bullet_train 1.0.3 → 1.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f2cca75b5672450c75a47b97cf486366a177d303fa6478be29cbb014dfb5908
-  data.tar.gz: db2bdf3ac241c0f7dcad0be1f2b313ce2bfb852c93000b1f4036607d205b3f49
+  metadata.gz: 91587205ff146fede77d497b179accabc819d44eca37b45a073b5e97bf0fdfd0
+  data.tar.gz: ea97e2ea8db1e6a2ce999bc06032777bc35b6d7ba6ef8f1740a408601f4a2bc7
 SHA512:
-  metadata.gz: 2a49b488046b59fc31a12aadd6f2d24d5e2854e4c0c4bb79527d1d4a3b91222e52d031f618b9410a840a5575274118492e3dc8a2043e47150721b28ebf9628c4
-  data.tar.gz: 1c5255a146db443035ab26542eccfdd4a51e605c185369d419f9f0cf532c8eae6e182be6623d35af072e46d962d06fdcdb025a6cc2361b414147a4f9d1a5e15c
+  metadata.gz: 119ac0424011467fd3aeab95aba0213aae4711ea1246288cd38b597149a685e2874e1891371ab680a0a0f3f8e50834a2faa501670379c633c40a62a05ad5bab5
+  data.tar.gz: 2c958dd9a290d69143dd2829018054fb5a28b35d85d3635f311cc1814087fee3ebc83d9c2f7e9dd238a3b527e24b7e251db8d0efc626ac22b082fa980775f6ca

data/app/controllers/account/invitations_controller.rb

@@ -1,146 +1,3 @@
 class Account::InvitationsController < Account::ApplicationController
-  # the 'accept' action isn't covered by cancancan, because simply having the
-  # link is authorization enough to claim membership on a team. see `#accept`
-  # for more information.
-  account_load_and_authorize_resource :invitation, :team, except: [:show]
-
-  # we skip the onboarding requirement for users claiming and invitation.
-  # this way the invitation gets accepted after they complete the devise
-  # workflow, but before they're prompted to complete their onboarding.
-  skip_before_action :ensure_onboarding_is_complete_and_set_next_step, only: :accept
-  skip_before_action :authenticate_user!, only: :accept
-
-  # GET /invitations
-  # GET /invitations.json
-  def index
-    redirect_to [:account, @team, :memberships]
-  end
-
-  # GET /invitations/1
-  # GET /invitations/1.json
-  def show
-    # it's important that we only allow invitations to be shown via their uuid,
-    # otherwise team members can just step the id in the url to claim an
-    # invitation that would escalate their privileges.
-    @invitation = Invitation.find_by(uuid: params[:id])
-    unless @invitation
-      raise I18n.t("global.notifications.not_found")
-    end
-    @team = @invitation.team
-
-    # backfill these objects for the locale magic, since we didn't use `account_load_and_authorize_resource`.
-    @child_object = @invitation
-    @parent_object = @team
-
-    render layout: "devise"
-  end
-
-  # POST /invitations/1/accept
-  # POST /invitations/1/accept.json
-  def accept
-    # unless the user is signed in.
-    if !current_user.present?
-
-      # keep track of the uuid of the invitation so we can reload it
-      # after they sign up. at this point we don't even know if it's
-      # valid, but that's fine.
-      session[:invitation_uuid] = params[:id]
-
-      # also, we'll queue devise up to return to the invitation url after a sign in.
-      session["user_return_to"] = request.path
-
-      # assume the user needs to create an account.
-      # this is not the default for devise, but a sensible default here.
-      redirect_to new_user_registration_path
-
-    else
-
-      @invitation = Invitation.find_by(uuid: params[:id])
-
-      if @invitation
-        @team = @invitation.team
-        if @invitation.is_for?(current_user) || request.post?
-          @invitation.accept_for(current_user)
-          redirect_to account_dashboard_path, notice: I18n.t("invitations.notifications.welcome", team_name: @team.name)
-        else
-          redirect_to account_invitation_path(@invitation.uuid)
-        end
-      else
-        redirect_to account_dashboard_path
-      end
-
-    end
-  end
-
-  # GET /invitations/new
-  def new
-    @invitation.build_membership
-    @cancel_path = only_allow_path(params[:cancel_path])
-  end
-
-  # POST /invitations
-  # POST /invitations.json
-  def create
-    @invitation.membership.team = current_team
-    # this allows notifications to be sent to a user before they've accepted their invitation.
-    @invitation.membership.user_email = @invitation.email
-    @invitation.from_membership = current_membership
-    respond_to do |format|
-      if @invitation.save
-        format.html { redirect_to account_team_invitations_path(@team), notice: I18n.t("invitations.notifications.created") }
-        format.json { render :show, status: :created, location: [:account, @team, @invitation] }
-      else
-        format.html { render :new, status: :unprocessable_entity }
-        format.json { render json: @invitation.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # DELETE /invitations/1
-  # DELETE /invitations/1.json
-  def destroy
-    @invitation.destroy
-    respond_to do |format|
-      format.html { redirect_to account_team_invitations_path(@team), notice: I18n.t("invitations.notifications.destroyed") }
-      format.json { head :no_content }
-    end
-  end
-
-  private
-
-  def manageable_role_keys
-    helpers.current_membership.manageable_roles.map(&:key)
-  end
-
-  # NOTE this method is only designed to work in the context of creating a invitation.
-  # we don't provide any support for updating invitations.
-  def invitation_params
-    # we use strong params first.
-    strong_params = params.require(:invitation).permit(
-      :email,
-      # 🚅 super scaffolding will insert new fields above this line.
-      # 🚅 super scaffolding will insert new arrays above this line.
-      membership_attributes: [
-        :user_first_name,
-        :user_last_name,
-        role_ids: []
-      ],
-    )
-
-    # after that, we have to be more careful how we assign the roles.
-    # we can't let users assign roles to an invitation that they don't have permission
-    # to assign, but they do have permission to assign some to other team members.
-    if params[:invitation] && params[:invitation][:role_ids].present?
-
-      # ensure the list of role keys from the form only includes keys that they're allowed to assign.
-      assignable_role_keys_from_the_form = params[:invitation][:role_ids].map(&:to_i) & manageable_role_keys
-
-      strong_params[:role_ids] = assignable_role_keys_from_the_form
-
-    end
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-
-    strong_params
-  end
+  include Invitations::ControllerBase
 end

data/app/controllers/account/memberships_controller.rb

@@ -1,132 +1,3 @@
 class Account::MembershipsController < Account::ApplicationController
-  account_load_and_authorize_resource :membership, :team, member_actions: [:demote, :promote, :reinvite], collection_actions: [:search]
-
-  def index
-    unless @memberships.count > 0
-      redirect_to account_team_invitations_path(@team), notice: I18n.t("memberships.notifications.no_members")
-    end
-  end
-
-  def search
-    # TODO This is a particularly crazy example where we're doing the search logic ourselves in SQL.
-    # In the future, I could see us replacing this with a recommended example using Elasticsearch and the `searchkick` Ruby Gem.
-    limit = params[:limit] || 100
-    page = [params[:page].to_i, 1].max # Ensure we never have a negative or zero page value
-    search_term = "%#{params[:search]&.upcase}%"
-    offset = (page - 1) * limit
-    # Currently we're only searching on user.first_name, user.last_name, memberships.user_first_name and memberships.user_last_name. Should we also search on the email address?
-    # This query could use impromement.  Currently if you search for "Ad Pal" you wouldn't find a user "Adam Pallozzi"
-    query = "UPPER(first_name) LIKE :search_term OR UPPER(last_name) LIKE :search_term OR UPPER(user_first_name) LIKE :search_term OR UPPER(user_last_name) LIKE :search_term"
-    # We're using left outer join here because we may get memberships that don't belong to a membership yet
-    memberships = @team.memberships.accessible_by(current_ability, :show).left_outer_joins(:user).where(query, search_term: search_term)
-    total_results = memberships.size
-    # the Areal.sql(LOWER(COALESCE...)) part means that if the user record doesn't exist or if there are records that start with a lower case letter, we will still sort everything correctly using the user.first_name instead.
-    memberships_array = memberships.limit(limit).offset(offset).order(Arel.sql("LOWER(COALESCE(first_name, user_first_name) )")).map { |membership| {id: membership.id, text: membership.label_string.to_s} }
-    results = {results: memberships_array, pagination: {more: (total_results > page * limit)}}
-    render json: results.to_json
-  end
-
-  def show
-  end
-
-  def edit
-  end
-
-  # PATCH/PUT /account/memberships/:id
-  # PATCH/PUT /account/memberships/:id.json
-  def update
-    respond_to do |format|
-      if @membership.update(membership_params)
-        format.html { redirect_to [:account, @membership], notice: I18n.t("memberships.notifications.updated") }
-        format.json { render :show, status: :ok, location: [:account, @membership] }
-      else
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @membership.errors, status: :unprocessable_entity }
-      end
-    rescue RemovingLastTeamAdminException => _
-      format.html { redirect_to [:account, @team, :memberships], alert: I18n.t("memberships.notifications.cant_demote") }
-      format.json { render json: {exception: I18n.t("memberships.notifications.cant_demote")}, status: :unprocessable_entity }
-    end
-  end
-
-  def demote
-    @membership.roles.delete Role.admin
-    redirect_to account_team_memberships_path(@team)
-  rescue RemovingLastTeamAdminException => _
-    redirect_to account_team_memberships_path(@team), alert: I18n.t("memberships.notifications.cant_demote")
-  end
-
-  def promote
-    @membership.roles << Role.admin unless @membership.roles.include?(Role.admin)
-    redirect_to account_team_memberships_path(@team)
-  end
-
-  def destroy
-    # Instead of destroying the membership, we nullify the user_id and use the membership record as a 'Tombstone' for referencing past associations (eg message at-mentions and Scaffolding::CompletelyConcrete::TangibleThings::Assignment)
-
-    user_was = @membership.user
-    @membership.nullify_user
-
-    if user_was == current_user
-      # if a user removes themselves from a team, we'll have to send them to their dashboard.
-      redirect_to account_dashboard_path, notice: I18n.t("memberships.notifications.you_removed_yourself", team_name: @team.name)
-    else
-      redirect_to [:account, @team, :memberships], notice: I18n.t("memberships.notifications.destroyed")
-    end
-  rescue RemovingLastTeamAdminException
-    redirect_to account_team_memberships_path(@team), alert: I18n.t("memberships.notifications.cant_remove")
-  end
-
-  def reinvite
-    @invitation = Invitation.new(membership: @membership, team: @team, email: @membership.user_email, from_membership: current_membership)
-    if @invitation.save
-      redirect_to [:account, @team, :memberships], notice: I18n.t("account.memberships.notifications.reinvited")
-    else
-      redirect_to [:account, @team, :memberships], notice: "There was an error creating the invitation (#{@invitation.errors.full_messages.to_sentence})"
-    end
-  end
-
-  private
-
-  def manageable_role_keys
-    helpers.current_membership.manageable_roles.map(&:key)
-  end
-
-  # NOTE this method is only designed to work in the context of updating a membership.
-  # we don't provide any support for creating memberships other than by an invitation.
-  def membership_params
-    # we use strong params first.
-    strong_params = params.require(:membership).permit(
-      :user_first_name,
-      :user_last_name,
-      :user_profile_photo_id,
-      # 🚅 super scaffolding will insert new fields above this line.
-      # 🚅 super scaffolding will insert new arrays above this line.
-    )
-
-    # after that, we have to be more careful how we update the roles.
-    # we can't let users remove roles from a membership that they don't have permission
-    # to remove, but we want to allow them to add or remove other roles they do have
-    # permission to assign to other team members.
-    if params[:membership] && params[:membership][:role_ids].present?
-
-      # first, start with the list of role keys already assigned to this membership.
-      existing_role_keys = @membership.role_ids
-
-      # generate a list of role keys we can't allow the current user to remove from this membership.
-      existing_role_keys_that_are_unmanageable = existing_role_keys - manageable_role_keys
-
-      # now let's ensure the list of role keys from the form only includes keys that they're allowed to assign.
-      assignable_role_keys_from_the_form = params[:membership][:role_ids].map(&:to_s) & manageable_role_keys
-
-      # any role keys that are manageable by the current user have to then come from the form data,
-      # otherwise we can assume they were removed by being unchecked.
-      strong_params[:role_ids] = existing_role_keys_that_are_unmanageable + assignable_role_keys_from_the_form
-
-    end
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-
-    strong_params
-  end
+  include Account::Memberships::ControllerBase
 end

data/app/controllers/account/onboarding/user_details_controller.rb

@@ -1,63 +1,3 @@
 class Account::Onboarding::UserDetailsController < Account::ApplicationController
-  layout "devise"
-  load_and_authorize_resource class: "User"
-
-  # this is because cancancan doesn't let us set the instance variable name above.
-  before_action do
-    @user = @user_detail
-  end
-
-  # GET /users/1/edit
-  def edit
-    flash[:notice] = nil
-  end
-
-  # PATCH/PUT /users/1
-  # PATCH/PUT /users/1.json
-  def update
-    respond_to do |format|
-      if @user.update(user_params)
-        # if you update your own user account, devise will normally kick you out, so we do this instead.
-        bypass_sign_in current_user.reload
-
-        if @user.details_provided?
-          format.html { redirect_to account_team_path(@user.teams.first), notice: "" }
-        else
-          format.html {
-            flash[:error] = I18n.t("global.notifications.all_fields_required")
-            redirect_to edit_account_onboarding_user_detail_path(@user)
-          }
-        end
-
-        format.json { render :show, status: :ok, location: [:account, @user] }
-      else
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @user.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  private
-
-  # Never trust parameters from the scary internet, only allow the white list through.
-  def user_params
-    permitted_attributes = [
-      :first_name,
-      :last_name,
-      :time_zone,
-      # 🚅 super scaffolding will insert new fields above this line.
-    ]
-
-    permitted_hash = {
-      # 🚅 super scaffolding will insert new arrays above this line.
-    }
-
-    if can? :edit, @user.current_team
-      permitted_hash[:current_team_attributes] = [:id, :name]
-    end
-
-    params.require(:user).permit(permitted_attributes, permitted_hash)
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-  end
+  include Account::Onboarding::UserDetails::ControllerBase
 end

data/app/controllers/account/onboarding/user_email_controller.rb

@@ -1,65 +1,3 @@
 class Account::Onboarding::UserEmailController < Account::ApplicationController
-  layout "devise"
-  load_and_authorize_resource class: "User"
-
-  # this is because cancancan doesn't let us set the instance variable name above.
-  before_action do
-    @user = @user_email
-  end
-
-  # GET /users/1/edit
-  def edit
-    flash[:notice] = nil
-    if @user.email_is_oauth_placeholder?
-      @user.email = nil
-    end
-  end
-
-  # PATCH/PUT /users/1
-  # PATCH/PUT /users/1.json
-  def update
-    respond_to do |format|
-      if @user.update(user_params)
-        # if you update your own user account, devise will normally kick you out, so we do this instead.
-        bypass_sign_in current_user.reload
-
-        if !@user.email_is_oauth_placeholder?
-          @user.send_welcome_email
-          format.html { redirect_to account_team_path(@user.teams.first), notice: "" }
-        else
-          format.html {
-            flash[:error] = I18n.t("global.notifications.all_fields_required")
-            redirect_to edit_account_onboarding_user_detail_path(@user)
-          }
-        end
-
-        format.json { render :show, status: :ok, location: [:account, @user] }
-      else
-
-        # this is just checking whether the error on the email field is taking the email
-        # address is already taken.
-        @email_taken = begin
-          @user.errors.details[:email].select { |error| error[:error] == :taken }.any?
-        rescue
-          false
-        end
-
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @user.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  private
-
-  # Never trust parameters from the scary internet, only allow the white list through.
-  def user_params
-    params.require(:user).permit(
-      :email,
-      # 🚅 super scaffolding will insert new fields above this line.
-      # 🚅 super scaffolding will insert new arrays above this line.
-    )
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-  end
+  include Account::Onboarding::UserEmail::ControllerBase
 end

data/app/controllers/account/teams_controller.rb

@@ -1,122 +1,3 @@
 class Account::TeamsController < Account::ApplicationController
-  load_and_authorize_resource :team, class: "Team", prepend: true
-
-  prepend_before_action do
-    if params["action"] == "new"
-      current_user.current_team = nil
-    end
-  end
-
-  before_action :enforce_invitation_only, only: [:create]
-
-  before_action do
-    # for magic locales.
-    @child_object = @team
-  end
-
-  # GET /teams
-  # GET /teams.json
-  def index
-    # if a user doesn't have multiple teams, we try to simplify the team ui/ux
-    # as much as possible. links to this page should go to the current team
-    # dashboard. however, some other links to this page are actually in branch
-    # logic and will not display at all. instead, users will be linked to the
-    # "new team" page. (see the main account sidebar menu for an example of
-    # this.)
-    unless current_user.multiple_teams?
-      redirect_to account_team_path(current_team)
-    end
-  end
-
-  # POST /teams/1/switch
-  def switch_to
-    current_user.current_team = @team
-    current_user.save
-    redirect_to account_dashboard_path
-  end
-
-  # GET /teams/1
-  # GET /teams/1.json
-  def show
-    # I don't think this is the best place to close the loop on the onboarding process, but practically speaking it's
-    # the easiest place to implement this at the moment, because all the onboarding steps redirect here on success.
-    if session[:after_onboarding_url].present?
-      redirect_to session.delete(:after_onboarding_url)
-    end
-
-    current_user.current_team = @team
-    current_user.save
-  end
-
-  # GET /teams/new
-  def new
-    render :new, layout: "devise"
-  end
-
-  # GET /teams/1/edit
-  def edit
-  end
-
-  # POST /teams
-  # POST /teams.json
-  def create
-    @team = Team.new(team_params)
-
-    respond_to do |format|
-      if @team.save
-
-        # also make the creator of the team the default admin.
-        @team.memberships.create(user: current_user, roles: [Role.admin])
-
-        current_user.current_team = @team
-        current_user.former_user = false
-        current_user.save
-
-        format.html { redirect_to [:account, @team], notice: I18n.t("teams.notifications.created") }
-        format.json { render :show, status: :created, location: [:account, @team] }
-      else
-        format.html { render :new, layout: "devise" }
-        format.json { render json: @team.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # PATCH/PUT /teams/1
-  # PATCH/PUT /teams/1.json
-  def update
-    respond_to do |format|
-      if @team.update(team_params)
-        format.html { redirect_to [:account, @team], notice: I18n.t("teams.notifications.updated") }
-        format.json { render :show, status: :ok, location: [:account, @team] }
-      else
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @team.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # # DELETE /teams/1
-  # # DELETE /teams/1.json
-  # def destroy
-  #   @team.destroy
-  #   respond_to do |format|
-  #     format.html { redirect_to account_teams_url, notice: 'Team was successfully destroyed.' }
-  #     format.json { head :no_content }
-  #   end
-  # end
-
-  private
-
-  # Never trust parameters from the scary internet, only allow the white list through.
-  def team_params
-    params.require(:team).permit(
-      :name,
-      :time_zone,
-      :locale,
-      # 🚅 super scaffolding will insert new fields above this line.
-      # 🚅 super scaffolding will insert new arrays above this line.
-    )
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-  end
+  include Account::Teams::ControllerBase
 end

data/app/controllers/account/users_controller.rb

@@ -1,59 +1,3 @@
 class Account::UsersController < Account::ApplicationController
-  load_and_authorize_resource
-
-  before_action do
-    # for magic locales.
-    @child_object = @user
-  end
-
-  # GET /account/users/1/edit
-  def edit
-  end
-
-  # GET /account/users/1
-  def show
-  end
-
-  def updating_password?
-    params[:user].key?(:password)
-  end
-
-  # PATCH/PUT /account/users/1
-  # PATCH/PUT /account/users/1.json
-  def update
-    respond_to do |format|
-      if updating_password? ? @user.update_with_password(user_params) : @user.update_without_password(user_params)
-        # if you update your own user account, devise will normally kick you out, so we do this instead.
-        bypass_sign_in current_user.reload
-        format.html { redirect_to [:edit, :account, @user], notice: t("users.notifications.updated") }
-        format.json { render :show, status: :ok, location: [:account, @user] }
-      else
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @user.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  private
-
-  # Never trust parameters from the scary internet, only allow the white list through.
-  def user_params
-    # TODO enforce permissions on updating the user's team name.
-    params.require(:user).permit(
-      :email,
-      :first_name,
-      :last_name,
-      :time_zone,
-      :current_password,
-      :password,
-      :password_confirmation,
-      :profile_photo_id,
-      :locale,
-      # 🚅 super scaffolding will insert new fields above this line.
-      current_team_attributes: [:name],
-      # 🚅 super scaffolding will insert new arrays above this line.
-    )
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-  end
+  include Account::Users::ControllerBase
 end