  def recent_products(limit = 10)
-    self.products.reorder('created_at DESC, id DESC').paginate(page: 1, per_page: limit)
-  end
-
   def recent_articles(limit = 10)
     self.articles.recent(limit)
   end
-class ChatMessage < ActiveRecord::Base
+class ChatMessage < ApplicationRecord
+
   attr_accessible :body, :from, :to
   belongs_to :to, :class_name => 'Profile'
-class Comment < ActiveRecord::Base
+class Comment < ApplicationRecord
   SEARCHABLE_FIELDS = {
     :title => {:label => _('Title'), :weight => 10},
@@ -2,6 +2,7 @@ class Community &lt; Organization
   attr_accessible :accessor_id, :accessor_type, :role_id, :resource_id, :resource_type
   attr_accessible :address_reference, :district, :tag_list, :language, :description
+  attr_accessible :requires_email
   after_destroy :check_invite_member_for_destroy
   def self.type_name
@@ -12,6 +13,9 @@ class Community &lt; Organization
   N_('Language')
   settings_items :language
+  settings_items :requires_email, :type => :boolean
+
+  alias_method :requires_email?, :requires_email
   extend SetProfileRegionFromCityState::ClassMethods
   set_profile_region_from_city_state
-class ContactList < ActiveRecord::Base
+class ContactList < ApplicationRecord
   serialize :list, Array
@@ -60,9 +60,9 @@ class CreateCommunity &lt; Task
   def information
     if description.blank?
-      { :message => _('%{requestor} wants to create community %{subject} with no description.') }
+      { :message => _('%{requestor} wants to create community %{subject} with no description.').html_safe }
     else
-      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>'),
+      { :message => _('%{requestor} wants to create community %{subject} with this description:<p><em>%{description}</em></p>').html_safe,
         :variables => {:description => description} }
     end
   end
@@ -163,7 +163,7 @@ class CreateEnterprise &lt; Task
   end
   def information
-    {:message => _('%{requestor} wants to create enterprise %{subject}.')}
+    {:message => _('%{requestor} wants to create enterprise %{subject}.').html_safe}
   end
   def reject_details
-class CustomField < ActiveRecord::Base
+class CustomField < ApplicationRecord
+
   attr_accessible :name, :default_value, :format, :extras, :customized_type, :active, :required, :signup, :environment, :moderation_task
   serialize :customized_type
   serialize :extras
-class CustomFieldValue < ActiveRecord::Base
+class CustomFieldValue < ApplicationRecord
+
   belongs_to :custom_field
   belongs_to :customized, :polymorphic => true
   attr_accessible :value, :public, :customized, :custom_field, :customized_type
@@ -17,7 +17,7 @@ class DocItem
       else
         match
       end
-    end
+    end.html_safe
   end
   private
 require 'noosfero/multi_tenancy'
-class Domain < ActiveRecord::Base
+class Domain < ApplicationRecord
   attr_accessible :name, :owner, :is_default
-class EmailTemplate < ActiveRecord::Base
+class EmailTemplate < ApplicationRecord
   belongs_to :owner, :polymorphic => true
-# An enterprise is a kind of organization. According to the system concept,
-# only enterprises can offer products and services.
 class Enterprise < Organization
-  attr_accessible :business_name, :address_reference, :district, :tag_list, :organization_website, :historic_and_current_context, :activities_short_description, :products_per_catalog_page
+  attr_accessible :business_name, :address_reference, :district, :tag_list,
+    :organization_website, :historic_and_current_context, :activities_short_description
   SEARCH_FILTERS = {
     :order => %w[more_recent more_popular more_active],
@@ -17,11 +16,6 @@ class Enterprise &lt; Organization
   acts_as_trackable after_add: proc{ |p, t| notify_activity t }
-  has_many :products, :foreign_key => :profile_id, :dependent => :destroy
-  has_many :product_categories, :through => :products
-  has_many :inputs, :through => :products
-  has_many :production_costs, :as => :owner
-
   has_many :favorite_enterprise_people
   has_many :fans, source: :person, through: :favorite_enterprise_people
@@ -29,10 +23,6 @@ class Enterprise &lt; Organization
   settings_items :organization_website, :historic_and_current_context, :activities_short_description
-  settings_items :products_per_catalog_page, :type => :integer, :default => 6
-  alias_method :products_per_catalog_page_before_type_cast, :products_per_catalog_page
-  validates_numericality_of :products_per_catalog_page, :allow_nil => true, :greater_than => 0
-
   extend SetProfileRegionFromCityState::ClassMethods
   set_profile_region_from_city_state
@@ -66,10 +56,6 @@ class Enterprise &lt; Organization
     environment ? environment.active_enterprise_fields : []
   end
-  def highlighted_products_with_image(options = {})
-    Product.where(:highlighted => true).joins(:image)
-  end
-
   def required_fields
     environment ? environment.required_enterprise_fields : []
   end
@@ -136,19 +122,14 @@ class Enterprise &lt; Organization
     links = [
       {:name => _("Enterprises's profile"), :address => '/profile/{profile}', :icon => 'ok'},
       {:name => _('Blog'), :address => '/{profile}/blog', :icon => 'edit'},
-      {:name => _('Products'), :address => '/catalog/{profile}', :icon => 'new'},
     ]
     blocks = [
       [MainBlock.new],
       [ ProfileImageBlock.new,
         LinkListBlock.new(:links => links),
-        ProductCategoriesBlock.new
       ],
       [LocationBlock.new]
     ]
-    if environment.enabled?('products_for_enterprises')
-      blocks[2].unshift ProductsBlock.new
-    end
     blocks
   end
@@ -189,14 +170,6 @@ class Enterprise &lt; Organization
     {:title => _('Enterprise Info and settings'), :icon => 'edit-profile-enterprise'}
   end
-  def create_product?
-    true
-  end
-
-  def catalog_url
-    { :profile => identifier, :controller => 'catalog'}
-  end
-
   def more_recent_label
     ''
   end
@@ -205,5 +178,4 @@ class Enterprise &lt; Organization
     super or self.fans.where(id: person.id).count > 0
   end
-
 end
 # A Environment is like a website to be hosted in the platform. It may
 # contain multiple Profile's and can be identified by several different
 # domains.
-class Environment < ActiveRecord::Base
+class Environment < ApplicationRecord
   attr_accessible :name, :is_default, :signup_welcome_text_subject,
                   :signup_welcome_text_body, :terms_of_use,
@@ -13,7 +13,9 @@ class Environment &lt; ActiveRecord::Base
                   :reports_lower_bound, :noreply_email,
                   :signup_welcome_screen_body, :members_whitelist_enabled,
                   :members_whitelist, :highlighted_news_amount,
-                  :portal_news_amount, :date_format, :signup_intro
+                  :portal_news_amount, :date_format, :signup_intro,
+                  :enable_feed_proxy, :http_feed_proxy, :https_feed_proxy,
+                  :disable_feed_ssl
   has_many :users
@@ -126,7 +128,6 @@ class Environment &lt; ActiveRecord::Base
       'disable_asset_enterprises' => _('Disable search for enterprises'),
       'disable_asset_people' => _('Disable search for people'),
       'disable_asset_communities' => _('Disable search for communities'),
-      'disable_asset_products' => _('Disable search for products'),
       'disable_asset_events' => _('Disable search for events'),
       'disable_categories' => _('Disable categories'),
       'disable_header_and_footer' => _('Disable header/footer editing by users'),
@@ -137,7 +138,6 @@ class Environment &lt; ActiveRecord::Base
       'disable_contact_community' => _('Disable contact for groups/communities'),
       'forbid_destroy_profile' => _('Forbid users of removing profiles'),
-      'products_for_enterprises' => _('Enable products for enterprises'),
       'enterprise_registration' => _('Enterprise registration'),
       'enterprise_activation' => _('Enable activation of enterprises'),
       'enterprises_are_disabled_when_created' => _('Enterprises are disabled when created'),
@@ -224,7 +224,6 @@ class Environment &lt; ActiveRecord::Base
   has_many :organizations
   has_many :enterprises
-  has_many :products, :through => :enterprises
   has_many :people
   has_many :communities
   has_many :licenses
@@ -234,23 +233,16 @@ class Environment &lt; ActiveRecord::Base
     order('display_color').where('display_color is not null and parent_id is null')
   }, class_name: 'Category'
-  has_many :product_categories, -> { where type: 'ProductCategory'}
   has_many :regions
   has_many :states
   has_many :cities
   has_many :roles, :dependent => :destroy
-  has_many :qualifiers
-  has_many :certifiers
-
   has_many :mailings, :class_name => 'EnvironmentMailing', :foreign_key => :source_id, :as => 'source'
   acts_as_accessible
-  has_many :units, -> { order 'position' }
-  has_many :production_costs, :as => :owner
-
   def superior_intances
     [self, nil]
   end
@@ -439,9 +431,7 @@ class Environment &lt; ActiveRecord::Base
   end
   DEFAULT_FEATURES = %w(
-    disable_asset_products
     disable_gender_icon
-    products_for_enterprises
     disable_select_city_for_contact
     enterprise_registration
     media_panel
@@ -729,7 +719,7 @@ class Environment &lt; ActiveRecord::Base
     url << (Noosfero.url_options.key?(:host) ? Noosfero.url_options[:host] : default_hostname)
     url << ':' << Noosfero.url_options[:port].to_s if Noosfero.url_options.key?(:port)
     url << Noosfero.root('')
-    url
+    url.html_safe
   end
   def to_s
@@ -966,10 +956,6 @@ class Environment &lt; ActiveRecord::Base
     end
   end
-  def highlighted_products_with_image(options = {})
-    self.products.where(highlighted: true).joins(:image).order('created_at ASC')
-  end
-
   settings_items :home_cache_in_minutes, :type => :integer, :default => 5
   settings_items :general_cache_in_minutes, :type => :integer, :default => 15
   settings_items :profile_cache_in_minutes, :type => :integer, :default => 15
	@@ -30,14 +30,47 @@ integration:		@@ -30,14 +30,47 @@ integration:
30	script: bundle exec rake test:integration	30	script: bundle exec rake test:integration
31	stage: all-tests	31	stage: all-tests
32		32
33	-cucumber:
34	- script: bundle exec rake cucumber	33	+cucumber-1:
		34	+ script: SLICE=1/2 bundle exec rake cucumber
		35	+ stage: all-tests
		36	+cucumber-2:
		37	+ script: SLICE=2/2 bundle exec rake cucumber
35	stage: all-tests	38	stage: all-tests
36		39
37	-selenium:
38	- script: bundle exec rake selenium	40	+selenium-1:
		41	+ script: SLICE=1/6 bundle exec rake selenium
		42	+ stage: all-tests
		43	+selenium-2:
		44	+ script: SLICE=2/6 bundle exec rake selenium
		45	+ stage: all-tests
		46	+selenium-3:
		47	+ script: SLICE=3/6 bundle exec rake selenium
		48	+ stage: all-tests
		49	+selenium-4:
		50	+ script: SLICE=4/6 bundle exec rake selenium
		51	+ stage: all-tests
		52	+selenium-5:
		53	+ script: SLICE=5/6 bundle exec rake selenium
		54	+ stage: all-tests
		55	+selenium-6:
		56	+ script: SLICE=6/6 bundle exec rake selenium
39	stage: all-tests	57	stage: all-tests
40		58
41	-plugins:
42	- script: bundle exec rake test:noosfero_plugins	59	+# NOOSFERO_BUNDLE_OPTS=install makes migrations fails
		60	+# probably because of rubygems-integration
		61	+plugins-1:
		62	+ script: SLICE=1/5 bundle exec rake test:noosfero_plugins
43	stage: all-tests	63	stage: all-tests
		64	+plugins-2:
		65	+ script: SLICE=2/5 bundle exec rake test:noosfero_plugins
		66	+ stage: all-tests
		67	+plugins-3:
		68	+ script: SLICE=3/5 bundle exec rake test:noosfero_plugins
		69	+ stage: all-tests
		70	+plugins-4:
		71	+ script: SLICE=4/5 bundle exec rake test:noosfero_plugins
		72	+ stage: all-tests
		73	+plugins-5:
		74	+ script: SLICE=5/5 bundle exec rake test:noosfero_plugins
		75	+ stage: all-tests
		76	+
	@@ -77,6 +77,7 @@ group :cucumber do		@@ -77,6 +77,7 @@ group :cucumber do
77	gem 'cucumber-rails', '~> 1.4.2', :require => false	77	gem 'cucumber-rails', '~> 1.4.2', :require => false
78	gem 'database_cleaner', '~> 1.3'	78	gem 'database_cleaner', '~> 1.3'
79	gem 'selenium-webdriver', '>= 2.50'	79	gem 'selenium-webdriver', '>= 2.50'
		80	+ gem 'chromedriver-helper' if ENV['SELENIUM_DRIVER'] == 'chrome'
80	end	81	end
81		82
82	# Requires custom dependencies	83	# Requires custom dependencies
	@@ -99,7 +99,7 @@ Description of contents		@@ -99,7 +99,7 @@ Description of contents
99	Holds controllers that should be named like weblog_controller.rb for automated URL mapping. All controllers should descend from `ActionController::Base`.	99	Holds controllers that should be named like weblog_controller.rb for automated URL mapping. All controllers should descend from `ActionController::Base`.
100		100
101	* `app/models`	101	* `app/models`
102	- Holds models that should be named like post.rb. Most models will descend from `ActiveRecord::Base`.	102	+ Holds models that should be named like post.rb. Most models will descend from `ApplicationRecord`.
103		103
104	* `app/views`	104	* `app/views`
105	Holds the template files for the view that should be named like `weblog/index.rhtml` for the `WeblogController#index` action. All views use eRuby syntax. This directory can also be used to keep stylesheets, images, and so on that can be symlinked to public.	105	Holds the template files for the view that should be named like `weblog/index.rhtml` for the `WeblogController#index` action. All views use eRuby syntax. This directory can also be used to keep stylesheets, images, and so on that can be symlinked to public.
@@ -0,0 +1,89 @@		@@ -0,0 +1,89 @@
	1	+require_dependency 'api/helpers'
	2	+
	3	+module Api
	4	+ class App < Grape::API
	5	+ use Rack::JSONP
	6	+
	7	+ logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] \|\| 'production'}_api.log"))
	8	+ logger.formatter = GrapeLogging::Formatters::Default.new
	9	+ #use GrapeLogging::Middleware::RequestLogger, { logger: logger }
	10	+
	11	+ rescue_from :all do \|e\|
	12	+ logger.error e
	13	+ error! e.message, 500
	14	+ end unless Rails.env.test?
	15	+
	16	+ @@NOOSFERO_CONF = nil
	17	+ def self.NOOSFERO_CONF
	18	+ if @@NOOSFERO_CONF
	19	+ @@NOOSFERO_CONF
	20	+ else
	21	+ file = Rails.root.join('config', 'noosfero.yml')
	22	+ @@NOOSFERO_CONF = File.exists?(file) ? YAML.load_file(file)[Rails.env] \|\| {} : {}
	23	+ end
	24	+ end
	25	+
	26	+ before { set_locale }
	27	+ before { setup_multitenancy }
	28	+ before { detect_stuff_by_domain }
	29	+ before { filter_disabled_plugins_endpoints }
	30	+ before { init_noosfero_plugins }
	31	+ after { set_session_cookie }
	32	+
	33	+ version 'v1'
	34	+ prefix [ENV['RAILS_RELATIVE_URL_ROOT'], "api"].compact.join('/')
	35	+ format :json
	36	+ content_type :txt, "text/plain"
	37	+
	38	+ helpers Helpers
	39	+
	40	+ mount V1::Session
	41	+ mount V1::Articles
	42	+ mount V1::Comments
	43	+ mount V1::Users
	44	+ mount V1::Communities
	45	+ mount V1::People
	46	+ mount V1::Enterprises
	47	+ mount V1::Categories
	48	+ mount V1::Tasks
	49	+ mount V1::Tags
	50	+ mount V1::Environments
	51	+ mount V1::Search
	52	+ mount V1::Contacts
	53	+ mount V1::Boxes
	54	+ mount V1::Blocks
	55	+ mount V1::Profiles
	56	+ mount V1::Activities
	57	+
	58	+ # hook point which allow plugins to add Grape::API extensions to Api::App
	59	+ #finds for plugins which has api mount points classes defined (the class should extends Grape::API)
	60	+ @plugins = Noosfero::Plugin.all.map { \|p\| p.constantize }
	61	+ @plugins.each do \|klass\|
	62	+ if klass.public_methods.include? :api_mount_points
	63	+ klass.api_mount_points.each do \|mount_class\|
	64	+ mount mount_class if mount_class && ( mount_class < Grape::API )
	65	+ end
	66	+ end
	67	+ end
	68	+
	69	+ def self.endpoint_unavailable?(endpoint, environment)
	70	+ api_class = endpoint.options[:app] \|\| endpoint.options[:for]
	71	+ if api_class.present?
	72	+ klass = api_class.name.deconstantize.constantize
	73	+ return klass < Noosfero::Plugin && !environment.plugin_enabled?(klass)
	74	+ end
	75	+ end
	76	+
	77	+ class << self
	78	+ def endpoints_with_plugins(environment = nil)
	79	+ if environment.present?
	80	+ cloned_endpoints = endpoints_without_plugins.dup
	81	+ cloned_endpoints.delete_if { \|endpoint\| endpoint_unavailable?(endpoint, environment) }
	82	+ else
	83	+ endpoints_without_plugins
	84	+ end
	85	+ end
	86	+ alias_method_chain :endpoints, :plugins
	87	+ end
	88	+ end
	89	+end
@@ -0,0 +1,269 @@		@@ -0,0 +1,269 @@
	1	+module Api
	2	+ module Entities
	3	+
	4	+ Entity.format_with :timestamp do \|date\|
	5	+ date.strftime('%Y/%m/%d %H:%M:%S') if date
	6	+ end
	7	+
	8	+ PERMISSIONS = {
	9	+ :admin => 0,
	10	+ :self => 10,
	11	+ :private_content => 20,
	12	+ :logged_user => 30,
	13	+ :anonymous => 40
	14	+ }
	15	+
	16	+ def self.can_display_profile_field? profile, options, permission_options={}
	17	+ permissions={:field => "", :permission => :private_content}
	18	+ permissions.merge!(permission_options)
	19	+ field = permissions[:field]
	20	+ permission = permissions[:permission]
	21	+ return true if profile.public? && profile.public_fields.map{\|f\| f.to_sym}.include?(field.to_sym)
	22	+
	23	+ current_person = options[:current_person]
	24	+
	25	+ current_permission = if current_person.present?
	26	+ if current_person.is_admin?
	27	+ :admin
	28	+ elsif current_person == profile
	29	+ :self
	30	+ elsif profile.display_private_info_to?(current_person)
	31	+ :private_content
	32	+ else
	33	+ :logged_user
	34	+ end
	35	+ else
	36	+ :anonymous
	37	+ end
	38	+ PERMISSIONS[current_permission] <= PERMISSIONS[permission]
	39	+ end
	40	+
	41	+ class Image < Entity
	42	+ root 'images', 'image'
	43	+
	44	+ expose :url do \|image, options\|
	45	+ image.public_filename
	46	+ end
	47	+
	48	+ expose :icon_url do \|image, options\|
	49	+ image.public_filename(:icon)
	50	+ end
	51	+
	52	+ expose :minor_url do \|image, options\|
	53	+ image.public_filename(:minor)
	54	+ end
	55	+
	56	+ expose :portrait_url do \|image, options\|
	57	+ image.public_filename(:portrait)
	58	+ end
	59	+
	60	+ expose :thumb_url do \|image, options\|
	61	+ image.public_filename(:thumb)
	62	+ end
	63	+ end
	64	+
	65	+ class CategoryBase < Entity
	66	+ root 'categories', 'category'
	67	+ expose :name, :id, :slug
	68	+ end
	69	+
	70	+ class Category < CategoryBase
	71	+ root 'categories', 'category'
	72	+ expose :full_name do \|category, options\|
	73	+ category.full_name
	74	+ end
	75	+ expose :parent, :using => CategoryBase, if: { parent: true }
	76	+ expose :children, :using => CategoryBase, if: { children: true }
	77	+ expose :image, :using => Image
	78	+ expose :display_color
	79	+ end
	80	+
	81	+ class Region < Category
	82	+ root 'regions', 'region'
	83	+ expose :parent_id
	84	+ end
	85	+
	86	+ class Block < Entity
	87	+ root 'blocks', 'block'
	88	+ expose :id, :type, :settings, :position, :enabled
	89	+ expose :mirror, :mirror_block_id, :title
	90	+ expose :api_content, if: lambda { \|object, options\| options[:display_api_content] \|\| object.display_api_content_by_default? }
	91	+ end
	92	+
	93	+ class Box < Entity
	94	+ root 'boxes', 'box'
	95	+ expose :id, :position
	96	+ expose :blocks, :using => Block do \|box, options\|
	97	+ box.blocks.select {\|block\| block.visible_to_user?(options[:current_person]) }
	98	+ end
	99	+ end
	100	+
	101	+ class Profile < Entity
	102	+ expose :identifier, :name, :id
	103	+ expose :created_at, :format_with => :timestamp
	104	+ expose :updated_at, :format_with => :timestamp
	105	+ expose :additional_data do \|profile, options\|
	106	+ hash ={}
	107	+ profile.public_values.each do \|value\|
	108	+ hash[value.custom_field.name]=value.value
	109	+ end
	110	+
	111	+ private_values = profile.custom_field_values - profile.public_values
	112	+ private_values.each do \|value\|
	113	+ if Entities.can_display_profile_field?(profile,options)
	114	+ hash[value.custom_field.name]=value.value
	115	+ end
	116	+ end
	117	+ hash
	118	+ end
	119	+ expose :image, :using => Image
	120	+ expose :region, :using => Region
	121	+ expose :type
	122	+ expose :custom_header
	123	+ expose :custom_footer
	124	+ end
	125	+
	126	+ class UserBasic < Entity
	127	+ expose :id
	128	+ expose :login
	129	+ end
	130	+
	131	+ class Person < Profile
	132	+ root 'people', 'person'
	133	+ expose :user, :using => UserBasic, documentation: {type: 'User', desc: 'The user data of a person' }
	134	+ expose :vote_count
	135	+ expose :comments_count do \|person, options\|
	136	+ person.comments.count
	137	+ end
	138	+ expose :following_articles_count do \|person, options\|
	139	+ person.following_articles.count
	140	+ end
	141	+ expose :articles_count do \|person, options\|
	142	+ person.articles.count
	143	+ end
	144	+ end
	145	+
	146	+ class Enterprise < Profile
	147	+ root 'enterprises', 'enterprise'
	148	+ end
	149	+
	150	+ class Community < Profile
	151	+ root 'communities', 'community'
	152	+ expose :description
	153	+ expose :admins, :if => lambda { \|community, options\| community.display_info_to? options[:current_person]} do \|community, options\|
	154	+ community.admins.map{\|admin\| {"name"=>admin.name, "id"=>admin.id, "username" => admin.identifier}}
	155	+ end
	156	+ expose :categories, :using => Category
	157	+ expose :members, :using => Person , :if => lambda{ \|community, options\| community.display_info_to? options[:current_person] }
	158	+ end
	159	+
	160	+ class CommentBase < Entity
	161	+ expose :body, :title, :id
	162	+ expose :created_at, :format_with => :timestamp
	163	+ expose :author, :using => Profile
	164	+ expose :reply_of, :using => CommentBase
	165	+ end
	166	+
	167	+ class Comment < CommentBase
	168	+ root 'comments', 'comment'
	169	+ expose :children, as: :replies, :using => Comment
	170	+ end
	171	+
	172	+ class ArticleBase < Entity
	173	+ root 'articles', 'article'
	174	+ expose :id
	175	+ expose :body
	176	+ expose :abstract, documentation: {type: 'String', desc: 'Teaser of the body'}
	177	+ expose :created_at, :format_with => :timestamp
	178	+ expose :updated_at, :format_with => :timestamp
	179	+ expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
	180	+ expose :created_by, :as => :author, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile author that create the article'}
	181	+ expose :profile, :using => Profile, :documentation => {type: 'Profile', desc: 'The profile associated with the article'}
	182	+ expose :categories, :using => Category
	183	+ expose :image, :using => Image
	184	+ expose :votes_for
	185	+ expose :votes_against
	186	+ expose :setting
	187	+ expose :position
	188	+ expose :hits
	189	+ expose :start_date
	190	+ expose :end_date, :documentation => {type: 'DateTime', desc: 'The date of finish of the article'}
	191	+ expose :tag_list
	192	+ expose :children_count
	193	+ expose :slug, :documentation => {:type => "String", :desc => "Trimmed and parsed name of a article"}
	194	+ expose :path
	195	+ expose :followers_count
	196	+ expose :votes_count
	197	+ expose :comments_count
	198	+ expose :archived, :documentation => {:type => "Boolean", :desc => "Defines if a article is readonly"}
	199	+ expose :type
	200	+ expose :comments, using: CommentBase, :if => lambda{\|obj,opt\| opt[:params] && ['1','true',true].include?(opt[:params][:show_comments])}
	201	+ expose :published
	202	+ expose :accept_comments?, as: :accept_comments
	203	+ end
	204	+
	205	+ class Article < ArticleBase
	206	+ root 'articles', 'article'
	207	+ expose :parent, :using => ArticleBase
	208	+ expose :children, :using => ArticleBase do \|article, options\|
	209	+ article.children.published.limit(V1::Articles::MAX_PER_PAGE)
	210	+ end
	211	+ end
	212	+
	213	+ class User < Entity
	214	+ root 'users', 'user'
	215	+
	216	+ attrs = [:id,:login,:email,:activated?]
	217	+ aliases = {:activated? => :activated}
	218	+
	219	+ attrs.each do \|attribute\|
	220	+ name = aliases.has_key?(attribute) ? aliases[attribute] : attribute
	221	+ expose attribute, :as => name, :if => lambda{\|user,options\| Entities.can_display_profile_field?(user.person, options, {:field => attribute})}
	222	+ end
	223	+
	224	+ expose :person, :using => Person, :if => lambda{\|user,options\| user.person.display_info_to? options[:current_person]}
	225	+ expose :permissions, :if => lambda{\|user,options\| Entities.can_display_profile_field?(user.person, options, {:field => :permissions, :permission => :self})} do \|user, options\|
	226	+ output = {}
	227	+ user.person.role_assignments.map do \|role_assigment\|
	228	+ if role_assigment.resource.respond_to?(:identifier) && !role_assigment.role.nil?
	229	+ output[role_assigment.resource.identifier] = role_assigment.role.permissions
	230	+ end
	231	+ end
	232	+ output
	233	+ end
	234	+ end
	235	+
	236	+ class UserLogin < User
	237	+ root 'users', 'user'
	238	+ expose :private_token, documentation: {type: 'String', desc: 'A valid authentication code for post/delete api actions'}, if: lambda {\|object, options\| object.activated? }
	239	+ end
	240	+
	241	+ class Task < Entity
	242	+ root 'tasks', 'task'
	243	+ expose :id
	244	+ expose :type
	245	+ end
	246	+
	247	+ class Environment < Entity
	248	+ expose :name
	249	+ expose :id
	250	+ expose :description
	251	+ expose :settings, if: lambda { \|instance, options\| options[:is_admin] }
	252	+ end
	253	+
	254	+ class Tag < Entity
	255	+ root 'tags', 'tag'
	256	+ expose :name
	257	+ end
	258	+
	259	+ class Activity < Entity
	260	+ root 'activities', 'activity'
	261	+ expose :id, :params, :verb, :created_at, :updated_at, :comments_count, :visible
	262	+ expose :user, :using => Profile
	263	+ expose :target do \|activity, opts\|
	264	+ type_map = {Profile => ::Profile, ArticleBase => ::Article}.find {\|h\| activity.target.kind_of?(h.last)}
	265	+ type_map.first.represent(activity.target) unless type_map.nil?
	266	+ end
	267	+ end
	268	+ end
	269	+end
@@ -0,0 +1,27 @@		@@ -0,0 +1,27 @@
	1	+module Api
	2	+ class Entity < Grape::Entity
	3	+
	4	+ def initialize(object, options = {})
	5	+ object = nil if object.is_a? Exception
	6	+ super object, options
	7	+ end
	8	+
	9	+ def self.represent(objects, options = {})
	10	+ if options[:has_exception]
	11	+ data = super objects, options.merge(is_inner_data: true)
	12	+ if objects.is_a? Exception
	13	+ data.merge ok: false, error: {
	14	+ type: objects.class.name,
	15	+ message: objects.message
	16	+ }
	17	+ else
	18	+ data = data.serializable_hash if data.is_a? Entity
	19	+ data.merge ok: true, error: { type: 'Success', message: '' }
	20	+ end
	21	+ else
	22	+ super objects, options
	23	+ end
	24	+ end
	25	+
	26	+ end
	27	+end
@@ -0,0 +1,421 @@		@@ -0,0 +1,421 @@
	1	+require 'base64'
	2	+require 'tempfile'
	3	+
	4	+module Api
	5	+ module Helpers
	6	+ PRIVATE_TOKEN_PARAM = :private_token
	7	+ DEFAULT_ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type, :author_id, :identifier, :archived]
	8	+
	9	+ include SanitizeParams
	10	+ include Noosfero::Plugin::HotSpot
	11	+ include ForgotPasswordHelper
	12	+ include SearchTermHelper
	13	+
	14	+ def set_locale
	15	+ I18n.locale = (params[:lang] \|\| request.env['HTTP_ACCEPT_LANGUAGE'] \|\| 'en')
	16	+ end
	17	+
	18	+ def init_noosfero_plugins
	19	+ plugins
	20	+ end
	21	+
	22	+ def current_user
	23	+ private_token = (params[PRIVATE_TOKEN_PARAM] \|\| headers['Private-Token']).to_s
	24	+ @current_user \|\|= User.find_by private_token: private_token
	25	+ @current_user \|\|= plugins.dispatch("api_custom_login", request).first
	26	+ @current_user
	27	+ end
	28	+
	29	+ def current_person
	30	+ current_user.person unless current_user.nil?
	31	+ end
	32	+
	33	+ def is_admin?(environment)
	34	+ return false unless current_user
	35	+ return current_person.is_admin?(environment)
	36	+ end
	37	+
	38	+ def logout
	39	+ @current_user = nil
	40	+ end
	41	+
	42	+ def environment
	43	+ @environment
	44	+ end
	45	+
	46	+ def present_partial(model, options)
	47	+ if(params[:fields].present?)
	48	+ begin
	49	+ fields = JSON.parse(params[:fields])
	50	+ if fields.present?
	51	+ options.merge!(fields.symbolize_keys.slice(:only, :except))
	52	+ end
	53	+ rescue
	54	+ fields = params[:fields]
	55	+ fields = fields.split(',') if fields.kind_of?(String)
	56	+ options[:only] = Array.wrap(fields)
	57	+ end
	58	+ end
	59	+ present model, options
	60	+ end
	61	+
	62	+ include FindByContents
	63	+
	64	+ ####################################################################
	65	+ #### SEARCH
	66	+ ####################################################################
	67	+ def multiple_search?(searches=nil)
	68	+ ['index', 'category_index'].include?(params[:action]) \|\| (searches && searches.size > 1)
	69	+ end
	70	+ ####################################################################
	71	+
	72	+ def logger
	73	+ logger = Logger.new(File.join(Rails.root, 'log', "#{ENV['RAILS_ENV'] \|\| 'production'}_api.log"))
	74	+ logger.formatter = GrapeLogging::Formatters::Default.new
	75	+ logger
	76	+ end
	77	+
	78	+ def limit
	79	+ limit = params[:limit].to_i
	80	+ limit = default_limit if limit <= 0
	81	+ limit
	82	+ end
	83	+
	84	+ def period(from_date, until_date)
	85	+ return nil if from_date.nil? && until_date.nil?
	86	+
	87	+ begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
	88	+ end_period = until_date.nil? ? DateTime.now : until_date
	89	+
	90	+ begin_period..end_period
	91	+ end
	92	+
	93	+ def parse_content_type(content_type)
	94	+ return nil if content_type.blank?
	95	+ content_type.split(',').map do \|content_type\|
	96	+ content_type.camelcase
	97	+ end
	98	+ end
	99	+
	100	+ def find_article(articles, id)
	101	+ article = articles.find(id)
	102	+ article.display_to?(current_person) ? article : forbidden!
	103	+ end
	104	+
	105	+ def post_article(asset, params)
	106	+ return forbidden! unless current_person.can_post_content?(asset)
	107	+
	108	+ klass_type = params[:content_type] \|\| params[:article].delete(:type) \|\| TinyMceArticle.name
	109	+ return forbidden! unless klass_type.constantize <= Article
	110	+
	111	+ article = klass_type.constantize.new(params[:article])
	112	+ article.last_changed_by = current_person
	113	+ article.created_by= current_person
	114	+ article.profile = asset
	115	+
	116	+ if !article.save
	117	+ render_api_errors!(article.errors.full_messages)
	118	+ end
	119	+ present_partial article, :with => Entities::Article
	120	+ end
	121	+
	122	+ def present_article(asset)
	123	+ article = find_article(asset.articles, params[:id])
	124	+ present_partial article, :with => Entities::Article, :params => params
	125	+ end
	126	+
	127	+ def present_articles_for_asset(asset, method = 'articles')
	128	+ articles = find_articles(asset, method)
	129	+ present_articles(articles)
	130	+ end
	131	+
	132	+ def present_articles(articles)
	133	+ present_partial paginate(articles), :with => Entities::Article, :params => params
	134	+ end
	135	+
	136	+ def find_articles(asset, method = 'articles')
	137	+ articles = select_filtered_collection_of(asset, method, params)
	138	+ if current_person.present?
	139	+ articles = articles.display_filter(current_person, nil)
	140	+ else
	141	+ articles = articles.published
	142	+ end
	143	+ articles
	144	+ end
	145	+
	146	+ def find_task(asset, id)
	147	+ task = asset.tasks.find(id)
	148	+ current_person.has_permission?(task.permission, asset) ? task : forbidden!
	149	+ end
	150	+
	151	+ def post_task(asset, params)
	152	+ klass_type= params[:content_type].nil? ? 'Task' : params[:content_type]
	153	+ return forbidden! unless klass_type.constantize <= Task
	154	+
	155	+ task = klass_type.constantize.new(params[:task])
	156	+ task.requestor_id = current_person.id
	157	+ task.target_id = asset.id
	158	+ task.target_type = 'Profile'
	159	+
	160	+ if !task.save
	161	+ render_api_errors!(task.errors.full_messages)
	162	+ end
	163	+ present_partial task, :with => Entities::Task
	164	+ end
	165	+
	166	+ def present_task(asset)
	167	+ task = find_task(asset, params[:id])
	168	+ present_partial task, :with => Entities::Task
	169	+ end
	170	+
	171	+ def present_tasks(asset)
	172	+ tasks = select_filtered_collection_of(asset, 'tasks', params)
	173	+ tasks = tasks.select {\|t\| current_person.has_permission?(t.permission, asset)}
	174	+ return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
	175	+ present_partial tasks, :with => Entities::Task
	176	+ end
	177	+
	178	+ def make_conditions_with_parameter(params = {})
	179	+ parsed_params = parser_params(params)
	180	+ conditions = {}
	181	+ from_date = DateTime.parse(parsed_params.delete(:from)) if parsed_params[:from]
	182	+ until_date = DateTime.parse(parsed_params.delete(:until)) if parsed_params[:until]
	183	+
	184	+ conditions[:type] = parse_content_type(parsed_params.delete(:content_type)) unless parsed_params[:content_type].nil?
	185	+
	186	+ conditions[:created_at] = period(from_date, until_date) if from_date \|\| until_date
	187	+ conditions.merge!(parsed_params)
	188	+
	189	+ conditions
	190	+ end
	191	+
	192	+ # changing make_order_with_parameters to avoid sql injection
	193	+ def make_order_with_parameters(object, method, params)
	194	+ order = "created_at DESC"
	195	+ unless params[:order].blank?
	196	+ if params[:order].include? '\'' or params[:order].include? '"'
	197	+ order = "created_at DESC"
	198	+ elsif ['RANDOM()', 'RANDOM'].include? params[:order].upcase
	199	+ order = 'RANDOM()'
	200	+ else
	201	+ field_name, direction = params[:order].split(' ')
	202	+ assoc = object.class.reflect_on_association(method.to_sym)
	203	+ if !field_name.blank? and assoc
	204	+ if assoc.klass.attribute_names.include? field_name
	205	+ if direction.present? and ['ASC','DESC'].include? direction.upcase
	206	+ order = "#{field_name} #{direction.upcase}"
	207	+ end
	208	+ end
	209	+ end
	210	+ end
	211	+ end
	212	+ return order
	213	+ end
	214	+
	215	+ def make_timestamp_with_parameters_and_method(params, method)
	216	+ timestamp = nil
	217	+ if params[:timestamp]
	218	+ datetime = DateTime.parse(params[:timestamp])
	219	+ table_name = method.to_s.singularize.camelize.constantize.table_name
	220	+ timestamp = "#{table_name}.updated_at >= '#{datetime}'"
	221	+ end
	222	+
	223	+ timestamp
	224	+ end
	225	+
	226	+ def by_reference(scope, params)
	227	+ reference_id = params[:reference_id].to_i == 0 ? nil : params[:reference_id].to_i
	228	+ if reference_id.nil?
	229	+ scope
	230	+ else
	231	+ created_at = scope.find(reference_id).created_at
	232	+ scope.send("#{params.key?(:oldest) ? 'older_than' : 'younger_than'}", created_at)
	233	+ end
	234	+ end
	235	+
	236	+ def by_categories(scope, params)
	237	+ category_ids = params[:category_ids]
	238	+ if category_ids.nil?
	239	+ scope
	240	+ else
	241	+ scope.joins(:categories).where(:categories => {:id => category_ids})
	242	+ end
	243	+ end
	244	+
	245	+ def select_filtered_collection_of(object, method, params)
	246	+ conditions = make_conditions_with_parameter(params)
	247	+ order = make_order_with_parameters(object,method,params)
	248	+ timestamp = make_timestamp_with_parameters_and_method(params, method)
	249	+
	250	+ objects = object.send(method)
	251	+ objects = by_reference(objects, params)
	252	+ objects = by_categories(objects, params)
	253	+
	254	+ objects = objects.where(conditions).where(timestamp).reorder(order)
	255	+
	256	+ params[:page] \|\|= 1
	257	+ params[:per_page] \|\|= limit
	258	+ paginate(objects)
	259	+ end
	260	+
	261	+ def authenticate!
	262	+ unauthorized! unless current_user
	263	+ end
	264	+
	265	+ def profiles_for_person(profiles, person)
	266	+ if person
	267	+ profiles.listed_for_person(person)
	268	+ else
	269	+ profiles.visible
	270	+ end
	271	+ end
	272	+
	273	+ # Checks the occurrences of uniqueness of attributes, each attribute must be present in the params hash
	274	+ # or a Bad Request error is invoked.
	275	+ #
	276	+ # Parameters:
	277	+ # keys (unique) - A hash consisting of keys that must be unique
	278	+ def unique_attributes!(obj, keys)
	279	+ keys.each do \|key\|
	280	+ cant_be_saved_request!(key) if obj.find_by(key.to_s => params[key])
	281	+ end
	282	+ end
	283	+
	284	+ def attributes_for_keys(keys)
	285	+ attrs = {}
	286	+ keys.each do \|key\|
	287	+ attrs[key] = params[key] if params[key].present? or (params.has_key?(key) and params[key] == false)
	288	+ end
	289	+ attrs
	290	+ end
	291	+
	292	+ ##########################################
	293	+ # error helpers #
	294	+ ##########################################
	295	+
	296	+ def not_found!
	297	+ render_api_error!('404 Not found', 404)
	298	+ end
	299	+
	300	+ def forbidden!
	301	+ render_api_error!('403 Forbidden', 403)
	302	+ end
	303	+
	304	+ def cant_be_saved_request!(attribute)
	305	+ message = _("(Invalid request) %s can't be saved") % attribute
	306	+ render_api_error!(message, 400)
	307	+ end
	308	+
	309	+ def bad_request!(attribute)
	310	+ message = _("(Invalid request) %s not given") % attribute
	311	+ render_api_error!(message, 400)
	312	+ end
	313	+
	314	+ def something_wrong!
	315	+ message = _("Something wrong happened")
	316	+ render_api_error!(message, 400)
	317	+ end
	318	+
	319	+ def unauthorized!
	320	+ render_api_error!(_('Unauthorized'), 401)
	321	+ end
	322	+
	323	+ def not_allowed!
	324	+ render_api_error!(_('Method Not Allowed'), 405)
	325	+ end
	326	+
	327	+ # javascript_console_message is supposed to be executed as console.log()
	328	+ def render_api_error!(user_message, status, log_message = nil, javascript_console_message = nil)
	329	+ message_hash = {'message' => user_message, :code => status}
	330	+ message_hash[:javascript_console_message] = javascript_console_message if javascript_console_message.present?
	331	+ log_msg = "#{status}, User message: #{user_message}"
	332	+ log_msg = "#{log_message}, #{log_msg}" if log_message.present?
	333	+ log_msg = "#{log_msg}, Javascript Console Message: #{javascript_console_message}" if javascript_console_message.present?
	334	+ logger.error log_msg unless Rails.env.test?
	335	+ error!(message_hash, status)
	336	+ end
	337	+
	338	+ def render_api_errors!(messages)
	339	+ messages = messages.to_a if messages.class == ActiveModel::Errors
	340	+ render_api_error!(messages.join(','), 400)
	341	+ end
	342	+
	343	+ protected
	344	+
	345	+ def set_session_cookie
	346	+ cookies['_noosfero_api_session'] = { value: @current_user.private_token, httponly: true } if @current_user.present?
	347	+ end
	348	+
	349	+ def setup_multitenancy
	350	+ Noosfero::MultiTenancy.setup!(request.host)
	351	+ end
	352	+
	353	+ def detect_stuff_by_domain
	354	+ @domain = Domain.by_name(request.host)
	355	+ if @domain.nil?
	356	+ @environment = Environment.default
	357	+ if @environment.nil? && Rails.env.development?
	358	+ # This should only happen in development ...
	359	+ @environment = Environment.create!(:name => "Noosfero", :is_default => true)
	360	+ end
	361	+ else
	362	+ @environment = @domain.environment
	363	+ end
	364	+ end
	365	+
	366	+ def filter_disabled_plugins_endpoints
	367	+ not_found! if Api::App.endpoint_unavailable?(self, @environment)
	368	+ end
	369	+
	370	+ def asset_with_image params
	371	+ if params.has_key? :image_builder
	372	+ asset_api_params = params
	373	+ asset_api_params[:image_builder] = base64_to_uploadedfile(asset_api_params[:image_builder])
	374	+ return asset_api_params
	375	+ end
	376	+ params
	377	+ end
	378	+
	379	+ def base64_to_uploadedfile(base64_image)
	380	+ tempfile = base64_to_tempfile base64_image
	381	+ converted_image = base64_image
	382	+ converted_image[:tempfile] = tempfile
	383	+ return {uploaded_data: ActionDispatch::Http::UploadedFile.new(converted_image)}
	384	+ end
	385	+
	386	+ def base64_to_tempfile base64_image
	387	+ base64_img_str = base64_image[:tempfile]
	388	+ decoded_base64_str = Base64.decode64(base64_img_str)
	389	+ tempfile = Tempfile.new(base64_image[:filename])
	390	+ tempfile.write(decoded_base64_str.encode("ascii-8bit").force_encoding("utf-8"))
	391	+ tempfile.rewind
	392	+ tempfile
	393	+ end
	394	+ private
	395	+
	396	+ def parser_params(params)
	397	+ parsed_params = {}
	398	+ params.map do \|k,v\|
	399	+ parsed_params[k.to_sym] = v if DEFAULT_ALLOWED_PARAMETERS.include?(k.to_sym)
	400	+ end
	401	+ parsed_params
	402	+ end
	403	+
	404	+ def default_limit
	405	+ 20
	406	+ end
	407	+
	408	+ def parse_content_type(content_type)
	409	+ return nil if content_type.blank?
	410	+ content_type.split(',').map do \|content_type\|
	411	+ content_type.camelcase
	412	+ end
	413	+ end
	414	+
	415	+ def period(from_date, until_date)
	416	+ begin_period = from_date.nil? ? Time.at(0).to_datetime : from_date
	417	+ end_period = until_date.nil? ? DateTime.now : until_date
	418	+ begin_period..end_period
	419	+ end
	420	+ end
	421	+end
@@ -0,0 +1,20 @@		@@ -0,0 +1,20 @@
	1	+module Api
	2	+ module V1
	3	+ class Activities < Grape::API
	4	+ before { authenticate! }
	5	+
	6	+ resource :profiles do
	7	+
	8	+ get ':id/activities' do
	9	+ profile = Profile.find_by id: params[:id]
	10	+
	11	+ not_found! if profile.blank? \|\| profile.secret \|\| !profile.visible
	12	+ forbidden! if !profile.secret && profile.visible && !profile.display_private_info_to?(current_person)
	13	+
	14	+ activities = profile.activities.map(&:activity)
	15	+ present activities, :with => Entities::Activity, :current_person => current_person
	16	+ end
	17	+ end
	18	+ end
	19	+ end
	20	+end
@@ -0,0 +1,303 @@		@@ -0,0 +1,303 @@
	1	+module Api
	2	+ module V1
	3	+ class Articles < Grape::API
	4	+
	5	+ ARTICLE_TYPES = Article.descendants.map{\|a\| a.to_s}
	6	+
	7	+ MAX_PER_PAGE = 50
	8	+
	9	+ resource :articles do
	10	+
	11	+ paginate max_per_page: MAX_PER_PAGE
	12	+ # Collect articles
	13	+ #
	14	+ # Parameters:
	15	+ # from - date where the search will begin. If nothing is passed the default date will be the date of the first article created
	16	+ # oldest - Collect the oldest articles. If nothing is passed the newest articles are collected
	17	+ # limit - amount of articles returned. The default value is 20
	18	+ #
	19	+ # Example Request:
	20	+ # GET host/api/v1/articles?from=2013-04-04-14:41:43&until=2015-04-04-14:41:43&limit=10&private_token=e96fff37c2238fdab074d1dcea8e6317
	21	+
	22	+ desc 'Return all articles of all kinds' do
	23	+ detail 'Get all articles filtered by fields in query params'
	24	+ params Entities::Article.documentation
	25	+ success Entities::Article
	26	+ failure [[403, 'Forbidden']]
	27	+ named 'ArticlesList'
	28	+ headers [
	29	+ 'Per-Page' => {
	30	+ description: 'Total number of records',
	31	+ required: false
	32	+ }
	33	+ ]
	34	+ end
	35	+ get do
	36	+ present_articles_for_asset(environment)
	37	+ end
	38	+
	39	+ desc "Return one article by id" do
	40	+ detail 'Get only one article by id. If not found the "forbidden" http error is showed'
	41	+ params Entities::Article.documentation
	42	+ success Entities::Article
	43	+ failure [[403, 'Forbidden']]
	44	+ named 'ArticleById'
	45	+ end
	46	+ get ':id', requirements: {id: /[0-9]+/} do
	47	+ present_article(environment)
	48	+ end
	49	+
	50	+ post ':id' do
	51	+ article = environment.articles.find(params[:id])
	52	+ return forbidden! unless article.allow_edit?(current_person)
	53	+ article.update_attributes!(asset_with_image(params[:article]))
	54	+ present_partial article, :with => Entities::Article
	55	+ end
	56	+
	57	+ desc 'Report a abuse and/or violent content in a article by id' do
	58	+ detail 'Submit a abuse (in general, a content violation) report about a specific article'
	59	+ params Entities::Article.documentation
	60	+ failure [[400, 'Bad Request']]
	61	+ named 'ArticleReportAbuse'
	62	+ end
	63	+ post ':id/report_abuse' do
	64	+ article = find_article(environment.articles, params[:id])
	65	+ profile = article.profile
	66	+ begin
	67	+ abuse_report = AbuseReport.new(:reason => params[:report_abuse])
	68	+ if !params[:content_type].blank?
	69	+ article = params[:content_type].constantize.find(params[:content_id])
	70	+ abuse_report.content = article_reported_version(article)
	71	+ end
	72	+
	73	+ current_person.register_report(abuse_report, profile)
	74	+
	75	+ if !params[:content_type].blank?
	76	+ abuse_report = AbuseReport.find_by reporter_id: current_person.id, abuse_complaint_id: profile.opened_abuse_complaint.id
	77	+ Delayed::Job.enqueue DownloadReportedImagesJob.new(abuse_report, article)
	78	+ end
	79	+
	80	+ {
	81	+ :success => true,
	82	+ :message => _('Your abuse report was registered. The administrators are reviewing your report.'),
	83	+ }
	84	+ rescue Exception => exception
	85	+ #logger.error(exception.to_s)
	86	+ render_api_error!(_('Your report couldn\'t be saved due to some problem. Please contact the administrator.'), 400)
	87	+ end
	88	+
	89	+ end
	90	+
	91	+ desc "Returns the articles I voted" do
	92	+ detail 'Get the Articles I make a vote'
	93	+ failure [[403, 'Forbidden']]
	94	+ named 'ArticleFollowers'
	95	+ end
	96	+ #FIXME refactor this method
	97	+ get 'voted_by_me' do
	98	+ present_articles(current_person.votes.where(:voteable_type => 'Article').collect(&:voteable))
	99	+ end
	100	+
	101	+ desc 'Perform a vote on a article by id' do
	102	+ detail 'Vote on a specific article with values: 1 (if you like) or -1 (if not)'
	103	+ params Entities::UserLogin.documentation
	104	+ failure [[401,'Unauthorized']]
	105	+ named 'ArticleVote'
	106	+ end
	107	+ post ':id/vote' do
	108	+ authenticate!
	109	+ value = (params[:value] \|\| 1).to_i
	110	+ # FIXME verify allowed values
	111	+ render_api_error!('Vote value not allowed', 400) unless [-1, 1].include?(value)
	112	+ article = find_article(environment.articles, params[:id])
	113	+ begin
	114	+ vote = Vote.new(:voteable => article, :voter => current_person, :vote => value)
	115	+ {:vote => vote.save!}
	116	+ rescue ActiveRecord::RecordInvalid => e
	117	+ render_api_error!(e.message, 400)
	118	+ end
	119	+ end
	120	+
	121	+ desc "Returns the total followers for the article" do
	122	+ detail 'Get the followers of a specific article by id'
	123	+ failure [[403, 'Forbidden']]
	124	+ named 'ArticleFollowers'
	125	+ end
	126	+ get ':id/followers' do
	127	+ article = find_article(environment.articles, params[:id])
	128	+ total = article.person_followers.count
	129	+ {:total_followers => total}
	130	+ end
	131	+
	132	+ desc "Return the articles followed by me"
	133	+ get 'followed_by_me' do
	134	+ present_articles_for_asset(current_person, 'following_articles')
	135	+ end
	136	+
	137	+ desc "Add a follower for the article" do
	138	+ detail 'Add the current user identified by private token, like a follower of a article'
	139	+ params Entities::UserLogin.documentation
	140	+ failure [[401, 'Unauthorized']]
	141	+ named 'ArticleFollow'
	142	+ end
	143	+ post ':id/follow' do
	144	+ authenticate!
	145	+ article = find_article(environment.articles, params[:id])
	146	+ if article.article_followers.exists?(:person_id => current_person.id)
	147	+ {:success => false, :already_follow => true}
	148	+ else
	149	+ article_follower = ArticleFollower.new
	150	+ article_follower.article = article
	151	+ article_follower.person = current_person
	152	+ article_follower.save!
	153	+ {:success => true}
	154	+ end
	155	+ end
	156	+
	157	+ desc 'Return the children of a article identified by id' do
	158	+ detail 'Get all children articles of a specific article'
	159	+ params Entities::Article.documentation
	160	+ failure [[403, 'Forbidden']]
	161	+ named 'ArticleChildren'
	162	+ end
	163	+
	164	+ paginate per_page: MAX_PER_PAGE, max_per_page: MAX_PER_PAGE
	165	+ get ':id/children' do
	166	+ article = find_article(environment.articles, params[:id])
	167	+
	168	+ #TODO make tests for this situation
	169	+ votes_order = params.delete(:order) if params[:order]=='votes_score'
	170	+ articles = select_filtered_collection_of(article, 'children', params)
	171	+ articles = articles.display_filter(current_person, article.profile)
	172	+
	173	+ #TODO make tests for this situation
	174	+ if votes_order
	175	+ articles = articles.joins('left join votes on articles.id=votes.voteable_id').group('articles.id').reorder('sum(coalesce(votes.vote, 0)) DESC')
	176	+ end
	177	+ Article.hit(articles)
	178	+ present_articles(articles)
	179	+ end
	180	+
	181	+ desc 'Return one child of a article identified by id' do
	182	+ detail 'Get a child of a specific article'
	183	+ params Entities::Article.documentation
	184	+ success Entities::Article
	185	+ failure [[403, 'Forbidden']]
	186	+ named 'ArticleChild'
	187	+ end
	188	+ get ':id/children/:child_id' do
	189	+ article = find_article(environment.articles, params[:id])
	190	+ child = find_article(article.children, params[:child_id])
	191	+ child.hit
	192	+ present_partial child, :with => Entities::Article
	193	+ end
	194	+
	195	+ desc 'Suggest a article to another profile' do
	196	+ detail 'Suggest a article to another profile (person, community...)'
	197	+ params Entities::Article.documentation
	198	+ success Entities::Task
	199	+ failure [[401,'Unauthorized']]
	200	+ named 'ArticleSuggest'
	201	+ end
	202	+ post ':id/children/suggest' do
	203	+ authenticate!
	204	+ parent_article = environment.articles.find(params[:id])
	205	+
	206	+ suggest_article = SuggestArticle.new
	207	+ suggest_article.article = params[:article]
	208	+ suggest_article.article[:parent_id] = parent_article.id
	209	+ suggest_article.target = parent_article.profile
	210	+ suggest_article.requestor = current_person
	211	+
	212	+ unless suggest_article.save
	213	+ render_api_errors!(suggest_article.article_object.errors.full_messages)
	214	+ end
	215	+ present_partial suggest_article, :with => Entities::Task
	216	+ end
	217	+
	218	+ # Example Request:
	219	+ # POST api/v1/articles/:id/children?private_token=234298743290432&article[name]=title&article[body]=body
	220	+ desc 'Add a child article to a parent identified by id' do
	221	+ detail 'Create a new article and associate to a parent'
	222	+ params Entities::Article.documentation
	223	+ success Entities::Article
	224	+ failure [[401,'Unauthorized']]
	225	+ named 'ArticleAddChild'
	226	+ end
	227	+ post ':id/children' do
	228	+ parent_article = environment.articles.find(params[:id])
	229	+ params[:article][:parent_id] = parent_article.id
	230	+ post_article(parent_article.profile, params)
	231	+ end
	232	+ end
	233	+
	234	+ resource :profiles do
	235	+ get ':id/home_page' do
	236	+ profiles = environment.profiles
	237	+ profiles = profiles.visible_for_person(current_person)
	238	+ profile = profiles.find_by id: params[:id]
	239	+ present_partial profile.home_page, :with => Entities::Article
	240	+ end
	241	+ end
	242	+
	243	+ kinds = %w[profile community person enterprise]
	244	+ kinds.each do \|kind\|
	245	+ resource kind.pluralize.to_sym do
	246	+ segment "/:#{kind}_id" do
	247	+ resource :articles do
	248	+
	249	+ desc "Return all articles associate with a profile of type #{kind}" do
	250	+ detail 'Get a list of articles of a profile'
	251	+ params Entities::Article.documentation
	252	+ success Entities::Article
	253	+ failure [[403, 'Forbidden']]
	254	+ named 'ArticlesOfProfile'
	255	+ end
	256	+ get do
	257	+ profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
	258	+
	259	+ if params[:path].present?
	260	+ article = profile.articles.find_by path: params[:path]
	261	+ if !article \|\| !article.display_to?(current_person)
	262	+ article = forbidden!
	263	+ end
	264	+
	265	+ present_partial article, :with => Entities::Article
	266	+ else
	267	+
	268	+ present_articles_for_asset(profile)
	269	+ end
	270	+ end
	271	+
	272	+ desc "Return a article associate with a profile of type #{kind}" do
	273	+ detail 'Get only one article of a profile'
	274	+ params Entities::Article.documentation
	275	+ success Entities::Article
	276	+ failure [[403, 'Forbidden']]
	277	+ named 'ArticleOfProfile'
	278	+ end
	279	+ get ':id' do
	280	+ profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
	281	+ present_article(profile)
	282	+ end
	283	+
	284	+ # Example Request:
	285	+ # POST api/v1/{people,communities,enterprises}/:asset_id/articles?private_token=234298743290432&article[name]=title&article[body]=body
	286	+ desc "Add a new article associated with a profile of type #{kind}" do
	287	+ detail 'Create a new article and associate with a profile'
	288	+ params Entities::Article.documentation
	289	+ success Entities::Article
	290	+ failure [[403, 'Forbidden']]
	291	+ named 'ArticleCreateToProfile'
	292	+ end
	293	+ post do
	294	+ profile = environment.send(kind.pluralize).find(params["#{kind}_id"])
	295	+ post_article(profile, params)
	296	+ end
	297	+ end
	298	+ end
	299	+ end
	300	+ end
	301	+ end
	302	+ end
	303	+end
@@ -0,0 +1,15 @@		@@ -0,0 +1,15 @@
	1	+module Api
	2	+ module V1
	3	+
	4	+ class Blocks < Grape::API
	5	+ resource :blocks do
	6	+ get ':id' do
	7	+ block = Block.find(params["id"])
	8	+ return forbidden! unless block.visible_to_user?(current_person)
	9	+ present block, :with => Entities::Block, display_api_content: true
	10	+ end
	11	+ end
	12	+ end
	13	+
	14	+ end
	15	+end