Registry CSV

verify csrf for remote form submissions

Gemfile.lock

@@ -96,10 +96,10 @@ GEM
     aes_key_wrap (1.1.0)
     ast (2.4.2)
     aws-eventstream (1.2.0)
-    aws-partitions (1.664.0)
+    aws-partitions (1.675.0)
     aws-record (2.9.0)
       aws-sdk-dynamodb (~> 1.18)
-    aws-sdk-core (3.168.1)
+    aws-sdk-core (3.168.4)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.651.0)
       aws-sigv4 (~> 1.5)
@@ -128,11 +128,11 @@ GEM
     bcrypt (3.1.18)
     bindata (2.4.14)
     bindex (0.8.1)
-    bootsnap (1.14.0)
+    bootsnap (1.15.0)
       msgpack (~> 1.2)
     brakeman (5.4.0)
     builder (3.2.4)
-    bullet (7.0.3)
+    bullet (7.0.4)
       activesupport (>= 3.0.0)
       uniform_notifier (~> 1.11)
     bundler-audit (0.9.1)
@@ -151,7 +151,7 @@ GEM
       nokogiri (~> 1.6)
       rubyzip (~> 1.1)
       tilt (>= 1.4)
-    carrierwave (2.2.2)
+    carrierwave (2.2.3)
       activemodel (>= 5.0.0)
       activesupport (>= 5.0.0)
       addressable (~> 2.6)
@@ -227,12 +227,12 @@ GEM
     jbuilder (2.11.5)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
-    jmespath (1.6.1)
+    jmespath (1.6.2)
     jquery-rails (4.5.1)
       rails-dom-testing (>= 1, < 3)
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
-    json (2.6.2)
+    json (2.6.3)
     json-jwt (1.15.3)
       activesupport (>= 4.2)
       aes_key_wrap
@@ -261,15 +261,18 @@ GEM
     loofah (2.19.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.7.1)
+    mail (2.8.0)
       mini_mime (>= 0.1.1)
+      net-imap
+      net-pop
+      net-smtp
     marcel (1.0.2)
     matrix (0.4.2)
     method_source (1.0.0)
     mime-types (3.4.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2022.0105)
-    mini_magick (4.11.0)
+    mini_magick (4.12.0)
     mini_mime (1.1.2)
     mini_portile2 (2.8.0)
     minitest (5.16.3)
@@ -287,10 +290,10 @@ GEM
       net-protocol
     newrelic_rpm (8.13.0)
     nio4r (2.5.8)
-    nokogiri (1.13.9)
+    nokogiri (1.13.10)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    nokogiri (1.13.9-x86_64-darwin)
+    nokogiri (1.13.10-x86_64-darwin)
       racc (~> 1.4)
     oauth2 (2.0.9)
       faraday (>= 0.17.3, < 3.0)
@@ -314,20 +317,20 @@ GEM
       activerecord (>= 5.2)
       request_store (~> 1.1)
     parallel (1.22.1)
-    parser (3.1.2.1)
+    parser (3.1.3.0)
       ast (~> 2.4.1)
     pg (1.4.5)
     pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.0)
+    public_suffix (5.0.1)
     puma (5.6.5)
       nio4r (~> 2.0)
-    racc (1.6.0)
+    racc (1.6.1)
     rack (2.2.4)
     rack-cors (1.1.1)
       rack (>= 2.0.0)
-    rack-protection (3.0.3)
+    rack-protection (3.0.4)
       rack
     rack-test (2.0.2)
       rack (>= 1.3)
@@ -401,7 +404,7 @@ GEM
     rspec-support (3.11.1)
     rspec_junit_formatter (0.5.1)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.39.0)
+    rubocop (1.40.0)
       json (~> 2.3)
       parallel (~> 1.10)
       parser (>= 3.1.2.1)
@@ -411,7 +414,7 @@ GEM
       rubocop-ast (>= 1.23.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.23.0)
+    rubocop-ast (1.24.0)
       parser (>= 3.1.1.0)
     rubocop-rails (2.17.3)
       activesupport (>= 4.2.0)
@@ -461,7 +464,7 @@ GEM
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
     ssrf_filter (1.1.1)
-    stimulus-rails (1.1.1)
+    stimulus-rails (1.2.1)
       railties (>= 6.0.0)
     thor (1.2.1)
     tilt (2.0.11)

app/controllers/admin/digital_products_controller.rb

@@ -11,15 +11,25 @@ class DigitalProductsController < AdminController
     ]
 
     def index
-      if admin_permissions?
-        @digital_products = DigitalProduct.all
-      else
-        @digital_products = DigitalProduct.with_role(:contact, current_user)
-      end
 
-      @digital_products = @digital_products
-        .order(:name, :service)
-        .page(params[:page])
+      respond_to do |format|
+        format.html do
+          if admin_permissions?
+            @digital_products = DigitalProduct.all
+          else
+            @digital_products = DigitalProduct.with_role(:contact, current_user)
+          end
+
+          @digital_products = @digital_products
+            .order(:name, :service)
+            .page(params[:page])
+        end
+
+        format.csv do
+          csv_content = DigitalProduct.to_csv
+          send_data csv_content
+        end
+      end
     end
 
     def review

app/controllers/admin/digital_service_accounts_controller.rb

@@ -11,15 +11,24 @@ class DigitalServiceAccountsController < AdminController
     ]
 
     def index
-      if admin_permissions?
-        @digital_service_accounts = DigitalServiceAccount.all
-      else
-        @digital_service_accounts = DigitalServiceAccount.with_role(:contact, current_user)
+      respond_to do |format|
+        if admin_permissions?
+          @digital_service_accounts = DigitalServiceAccount.all
+        else
+          @digital_service_accounts = DigitalServiceAccount.with_role(:contact, current_user)
+        end
+
+        @digital_service_accounts = @digital_service_accounts
+          .order(:name)
+          .page(params[:page])
+
+        format.html {}
+
+        format.csv do
+          csv_content = DigitalServiceAccount.to_csv
+          send_data csv_content
+        end
       end
-
-      @digital_service_accounts = @digital_service_accounts
-        .order(:name)
-        .page(params[:page])
     end
 
     def review

app/controllers/admin/forms_controller.rb

@@ -474,6 +474,7 @@ def form_params
         :department,
         :bureau,
         :load_css,
+        :verify_csrf,
         :ui_truncate_text_responses,
         :question_text_01,
         :question_text_02,

app/controllers/application_controller.rb

@@ -254,6 +254,12 @@ def paginate(scope, default_per_page = 20)
     }, collection]
   end
 
+  # customized response for `#verify_authenticity_token`
+  def handle_unverified_request
+    render json: { messages: { submission: ["invalid CSRF authenticity token"] } }, status: :unprocessable_entity
+  end
+
+
   private
 
   # For Devise

app/controllers/submissions_controller.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 class SubmissionsController < ApplicationController
-  protect_from_forgery only: []
   before_action :set_form, only: %i[new create]
+  append_before_action :verify_authenticity_token, if: :form_requires_verification
 
   layout 'public', only: :new
 
@@ -141,4 +141,8 @@ def submission_params
     permitted_fields << %i[language location_code referer page fba_directive]
     params.require(:submission).permit(permitted_fields)
   end
+
+  def form_requires_verification
+    @form.verify_csrf?
+  end
 end

app/models/digital_product.rb

@@ -47,4 +47,47 @@ def sponsoring_agencies
   def contacts
     User.with_role(:contact, self)
   end
+
+  def contact_emails
+    contacts.collect(&:email).join(", ")
+  end
+
+  def organization_names
+    Organization.find(self.organization_list).collect(&:name).join(", ")
+  end
+
+  def self.to_csv
+    attributes = DigitalProduct.first.attributes.keys
+
+    digital_products = DigitalProduct.all
+
+    attributes = [
+      :id,
+      :name,
+      :contact_emails,
+      :organization_names,
+      :url,
+      :code_repository_url,
+      :language,
+      :tag_list,
+      :service,
+      :short_description,
+      :long_description,
+      :notes,
+      :certified_at,
+      :created_at,
+      :updated_at,
+      :aasm_state,
+      :legacy_id,
+      :legacy_notes,
+    ]
+
+    CSV.generate(headers: true) do |csv|
+      csv << attributes
+
+      digital_products.each do |digital_service_account|
+        csv << attributes.map { |attr| digital_service_account.send(attr) }
+      end
+    end
+  end
 end

app/models/digital_service_account.rb

@@ -83,4 +83,89 @@ def self.list
     ]
   end
 
+  def user_email
+    return nil unless self.user_id
+    if user
+      return user.email
+    end
+  end
+
+  def contact_emails
+    contacts.collect(&:email).join(", ")
+  end
+
+  def organization_names
+    Organization.find(self.organization_list).collect(&:name).join(", ")
+  end
+
+  def self.to_csv
+    header_attributes = DigitalServiceAccount.first.attributes.keys
+
+    digital_service_accounts = DigitalServiceAccount.all
+
+    attributes = [
+      :id,
+      :account,
+      :name,
+      :user_email,
+      :contact_emails,
+      :organization_names,
+      :tag_list,
+      :service,
+      :service_url,
+      :language,
+      :short_description,
+      :long_description,
+      :notes,
+      :certified_at,
+      :created_at,
+      :updated_at,
+      :aasm_state,
+      :legacy_id,
+      :legacy_notes,
+    ]
+
+    CSV.generate(headers: true) do |csv|
+      csv << attributes
+
+      digital_service_accounts.each do |digital_service_account|
+        csv << attributes.map { |attr| digital_service_account.send(attr) }
+      end
+    end
+  end
+
+  def self.list2
+    {
+      'Disqus' => "https://disqus.com/",
+      'Eventbrite' => '',
+      'Facebook' => '',
+      'Flickr' => '',
+      'Foursquare' => '',
+      'Giphy' => '',
+      'Github' => '',
+      'Google plus' => '',
+      'Ideascale' => '',
+      'Instagram' => '',
+      'Linkedin' => '',
+      'Livestream' => '',
+      'Mastodon' => '',
+      'Medium' => '',
+      'Myspace' => '',
+      'Pinterest' => '',
+      'Reddit' => '',
+      'Scribd' => '',
+      'Slideshare' => '',
+      'Socrata' => '',
+      'Storify' => '',
+      'Tumblr' => '',
+      'Twitter' => '',
+      'Uservoice' => '',
+      'Ustream' => '',
+      'Vimeo' => '',
+      'Yelp' => '',
+      'Youtube' => '',
+      'Other' => nil
+    }
+  end
+
 end

app/views/admin/forms/delivery.html.erb

@@ -90,6 +90,14 @@
         </div>
         <br>
         <%= render 'components/whitelist_options', f: f %>
+        <div class="grid-row">
+          <div class="grid-col-6">
+            <div class="field">
+              <%= f.label :verify_csrf, class: "usa-label" %>
+              <%= f.check_box :verify_csrf, class: "usa-checkbox" %>
+            </div>
+          </div>
+        </div>
         <p>
           <%= f.submit (@form.persisted? ? "Update Form" : "Create Form"), class: "usa-button" %>
         </p>