Update all locales with the latest Transifex translations

Remove remaining Timecop usage

.simplecov

@@ -2,10 +2,17 @@
 # frozen_string_literal: true
 
 SimpleCov.start 'rails' do
+  # The rails profile contains some filters already:
+  #
+  # - "/test/"
+  # - "/features/"
+  # - "/spec/"
+  # - "/autotest/"
+  # - /^\/config\//
+  # - /^\/db\//
   add_filter '/bin/'
-  add_filter '/config/'
+  add_filter '/config/' # to include engine config
   add_filter '/script'
-  add_filter '/db'
 
   formatter SimpleCov::Formatter::SimpleFormatter
 end

.undercover

@@ -1,4 +1,9 @@
 #!/bin/env ruby
 # frozen_string_literal: true
 
--c master
+--compare master
+
+# This shouldn't be needed in undercover > 0.7.4
+#
+# * https://github.com/grodowski/undercover/issues/233
+--exclude-files "bin/*,db/*,config/*,spec/*,engines/*/config/*,engines/*/spec/*"

Dockerfile

@@ -2,7 +2,9 @@ FROM ruby:3.1.4-alpine3.19 AS base
 ENV LANG=C.UTF-8 \
     LC_ALL=C.UTF-8 \
     TZ=Europe/London \
-    RAILS_ROOT=/usr/src/app
+    RAILS_ROOT=/usr/src/app \
+    BUNDLE_PATH=/bundles \
+    BUNDLE_APP_CONFIG=/bundles
 RUN apk --no-cache upgrade && \
     apk add --no-cache tzdata postgresql-client imagemagick imagemagick-jpeg && \
     apk add --no-cache --virtual wkhtmltopdf
@@ -14,7 +16,7 @@ FROM base AS development-base
 RUN apk add --no-cache --virtual .build-deps \
     build-base postgresql-dev git nodejs yarn && \
     apk add --no-cache --virtual .dev-utils \
-    bash curl less vim chromium-chromedriver zlib-dev openssl-dev \
+    bash curl less vim chromium-chromedriver zlib-dev openssl-dev cmake\
     readline-dev yaml-dev sqlite-dev libxml2-dev libxslt-dev libffi-dev vips-dev && \
     curl -o /usr/local/bin/wait-for-it https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh && \
     chmod +x /usr/local/bin/wait-for-it

Dockerfile.ubuntu

@@ -25,7 +25,8 @@ RUN apt-get update && apt-get install -y \
   libjemalloc-dev \
   libssl-dev \
   ca-certificates \
-  gnupg
+  gnupg \
+  cmake
 
 # Setup ENV variables
 ENV PATH /usr/local/src/rbenv/shims:/usr/local/src/rbenv/bin:/usr/local/src/nodenv/shims:/usr/local/src/nodenv/bin:$PATH

Gemfile

@@ -167,7 +167,6 @@ group :test, :development do
   gem 'rswag'
   gem 'shoulda-matchers'
   gem 'stimulus_reflex_testing', github: "podia/stimulus_reflex_testing", branch: :main
-  gem 'timecop'
 end
 
 group :test do

Gemfile.lock

@@ -842,7 +842,6 @@ GEM
     thor (1.4.0)
     thread-local (1.1.0)
     tilt (2.3.0)
-    timecop (0.9.10)
     timeout (0.4.3)
     ttfunk (1.8.0)
       bigdecimal (~> 3.1)
@@ -912,7 +911,7 @@ GEM
       chronic (>= 0.6.3)
     wicked_pdf (2.8.1)
       activesupport
-    wkhtmltopdf-binary (0.12.6.7)
+    wkhtmltopdf-binary (0.12.6.10)
     xml-simple (1.1.8)
     xpath (3.2.0)
       nokogiri (~> 1.8)
@@ -1049,7 +1048,6 @@ DEPENDENCIES
   stimulus_reflex_testing!
   stringex (~> 2.8.5)
   stripe
-  timecop
   turbo-rails
   turbo_power
   undercover

app/assets/javascripts/admin/payment_methods/controllers/stripe_controller.js.coffee

@@ -15,4 +15,4 @@ angular.module("admin.paymentMethods").controller "StripeController", ($scope, $
     permalink = shops.filter((shop) ->
       shop.id == $scope.paymentMethod.preferred_enterprise_id
     )[0].permalink
-    "/admin/enterprises/#{permalink}/edit#/payment_methods"
+    "/admin/enterprises/#{permalink}/edit#/payment_methods_panel"

app/helpers/admin/enterprises_helper.rb

@@ -71,6 +71,11 @@ module Admin
       "#{enterprise_attachment_removal_panel}_panel"
     end
 
+    def enterprise_sells_options
+      scope = "admin.enterprises.admin_index.sells_options"
+      Enterprise::SELLS.map { |s| [I18n.t(s, scope:), s] }
+    end
+
     private
 
     def build_enterprise_side_menu_items(is_shop:, show_options: ) # rubocop:disable Metrics/MethodLength

app/models/application_record.rb

@@ -9,6 +9,7 @@ class ApplicationRecord < ActiveRecord::Base
   include ArelHelpers::JoinAssociation
 
   self.abstract_class = true
+  self.include_root_in_json = true
 
   def self.image_service
     ENV["S3_BUCKET"].present? ? :amazon_public : :local

app/models/enterprise.rb

@@ -75,6 +75,7 @@ class Enterprise < ApplicationRecord
   has_one :stripe_account, dependent: :destroy
   has_many :vouchers, dependent: :restrict_with_exception
   has_many :connected_apps, dependent: :destroy
+  has_many :dfc_permissions, dependent: :destroy
   has_one :custom_tab, dependent: :destroy
 
   delegate :latitude, :longitude, :city, :state_name, to: :address

app/views/admin/enterprises/_admin_index.html.haml

@@ -28,7 +28,7 @@
             = enterprise_form.check_box :is_primary_producer
             = t('.producer')
           - if spree_current_user.admin?
-            %td= enterprise_form.select :sells, Enterprise::SELLS, {}, class: 'select2 fullwidth'
+            %td= enterprise_form.select :sells, enterprise_sells_options, {}, class: 'select2 fullwidth'
           %td= enterprise_form.check_box :visible, {}, 'public', 'hidden'
           - if spree_current_user.admin?
             %td= enterprise_form.select :owner_id, enterprise.users.map{ |e| [ e.email, e.id ] }, {}, class: "select2 fullwidth"

compose.yaml

@@ -5,20 +5,36 @@ services:
     environment:
       POSTGRES_PASSWORD: f00d
       POSTGRES_USER: ofn
-      POSTGRES_DB: open_food_network_dev
     ports:
       - 5432:5432
     volumes:
       - 'postgres:/var/lib/postgresql/data'
+    healthcheck:
+      test: ["CMD-SHELL", "PGPASSWORD=$$POSTGRES_PASSWORD pg_isready -q -h 127.0.0.1 -p 5432 -U $$POSTGRES_USER || exit 1"]
+      interval: 5s
+      timeout: 10s
+      retries: 10
+
   redis:
     image: redis
+
+  bundler:
+    build: .
+    # Runs once: installs gems into /bundles, writes a checksum sentinel, then exits
+    command: >
+      sh -lc 'bundle install --jobs 4 --retry 3 --quiet;
+              sha256sum Gemfile.lock > /bundles/.Gemfile.lock.sha'
+    volumes:
+      - .:/usr/src/app
+      - gems:/bundles
+    restart: "no"
+
   web:
     tty: true
     stdin_open: true
     build: .
     ports:
       - 3000:3000
-      - 3035:3035
     volumes:
       - .:/usr/src/app
       - gems:/bundles
@@ -26,20 +42,69 @@ services:
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     depends_on:
-      - db
-      - redis
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_started
+      webpack:
+        condition: service_started
     environment:
       DOCKER: true
+      DEV_CACHING: true
       OFN_DB_HOST: db
       OFN_REDIS_URL: redis://redis/
       OFN_REDIS_JOBS_URL: redis://redis
       OFN_REDIS_TEST_URL: redis://redis/3
+      WEBPACKER_DEV_SERVER_HOST: webpack
+      WEBPACKER_DEV_SERVER_PORT: 3035
+      WEBPACKER_DEV_SERVER_PUBLIC: localhost:3035
+
     command: >
-      bash -c "rm -f tmp/pids/server.pid &&
-               (bundle check || bundle install) &&
-               bundle exec rake db:create &&
-               yarn install &&
-               bundle exec foreman start -f Procfile.docker"
+      sh -lc 'rm -f tmp/pids/server.pid;
+              until [ -f /bundles/.Gemfile.lock.sha ] && sha256sum -c /bundles/.Gemfile.lock.sha >/dev/null 2>&1; do sleep 0.5; done;
+              bundle exec rails db:prepare &&
+              yarn install &&
+              exec bundle exec rails s -b 0.0.0.0 -p 3000'
+
+  sidekiq:
+    build: .
+    command: >
+      sh -lc 'until [ -f /bundles/.Gemfile.lock.sha ] && sha256sum -c /bundles/.Gemfile.lock.sha >/dev/null 2>&1; do sleep 0.5; done;
+              exec bundle exec sidekiq'
+    depends_on:
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_started
+    volumes:
+      - .:/usr/src/app
+      - gems:/bundles
+    environment:
+      DOCKER: true
+      DEV_CACHING: true
+      OFN_DB_HOST: db
+      OFN_REDIS_URL: redis://redis/
+      OFN_REDIS_JOBS_URL: redis://redis
+      OFN_REDIS_TEST_URL: redis://redis/3
+
+  webpack:
+    build: .
+    command: >
+      sh -lc 'until [ -f /bundles/.Gemfile.lock.sha ] && sha256sum -c /bundles/.Gemfile.lock.sha >/dev/null 2>&1; do sleep 0.5; done;
+              exec ./bin/webpack-dev-server'
+    ports:
+      - "3035:3035"
+    volumes:
+      - .:/usr/src/app
+      - gems:/bundles
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:3035/webpack-dev-server >/dev/null || wget -qO- http://localhost:3035/sockjs-node/info >/dev/null"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+
+    environment:
+      WEBPACKER_DEV_SERVER_HOST: 0.0.0.0
 volumes:
   gems:
   postgres:

config/application.rb

@@ -1,24 +1,19 @@
-require_relative 'boot'
+require_relative "boot"
 
 require "rails"
-[
-  "active_record/railtie",
-  "active_storage/engine",
-  "action_controller/railtie",
-  "action_view/railtie",
-  "action_mailer/railtie",
-  "active_job/railtie",
-  "action_cable/engine",
-  # "action_mailbox/engine",
-  # "action_text/engine",
-  "rails/test_unit/railtie",
-  "sprockets/railtie" # Disable this after migrating to Webpacker
-].each do |railtie|
-  begin
-    require railtie
-  rescue LoadError
-  end
-end
+# Pick the frameworks you want:
+require "active_model/railtie"
+require "active_job/railtie"
+require "active_record/railtie"
+require "active_storage/engine"
+require "action_controller/railtie"
+require "action_mailer/railtie"
+# require "action_mailbox/engine"
+# require "action_text/engine"
+require "action_view/railtie"
+require "action_cable/engine"
+require "rails/test_unit/railtie"
+require "sprockets/railtie" # Disable this after migrating to Webpacker
 
 require_relative "../lib/open_food_network/i18n_config"
 require_relative '../lib/spree/core/environment'
@@ -26,15 +21,34 @@ require_relative '../lib/spree/core/mail_interceptor'
 require_relative "../lib/i18n_digests"
 require_relative "../lib/git_utils"
 
-if defined?(Bundler)
-  # If you precompile assets before deploying to production, use this line
-  Bundler.require(*Rails.groups(:assets => %w(development test)))
-  # If you want your assets lazily compiled in production, use this line
-  # Bundler.require(:default, :assets, Rails.env)
-end
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups(:assets => %w(development test)))
 
 module Openfoodnetwork
   class Application < Rails::Application
+    # Initialize configuration defaults for originally generated Rails version.
+    config.load_defaults 6.1
+    config.action_view.form_with_generates_remote_forms = false
+    config.active_record.cache_versioning = false
+    config.active_record.has_many_inversing = false
+    config.active_record.yaml_column_permitted_classes = [BigDecimal, Symbol, Time,
+                                                          ActiveSupport::TimeWithZone,
+                                                          ActiveSupport::TimeZone]
+
+    # Please, add to the `ignore` list any other `lib` subdirectories that do
+    # not contain `.rb` files, or that should not be reloaded or eager loaded.
+    # Common ones are `templates`, `generators`, or `middleware`, for example.
+    # config.autoload_lib(ignore: %w(assets tasks))
+
+    # Configuration for the application, engines, and railties goes here.
+    #
+    # These settings can be overridden in specific environments using the files
+    # in config/environments, which are processed later.
+    #
+    config.time_zone = ENV["TIMEZONE"]
+    # config.eager_load_paths << Rails.root.join("extras")
+
     # Store a description of the current version
     config.x.git_version = GitUtils::git_version
 
@@ -71,16 +85,6 @@ module Openfoodnetwork
       end
     end
 
-    # filter sensitive information during logging
-    initializer "spree.params.filter" do |app|
-      app.config.filter_parameters += [
-        :password,
-        :password_confirmation,
-        :number,
-        :verification_value
-      ]
-    end
-
     initializer "load_spree_calculators" do |app|
       # Register Spree calculators
       Rails.application.reloader.to_prepare do
@@ -161,10 +165,6 @@ module Openfoodnetwork
     # Activate observers that should always be running.
     # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
 
-    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
-    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
-    config.time_zone = ENV["TIMEZONE"]
-
     # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
     # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
     config.i18n.default_locale = OpenFoodNetwork::I18nConfig.default_locale
@@ -184,38 +184,14 @@ module Openfoodnetwork
 
     # Enable the asset pipeline
     config.assets.enabled = true
-
-    # Version of your assets, change this if you want to expire all your assets
-    config.assets.version = '1.2'
+    config.assets.initialize_on_precompile = true
 
     # Unset X-Frame-Options header for embedded pages.
     config.action_dispatch.default_headers.except! "X-Frame-Options"
 
-    # css and js files other than application.* are not precompiled by default
-    # Instead, they must be explicitly included below
-    # http://stackoverflow.com/questions/8012434/what-is-the-purpose-of-config-assets-precompile
-    config.assets.initialize_on_precompile = true
-    config.assets.precompile += ['admin/*.js', 'admin/**/*.js', 'admin_minimal.js']
-    config.assets.precompile += ['web/all.js']
-    config.assets.precompile += ['darkswarm/all.js']
-    config.assets.precompile += ['shared/*']
-    config.assets.precompile += ['mail.scss']
-    config.assets.precompile += ['*.jpg', '*.jpeg', '*.png', '*.gif' '*.svg']
-
     # Highlight code that triggered database queries in logs.
     config.active_record.verbose_query_logs = ENV.fetch("VERBOSE_QUERY_LOGS", false)
 
-    # Apply framework defaults. New recommended defaults are successively added with each Rails version and
-    # include the defaults from previous versions. For more info see:
-    # https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults
-    config.load_defaults 6.1
-    config.action_view.form_with_generates_remote_forms = false
-    config.active_record.cache_versioning = false
-    config.active_record.has_many_inversing = false
-    config.active_record.yaml_column_permitted_classes = [BigDecimal, Symbol, Time,
-                                                          ActiveSupport::TimeWithZone,
-                                                          ActiveSupport::TimeZone]
-
     config.active_support.escape_html_entities_in_json = true
 
     config.active_job.queue_adapter = :sidekiq

config/boot.rb

@@ -1,7 +1,4 @@
-require 'rubygems'
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
 
-# Set up gems listed in the Gemfile.
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
-
-require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
-require 'bootsnap/setup'
+require "bundler/setup" # Set up gems listed in the Gemfile.
+require "bootsnap/setup" # Speed up boot time by caching expensive operations.

config/environment.rb

@@ -1,7 +1,5 @@
-# Load the rails application
-require_relative 'application'
+# Load the Rails application.
+require_relative "application"
 
-# Initialize the rails application
-Openfoodnetwork::Application.initialize!
-
-ActiveRecord::Base.include_root_in_json = true
+# Initialize the Rails application.
+Rails.application.initialize!

config/environments/development.rb

@@ -1,40 +1,87 @@
-Openfoodnetwork::Application.configure do
-  config.action_controller.default_url_options = {host: "localhost", port: 3000}
-  # Settings specified here will take precedence over those in config/application.rb
-  #
+require "active_support/core_ext/integer/time"
+
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
   # PROFILE switches several settings to a more "production-like" value
   # for profiling and benchmarking the application locally. All changes you
   # make to the app will require restart.
 
-  # In the development environment your application's code is reloaded on
-  # every request.  This slows down response time but is perfect for development
+  # In the development environment your application's code is reloaded any time
+  # it changes. This slows down response time but is perfect for development
   # since you don't have to restart the web server when you make code changes.
   config.cache_classes = !!ENV["PROFILE"]
 
-  config.action_controller.default_url_options = {host: "localhost", port: 3000}
+  # Do not eager load code on boot.
+  config.eager_load = false
+
+  # Show full error reports.
+  config.consider_all_requests_local = true
+
+  # Enable server timing
+  config.server_timing = true
+
+  # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+  # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+  #
+  # To override this, set the appropriate locale in .env[.*] file.
+  config.time_zone = ENV.fetch("TIMEZONE", "UTC")
+
+  config.log_level = ENV.fetch("DEV_LOG_LEVEL", :debug)
+
+  # Enable/disable caching. By default caching is disabled.
+  # Run rails dev:cache to toggle caching.
+  if Rails.root.join("tmp/caching-dev.txt").exist? || !ENV["PROFILE"] || !!ENV["DEV_CACHING"]
+    config.action_controller.perform_caching = true
+    config.action_controller.enable_fragment_cache_logging = true
 
-  # :file_store is used by default when no cache store is specifically configured.
-  if !!ENV["PROFILE"] || !!ENV["DEV_CACHING"]
     config.cache_store = :redis_cache_store, {
       url: ENV.fetch("OFN_REDIS_URL", "redis://localhost:6379/1"),
       expires_in: 90.minutes
     }
+    config.public_file_server.headers = {
+      "Cache-Control" => "public, max-age=#{2.days.to_i}"
+    }
+  else
+    config.action_controller.perform_caching = false
+
+    config.cache_store = :null_store
   end
 
-  config.eager_load = false
+  config.action_controller.default_url_options = {host: "localhost", port: 3000}
 
-  # Show full error reports and disable caching
-  config.consider_all_requests_local       = true
-  config.action_controller.perform_caching = !!ENV["PROFILE"] || !!ENV["DEV_CACHING"]
+  # Store uploaded files on the local file system (see config/storage.yml for options).
+  # config.active_storage.service = :local
 
-  # Don't care if the mailer can't send
+  # Don't care if the mailer can't send.
   config.action_mailer.raise_delivery_errors = false
 
-  # Print deprecation notices to the Rails logger
+  config.action_mailer.perform_caching = false
+
+  # Show emails using Letter Opener
+  config.action_mailer.delivery_method = :letter_opener
+  config.action_mailer.default_url_options = { host: "localhost:3000" }
+
+  # Print deprecation notices to the Rails logger.
   config.active_support.deprecation = :log
 
-  # Only use best-standards-support built into browsers
-  config.action_dispatch.best_standards_support = :builtin
+  # Raise exceptions for disallowed deprecations.
+  config.active_support.disallowed_deprecation = :raise
+
+  # Tell Active Support which deprecation messages to disallow.
+  config.active_support.disallowed_deprecation_warnings = []
+
+  # Raise an error on page load if there are pending migrations.
+  config.active_record.migration_error = :page_load
+
+  # Highlight code that triggered database queries in logs.
+  config.active_record.verbose_query_logs = true
+
+  # Highlight code that enqueued background job in logs.
+  config.active_job.verbose_enqueue_logs = true
+
+  # Suppress logger output for asset requests.
+  config.assets.quiet = true
 
   # Do not compress assets
   config.assets.compress = false
@@ -59,17 +106,17 @@ Openfoodnetwork::Application.configure do
   #   $ bundle exec rake assets:clean
   config.assets.debug = !!ENV["DEBUG_ASSETS"]
 
-  # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
-  # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
-  #
-  # To override this, set the appropriate locale in .env[.*] file.
-  config.time_zone = ENV.fetch("TIMEZONE", "UTC")
+  # Raises error for missing translations.
+  # config.i18n.raise_on_missing_translations = true
 
   config.i18n.fallbacks = [:en]
 
-  # Show emails using Letter Opener
-  config.action_mailer.delivery_method = :letter_opener
-  config.action_mailer.default_url_options = { host: "localhost:3000" }
+  # Annotate rendered view with file names.
+  # config.action_view.annotate_rendered_view_with_filenames = true
 
-  config.log_level = ENV.fetch("DEV_LOG_LEVEL", :debug)
+  # Uncomment if you wish to allow Action Cable access from any origin.
+  # config.action_cable.disable_request_forgery_protection = true
+
+  # Raise error when a before_action's only/except options reference missing actions
+  # config.action_controller.raise_on_missing_callback_actions = true
 end

config/environments/production.rb

@@ -1,69 +1,113 @@
-Openfoodnetwork::Application.configure do
-  # Settings specified here will take precedence over those in config/application.rb
+require "active_support/core_ext/integer/time"
 
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.enable_reloading = false
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
   config.eager_load = true
 
-  # Code is not reloaded between requests
-  config.cache_classes = true
-
-  # Full error reports are disabled and caching is turned on
-  config.consider_all_requests_local       = false
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local = false
   config.action_controller.perform_caching = true
 
-  # Disable Rails's static asset server (Apache or nginx will already do this)
+  # Ensures that a master key has been made available in ENV["RAILS_MASTER_KEY"], config/master.key, or an environment
+  # key such as config/credentials/production.key. This key is used to decrypt credentials (and other encrypted files).
+  # config.require_master_key = true
+
+  # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
   config.public_file_server.enabled = false
 
+  # Compress CSS using a preprocessor.
+  # config.assets.css_compressor = :sass
+
+  # Do not fall back to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = false
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.asset_host = "http://assets.example.com"
+
   # Compress JavaScripts and CSS
   config.assets.compress = true
 
-  # Don't fallback to assets pipeline if a precompiled asset is missed
-  config.assets.compile = false
-
   # Generate digests for assets URLs
   config.assets.digest = true
 
-  # Defaults to Rails.root.join("public/assets")
-  # config.assets.manifest = YOUR_PATH
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for Apache
+  # config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX
 
-  # Specifies the header that your server uses for sending files
-  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
-  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+  # Store uploaded files on the local file system (see config/storage.yml for options).
+  # We set it in application.rb.
+  # config.active_storage.service = :local
+
+  # Mount Action Cable outside main process or domain.
+  # config.action_cable.mount_path = nil
+  # config.action_cable.url = "wss://example.com/cable"
+  # config.action_cable.allowed_request_origins = [ "http://example.com", /http:\/\/example.*/ ]
+  config.action_cable.url = "#{ENV['OFN_URL']}/cable"
+  config.action_cable.allowed_request_origins = [/http:\/\/#{ENV['OFN_URL']}\/*/, /https:\/\/#{ENV['OFN_URL']}\/*/]
+
+  # Assume all access to the app is happening through a SSL-terminating reverse proxy.
+  # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
+  # config.assume_ssl = true
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   config.force_ssl = true
 
-  # Use https in email links
-  config.action_mailer.default_url_options = { protocol: 'https' }
+  # Log to STDOUT by default
+  config.logger = ActiveSupport::Logger.new(STDOUT)
+    .tap  { |logger| logger.formatter = ::Logger::Formatter.new }
+    .then { |logger| ActiveSupport::TaggedLogging.new(logger) }
 
-  # Set log level (default is :debug in Rails 4)
-  config.log_level = :info
-
-  # Configure logging:
-  config.log_formatter = Logger::Formatter.new.tap { |f| f.datetime_format = "%Y-%m-%d %H:%M:%S" }
+  # Prepend all log lines with the following tags.
   config.log_tags = [:request_id]
 
-  # Use a different cache store in production
+  # "info" includes generic and useful information about system operation, but avoids logging too much
+  # information to avoid inadvertent exposure of personally identifiable information (PII). If you
+  # want to log everything, set the level to "debug".
+  config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
   config.cache_store = :redis_cache_store, {
     url: ENV.fetch("OFN_REDIS_URL", "redis://localhost:6380/0"),
     reconnect_attempts: 1
   }
 
-  config.action_cable.url = "#{ENV['OFN_URL']}/cable"
-  config.action_cable.allowed_request_origins = [/http:\/\/#{ENV['OFN_URL']}\/*/, /https:\/\/#{ENV['OFN_URL']}\/*/]
+  # Use a real queuing backend for Active Job (and separate queues per environment).
+  # config.active_job.queue_adapter = :resque
+  # config.active_job.queue_name_prefix = "openfoodnetwork_production"
 
-  # Enable serving of images, stylesheets, and JavaScripts from an asset server
-  # config.action_controller.asset_host = "http://assets.example.com"
+  config.action_mailer.perform_caching = false
 
-  # Disable delivery errors, bad email addresses will be ignored
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
   # config.action_mailer.raise_delivery_errors = false
 
-  # Enable threaded mode
-  # config.threadsafe!
+  # Use https in email links
+  config.action_mailer.default_url_options = { protocol: 'https' }
 
   # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
-  # the I18n.default_locale when a translation can not be found)
+  # the I18n.default_locale when a translation cannot be found).
   config.i18n.fallbacks = [:en]
 
   # Send deprecation notices to registered listeners
   config.active_support.deprecation = :notify
+
+  # Do not dump schema after migrations.
+  config.active_record.dump_schema_after_migration = false
+
+  # Enable DNS rebinding protection and other `Host` header attacks.
+  # config.hosts = [
+  #   "example.com",     # Allow requests from example.com
+  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
+  # ]
+  # Skip DNS rebinding protection for the default health check endpoint.
+  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
 end

config/environments/test.rb

@@ -1,17 +1,38 @@
-Openfoodnetwork::Application.configure do
-  # Settings specified here will take precedence over those in config/application.rb
+require "active_support/core_ext/integer/time"
 
-  # The test environment is used exclusively to run your application's
-  # test suite.  You never need to work with it otherwise.  Remember that
-  # your test database is "scratch space" for the test suite and is wiped
-  # and recreated between test runs.  Don't rely on the data there!
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # While tests run files are not watched, reloading is not necessary.
+  config.enable_reloading = false
+
+  # StimulusReflex requires caching to be enabled.
   config.cache_classes = false
 
+  # Eager loading loads your entire application. When running a single test locally,
+  # this is usually not necessary, and can slow down your test suite. However, it's
+  # recommended that you enable it in continuous integration systems to ensure eager
+  # loading is working properly before deploying your code.
+  # config.eager_load = ENV["CI"].present?
   config.eager_load = false
 
-  # Configure static asset server for tests with Cache-Control for performance
+  config.time_zone = ENV.fetch("TIMEZONE", "UTC")
+
+  # Configure public file server for tests with Cache-Control for performance.
   config.public_file_server.enabled = true
-  config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }
+  config.public_file_server.headers = {
+    "Cache-Control" => "public, max-age=#{1.hour.to_i}"
+  }
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local = true
+  config.action_controller.perform_caching = false
+  # config.cache_store = :null_store
 
   # Separate cache stores when running in parallel
   config.cache_store = :redis_cache_store, {
@@ -20,40 +41,31 @@ Openfoodnetwork::Application.configure do
     reconnect_attempts: 1
   }
 
-  # Show full error reports and disable caching
-  config.consider_all_requests_local       = true
-  config.action_controller.perform_caching = false
+  # Render exception templates for rescuable exceptions and raise for other exceptions.
+  config.action_dispatch.show_exceptions = :rescuable
 
-  # Raise exceptions instead of rendering exception templates
-  config.action_dispatch.show_exceptions = false
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
 
-  # Disable request forgery protection in test environment
-  config.action_controller.allow_forgery_protection    = false
+  # Store uploaded files on the local file system in a temporary directory.
+  # config.active_storage.service = :test
+
+  config.action_mailer.perform_caching = false
 
   # Tell Action Mailer not to deliver emails to the real world.
   # The :test delivery method accumulates sent emails in the
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
 
-  # Tests should fail when translations are missing.
-  config.i18n.raise_on_missing_translations = true
-
-  config.time_zone = ENV.fetch("TIMEZONE", "UTC")
-
-  # Tests assume English text on the site.
-  config.i18n.default_locale = "en"
-  config.i18n.available_locales = ['en', 'es', 'pt']
-  config.i18n.fallbacks = [:en]
-  I18n.locale = config.i18n.locale = config.i18n.default_locale
-
-  # Use SQL instead of Active Record's schema dumper when creating the test database.
-  # This is necessary if your schema can't be completely dumped by the schema dumper,
-  # like if you have constraints or database-specific column types
-  # config.active_record.schema_format = :sql
-
-  # Print deprecation notices to the stderr
+  # Print deprecation notices to the stderr.
   # config.active_support.deprecation = :stderr
 
+  # Raise exceptions for disallowed deprecations.
+  config.active_support.disallowed_deprecation = :raise
+
+  # Tell Active Support which deprecation messages to disallow.
+  config.active_support.disallowed_deprecation_warnings = []
+
   # Fail tests on deprecated code unless it's a known case to solve.
   Rails.application.deprecators.behavior = ->(message, callstack, deprecator) do
     allowed_warnings = [
@@ -82,5 +94,20 @@ Openfoodnetwork::Application.configure do
     end
   end
 
+  # Raises error for missing translations.
+  config.i18n.raise_on_missing_translations = true
+
+  # Tests assume English text on the site.
+  config.i18n.default_locale = "en"
+  config.i18n.available_locales = ['en', 'es', 'pt']
+  config.i18n.fallbacks = [:en]
+  I18n.locale = config.i18n.locale = config.i18n.default_locale
+
+  # Annotate rendered view with file names.
+  # config.action_view.annotate_rendered_view_with_filenames = true
+
+  # Raise error when a before_action's only/except options reference missing actions
+  # config.action_controller.raise_on_missing_callback_actions = true
+
   config.active_job.queue_adapter = :test
 end

config/initializers/assets.rb

@@ -1 +1,24 @@
+# Be sure to restart your server when you modify this file.
+
+# Version of your assets, change this if you want to expire all your assets.
+Rails.application.config.assets.version = "1.2"
+
+# Add additional assets to the asset load path.
 Rails.application.config.assets.paths << Rails.root.join('node_modules')
+
+# Precompile additional assets.
+# application.js, application.css, and all non-JS/CSS in the app/assets
+# folder are already added.
+# Rails.application.config.assets.precompile += %w( admin.js admin.css )
+
+# css and js files other than application.* are not precompiled by default
+# Instead, they must be explicitly included below
+# http://stackoverflow.com/questions/8012434/what-is-the-purpose-of-config-assets-precompile
+Rails.application.config.assets.precompile += [
+  'admin/*.js', 'admin/**/*.js', 'admin_minimal.js',
+  'web/all.js',
+  'darkswarm/all.js',
+  'shared/*',
+  'mail.scss',
+  '*.jpg', '*.jpeg', '*.png', '*.gif' '*.svg',
+]

config/initializers/content_security_policy.rb

@@ -1,8 +1,8 @@
 # Be sure to restart your server when you modify this file.
 
-# Define an application-wide content security policy
-# For further information see the following documentation
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# Define an application-wide content security policy.
+# See the Securing Rails Applications Guide for more information:
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
 
 Rails.application.config.content_security_policy do |policy|
   policy.default_src :self, :https
@@ -23,15 +23,11 @@ Rails.application.config.content_security_policy do |policy|
 
   # Specify URI for violation reports
   # policy.report_uri "/csp-violation-report-endpoint"
+
+  # Generate session nonces for permitted importmap, inline scripts, and inline styles.
+  # config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+  # config.content_security_policy_nonce_directives = %w(script-src style-src)
+
+  # Report violations without enforcing the policy.
+  # config.content_security_policy_report_only = true
 end
-
-# If you are using UJS then enable automatic nonce generation
-# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
-
-# Set the nonce only to specific directives
-# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
-
-# Report CSP violations to a specified URI
-# For further information see the following documentation:
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-# Rails.application.config.content_security_policy_report_only = true

config/initializers/filter_parameter_logging.rb

@@ -1,4 +1,12 @@
 # frozen_string_literal: true
 
-# Configure sensitive parameters which will be filtered from the log file.
-Rails.application.config.filter_parameters += [:password, :vine_api_key, :vine_secret]
+# Be sure to restart your server when you modify this file.
+
+# Configure parameters to be partially matched (e.g. passw matches password) and filtered from the log file.
+# Use this to limit dissemination of sensitive information.
+# See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
+Rails.application.config.filter_parameters += [
+  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn,
+  :number, :verification_value,
+  :vine_api_key, :vine_secret,
+]

config/initializers/inflections.rb

@@ -1,13 +1,20 @@
 # Be sure to restart your server when you modify this file.
 
-# Add new inflection rules using the following format
-# (all these examples are active by default):
-# ActiveSupport::Inflector.inflections do |inflect|
-#   inflect.plural /^(ox)$/i, '\1en'
-#   inflect.singular /^(ox)en/i, '\1'
-#   inflect.irregular 'person', 'people'
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, "\\1en"
+#   inflect.singular /^(ox)en/i, "\\1"
+#   inflect.irregular "person", "people"
 #   inflect.uncountable %w( fish sheep )
 # end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.acronym "RESTful"
+# end
+
 Rails.autoloaders.each do |autoloader|
   autoloader.inflector.inflect(
     "stripe_sca" => "StripeSCA"

config/initializers/new_framework_defaults_7_0.rb

@@ -0,0 +1,143 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file eases your Rails 7.0 framework defaults upgrade.
+#
+# Uncomment each configuration one by one to switch to the new default.
+# Once your application is ready to run with all new defaults, you can remove
+# this file and set the `config.load_defaults` to `7.0`.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+# `button_to` view helper will render `<button>` element, regardless of whether
+# or not the content is passed as the first argument or as a block.
+# Rails.application.config.action_view.button_to_generates_button_tag = true
+
+# `stylesheet_link_tag` view helper will not render the media attribute by default.
+# Rails.application.config.action_view.apply_stylesheet_media_default = false
+
+# Change the digest class for the key generators to `OpenSSL::Digest::SHA256`.
+# Changing this default means invalidate all encrypted messages generated by
+# your application and, all the encrypted cookies. Only change this after you
+# rotated all the messages using the key rotator.
+#
+# See upgrading guide for more information on how to build a rotator.
+# https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html
+# Rails.application.config.active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA256
+
+# Change the digest class for ActiveSupport::Digest.
+# Changing this default means that for example Etags change and
+# various cache keys leading to cache invalidation.
+# Rails.application.config.active_support.hash_digest_class = OpenSSL::Digest::SHA256
+
+# Don't override ActiveSupport::TimeWithZone.name and use the default Ruby
+# implementation.
+# Rails.application.config.active_support.remove_deprecated_time_with_zone_name = true
+
+# Calls `Rails.application.executor.wrap` around test cases.
+# This makes test cases behave closer to an actual request or job.
+# Several features that are normally disabled in test, such as Active Record query cache
+# and asynchronous queries will then be enabled.
+# Rails.application.config.active_support.executor_around_test_case = true
+
+# Set both the `:open_timeout` and `:read_timeout` values for `:smtp` delivery method.
+# Rails.application.config.action_mailer.smtp_timeout = 5
+
+# The ActiveStorage video previewer will now use scene change detection to generate
+# better preview images (rather than the previous default of using the first frame
+# of the video).
+# Rails.application.config.active_storage.video_preview_arguments =
+#   "-vf 'select=eq(n\\,0)+eq(key\\,1)+gt(scene\\,0.015),loop=loop=-1:size=2,trim=start_frame=1' -frames:v 1 -f image2"
+
+# Automatically infer `inverse_of` for associations with a scope.
+# Rails.application.config.active_record.automatic_scope_inversing = true
+
+# Raise when running tests if fixtures contained foreign key violations
+# Rails.application.config.active_record.verify_foreign_keys_for_fixtures = true
+
+# Disable partial inserts.
+# This default means that all columns will be referenced in INSERT queries
+# regardless of whether they have a default or not.
+# Rails.application.config.active_record.partial_inserts = false
+
+# Protect from open redirect attacks in `redirect_back_or_to` and `redirect_to`.
+# Rails.application.config.action_controller.raise_on_open_redirects = true
+
+# Change the variant processor for Active Storage.
+# Changing this default means updating all places in your code that
+# generate variants to use image processing macros and ruby-vips
+# operations. See the upgrading guide for detail on the changes required.
+# The `:mini_magick` option is not deprecated; it's fine to keep using it.
+# Rails.application.config.active_storage.variant_processor = :vips
+
+# Enable parameter wrapping for JSON.
+# Previously this was set in an initializer. It's fine to keep using that initializer if you've customized it.
+# To disable parameter wrapping entirely, set this config to `false`.
+# Rails.application.config.action_controller.wrap_parameters_by_default = true
+
+# Specifies whether generated namespaced UUIDs follow the RFC 4122 standard for namespace IDs provided as a
+# `String` to `Digest::UUID.uuid_v3` or `Digest::UUID.uuid_v5` method calls.
+#
+# See https://guides.rubyonrails.org/configuring.html#config-active-support-use-rfc4122-namespaced-uuids for
+# more information.
+# Rails.application.config.active_support.use_rfc4122_namespaced_uuids = true
+
+# Change the default headers to disable browsers' flawed legacy XSS protection.
+# Rails.application.config.action_dispatch.default_headers = {
+#   "X-Frame-Options" => "SAMEORIGIN",
+#   "X-XSS-Protection" => "0",
+#   "X-Content-Type-Options" => "nosniff",
+#   "X-Download-Options" => "noopen",
+#   "X-Permitted-Cross-Domain-Policies" => "none",
+#   "Referrer-Policy" => "strict-origin-when-cross-origin"
+# }
+
+
+# ** Please read carefully, this must be configured in config/application.rb **
+# Change the format of the cache entry.
+# Changing this default means that all new cache entries added to the cache
+# will have a different format that is not supported by Rails 6.1 applications.
+# Only change this value after your application is fully deployed to Rails 7.0
+# and you have no plans to rollback.
+# When you're ready to change format, add this to `config/application.rb` (NOT this file):
+#  config.active_support.cache_format_version = 7.0
+
+
+# Cookie serializer: 2 options
+#
+# If you're upgrading and haven't set `cookies_serializer` previously, your cookie serializer
+# is `:marshal`. The default for new apps is `:json`.
+#
+# Rails.application.config.action_dispatch.cookies_serializer = :json
+#
+#
+# To migrate an existing application to the `:json` serializer, use the `:hybrid` option.
+#
+# Rails transparently deserializes existing (Marshal-serialized) cookies on read and
+# re-writes them in the JSON format.
+#
+# It is fine to use `:hybrid` long term; you should do that until you're confident *all* your cookies
+# have been converted to JSON. To keep using `:hybrid` long term, move this config to its own
+# initializer or to `config/application.rb`.
+#
+# Rails.application.config.action_dispatch.cookies_serializer = :hybrid
+#
+#
+# If your cookies can't yet be serialized to JSON, keep using `:marshal` for backward-compatibility.
+#
+# If you have configured the serializer elsewhere, you can remove this section of the file.
+#
+# See https://guides.rubyonrails.org/action_controller_overview.html#cookies for more information.
+
+# Change the return value of `ActionDispatch::Request#content_type` to the Content-Type header without modification.
+# Rails.application.config.action_dispatch.return_only_request_media_type_on_content_type = false
+
+# Active Storage `has_many_attached` relationships will default to replacing the current collection instead of appending to it.
+# Thus, to support submitting an empty collection, the `file_field` helper will render an hidden field `include_hidden` by default when `multiple_file_field_include_hidden` is set to `true`.
+# See https://guides.rubyonrails.org/configuring.html#config-active-storage-multiple-file-field-include-hidden for more information.
+# Rails.application.config.active_storage.multiple_file_field_include_hidden = true
+
+# ** Please read carefully, this must be configured in config/application.rb (NOT this file) **
+# Disables the deprecated #to_s override in some Ruby core classes
+# See https://guides.rubyonrails.org/configuring.html#config-active-support-disable-to-s-conversion for more information.
+# config.active_support.disable_to_s_conversion = true

config/initializers/new_framework_defaults_7_1.rb

@@ -0,0 +1,280 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file eases your Rails 7.1 framework defaults upgrade.
+#
+# Uncomment each configuration one by one to switch to the new default.
+# Once your application is ready to run with all new defaults, you can remove
+# this file and set the `config.load_defaults` to `7.1`.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+###
+# No longer add autoloaded paths into `$LOAD_PATH`. This means that you won't be able
+# to manually require files that are managed by the autoloader, which you shouldn't do anyway.
+#
+# This will reduce the size of the load path, making `require` faster if you don't use bootsnap, or reduce the size
+# of the bootsnap cache if you use it.
+#
+# To set this configuration, add the following line to `config/application.rb` (NOT this file):
+#   config.add_autoload_paths_to_load_path = false
+
+###
+# Remove the default X-Download-Options headers since it is used only by Internet Explorer.
+# If you need to support Internet Explorer, add back `"X-Download-Options" => "noopen"`.
+#++
+# Rails.application.config.action_dispatch.default_headers = {
+#   "X-Frame-Options" => "SAMEORIGIN",
+#   "X-XSS-Protection" => "0",
+#   "X-Content-Type-Options" => "nosniff",
+#   "X-Permitted-Cross-Domain-Policies" => "none",
+#   "Referrer-Policy" => "strict-origin-when-cross-origin"
+# }
+
+###
+# Do not treat an `ActionController::Parameters` instance
+# as equal to an equivalent `Hash` by default.
+#++
+# Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality = false
+
+###
+# Active Record Encryption now uses SHA-256 as its hash digest algorithm.
+#
+# There are 3 scenarios to consider.
+#
+# 1. If you have data encrypted with previous Rails versions, and you have
+# +config.active_support.key_generator_hash_digest_class+ configured as SHA1 (the default
+# before Rails 7.0), you need to configure SHA-1 for Active Record Encryption too:
+#++
+# Rails.application.config.active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA1
+#
+# 2. If you have +config.active_support.key_generator_hash_digest_class+ configured as SHA256 (the new default
+# in 7.0), then you need to configure SHA-256 for Active Record Encryption:
+#++
+# Rails.application.config.active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA256
+#
+# 3. If you don't currently have data encrypted with Active Record encryption, you can disable this setting to
+# configure the default behavior starting 7.1+:
+#++
+# Rails.application.config.active_record.encryption.support_sha1_for_non_deterministic_encryption = false
+
+###
+# No longer run after_commit callbacks on the first of multiple Active Record
+# instances to save changes to the same database row within a transaction.
+# Instead, run these callbacks on the instance most likely to have internal
+# state which matches what was committed to the database, typically the last
+# instance to save.
+#++
+# Rails.application.config.active_record.run_commit_callbacks_on_first_saved_instances_in_transaction = false
+
+###
+# Configures SQLite with a strict strings mode, which disables double-quoted string literals.
+#
+# SQLite has some quirks around double-quoted string literals.
+# It first tries to consider double-quoted strings as identifier names, but if they don't exist
+# it then considers them as string literals. Because of this, typos can silently go unnoticed.
+# For example, it is possible to create an index for a non existing column.
+# See https://www.sqlite.org/quirks.html#double_quoted_string_literals_are_accepted for more details.
+#++
+# Rails.application.config.active_record.sqlite3_adapter_strict_strings_by_default = true
+
+###
+# Disable deprecated singular associations names.
+#++
+# Rails.application.config.active_record.allow_deprecated_singular_associations_name = false
+
+###
+# Enable the Active Job `BigDecimal` argument serializer, which guarantees
+# roundtripping. Without this serializer, some queue adapters may serialize
+# `BigDecimal` arguments as simple (non-roundtrippable) strings.
+#
+# When deploying an application with multiple replicas, old (pre-Rails 7.1)
+# replicas will not be able to deserialize `BigDecimal` arguments from this
+# serializer. Therefore, this setting should only be enabled after all replicas
+# have been successfully upgraded to Rails 7.1.
+#++
+# Rails.application.config.active_job.use_big_decimal_serializer = true
+
+###
+# Specify if an `ArgumentError` should be raised if `Rails.cache` `fetch` or
+# `write` are given an invalid `expires_at` or `expires_in` time.
+# Options are `true`, and `false`. If `false`, the exception will be reported
+# as `handled` and logged instead.
+#++
+# Rails.application.config.active_support.raise_on_invalid_cache_expiration_time = true
+
+###
+# Specify whether Query Logs will format tags using the SQLCommenter format
+# (https://open-telemetry.github.io/opentelemetry-sqlcommenter/), or using the legacy format.
+# Options are `:legacy` and `:sqlcommenter`.
+#++
+# Rails.application.config.active_record.query_log_tags_format = :sqlcommenter
+
+###
+# Specify the default serializer used by `MessageEncryptor` and `MessageVerifier`
+# instances.
+#
+# The legacy default is `:marshal`, which is a potential vector for
+# deserialization attacks in cases where a message signing secret has been
+# leaked.
+#
+# In Rails 7.1, the new default is `:json_allow_marshal` which serializes and
+# deserializes with `ActiveSupport::JSON`, but can fall back to deserializing
+# with `Marshal` so that legacy messages can still be read.
+#
+# In Rails 7.2, the default will become `:json` which serializes and
+# deserializes with `ActiveSupport::JSON` only.
+#
+# Alternatively, you can choose `:message_pack` or `:message_pack_allow_marshal`,
+# which serialize with `ActiveSupport::MessagePack`. `ActiveSupport::MessagePack`
+# can roundtrip some Ruby types that are not supported by JSON, and may provide
+# improved performance, but it requires the `msgpack` gem.
+#
+# For more information, see
+# https://guides.rubyonrails.org/v7.1/configuring.html#config-active-support-message-serializer
+#
+# If you are performing a rolling deploy of a Rails 7.1 upgrade, wherein servers
+# that have not yet been upgraded must be able to read messages from upgraded
+# servers, first deploy without changing the serializer, then set the serializer
+# in a subsequent deploy.
+#++
+# Rails.application.config.active_support.message_serializer = :json_allow_marshal
+
+###
+# Enable a performance optimization that serializes message data and metadata
+# together. This changes the message format, so messages serialized this way
+# cannot be read by older versions of Rails. However, messages that use the old
+# format can still be read, regardless of whether this optimization is enabled.
+#
+# To perform a rolling deploy of a Rails 7.1 upgrade, wherein servers that have
+# not yet been upgraded must be able to read messages from upgraded servers,
+# leave this optimization off on the first deploy, then enable it on a
+# subsequent deploy.
+#++
+# Rails.application.config.active_support.use_message_serializer_for_metadata = true
+
+###
+# Set the maximum size for Rails log files.
+#
+# `config.load_defaults 7.1` does not set this value for environments other than
+# development and test.
+#++
+# if Rails.env.local?
+#   Rails.application.config.log_file_size = 100 * 1024 * 1024
+# end
+
+###
+# Enable raising on assignment to attr_readonly attributes. The previous
+# behavior would allow assignment but silently not persist changes to the
+# database.
+#++
+# Rails.application.config.active_record.raise_on_assign_to_attr_readonly = true
+
+###
+# Enable validating only parent-related columns for presence when the parent is mandatory.
+# The previous behavior was to validate the presence of the parent record, which performed an extra query
+# to get the parent every time the child record was updated, even when parent has not changed.
+#++
+# Rails.application.config.active_record.belongs_to_required_validates_foreign_key = false
+
+###
+# Enable precompilation of `config.filter_parameters`. Precompilation can
+# improve filtering performance, depending on the quantity and types of filters.
+#++
+# Rails.application.config.precompile_filter_parameters = true
+
+###
+# Enable before_committed! callbacks on all enrolled records in a transaction.
+# The previous behavior was to only run the callbacks on the first copy of a record
+# if there were multiple copies of the same record enrolled in the transaction.
+#++
+# Rails.application.config.active_record.before_committed_on_all_records = true
+
+###
+# Disable automatic column serialization into YAML.
+# To keep the historic behavior, you can set it to `YAML`, however it is
+# recommended to explicitly define the serialization method for each column
+# rather than to rely on a global default.
+#++
+# Rails.application.config.active_record.default_column_serializer = nil
+
+###
+# Enable a performance optimization that serializes Active Record models
+# in a faster and more compact way.
+#
+# To perform a rolling deploy of a Rails 7.1 upgrade, wherein servers that have
+# not yet been upgraded must be able to read caches from upgraded servers,
+# leave this optimization off on the first deploy, then enable it on a
+# subsequent deploy.
+#++
+# Rails.application.config.active_record.marshalling_format_version = 7.1
+
+###
+# Run `after_commit` and `after_*_commit` callbacks in the order they are defined in a model.
+# This matches the behaviour of all other callbacks.
+# In previous versions of Rails, they ran in the inverse order.
+#++
+# Rails.application.config.active_record.run_after_transaction_callbacks_in_order_defined = true
+
+###
+# Whether a `transaction` block is committed or rolled back when exited via `return`, `break` or `throw`.
+#++
+# Rails.application.config.active_record.commit_transaction_on_non_local_return = true
+
+###
+# Controls when to generate a value for <tt>has_secure_token</tt> declarations.
+#++
+# Rails.application.config.active_record.generate_secure_token_on = :initialize
+
+###
+# ** Please read carefully, this must be configured in config/application.rb **
+#
+# Change the format of the cache entry.
+#
+# Changing this default means that all new cache entries added to the cache
+# will have a different format that is not supported by Rails 7.0
+# applications.
+#
+# Only change this value after your application is fully deployed to Rails 7.1
+# and you have no plans to rollback.
+# When you're ready to change format, add this to `config/application.rb` (NOT
+# this file):
+#   config.active_support.cache_format_version = 7.1
+
+###
+# Configure Action View to use HTML5 standards-compliant sanitizers when they are supported on your
+# platform.
+#
+# `Rails::HTML::Sanitizer.best_supported_vendor` will cause Action View to use HTML5-compliant
+# sanitizers if they are supported, else fall back to HTML4 sanitizers.
+#
+# In previous versions of Rails, Action View always used `Rails::HTML4::Sanitizer` as its vendor.
+#++
+# Rails.application.config.action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+
+###
+# Configure Action Text to use an HTML5 standards-compliant sanitizer when it is supported on your
+# platform.
+#
+# `Rails::HTML::Sanitizer.best_supported_vendor` will cause Action Text to use HTML5-compliant
+# sanitizers if they are supported, else fall back to HTML4 sanitizers.
+#
+# In previous versions of Rails, Action Text always used `Rails::HTML4::Sanitizer` as its vendor.
+#++
+# Rails.application.config.action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+
+###
+# Configure the log level used by the DebugExceptions middleware when logging
+# uncaught exceptions during requests.
+#++
+# Rails.application.config.action_dispatch.debug_exception_log_level = :error
+
+###
+# Configure the test helpers in Action View, Action Dispatch, and rails-dom-testing to use HTML5
+# parsers.
+#
+# Nokogiri::HTML5 isn't supported on JRuby, so JRuby applications must set this to :html4.
+#
+# In previous versions of Rails, these test helpers always used an HTML4 parser.
+#++
+# Rails.application.config.dom_testing_default_html_version = :html5

config/initializers/permissions_policy.rb

@@ -0,0 +1,13 @@
+# Be sure to restart your server when you modify this file.
+
+# Define an application-wide HTTP permissions policy. For further
+# information see: https://developers.google.com/web/updates/2018/06/feature-policy
+
+# Rails.application.config.permissions_policy do |policy|
+#   policy.camera      :none
+#   policy.gyroscope   :none
+#   policy.microphone  :none
+#   policy.usb         :none
+#   policy.fullscreen  :self
+#   policy.payment     :self, "https://secure.example.com"
+# end

config/locales/cy.yml

@@ -1446,6 +1446,8 @@ cy:
         visible: Gweladwy?
         owner: Perchennog
         producer: Cynhyrchydd
+        sells_options:
+          none: dim
       change_type_form:
         producer_profile: Proffil Cynhyrchydd
         connect_ofn: Cysylltu trwy'r Open Food Network

config/locales/en.yml

@@ -1518,6 +1518,11 @@ en:
         visible: Visible?
         owner: Owner
         producer: Producer
+        sells_options:
+          unspecified: unspecified
+          none: none
+          own: own
+          any: any
       change_type_form:
         producer_profile: Producer Profile
         connect_ofn: Connect through OFN

config/locales/en_CA.yml

@@ -1447,6 +1447,8 @@ en_CA:
         visible: Visible?
         owner: Owner
         producer: Producer
+        sells_options:
+          none: none
       change_type_form:
         producer_profile: Producer Profile
         connect_ofn: Connect through OFN
@@ -3618,7 +3620,7 @@ en_CA:
             removed_terms_and_conditions_successfully: "Terms and Conditions file removed successfully"
     insufficient_stock: "Insufficient stock available, only %{on_hand} remaining"
     out_of_stock:
-      reduced_stock_available: Reduced stock available
+      reduced_stock_available: 'Reduced stock '
       out_of_stock_text: >
           While you've been shopping, the stock levels for one or more of the products
           in your cart have reduced. Here's what's changed:

config/locales/en_FR.yml

@@ -1447,6 +1447,8 @@ en_FR:
         visible: Visible?
         owner: Owner
         producer: Producer
+        sells_options:
+          none: none
       change_type_form:
         producer_profile: Producer Profile
         connect_ofn: Connect through OFN

config/locales/en_GB.yml

@@ -1447,6 +1447,8 @@ en_GB:
         visible: Visible?
         owner: Owner
         producer: Producer
+        sells_options:
+          none: none
       change_type_form:
         producer_profile: Producer Profile
         connect_ofn: Connect through OFN

config/locales/fi.yml

@@ -1445,6 +1445,8 @@ fi:
         visible: Näkyvissä?
         owner: Omistaja
         producer: Tuottaja
+        sells_options:
+          none: ei yhtään
       change_type_form:
         producer_profile: Tuottajan profiili
         connect_ofn: Yhdistä OFN:n kautta

config/locales/fr.yml

@@ -1449,6 +1449,8 @@ fr:
         visible: Visible?
         owner: Gestionnaire principal
         producer: Producteur
+        sells_options:
+          none: aucun
       change_type_form:
         producer_profile: Profil simple
         connect_ofn: Pour apparaître sur la carte et la liste des producteurs

config/locales/fr_CA.yml

@@ -1451,6 +1451,8 @@ fr_CA:
         visible: Visible?
         owner: Gérant
         producer: Producteur
+        sells_options:
+          none: aucun
       change_type_form:
         producer_profile: Profil producteur
         connect_ofn: Gagnez en visibilité via OFN

config/locales/hu.yml

@@ -1383,6 +1383,8 @@ hu:
         visible: Látható?
         owner: Tulajdonos
         producer: Termelő
+        sells_options:
+          none: n.a.
       change_type_form:
         producer_profile: Termelői Profil
         connect_ofn: Csatlakozás OFN-en keresztül

engines/dfc_provider/app/controllers/dfc_provider/addresses_controller.rb

@@ -30,8 +30,7 @@ module DfcProvider
     # - Spree::Shipment
     # - Subscription
     def authorized(address)
-      current_user.ship_address_id == address.id ||
-        current_user.bill_address_id == address.id ||
+      user_address(address) ||
         [
           customer_address(address),
           public_enterprise_group_address(address),
@@ -40,6 +39,13 @@ module DfcProvider
         ].any?(&:exists?)
     end
 
+    def user_address(address)
+      return false if current_user.is_a? ApiUser
+
+      current_user.ship_address_id == address.id ||
+        current_user.bill_address_id == address.id
+    end
+
     def customer_address(address)
       current_user.customers.where(bill_address: address).or(
         current_user.customers.where(ship_address: address)

engines/dfc_provider/app/controllers/dfc_provider/application_controller.rb

@@ -3,12 +3,15 @@
 # Controller used to provide the API products for the DFC application
 module DfcProvider
   class ApplicationController < ActionController::Base
+    class Unauthorized < StandardError; end
+
     include ActiveStorage::SetCurrent
 
     protect_from_forgery with: :null_session
 
     rescue_from ActiveRecord::RecordNotFound, with: :not_found
     rescue_from CanCan::AccessDenied, with: :unauthorized
+    rescue_from Unauthorized, with: :unauthorized
 
     before_action :check_authorization
 
@@ -16,6 +19,13 @@ module DfcProvider
 
     private
 
+    def require_permission(scope)
+      return if current_user.is_a? Spree::User
+      return if current_user.permissions(scope).where(enterprise: current_enterprise).exists?
+
+      raise Unauthorized
+    end
+
     def check_authorization
       unauthorized if current_user.nil?
     end

engines/dfc_provider/app/controllers/dfc_provider/catalog_items_controller.rb

@@ -7,6 +7,8 @@ module DfcProvider
     before_action :check_enterprise
 
     def index
+      require_permission "ReadProducts"
+
       enterprises = current_user.enterprises.map do |enterprise|
         EnterpriseBuilder.enterprise(enterprise)
       end

engines/dfc_provider/app/services/api_user.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# Authorised user or client using the API
+class ApiUser
+  CLIENT_MAP = {
+    "https://waterlooregionfood.ca/portal/profile" => "cqcm-dev",
+  }.freeze
+
+  def self.from_client_id(client_id)
+    id = CLIENT_MAP[client_id]
+
+    new(id) if id
+  end
+
+  attr_reader :id
+
+  def initialize(id)
+    @id = id
+  end
+
+  def admin?
+    false
+  end
+
+  def customers
+    Customer.none
+  end
+
+  def enterprises
+    Enterprise.where(dfc_permissions: permissions("ReadEnterprise"))
+  end
+
+  def permissions(scope)
+    DfcPermission.where(grantee: id, scope:)
+  end
+end

engines/dfc_provider/app/services/authorization_control.rb

@@ -1,17 +1,29 @@
 # frozen_string_literal: true
 
-# Service used to authorize the user on DCF Provider API
+# Authorize the user on the DFC API
+#
 # It controls an OICD Access token and an enterprise.
 class AuthorizationControl
-  # Copied from: https://login.lescommuns.org/auth/realms/data-food-consortium/
-  LES_COMMUNES_PUBLIC_KEY = <<~KEY
-    -----BEGIN PUBLIC KEY-----
-    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl68JGqAILFzoi/1+6siXXp2vylu+7mPjYKjKelTtHFYXWVkbmVptCsamHlY3jRhqSQYe6M1SKfw8D+uXrrWsWficYvpdlV44Vm7uETZOr1/XBOjpWOi1vLmBVtX6jFeqN1BxfE1PxLROAiGn+MeMg90AJKShD2c5RoNv26e20dgPhshRVFPUGru+0T1RoKyIa64z/qcTcTVD2V7KX+ANMweRODdoPAzQFGGjTnL1uUqIdUwSfHSpXYnKxXOsnPC3Mowkv8UIGWWDxS/yzhWc7sOk1NmC7pb+Cg7G8NKj+Pp9qQZnXF39Dg95ZsxJrl6fyPFvTo3zf9CPG/fUM1CkkwIDAQAB
-    -----END PUBLIC KEY-----
-  KEY
+  PUBLIC_KEYS = {
+    # Copied from: https://login.lescommuns.org/auth/realms/data-food-consortium/
+    "https://login.lescommuns.org/auth/realms/data-food-consortium" => <<~KEY,
+      -----BEGIN PUBLIC KEY-----
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl68JGqAILFzoi/1+6siXXp2vylu+7mPjYKjKelTtHFYXWVkbmVptCsamHlY3jRhqSQYe6M1SKfw8D+uXrrWsWficYvpdlV44Vm7uETZOr1/XBOjpWOi1vLmBVtX6jFeqN1BxfE1PxLROAiGn+MeMg90AJKShD2c5RoNv26e20dgPhshRVFPUGru+0T1RoKyIa64z/qcTcTVD2V7KX+ANMweRODdoPAzQFGGjTnL1uUqIdUwSfHSpXYnKxXOsnPC3Mowkv8UIGWWDxS/yzhWc7sOk1NmC7pb+Cg7G8NKj+Pp9qQZnXF39Dg95ZsxJrl6fyPFvTo3zf9CPG/fUM1CkkwIDAQAB
+      -----END PUBLIC KEY-----
+    KEY
 
-  def self.public_key
-    OpenSSL::PKey::RSA.new(LES_COMMUNES_PUBLIC_KEY)
+    # Copied from: https://kc.cqcm.startinblox.com/realms/startinblox
+    "https://kc.cqcm.startinblox.com/realms/startinblox" => <<~KEY,
+      -----BEGIN PUBLIC KEY-----
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqtvdb3BdHoLnNeMLaWd7nugPwdRAJJpdSySTtttEQY2/v1Q3byJ/kReSNGrUNkPVkOeDN3milgN5Apz+sNCwbtzOCulyFMmvuIOZFBqz5tcgwjZinSwpGBXpn6ehXyCET2LlcfLYAPA9axtaNg9wBLIHoxIPWpa2LcZstogyZY/yKUZXQTDqM5B5TyUkPN89xHFdq8SQuXPasbpYl7mGhZHkTDHiKZ9VK7K5tqsEZTD9dCuTGMKsthbOrlDnc9bAJ3PyKLRdib21Y1GGlTozo4Y/1q448E/DFp5rVC6jG6JFnsEnP0WVn+6qz7yxI7IfUU2YSAGgtGYaQkWtEfED0QIDAQAB
+      -----END PUBLIC KEY-----
+    KEY
+  }.freeze
+
+  def self.public_key(token)
+    unverified_payload = JWT.decode(token, nil, false, { algorithm: "RS256" }).first
+    key = PUBLIC_KEYS[unverified_payload["iss"]]
+    OpenSSL::PKey::RSA.new(key)
   end
 
   def initialize(request)
@@ -27,7 +39,11 @@ class AuthorizationControl
   private
 
   def oidc_user
-    find_ofn_user(decode_token) if access_token
+    return unless access_token
+
+    payload = decode_token
+
+    find_ofn_user(payload) || client_user(payload)
   end
 
   def ofn_api_user
@@ -41,7 +57,7 @@ class AuthorizationControl
   def decode_token
     JWT.decode(
       access_token,
-      self.class.public_key,
+      self.class.public_key(access_token),
       true, { algorithm: "RS256" }
     ).first
   end
@@ -59,4 +75,8 @@ class AuthorizationControl
 
     OidcAccount.find_by(uid: payload["email"])&.user
   end
+
+  def client_user(payload)
+    ApiUser.from_client_id(payload["client_id"])
+  end
 end

engines/dfc_provider/spec/requests/catalog_items_spec.rb

@@ -3,6 +3,7 @@
 require_relative "../swagger_helper"
 
 RSpec.describe "CatalogItems", swagger_doc: "dfc.yaml" do
+  let(:Authorization) { nil }
   let(:user) { create(:oidc_user, id: 12_345) }
   let(:enterprise) {
     create(
@@ -35,8 +36,15 @@ RSpec.describe "CatalogItems", swagger_doc: "dfc.yaml" do
 
     get "List CatalogItems" do
       produces "application/json"
+      security [oidc_token: []]
 
       response "404", "not found" do
+        context "as platform user" do
+          include_context "authenticated as platform"
+          let(:enterprise_id) { 10_000 }
+          run_test!
+        end
+
         context "without enterprises" do
           let(:enterprise_id) { "default" }
 
@@ -53,6 +61,25 @@ RSpec.describe "CatalogItems", swagger_doc: "dfc.yaml" do
       response "200", "success" do
         before { product }
 
+        context "as platform user" do
+          include_context "authenticated as platform"
+
+          let(:enterprise_id) { 10_000 }
+
+          before {
+            DfcPermission.create!(
+              user:, enterprise_id:,
+              scope: "ReadEnterprise", grantee: "cqcm-dev",
+            )
+            DfcPermission.create!(
+              user:, enterprise_id:,
+              scope: "ReadProducts", grantee: "cqcm-dev",
+            )
+          }
+
+          run_test!
+        end
+
         context "with default enterprise id" do
           let(:enterprise_id) { "default" }
 
@@ -75,11 +102,31 @@ RSpec.describe "CatalogItems", swagger_doc: "dfc.yaml" do
       end
 
       response "401", "unauthorized" do
-        let(:enterprise_id) { "default" }
+        context "as platform user" do
+          include_context "authenticated as platform"
 
-        before { login_as nil }
+          let(:enterprise_id) { 10_000 }
 
-        run_test!
+          before {
+            product
+
+            DfcPermission.create!(
+              user:, enterprise_id:,
+              scope: "ReadEnterprise", grantee: "cqcm-dev",
+            )
+            # But no ReadProducts permission.
+          }
+
+          run_test!
+        end
+
+        context "without authorisation" do
+          let(:enterprise_id) { "default" }
+
+          before { login_as nil }
+
+          run_test!
+        end
       end
     end
   end

engines/dfc_provider/spec/requests/enterprises_spec.rb

@@ -3,6 +3,7 @@
 require_relative "../swagger_helper"
 
 RSpec.describe "Enterprises", swagger_doc: "dfc.yaml" do
+  let(:Authorization) { nil }
   let!(:user) { create(:oidc_user) }
   let!(:enterprise) do
     create(
@@ -51,6 +52,21 @@ RSpec.describe "Enterprises", swagger_doc: "dfc.yaml" do
       produces "application/json"
 
       response "200", "successful" do
+        context "as platform user" do
+          include_context "authenticated as platform"
+
+          let(:id) { 10_000 }
+
+          before {
+            DfcPermission.create!(
+              user:, enterprise_id: id,
+              scope: "ReadEnterprise", grantee: "cqcm-dev",
+            )
+          }
+
+          run_test!
+        end
+
         context "without enterprise id" do
           let(:id) { "default" }
 

engines/dfc_provider/spec/requests/product_groups_spec.rb

@@ -13,6 +13,7 @@ RSpec.describe "ProductGroups", swagger_doc: "dfc.yaml" do
       variants: [variant]
     )
   }
+  let(:Authorization) { nil }
   let(:variant) {
     build(:base_variant, id: 10_001, unit_value: 1, primary_taxon: taxon, supplier: enterprise)
   }
@@ -34,10 +35,28 @@ RSpec.describe "ProductGroups", swagger_doc: "dfc.yaml" do
 
     get "Show ProductGroup" do
       produces "application/json"
+      security [oidc_token: []]
 
       response "200", "success" do
         let(:id) { product.id }
 
+        context "as platform user" do
+          include_context "authenticated as platform"
+
+          before {
+            DfcPermission.create!(
+              user:, enterprise_id:,
+              scope: "ReadEnterprise", grantee: "cqcm-dev",
+            )
+            DfcPermission.create!(
+              user:, enterprise_id:,
+              scope: "ReadProducts", grantee: "cqcm-dev",
+            )
+          }
+
+          run_test!
+        end
+
         run_test! do
           expect(json_response["@id"]).to eq "http://test.host/api/dfc/product_groups/90000"
 

engines/dfc_provider/spec/services/affiliate_sales_query_spec.rb

@@ -11,11 +11,11 @@ RSpec.describe AffiliateSalesQuery do
     let(:yesterday) { Time.zone.yesterday }
     let(:tomorrow) { Time.zone.tomorrow }
 
-    around do |example|
+    before do
       # Query dates are interpreted as UTC while the spec runs in
       # Melbourne time. At noon in Melbourne, the date is the same.
       # That simplifies the spec.
-      Timecop.travel(Time.zone.today.noon, &example)
+      travel_to(Time.zone.today.noon)
     end
 
     it "returns data" do

engines/dfc_provider/spec/services/api_user_spec.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require_relative "../spec_helper"
+
+RSpec.describe ApiUser do
+  subject(:user) { described_class.new("cqcm-dev") }
+
+  describe "#customers" do
+    it "returns nothing" do
+      expect(user.customers).to be_empty
+    end
+  end
+end

engines/dfc_provider/spec/services/authorization_control_spec.rb

@@ -8,6 +8,23 @@ RSpec.describe AuthorizationControl do
   let(:user) { create(:oidc_user) }
 
   describe "with OIDC token" do
+    it "accepts a token from Les Communs" do
+      user.oidc_account.update!(uid: "testdfc@protonmail.com")
+      lc_token = file_fixture("les_communs_access_token.jwt").read
+
+      travel_to(Date.parse("2025-06-13")) do
+        expect(auth(oidc_token: lc_token).user).to eq user
+      end
+    end
+
+    it "accepts a token from Startin'Blox" do
+      sib_token = file_fixture("startinblox_access_token.jwt").read
+
+      travel_to(Date.parse("2025-06-13")) do
+        expect(auth(oidc_token: sib_token).user.id).to eq "cqcm-dev"
+      end
+    end
+
     it "finds the right user" do
       create(:oidc_user) # another user
       token = allow_token_for(email: user.email)

engines/dfc_provider/spec/support/shared_contexts/authenticated_as_platform.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# Authenticate via Authoriztion token
+RSpec.shared_context "authenticated as platform" do
+  let(:Authorization) {
+    "Bearer #{file_fixture('startinblox_access_token.jwt').read}"
+  }
+
+  before do
+    # Once upon a time when the access token hadn't expired yet...
+    travel_to(Date.parse("2025-06-13"))
+
+    # Reset any login via session cookie.
+    login_as nil
+  end
+end

lib/open_food_network/permissions.rb

@@ -113,7 +113,9 @@ module OpenFoodNetwork
     end
 
     def managed_enterprises
-      @managed_enterprises ||= Enterprise.managed_by(@user)
+      return Enterprise.all if admin?
+
+      @user.enterprises
     end
 
     def coordinated_order_cycles

package.json

@@ -10,7 +10,7 @@
     "pretty-quick": "pretty-quick"
   },
   "dependencies": {
-    "@floating-ui/dom": "^1.7.3",
+    "@floating-ui/dom": "^1.7.4",
     "@hotwired/stimulus": "^3.2",
     "@hotwired/turbo": "^8.0.13",
     "@rails/webpacker": "5.4.4",

spec/base_spec_helper.rb

@@ -257,6 +257,7 @@ RSpec.configure do |config|
   config.include OpenFoodNetwork::FiltersHelper
   config.include OpenFoodNetwork::EnterpriseGroupsHelper
   config.include OpenFoodNetwork::HtmlHelper
+  config.include ActiveSupport::Testing::TimeHelpers
   config.include ActionView::Helpers::DateHelper
   config.include OpenFoodNetwork::PerformanceHelper
   config.include ActiveJob::TestHelper

spec/controllers/admin/order_cycles_controller_spec.rb

@@ -142,7 +142,7 @@ RSpec.describe Admin::OrderCyclesController do
               select: {
                 enterprise_fees: 3,
                 enterprise_groups: 1,
-                enterprises: 22,
+                enterprises: 19,
                 exchanges: 7,
                 order_cycles: 6,
                 proxy_orders: 1,

spec/fixtures/files/les_communs_access_token.jwt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJKVjg1bVRtUmh1MGtSeGNNb0FGUFl5azJMbS1WTExYV25HOG9HbUxNUkowIn0.eyJleHAiOjE3NDk3ODkyMzYsImlhdCI6MTc0OTc4NzQzNiwiYXV0aF90aW1lIjoxNzQ5Nzg3NDMzLCJqdGkiOiJmM2Q2ZGNmMi1lNGMwLTQyNzItODQzNC00NWFhZDczOTllYzUiLCJpc3MiOiJodHRwczovL2xvZ2luLmxlc2NvbW11bnMub3JnL2F1dGgvcmVhbG1zL2RhdGEtZm9vZC1jb25zb3J0aXVtIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjVmZjNhZjc4LTk0YTItNGI1Yi04ZGFkLWE3YzFkZWE4ODE2YSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImNvb3BjaXJjdWl0cyIsIm5vbmNlIjoiMTZkNmM3OGZkNTcwOWRkMjVkNzNkYzYwMmViNDBiZGYiLCJzZXNzaW9uX3N0YXRlIjoiYmE4Y2M0ZWYtMDJmMC00ZjVmLWFiMWEtMDUyNGRiNGViNzI5IiwiYWxsb3dlZC1vcmlnaW5zIjpbIiJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwgb2ZmbGluZV9hY2Nlc3MiLCJzaWQiOiJiYThjYzRlZi0wMmYwLTRmNWYtYWIxYS0wNTI0ZGI0ZWI3MjkiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiJ0ZXN0IGRmYyIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3RkZmNAcHJvdG9ubWFpbC5jb20iLCJsb2NhbGUiOiJlbiIsImdpdmVuX25hbWUiOiJ0ZXN0IiwiZmFtaWx5X25hbWUiOiJkZmMiLCJlbWFpbCI6InRlc3RkZmNAcHJvdG9ubWFpbC5jb20ifQ.NTuzVgy8es0GHKqGPmHgVaV8Kzz9uuFAiWgixLubfh8fl2OccFDxccNKyiTczj4wHD4jItdHPIxz-x9ZX2Ao7lwMFLno69KWjAK2eLpA8Fnu4stftlswfHqD0W-wzG0Cx24H6jXZbsM5tm1FYgQYwrlZ-uqwQOabN_cA_cTrwHmMTNVCjwCisScq7Np7r1me-4YEABmTGR362_eJVn2bRppG_7s12yjEAH_mcTyALXqlXNaF0XihDCxjmK8ybJiGy6_QwhEJci6EWqJ-w9H6ckheq94xTM5WpanQ4-ZHEm2TZlq2MOfMBVsknhwnGI0b-GbtSJrs7urWsopQyWSuhw

spec/fixtures/files/startinblox_access_token.jwt

@@ -0,0 +1 @@
+eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJRRlJES1daQ2hzMllQYnRqYl9yQUtwQzNzMFo0T2FCMEtFQ056NnlxWHQ0In0.eyJleHAiOjE3NDk3ODk3MDcsImlhdCI6MTc0OTc4OTQwNywianRpIjoiOWE4ODU4NDAtODhjNy00OTliLWIyOGUtMmE5ZmViM2EyNmU0IiwiaXNzIjoiaHR0cHM6Ly9rYy5jcWNtLnN0YXJ0aW5ibG94LmNvbS9yZWFsbXMvc3RhcnRpbmJsb3giLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNWZlM2MyNmMtMjczNi00OGE0LWI2Y2YtYTllM2JjZmNkZjAwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaHR0cHM6Ly93YXRlcmxvb3JlZ2lvbmZvb2QuY2EvcG9ydGFsL3Byb2ZpbGUiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiIsImRlZmF1bHQtcm9sZXMtc3RhcnRpbmJsb3giXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6IlJlYWRFbnRlcnByaXNlIFJlYWRQcm9kdWN0cyIsImNsaWVudEhvc3QiOiIxNzIuMTguMC4xIiwiY2xpZW50QWRkcmVzcyI6IjE3Mi4xOC4wLjEiLCJjbGllbnRfaWQiOiJodHRwczovL3dhdGVybG9vcmVnaW9uZm9vZC5jYS9wb3J0YWwvcHJvZmlsZSJ9.Ln7wY0_ptRAza7M8w3yXU02TvluH028uaoJ5VHiN9-PnakokzHve7SCuSd1hvVikYAivWFIBRP97vwfpb_DW-d9Afk_XcQqcA0L36ynUIZ69X5uQ2zakEW0kB6pwqd8AL8tlWVUg2PixBXJ6daJcgWNF7RlKXg6wgy4JYL_VxD3VJjST911-z4_TMuQ2OC-3SJNwNv3BspSmUXm7F6y8xGFN7wuCPjU90WIiZ_vxTbVdM0zNtBM0uMJFeFv2_ZzoJIIiNHYLWtD3LrKcXePLSejpo-DPVWR_lGdDdM7BmzOHPKZ9KMaV-oa3lYNYC5shhJOpoB3vHngtdYdv8jq7Cg

spec/helpers/admin/enterprises_helper_spec.rb

@@ -50,4 +50,10 @@ RSpec.describe Admin::EnterprisesHelper do
       expect(visible_items.pluck(:name)).to include "connected_apps"
     end
   end
+
+  describe '#enterprise_sells_options' do
+    it 'returns sells options with translations' do
+      expect(helper.enterprise_sells_options.map(&:first)).to eq %w[unspecified none own any]
+    end
+  end
 end

spec/jobs/heartbeat_job_spec.rb

@@ -8,8 +8,8 @@ RSpec.describe HeartbeatJob do
 
     before { Spree::Config.last_job_queue_heartbeat_at = nil }
 
-    around do |example|
-      Timecop.freeze(run_time) { example.run }
+    before do
+      travel_to(run_time)
     end
 
     it "updates the last_job_queue_heartbeat_at config var" do

spec/jobs/open_order_cycle_job_spec.rb

@@ -7,8 +7,8 @@ RSpec.describe OpenOrderCycleJob do
   let(:order_cycle) { create(:simple_order_cycle, orders_open_at: now) }
   subject { OpenOrderCycleJob.perform_now(order_cycle.id) }
 
-  around do |example|
-    Timecop.freeze(now) { example.run }
+  before do
+    freeze_time
   end
 
   it "marks as open" do

spec/jobs/webhook_delivery_job_spec.rb

@@ -23,7 +23,7 @@ RSpec.describe WebhookDeliveryJob do
   end
 
   it "delivers a payload" do
-    Timecop.freeze do
+    freeze_time do
       expected_body = {
         id: /.+/,
         at: at.to_s,

spec/lib/reports/enterprise_fee_summary/renderers/csv_renderer_spec.rb

@@ -80,7 +80,7 @@ require "spec_helper"
 #   end
 
 #   it "generates filename correctly" do
-#     Timecop.freeze(Time.zone.local(2018, 10, 9, 7, 30, 0)) do
+#     travel_to(Time.zone.local(2018, 10, 9, 7, 30, 0)) do
 #       filename = renderer.__send__(:filename)
 #       expect(filename).to eq("enterprise_fee_summary_20181009.csv")
 #     end

spec/lib/reports/xero_invoices_report_spec.rb

@@ -13,7 +13,7 @@ module Reporting
         describe "option defaults" do
           let(:report) { Base.new user }
 
-          around { |example| Timecop.travel(Time.zone.local(2015, 5, 5, 14, 0, 0)) { example.run } }
+          before { travel_to(Time.zone.local(2015, 5, 5, 14, 0, 0)) }
 
           it "uses defaults when blank params are passed" do
             expect(report.params).to eq(invoice_date: Date.civil(2015, 5, 5),

spec/models/enterprise_caching_spec.rb

@@ -149,6 +149,6 @@ RSpec.describe Enterprise do
   end
 
   def later(&)
-    Timecop.travel(1.day.from_now, &)
+    travel(1.day, &)
   end
 end

spec/models/order_cycle_spec.rb

@@ -304,7 +304,7 @@ RSpec.describe OrderCycle do
     let(:oc) { build_stubbed(:simple_order_cycle) }
 
     it "reports status when an order cycle is upcoming" do
-      Timecop.freeze(oc.orders_open_at - 1.second) do
+      travel_to(oc.orders_open_at - 1.second) do
         expect(oc).not_to be_undated
         expect(oc).to     be_dated
         expect(oc).to     be_upcoming
@@ -322,7 +322,7 @@ RSpec.describe OrderCycle do
     end
 
     it "reports status when an order cycle has closed" do
-      Timecop.freeze(oc.orders_close_at + 1.second) do
+      travel_to(oc.orders_close_at + 1.second) do
         expect(oc).not_to be_undated
         expect(oc).to     be_dated
         expect(oc).not_to be_upcoming

spec/models/proxy_order_spec.rb

@@ -7,10 +7,8 @@ RSpec.describe ProxyOrder do
     let(:order_cycle) { create(:simple_order_cycle) }
     let(:subscription) { create(:subscription) }
 
-    around do |example|
-      # We are testing if database columns have been set to "now".
-      Timecop.freeze(Time.zone.now) { example.run }
-    end
+    # We are testing if database columns have been set to "now".
+    before { freeze_time }
 
     context "when the order cycle is not yet closed" do
       let(:proxy_order) {
@@ -94,9 +92,7 @@ RSpec.describe ProxyOrder do
     let(:proxy_order) { create(:proxy_order, order:, canceled_at: Time.zone.now) }
     let(:order_cycle) { proxy_order.order_cycle }
 
-    around do |example|
-      Timecop.freeze(Time.zone.now) { example.run }
-    end
+    before { freeze_time }
 
     context "when the order cycle is not yet closed" do
       before { order_cycle.update(orders_open_at: 1.day.ago, orders_close_at: 3.days.from_now) }

spec/models/terms_of_service_file_spec.rb

@@ -40,7 +40,7 @@ RSpec.describe TermsOfServiceFile do
     let(:subject) { TermsOfServiceFile.updated_at }
 
     it "gives the most conservative time if not known" do
-      Timecop.freeze do
+      freeze_time do
         expect(subject).to eq Time.zone.now
       end
     end

spec/services/vine/jwt_service_spec.rb

@@ -21,7 +21,7 @@ RSpec.describe Vine::JwtService do
 
     it "includes issuing time" do
       generate_time = Time.zone.now
-      Timecop.freeze(generate_time) do
+      travel_to(generate_time) do
         token = subject.generate_token
 
         payload = decode(token, vine_secret)
@@ -32,7 +32,7 @@ RSpec.describe Vine::JwtService do
 
     it "includes expirations time" do
       generate_time = Time.zone.now
-      Timecop.freeze(generate_time) do
+      travel_to(generate_time) do
         token = subject.generate_token
 
         payload = decode(token, vine_secret)

spec/support/timecop.rb

@@ -1,3 +0,0 @@
-# frozen_string_literal: true
-
-Timecop.safe_mode = true

spec/system/admin/enterprises/terms_and_conditions_spec.rb

@@ -34,7 +34,7 @@ RSpec.describe "Uploading Terms and Conditions PDF" do
         attach_file "enterprise[terms_and_conditions]", original_terms, make_visible: true
 
         time = Time.zone.local(2002, 4, 13, 0, 0, 0)
-        Timecop.freeze(run_time = time) do
+        travel_to(run_time = time) do
           click_button "Update"
           expect(distributor.reload.terms_and_conditions_blob.created_at).to eq run_time
         end

spec/system/admin/payment_method_spec.rb

@@ -73,10 +73,24 @@ RSpec.describe '
         select2_select "Missing", from: "payment_method_preferred_enterprise_id"
         expect(page).to have_selector "#stripe-account-status .alert-box.error",
                                       text: 'No Stripe account exists for this enterprise.'
-        connect_one = 'Connect One'
-        expect(page).to have_link connect_one,
-                                  href: edit_admin_enterprise_path(missing_account_enterprise,
-                                                                   anchor: "/payment_methods")
+        click_link 'Connect One' # opens in new tab
+
+        new_window = windows.last
+        page.within_window new_window do
+          expect(page).to have_content "Settings: Missing"
+          # we should be on the Payment Methods tab already
+          expect(page).to have_content "Use the button to the right to get started."
+          page.find("a", text: "Connect with Stripe").click # it's not a proper link without href
+
+          expect(page).to have_content "connect your Stripe account to the OFN."
+          href = connect_admin_stripe_accounts_path(enterprise_id: missing_account_enterprise)
+          expect(page).to have_link "I Agree", href:
+
+          # Blocked by capybara. probably don't need to test this.
+          # click_link "I Agree"
+          # expect(page).to have_current_path("https://connect.stripe.com/", url: true)
+        end
+        new_window.close
 
         select2_select "Revoked", from: "payment_method_preferred_enterprise_id"
         expect(page).to have_selector "#stripe-account-status .alert-box.error",

spec/system/admin/reports/orders_and_distributors_spec.rb

@@ -13,10 +13,6 @@ RSpec.describe "Orders And Distributors" do
     let!(:distributor2) { create(:distributor_enterprise, name: "By Moto") }
     let!(:completed_at) { Time.zone.now.to_fs(:db) }
 
-    around do |example|
-      Timecop.travel(completed_at) { example.run }
-    end
-
     let!(:order) {
       create(:order_ready_to_ship, distributor_id: distributor.id, completed_at:)
     }
@@ -25,6 +21,10 @@ RSpec.describe "Orders And Distributors" do
     }
     let(:variant) { order.variants.first }
 
+    before do
+      travel_to(completed_at)
+    end
+
     context "as an enterprise user" do
       let(:header) {
         ["Order date", "Order Id", "Customer Name", "Customer Email", "Customer Phone",

spec/system/admin/reports/orders_and_fulfillment_spec.rb

@@ -116,9 +116,10 @@ RSpec.describe "Orders And Fulfillment" do
         let(:datetime_start1) { 1600.hours.ago } # 1600 hours in the past
         let(:datetime_start2) { 1800.hours.ago } # 1600 hours in the past
         let(:datetime_end) { 1400.hours.ago } # 1400 hours in the past
+
         before do
-          Timecop.travel(completed_at1) { order1.finalize! }
-          Timecop.travel(completed_at2) { order2.finalize! }
+          travel_to(completed_at1) { order1.finalize! }
+          travel_to(completed_at2) { order2.finalize! }
         end
 
         it "is precise to time of day, not just date" do

spec/system/admin/reports/packing_report_spec.rb

@@ -6,8 +6,8 @@ RSpec.describe "Packing Reports" do
   include AuthenticationHelper
   include WebHelper
 
-  around do |example|
-    Timecop.freeze(Time.zone.now.strftime("%Y-%m-%d 00:00")) { example.run }
+  before do
+    travel_to(Time.zone.now.strftime("%Y-%m-%d 00:00"))
   end
 
   let!(:open_datetime) { 1.month.ago.strftime("%Y-%m-%d 00:00") }

spec/system/admin/reports_spec.rb

@@ -102,13 +102,13 @@ RSpec.describe '
       expect(content).to match "<th>\nFirst Name\n</th>"
 
       # Let's also check the expiry of the emailed link:
-      Timecop.travel(3.days.from_now) do
+      travel(3.days) do
         content = URI.parse(report_link).read
         expect(content).to match "<th>\nFirst Name\n</th>"
       end
 
       # The link should still expire though:
-      Timecop.travel(3.months.from_now) do
+      travel(3.months) do
         expect { URI.parse(report_link).read }
           .to raise_error OpenURI::HTTPError, "404 Not Found"
       end
@@ -625,15 +625,13 @@ RSpec.describe '
         order1.update_order!
         order1.update!(email: 'customer@email.com')
         order1.shipment.update(included_tax_total: 10.06)
-        Timecop.travel(Time.zone.local(2021, 4, 25, 14, 0, 0)) { order1.finalize! }
+        travel_to(Time.zone.local(2021, 4, 25, 14, 0, 0)) { order1.finalize! }
         order1.reload
         order1.create_tax_charge!
       end
 
-      around do |example|
-        Timecop.travel(Time.zone.local(2021, 4, 26, 14, 0, 0)) do
-          example.run
-        end
+      before do
+        travel_to(Time.zone.local(2021, 4, 26, 14, 0, 0))
       end
 
       context "summary report" do

spec/system/consumer/authentication_spec.rb

@@ -139,7 +139,7 @@ RSpec.describe "Authentication" do
             end
 
             it "succeeding after time threshold" do
-              Timecop.travel(30.seconds.from_now) do
+              travel(30.seconds) do
                 fill_in "Your email", with: "test@foo.com"
                 fill_in "Choose a password", with: "test12345"
                 fill_in "Confirm password", with: "test12345"

spec/system/consumer/caching/shops_caching_spec.rb

@@ -29,7 +29,7 @@ RSpec.describe "Shops caching", caching: true do
 
     it "keeps data cached for a short time on subsequent requests" do
       # Ensure sufficient time for requests to load and timed caches to expire
-      Timecop.travel(10.minutes.ago) do
+      travel(-10.minutes) do
         visit shops_path
 
         expect(page).to have_content distributor.name
@@ -95,7 +95,7 @@ RSpec.describe "Shops caching", caching: true do
 
     it "keeps data cached for a short time on subsequent requests" do
       # Ensure sufficient time for requests to load and timed caches to expire
-      Timecop.travel(10.minutes.ago) do
+      travel(-10.minutes) do
         visit enterprise_shop_path(distributor)
 
         # The page HTML contains the cached text but we need to test for the

swagger/dfc.yaml

@@ -137,6 +137,8 @@ paths:
         type: string
     get:
       summary: List CatalogItems
+      security:
+      - oidc_token: []
       tags:
       - CatalogItems
       responses:
@@ -578,13 +580,7 @@ paths:
                     "@id": http://test.host/api/dfc/enterprises/10000/platforms
                     dfc-t:platforms:
                       "@type": rdf:List
-                      "@list":
-                      - "@type": dfc-t:Platform
-                        "@id": https://api.proxy-dev.cqcm.startinblox.com/profile
-                        localId: cqcm-dev
-                        dfc-t:hasAssignedScopes:
-                          "@type": rdf:List
-                          "@list": []
+                      "@list": []
   "/api/dfc/enterprises/{enterprise_id}/platforms/{platform_id}":
     parameters:
     - name: enterprise_id
@@ -634,24 +630,18 @@ paths:
                     dfc-t:hasAssignedScopes:
                       "@type": rdf:List
                       "@list":
-                      - "@id": https://example.com/scopes/ReadEnterprise
+                      - "@id": https://github.com/datafoodconsortium/taxonomies/releases/latest/download/scopes.rdf#ReadEnterprise
                         "@type": dfc-t:Scope
-                        dfc-t:scope: ReadEnterprise
-                      - "@id": https://example.com/scopes/WriteEnterprise
+                      - "@id": https://github.com/datafoodconsortium/taxonomies/releases/latest/download/scopes.rdf#WriteEnterprise
                         "@type": dfc-t:Scope
-                        dfc-t:scope: WriteEnterprise
-                      - "@id": https://example.com/scopes/ReadProducts
+                      - "@id": https://github.com/datafoodconsortium/taxonomies/releases/latest/download/scopes.rdf#ReadProducts
                         "@type": dfc-t:Scope
-                        dfc-t:scope: ReadProducts
-                      - "@id": https://example.com/scopes/WriteProducts
+                      - "@id": https://github.com/datafoodconsortium/taxonomies/releases/latest/download/scopes.rdf#WriteProducts
                         "@type": dfc-t:Scope
-                        dfc-t:scope: WriteProducts
-                      - "@id": https://example.com/scopes/ReadOrders
+                      - "@id": https://github.com/datafoodconsortium/taxonomies/releases/latest/download/scopes.rdf#ReadOrders
                         "@type": dfc-t:Scope
-                        dfc-t:scope: ReadOrders
-                      - "@id": https://example.com/scopes/WriteOrders
+                      - "@id": https://github.com/datafoodconsortium/taxonomies/releases/latest/download/scopes.rdf#WriteOrders
                         "@type": dfc-t:Scope
-                        dfc-t:scope: WriteOrders
       requestBody:
         content:
           application/json:
@@ -688,6 +678,8 @@ paths:
         type: string
     get:
       summary: Show ProductGroup
+      security:
+      - oidc_token: []
       tags:
       - ProductGroups
       responses:

yarn.lock

@@ -1134,10 +1134,10 @@
   dependencies:
     "@floating-ui/utils" "^0.2.10"
 
-"@floating-ui/dom@^1.7.3":
-  version "1.7.3"
-  resolved "https://registry.yarnpkg.com/@floating-ui/dom/-/dom-1.7.3.tgz#6174ac3409e6a064bbdf1f4bb07188ee9461f8cf"
-  integrity sha512-uZA413QEpNuhtb3/iIKoYMSK07keHPYeXF02Zhd6e213j+d1NamLix/mCLxBUDW/Gx52sPH2m+chlUsyaBs/Ag==
+"@floating-ui/dom@^1.7.4":
+  version "1.7.4"
+  resolved "https://registry.yarnpkg.com/@floating-ui/dom/-/dom-1.7.4.tgz#ee667549998745c9c3e3e84683b909c31d6c9a77"
+  integrity sha512-OOchDgh4F2CchOX94cRVqhvy7b3AFb+/rQXyswmzmGakRfkMgoWVjfnLWkRirfLEfuD4ysVW16eXzwt3jHIzKA==
   dependencies:
     "@floating-ui/core" "^1.7.3"
     "@floating-ui/utils" "^0.2.10"
@@ -2729,12 +2729,12 @@ ci-info@^3.2.0:
   integrity sha512-dVqRX7fLUm8J6FgHJ418XuIgDLZDkYcDFTeL6TA2gt5WlIZUQrrH6EZrNClwT/H0FateUsZkGIOPRrLbP+PR9A==
 
 cipher-base@^1.0.0, cipher-base@^1.0.1, cipher-base@^1.0.3:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/cipher-base/-/cipher-base-1.0.4.tgz#8760e4ecc272f4c363532f926d874aae2c1397de"
-  integrity sha512-Kkht5ye6ZGmwv40uUDZztayT2ThLQGfnj/T71N/XzeZeo3nf8foyW7zGTsPYkEya3m5f3cAypH+qe7YOrM1U2Q==
+  version "1.0.6"
+  resolved "https://registry.yarnpkg.com/cipher-base/-/cipher-base-1.0.6.tgz#8fe672437d01cd6c4561af5334e0cc50ff1955f7"
+  integrity sha512-3Ek9H3X6pj5TgenXYtNWdaBon1tgYCaebd+XPg0keyjEbEfkD4KkmAxkQ/i1vYvxdcT5nscLBfq9VJRmCBcFSw==
   dependencies:
-    inherits "^2.0.1"
-    safe-buffer "^5.0.1"
+    inherits "^2.0.4"
+    safe-buffer "^5.2.1"
 
 cjs-module-lexer@^1.0.0:
   version "1.2.2"
@@ -8352,12 +8352,13 @@ setprototypeof@1.2.0:
   integrity sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==
 
 sha.js@^2.4.0, sha.js@^2.4.11, sha.js@^2.4.8:
-  version "2.4.11"
-  resolved "https://registry.yarnpkg.com/sha.js/-/sha.js-2.4.11.tgz#37a5cf0b81ecbc6943de109ba2960d1b26584ae7"
-  integrity sha512-QMEp5B7cftE7APOjk5Y6xgrbWu+WkLVQwk8JNjZ8nKRciZaByEW6MubieAiToS7+dwvrjGhH8jRXz3MVd0AYqQ==
+  version "2.4.12"
+  resolved "https://registry.yarnpkg.com/sha.js/-/sha.js-2.4.12.tgz#eb8b568bf383dfd1867a32c3f2b74eb52bdbf23f"
+  integrity sha512-8LzC5+bvI45BjpfXU8V5fdU2mfeKiQe1D1gIMn7XUlF3OTUrpdJpPPH4EMAnF0DsHHdSZqCdSss5qCmJKuiO3w==
   dependencies:
-    inherits "^2.0.1"
-    safe-buffer "^5.0.1"
+    inherits "^2.0.4"
+    safe-buffer "^5.2.1"
+    to-buffer "^1.2.0"
 
 shebang-command@^1.2.0:
   version "1.2.0"