bullet_train 1.0.4 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 533e95a2c22629bce2db6569181981dd661621d7a2b17347d210f782554ac6f9
-  data.tar.gz: 7d179440547451b7ff69480478a8f2cb481e79b4b4ee3e80e1f950b219768150
+  metadata.gz: 633b451afdfeee512883e8536928cc2dd247f15139d59e7bfd24cc4d637b735d
+  data.tar.gz: c2a59912f00000e2b72ae5193b6d5cd0ebcd34a736f01260f5abfa1a5c170c94
 SHA512:
-  metadata.gz: '059cb145c72d2adf059902f5d0934d36362ad06ea6dc728a3951057b60758187e4f192e7bd24d62f0030fbd1c3d36e7797ed94ea3cd390b4c955a49fc4653301'
-  data.tar.gz: 108c4abc412f29b2321b1f6acc5c6c6e1e35d358fda6ba14f322dcfb49591c7ccc3c29ca10989e30ffcb915c5c2df727b9f4d4e044776f6e3a6f92d391f91389
+  metadata.gz: 6cacd920c5c13800b167a1d1c3e9ae8fa6d6bc1cea28d1128f7404ce8bd9e0615957aad91b4cb7363bb10ac88823294511344bf9103febe2b0ed830508472cba
+  data.tar.gz: 1bc0e30c37ebd765df530a9d25b65a591736be8420949c68651569347280d7403d3889cdd59933384825c19d5727a25c7d16569a42e9baececfeb2970938b85a

data/app/controllers/account/invitations_controller.rb

@@ -1,146 +1,3 @@
 class Account::InvitationsController < Account::ApplicationController
-  # the 'accept' action isn't covered by cancancan, because simply having the
-  # link is authorization enough to claim membership on a team. see `#accept`
-  # for more information.
-  account_load_and_authorize_resource :invitation, :team, except: [:show]
-
-  # we skip the onboarding requirement for users claiming and invitation.
-  # this way the invitation gets accepted after they complete the devise
-  # workflow, but before they're prompted to complete their onboarding.
-  skip_before_action :ensure_onboarding_is_complete_and_set_next_step, only: :accept
-  skip_before_action :authenticate_user!, only: :accept
-
-  # GET /invitations
-  # GET /invitations.json
-  def index
-    redirect_to [:account, @team, :memberships]
-  end
-
-  # GET /invitations/1
-  # GET /invitations/1.json
-  def show
-    # it's important that we only allow invitations to be shown via their uuid,
-    # otherwise team members can just step the id in the url to claim an
-    # invitation that would escalate their privileges.
-    @invitation = Invitation.find_by(uuid: params[:id])
-    unless @invitation
-      raise I18n.t("global.notifications.not_found")
-    end
-    @team = @invitation.team
-
-    # backfill these objects for the locale magic, since we didn't use `account_load_and_authorize_resource`.
-    @child_object = @invitation
-    @parent_object = @team
-
-    render layout: "devise"
-  end
-
-  # POST /invitations/1/accept
-  # POST /invitations/1/accept.json
-  def accept
-    # unless the user is signed in.
-    if !current_user.present?
-
-      # keep track of the uuid of the invitation so we can reload it
-      # after they sign up. at this point we don't even know if it's
-      # valid, but that's fine.
-      session[:invitation_uuid] = params[:id]
-
-      # also, we'll queue devise up to return to the invitation url after a sign in.
-      session["user_return_to"] = request.path
-
-      # assume the user needs to create an account.
-      # this is not the default for devise, but a sensible default here.
-      redirect_to new_user_registration_path
-
-    else
-
-      @invitation = Invitation.find_by(uuid: params[:id])
-
-      if @invitation
-        @team = @invitation.team
-        if @invitation.is_for?(current_user) || request.post?
-          @invitation.accept_for(current_user)
-          redirect_to account_dashboard_path, notice: I18n.t("invitations.notifications.welcome", team_name: @team.name)
-        else
-          redirect_to account_invitation_path(@invitation.uuid)
-        end
-      else
-        redirect_to account_dashboard_path
-      end
-
-    end
-  end
-
-  # GET /invitations/new
-  def new
-    @invitation.build_membership
-    @cancel_path = only_allow_path(params[:cancel_path])
-  end
-
-  # POST /invitations
-  # POST /invitations.json
-  def create
-    @invitation.membership.team = current_team
-    # this allows notifications to be sent to a user before they've accepted their invitation.
-    @invitation.membership.user_email = @invitation.email
-    @invitation.from_membership = current_membership
-    respond_to do |format|
-      if @invitation.save
-        format.html { redirect_to account_team_invitations_path(@team), notice: I18n.t("invitations.notifications.created") }
-        format.json { render :show, status: :created, location: [:account, @team, @invitation] }
-      else
-        format.html { render :new, status: :unprocessable_entity }
-        format.json { render json: @invitation.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # DELETE /invitations/1
-  # DELETE /invitations/1.json
-  def destroy
-    @invitation.destroy
-    respond_to do |format|
-      format.html { redirect_to account_team_invitations_path(@team), notice: I18n.t("invitations.notifications.destroyed") }
-      format.json { head :no_content }
-    end
-  end
-
-  private
-
-  def manageable_role_keys
-    helpers.current_membership.manageable_roles.map(&:key)
-  end
-
-  # NOTE this method is only designed to work in the context of creating a invitation.
-  # we don't provide any support for updating invitations.
-  def invitation_params
-    # we use strong params first.
-    strong_params = params.require(:invitation).permit(
-      :email,
-      # 🚅 super scaffolding will insert new fields above this line.
-      # 🚅 super scaffolding will insert new arrays above this line.
-      membership_attributes: [
-        :user_first_name,
-        :user_last_name,
-        role_ids: []
-      ],
-    )
-
-    # after that, we have to be more careful how we assign the roles.
-    # we can't let users assign roles to an invitation that they don't have permission
-    # to assign, but they do have permission to assign some to other team members.
-    if params[:invitation] && params[:invitation][:role_ids].present?
-
-      # ensure the list of role keys from the form only includes keys that they're allowed to assign.
-      assignable_role_keys_from_the_form = params[:invitation][:role_ids].map(&:to_i) & manageable_role_keys
-
-      strong_params[:role_ids] = assignable_role_keys_from_the_form
-
-    end
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-
-    strong_params
-  end
+  include Invitations::ControllerBase
 end

data/app/controllers/account/memberships_controller.rb

@@ -1,132 +1,3 @@
 class Account::MembershipsController < Account::ApplicationController
-  account_load_and_authorize_resource :membership, :team, member_actions: [:demote, :promote, :reinvite], collection_actions: [:search]
-
-  def index
-    unless @memberships.count > 0
-      redirect_to account_team_invitations_path(@team), notice: I18n.t("memberships.notifications.no_members")
-    end
-  end
-
-  def search
-    # TODO This is a particularly crazy example where we're doing the search logic ourselves in SQL.
-    # In the future, I could see us replacing this with a recommended example using Elasticsearch and the `searchkick` Ruby Gem.
-    limit = params[:limit] || 100
-    page = [params[:page].to_i, 1].max # Ensure we never have a negative or zero page value
-    search_term = "%#{params[:search]&.upcase}%"
-    offset = (page - 1) * limit
-    # Currently we're only searching on user.first_name, user.last_name, memberships.user_first_name and memberships.user_last_name. Should we also search on the email address?
-    # This query could use impromement.  Currently if you search for "Ad Pal" you wouldn't find a user "Adam Pallozzi"
-    query = "UPPER(first_name) LIKE :search_term OR UPPER(last_name) LIKE :search_term OR UPPER(user_first_name) LIKE :search_term OR UPPER(user_last_name) LIKE :search_term"
-    # We're using left outer join here because we may get memberships that don't belong to a membership yet
-    memberships = @team.memberships.accessible_by(current_ability, :show).left_outer_joins(:user).where(query, search_term: search_term)
-    total_results = memberships.size
-    # the Areal.sql(LOWER(COALESCE...)) part means that if the user record doesn't exist or if there are records that start with a lower case letter, we will still sort everything correctly using the user.first_name instead.
-    memberships_array = memberships.limit(limit).offset(offset).order(Arel.sql("LOWER(COALESCE(first_name, user_first_name) )")).map { |membership| {id: membership.id, text: membership.label_string.to_s} }
-    results = {results: memberships_array, pagination: {more: (total_results > page * limit)}}
-    render json: results.to_json
-  end
-
-  def show
-  end
-
-  def edit
-  end
-
-  # PATCH/PUT /account/memberships/:id
-  # PATCH/PUT /account/memberships/:id.json
-  def update
-    respond_to do |format|
-      if @membership.update(membership_params)
-        format.html { redirect_to [:account, @membership], notice: I18n.t("memberships.notifications.updated") }
-        format.json { render :show, status: :ok, location: [:account, @membership] }
-      else
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @membership.errors, status: :unprocessable_entity }
-      end
-    rescue RemovingLastTeamAdminException => _
-      format.html { redirect_to [:account, @team, :memberships], alert: I18n.t("memberships.notifications.cant_demote") }
-      format.json { render json: {exception: I18n.t("memberships.notifications.cant_demote")}, status: :unprocessable_entity }
-    end
-  end
-
-  def demote
-    @membership.roles.delete Role.admin
-    redirect_to account_team_memberships_path(@team)
-  rescue RemovingLastTeamAdminException => _
-    redirect_to account_team_memberships_path(@team), alert: I18n.t("memberships.notifications.cant_demote")
-  end
-
-  def promote
-    @membership.roles << Role.admin unless @membership.roles.include?(Role.admin)
-    redirect_to account_team_memberships_path(@team)
-  end
-
-  def destroy
-    # Instead of destroying the membership, we nullify the user_id and use the membership record as a 'Tombstone' for referencing past associations (eg message at-mentions and Scaffolding::CompletelyConcrete::TangibleThings::Assignment)
-
-    user_was = @membership.user
-    @membership.nullify_user
-
-    if user_was == current_user
-      # if a user removes themselves from a team, we'll have to send them to their dashboard.
-      redirect_to account_dashboard_path, notice: I18n.t("memberships.notifications.you_removed_yourself", team_name: @team.name)
-    else
-      redirect_to [:account, @team, :memberships], notice: I18n.t("memberships.notifications.destroyed")
-    end
-  rescue RemovingLastTeamAdminException
-    redirect_to account_team_memberships_path(@team), alert: I18n.t("memberships.notifications.cant_remove")
-  end
-
-  def reinvite
-    @invitation = Invitation.new(membership: @membership, team: @team, email: @membership.user_email, from_membership: current_membership)
-    if @invitation.save
-      redirect_to [:account, @team, :memberships], notice: I18n.t("account.memberships.notifications.reinvited")
-    else
-      redirect_to [:account, @team, :memberships], notice: "There was an error creating the invitation (#{@invitation.errors.full_messages.to_sentence})"
-    end
-  end
-
-  private
-
-  def manageable_role_keys
-    helpers.current_membership.manageable_roles.map(&:key)
-  end
-
-  # NOTE this method is only designed to work in the context of updating a membership.
-  # we don't provide any support for creating memberships other than by an invitation.
-  def membership_params
-    # we use strong params first.
-    strong_params = params.require(:membership).permit(
-      :user_first_name,
-      :user_last_name,
-      :user_profile_photo_id,
-      # 🚅 super scaffolding will insert new fields above this line.
-      # 🚅 super scaffolding will insert new arrays above this line.
-    )
-
-    # after that, we have to be more careful how we update the roles.
-    # we can't let users remove roles from a membership that they don't have permission
-    # to remove, but we want to allow them to add or remove other roles they do have
-    # permission to assign to other team members.
-    if params[:membership] && params[:membership][:role_ids].present?
-
-      # first, start with the list of role keys already assigned to this membership.
-      existing_role_keys = @membership.role_ids
-
-      # generate a list of role keys we can't allow the current user to remove from this membership.
-      existing_role_keys_that_are_unmanageable = existing_role_keys - manageable_role_keys
-
-      # now let's ensure the list of role keys from the form only includes keys that they're allowed to assign.
-      assignable_role_keys_from_the_form = params[:membership][:role_ids].map(&:to_s) & manageable_role_keys
-
-      # any role keys that are manageable by the current user have to then come from the form data,
-      # otherwise we can assume they were removed by being unchecked.
-      strong_params[:role_ids] = existing_role_keys_that_are_unmanageable + assignable_role_keys_from_the_form
-
-    end
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-
-    strong_params
-  end
+  include Account::Memberships::ControllerBase
 end

data/app/controllers/account/onboarding/user_details_controller.rb

@@ -1,63 +1,3 @@
 class Account::Onboarding::UserDetailsController < Account::ApplicationController
-  layout "devise"
-  load_and_authorize_resource class: "User"
-
-  # this is because cancancan doesn't let us set the instance variable name above.
-  before_action do
-    @user = @user_detail
-  end
-
-  # GET /users/1/edit
-  def edit
-    flash[:notice] = nil
-  end
-
-  # PATCH/PUT /users/1
-  # PATCH/PUT /users/1.json
-  def update
-    respond_to do |format|
-      if @user.update(user_params)
-        # if you update your own user account, devise will normally kick you out, so we do this instead.
-        bypass_sign_in current_user.reload
-
-        if @user.details_provided?
-          format.html { redirect_to account_team_path(@user.teams.first), notice: "" }
-        else
-          format.html {
-            flash[:error] = I18n.t("global.notifications.all_fields_required")
-            redirect_to edit_account_onboarding_user_detail_path(@user)
-          }
-        end
-
-        format.json { render :show, status: :ok, location: [:account, @user] }
-      else
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @user.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  private
-
-  # Never trust parameters from the scary internet, only allow the white list through.
-  def user_params
-    permitted_attributes = [
-      :first_name,
-      :last_name,
-      :time_zone,
-      # 🚅 super scaffolding will insert new fields above this line.
-    ]
-
-    permitted_hash = {
-      # 🚅 super scaffolding will insert new arrays above this line.
-    }
-
-    if can? :edit, @user.current_team
-      permitted_hash[:current_team_attributes] = [:id, :name]
-    end
-
-    params.require(:user).permit(permitted_attributes, permitted_hash)
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-  end
+  include Account::Onboarding::UserDetails::ControllerBase
 end

data/app/controllers/account/onboarding/user_email_controller.rb

@@ -1,65 +1,3 @@
 class Account::Onboarding::UserEmailController < Account::ApplicationController
-  layout "devise"
-  load_and_authorize_resource class: "User"
-
-  # this is because cancancan doesn't let us set the instance variable name above.
-  before_action do
-    @user = @user_email
-  end
-
-  # GET /users/1/edit
-  def edit
-    flash[:notice] = nil
-    if @user.email_is_oauth_placeholder?
-      @user.email = nil
-    end
-  end
-
-  # PATCH/PUT /users/1
-  # PATCH/PUT /users/1.json
-  def update
-    respond_to do |format|
-      if @user.update(user_params)
-        # if you update your own user account, devise will normally kick you out, so we do this instead.
-        bypass_sign_in current_user.reload
-
-        if !@user.email_is_oauth_placeholder?
-          @user.send_welcome_email
-          format.html { redirect_to account_team_path(@user.teams.first), notice: "" }
-        else
-          format.html {
-            flash[:error] = I18n.t("global.notifications.all_fields_required")
-            redirect_to edit_account_onboarding_user_detail_path(@user)
-          }
-        end
-
-        format.json { render :show, status: :ok, location: [:account, @user] }
-      else
-
-        # this is just checking whether the error on the email field is taking the email
-        # address is already taken.
-        @email_taken = begin
-          @user.errors.details[:email].select { |error| error[:error] == :taken }.any?
-        rescue
-          false
-        end
-
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @user.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  private
-
-  # Never trust parameters from the scary internet, only allow the white list through.
-  def user_params
-    params.require(:user).permit(
-      :email,
-      # 🚅 super scaffolding will insert new fields above this line.
-      # 🚅 super scaffolding will insert new arrays above this line.
-    )
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-  end
+  include Account::Onboarding::UserEmail::ControllerBase
 end

data/app/controllers/account/teams_controller.rb

@@ -1,122 +1,3 @@
 class Account::TeamsController < Account::ApplicationController
-  load_and_authorize_resource :team, class: "Team", prepend: true
-
-  prepend_before_action do
-    if params["action"] == "new"
-      current_user.current_team = nil
-    end
-  end
-
-  before_action :enforce_invitation_only, only: [:create]
-
-  before_action do
-    # for magic locales.
-    @child_object = @team
-  end
-
-  # GET /teams
-  # GET /teams.json
-  def index
-    # if a user doesn't have multiple teams, we try to simplify the team ui/ux
-    # as much as possible. links to this page should go to the current team
-    # dashboard. however, some other links to this page are actually in branch
-    # logic and will not display at all. instead, users will be linked to the
-    # "new team" page. (see the main account sidebar menu for an example of
-    # this.)
-    unless current_user.multiple_teams?
-      redirect_to account_team_path(current_team)
-    end
-  end
-
-  # POST /teams/1/switch
-  def switch_to
-    current_user.current_team = @team
-    current_user.save
-    redirect_to account_dashboard_path
-  end
-
-  # GET /teams/1
-  # GET /teams/1.json
-  def show
-    # I don't think this is the best place to close the loop on the onboarding process, but practically speaking it's
-    # the easiest place to implement this at the moment, because all the onboarding steps redirect here on success.
-    if session[:after_onboarding_url].present?
-      redirect_to session.delete(:after_onboarding_url)
-    end
-
-    current_user.current_team = @team
-    current_user.save
-  end
-
-  # GET /teams/new
-  def new
-    render :new, layout: "devise"
-  end
-
-  # GET /teams/1/edit
-  def edit
-  end
-
-  # POST /teams
-  # POST /teams.json
-  def create
-    @team = Team.new(team_params)
-
-    respond_to do |format|
-      if @team.save
-
-        # also make the creator of the team the default admin.
-        @team.memberships.create(user: current_user, roles: [Role.admin])
-
-        current_user.current_team = @team
-        current_user.former_user = false
-        current_user.save
-
-        format.html { redirect_to [:account, @team], notice: I18n.t("teams.notifications.created") }
-        format.json { render :show, status: :created, location: [:account, @team] }
-      else
-        format.html { render :new, layout: "devise" }
-        format.json { render json: @team.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # PATCH/PUT /teams/1
-  # PATCH/PUT /teams/1.json
-  def update
-    respond_to do |format|
-      if @team.update(team_params)
-        format.html { redirect_to [:account, @team], notice: I18n.t("teams.notifications.updated") }
-        format.json { render :show, status: :ok, location: [:account, @team] }
-      else
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @team.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # # DELETE /teams/1
-  # # DELETE /teams/1.json
-  # def destroy
-  #   @team.destroy
-  #   respond_to do |format|
-  #     format.html { redirect_to account_teams_url, notice: 'Team was successfully destroyed.' }
-  #     format.json { head :no_content }
-  #   end
-  # end
-
-  private
-
-  # Never trust parameters from the scary internet, only allow the white list through.
-  def team_params
-    params.require(:team).permit(
-      :name,
-      :time_zone,
-      :locale,
-      # 🚅 super scaffolding will insert new fields above this line.
-      # 🚅 super scaffolding will insert new arrays above this line.
-    )
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-  end
+  include Account::Teams::ControllerBase
 end

data/app/controllers/account/users_controller.rb

@@ -1,59 +1,3 @@
 class Account::UsersController < Account::ApplicationController
-  load_and_authorize_resource
-
-  before_action do
-    # for magic locales.
-    @child_object = @user
-  end
-
-  # GET /account/users/1/edit
-  def edit
-  end
-
-  # GET /account/users/1
-  def show
-  end
-
-  def updating_password?
-    params[:user].key?(:password)
-  end
-
-  # PATCH/PUT /account/users/1
-  # PATCH/PUT /account/users/1.json
-  def update
-    respond_to do |format|
-      if updating_password? ? @user.update_with_password(user_params) : @user.update_without_password(user_params)
-        # if you update your own user account, devise will normally kick you out, so we do this instead.
-        bypass_sign_in current_user.reload
-        format.html { redirect_to [:edit, :account, @user], notice: t("users.notifications.updated") }
-        format.json { render :show, status: :ok, location: [:account, @user] }
-      else
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @user.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  private
-
-  # Never trust parameters from the scary internet, only allow the white list through.
-  def user_params
-    # TODO enforce permissions on updating the user's team name.
-    params.require(:user).permit(
-      :email,
-      :first_name,
-      :last_name,
-      :time_zone,
-      :current_password,
-      :password,
-      :password_confirmation,
-      :profile_photo_id,
-      :locale,
-      # 🚅 super scaffolding will insert new fields above this line.
-      current_team_attributes: [:name],
-      # 🚅 super scaffolding will insert new arrays above this line.
-    )
-
-    # 🚅 super scaffolding will insert processing for new fields above this line.
-  end
+  include Account::Users::ControllerBase
 end

data/app/controllers/concerns/account/invitations/controller_base.rb

@@ -0,0 +1,150 @@
+module Account::Invitations::ControllerBase
+  extend ActiveSupport::Concern
+
+  included do
+    # the 'accept' action isn't covered by cancancan, because simply having the
+    # link is authorization enough to claim membership on a team. see `#accept`
+    # for more information.
+    account_load_and_authorize_resource :invitation, :team, except: [:show]
+
+    # we skip the onboarding requirement for users claiming and invitation.
+    # this way the invitation gets accepted after they complete the devise
+    # workflow, but before they're prompted to complete their onboarding.
+    skip_before_action :ensure_onboarding_is_complete_and_set_next_step, only: :accept
+    skip_before_action :authenticate_user!, only: :accept
+  end
+
+  # GET /invitations
+  # GET /invitations.json
+  def index
+    redirect_to [:account, @team, :memberships]
+  end
+
+  # GET /invitations/1
+  # GET /invitations/1.json
+  def show
+    # it's important that we only allow invitations to be shown via their uuid,
+    # otherwise team members can just step the id in the url to claim an
+    # invitation that would escalate their privileges.
+    @invitation = Invitation.find_by(uuid: params[:id])
+    unless @invitation
+      raise I18n.t("global.notifications.not_found")
+    end
+    @team = @invitation.team
+
+    # backfill these objects for the locale magic, since we didn't use `account_load_and_authorize_resource`.
+    @child_object = @invitation
+    @parent_object = @team
+
+    render layout: "devise"
+  end
+
+  # POST /invitations/1/accept
+  # POST /invitations/1/accept.json
+  def accept
+    # unless the user is signed in.
+    if !current_user.present?
+
+      # keep track of the uuid of the invitation so we can reload it
+      # after they sign up. at this point we don't even know if it's
+      # valid, but that's fine.
+      session[:invitation_uuid] = params[:id]
+
+      # also, we'll queue devise up to return to the invitation url after a sign in.
+      session["user_return_to"] = request.path
+
+      # assume the user needs to create an account.
+      # this is not the default for devise, but a sensible default here.
+      redirect_to new_user_registration_path
+
+    else
+
+      @invitation = Invitation.find_by(uuid: params[:id])
+
+      if @invitation
+        @team = @invitation.team
+        if @invitation.is_for?(current_user) || request.post?
+          @invitation.accept_for(current_user)
+          redirect_to account_dashboard_path, notice: I18n.t("invitations.notifications.welcome", team_name: @team.name)
+        else
+          redirect_to account_invitation_path(@invitation.uuid)
+        end
+      else
+        redirect_to account_dashboard_path
+      end
+
+    end
+  end
+
+  # GET /invitations/new
+  def new
+    @invitation.build_membership
+    @cancel_path = only_allow_path(params[:cancel_path])
+  end
+
+  # POST /invitations
+  # POST /invitations.json
+  def create
+    @invitation.membership.team = current_team
+    # this allows notifications to be sent to a user before they've accepted their invitation.
+    @invitation.membership.user_email = @invitation.email
+    @invitation.from_membership = current_membership
+    respond_to do |format|
+      if @invitation.save
+        format.html { redirect_to account_team_invitations_path(@team), notice: I18n.t("invitations.notifications.created") }
+        format.json { render :show, status: :created, location: [:account, @team, @invitation] }
+      else
+        format.html { render :new, status: :unprocessable_entity }
+        format.json { render json: @invitation.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /invitations/1
+  # DELETE /invitations/1.json
+  def destroy
+    @invitation.destroy
+    respond_to do |format|
+      format.html { redirect_to account_team_invitations_path(@team), notice: I18n.t("invitations.notifications.destroyed") }
+      format.json { head :no_content }
+    end
+  end
+
+  private
+
+  def manageable_role_keys
+    helpers.current_membership.manageable_roles.map(&:key)
+  end
+
+  # NOTE this method is only designed to work in the context of creating a invitation.
+  # we don't provide any support for updating invitations.
+  def invitation_params
+    # we use strong params first.
+    strong_params = params.require(:invitation).permit(
+      :email,
+      # 🚅 super scaffolding will insert new fields above this line.
+      # 🚅 super scaffolding will insert new arrays above this line.
+      membership_attributes: [
+        :user_first_name,
+        :user_last_name,
+        role_ids: []
+      ],
+    )
+
+    # after that, we have to be more careful how we assign the roles.
+    # we can't let users assign roles to an invitation that they don't have permission
+    # to assign, but they do have permission to assign some to other team members.
+    if params[:invitation] && params[:invitation][:role_ids].present?
+
+      # ensure the list of role keys from the form only includes keys that they're allowed to assign.
+      assignable_role_keys_from_the_form = params[:invitation][:role_ids].map(&:to_i) & manageable_role_keys
+
+      strong_params[:role_ids] = assignable_role_keys_from_the_form
+
+    end
+
+    # 🚅 super scaffolding will insert processing for new fields above this line.
+
+    strong_params
+  end
+end

data/app/controllers/concerns/account/memberships/controller_base.rb

@@ -0,0 +1,136 @@
+module Account::Memberships::ControllerBase
+  extend ActiveSupport::Concern
+
+  included do
+    account_load_and_authorize_resource :membership, :team, member_actions: [:demote, :promote, :reinvite], collection_actions: [:search]
+  end
+
+  def index
+    unless @memberships.count > 0
+      redirect_to account_team_invitations_path(@team), notice: I18n.t("memberships.notifications.no_members")
+    end
+  end
+
+  def search
+    # TODO This is a particularly crazy example where we're doing the search logic ourselves in SQL.
+    # In the future, I could see us replacing this with a recommended example using Elasticsearch and the `searchkick` Ruby Gem.
+    limit = params[:limit] || 100
+    page = [params[:page].to_i, 1].max # Ensure we never have a negative or zero page value
+    search_term = "%#{params[:search]&.upcase}%"
+    offset = (page - 1) * limit
+    # Currently we're only searching on user.first_name, user.last_name, memberships.user_first_name and memberships.user_last_name. Should we also search on the email address?
+    # This query could use impromement.  Currently if you search for "Ad Pal" you wouldn't find a user "Adam Pallozzi"
+    query = "UPPER(first_name) LIKE :search_term OR UPPER(last_name) LIKE :search_term OR UPPER(user_first_name) LIKE :search_term OR UPPER(user_last_name) LIKE :search_term"
+    # We're using left outer join here because we may get memberships that don't belong to a membership yet
+    memberships = @team.memberships.accessible_by(current_ability, :show).left_outer_joins(:user).where(query, search_term: search_term)
+    total_results = memberships.size
+    # the Areal.sql(LOWER(COALESCE...)) part means that if the user record doesn't exist or if there are records that start with a lower case letter, we will still sort everything correctly using the user.first_name instead.
+    memberships_array = memberships.limit(limit).offset(offset).order(Arel.sql("LOWER(COALESCE(first_name, user_first_name) )")).map { |membership| {id: membership.id, text: membership.label_string.to_s} }
+    results = {results: memberships_array, pagination: {more: (total_results > page * limit)}}
+    render json: results.to_json
+  end
+
+  def show
+  end
+
+  def edit
+  end
+
+  # PATCH/PUT /account/memberships/:id
+  # PATCH/PUT /account/memberships/:id.json
+  def update
+    respond_to do |format|
+      if @membership.update(membership_params)
+        format.html { redirect_to [:account, @membership], notice: I18n.t("memberships.notifications.updated") }
+        format.json { render :show, status: :ok, location: [:account, @membership] }
+      else
+        format.html { render :edit, status: :unprocessable_entity }
+        format.json { render json: @membership.errors, status: :unprocessable_entity }
+      end
+    rescue RemovingLastTeamAdminException => _
+      format.html { redirect_to [:account, @team, :memberships], alert: I18n.t("memberships.notifications.cant_demote") }
+      format.json { render json: {exception: I18n.t("memberships.notifications.cant_demote")}, status: :unprocessable_entity }
+    end
+  end
+
+  def demote
+    @membership.roles.delete Role.admin
+    redirect_to account_team_memberships_path(@team)
+  rescue RemovingLastTeamAdminException => _
+    redirect_to account_team_memberships_path(@team), alert: I18n.t("memberships.notifications.cant_demote")
+  end
+
+  def promote
+    @membership.roles << Role.admin unless @membership.roles.include?(Role.admin)
+    redirect_to account_team_memberships_path(@team)
+  end
+
+  def destroy
+    # Instead of destroying the membership, we nullify the user_id and use the membership record as a 'Tombstone' for referencing past associations (eg message at-mentions and Scaffolding::CompletelyConcrete::TangibleThings::Assignment)
+
+    user_was = @membership.user
+    @membership.nullify_user
+
+    if user_was == current_user
+      # if a user removes themselves from a team, we'll have to send them to their dashboard.
+      redirect_to account_dashboard_path, notice: I18n.t("memberships.notifications.you_removed_yourself", team_name: @team.name)
+    else
+      redirect_to [:account, @team, :memberships], notice: I18n.t("memberships.notifications.destroyed")
+    end
+  rescue RemovingLastTeamAdminException
+    redirect_to account_team_memberships_path(@team), alert: I18n.t("memberships.notifications.cant_remove")
+  end
+
+  def reinvite
+    @invitation = Invitation.new(membership: @membership, team: @team, email: @membership.user_email, from_membership: current_membership)
+    if @invitation.save
+      redirect_to [:account, @team, :memberships], notice: I18n.t("account.memberships.notifications.reinvited")
+    else
+      redirect_to [:account, @team, :memberships], notice: "There was an error creating the invitation (#{@invitation.errors.full_messages.to_sentence})"
+    end
+  end
+
+  private
+
+  def manageable_role_keys
+    helpers.current_membership.manageable_roles.map(&:key)
+  end
+
+  # NOTE this method is only designed to work in the context of updating a membership.
+  # we don't provide any support for creating memberships other than by an invitation.
+  def membership_params
+    # we use strong params first.
+    strong_params = params.require(:membership).permit(
+      :user_first_name,
+      :user_last_name,
+      :user_profile_photo_id,
+      # 🚅 super scaffolding will insert new fields above this line.
+      # 🚅 super scaffolding will insert new arrays above this line.
+    )
+
+    # after that, we have to be more careful how we update the roles.
+    # we can't let users remove roles from a membership that they don't have permission
+    # to remove, but we want to allow them to add or remove other roles they do have
+    # permission to assign to other team members.
+    if params[:membership] && params[:membership][:role_ids].present?
+
+      # first, start with the list of role keys already assigned to this membership.
+      existing_role_keys = @membership.role_ids
+
+      # generate a list of role keys we can't allow the current user to remove from this membership.
+      existing_role_keys_that_are_unmanageable = existing_role_keys - manageable_role_keys
+
+      # now let's ensure the list of role keys from the form only includes keys that they're allowed to assign.
+      assignable_role_keys_from_the_form = params[:membership][:role_ids].map(&:to_s) & manageable_role_keys
+
+      # any role keys that are manageable by the current user have to then come from the form data,
+      # otherwise we can assume they were removed by being unchecked.
+      strong_params[:role_ids] = existing_role_keys_that_are_unmanageable + assignable_role_keys_from_the_form
+
+    end
+
+    # 🚅 super scaffolding will insert processing for new fields above this line.
+
+    strong_params
+  end
+end

data/app/controllers/concerns/account/onboarding/user_details/controller_base.rb

@@ -0,0 +1,67 @@
+module Account::Onboarding::UserDetails::ControllerBase
+  extend ActiveSupport::Concern
+
+  included do
+    layout "devise"
+    load_and_authorize_resource class: "User"
+
+    # this is because cancancan doesn't let us set the instance variable name above.
+    before_action do
+      @user = @user_detail
+    end
+  end
+
+  # GET /users/1/edit
+  def edit
+    flash[:notice] = nil
+  end
+
+  # PATCH/PUT /users/1
+  # PATCH/PUT /users/1.json
+  def update
+    respond_to do |format|
+      if @user.update(user_params)
+        # if you update your own user account, devise will normally kick you out, so we do this instead.
+        bypass_sign_in current_user.reload
+
+        if @user.details_provided?
+          format.html { redirect_to account_team_path(@user.teams.first), notice: "" }
+        else
+          format.html {
+            flash[:error] = I18n.t("global.notifications.all_fields_required")
+            redirect_to edit_account_onboarding_user_detail_path(@user)
+          }
+        end
+
+        format.json { render :show, status: :ok, location: [:account, @user] }
+      else
+        format.html { render :edit, status: :unprocessable_entity }
+        format.json { render json: @user.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  private
+
+  # Never trust parameters from the scary internet, only allow the white list through.
+  def user_params
+    permitted_attributes = [
+      :first_name,
+      :last_name,
+      :time_zone,
+      # 🚅 super scaffolding will insert new fields above this line.
+    ]
+
+    permitted_hash = {
+      # 🚅 super scaffolding will insert new arrays above this line.
+    }
+
+    if can? :edit, @user.current_team
+      permitted_hash[:current_team_attributes] = [:id, :name]
+    end
+
+    params.require(:user).permit(permitted_attributes, permitted_hash)
+
+    # 🚅 super scaffolding will insert processing for new fields above this line.
+  end
+end

data/app/controllers/concerns/account/onboarding/user_email/controller_base.rb

@@ -0,0 +1,69 @@
+module Account::Onboarding::UserEmail::ControllerBase
+  extend ActiveSupport::Concern
+
+  included do
+    layout "devise"
+    load_and_authorize_resource class: "User"
+
+    # this is because cancancan doesn't let us set the instance variable name above.
+    before_action do
+      @user = @user_email
+    end
+  end
+
+  # GET /users/1/edit
+  def edit
+    flash[:notice] = nil
+    if @user.email_is_oauth_placeholder?
+      @user.email = nil
+    end
+  end
+
+  # PATCH/PUT /users/1
+  # PATCH/PUT /users/1.json
+  def update
+    respond_to do |format|
+      if @user.update(user_params)
+        # if you update your own user account, devise will normally kick you out, so we do this instead.
+        bypass_sign_in current_user.reload
+
+        if !@user.email_is_oauth_placeholder?
+          @user.send_welcome_email
+          format.html { redirect_to account_team_path(@user.teams.first), notice: "" }
+        else
+          format.html {
+            flash[:error] = I18n.t("global.notifications.all_fields_required")
+            redirect_to edit_account_onboarding_user_detail_path(@user)
+          }
+        end
+
+        format.json { render :show, status: :ok, location: [:account, @user] }
+      else
+
+        # this is just checking whether the error on the email field is taking the email
+        # address is already taken.
+        @email_taken = begin
+          @user.errors.details[:email].select { |error| error[:error] == :taken }.any?
+        rescue
+          false
+        end
+
+        format.html { render :edit, status: :unprocessable_entity }
+        format.json { render json: @user.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  private
+
+  # Never trust parameters from the scary internet, only allow the white list through.
+  def user_params
+    params.require(:user).permit(
+      :email,
+      # 🚅 super scaffolding will insert new fields above this line.
+      # 🚅 super scaffolding will insert new arrays above this line.
+    )
+
+    # 🚅 super scaffolding will insert processing for new fields above this line.
+  end
+end

data/app/controllers/concerns/account/teams/controller_base.rb

@@ -0,0 +1,126 @@
+module Account::Teams::ControllerBase
+  extend ActiveSupport::Concern
+
+  included do
+    load_and_authorize_resource :team, class: "Team", prepend: true
+
+    prepend_before_action do
+      if params["action"] == "new"
+        current_user.current_team = nil
+      end
+    end
+
+    before_action :enforce_invitation_only, only: [:create]
+
+    before_action do
+      # for magic locales.
+      @child_object = @team
+    end
+  end
+
+  # GET /teams
+  # GET /teams.json
+  def index
+    # if a user doesn't have multiple teams, we try to simplify the team ui/ux
+    # as much as possible. links to this page should go to the current team
+    # dashboard. however, some other links to this page are actually in branch
+    # logic and will not display at all. instead, users will be linked to the
+    # "new team" page. (see the main account sidebar menu for an example of
+    # this.)
+    unless current_user.multiple_teams?
+      redirect_to account_team_path(current_team)
+    end
+  end
+
+  # POST /teams/1/switch
+  def switch_to
+    current_user.current_team = @team
+    current_user.save
+    redirect_to account_dashboard_path
+  end
+
+  # GET /teams/1
+  # GET /teams/1.json
+  def show
+    # I don't think this is the best place to close the loop on the onboarding process, but practically speaking it's
+    # the easiest place to implement this at the moment, because all the onboarding steps redirect here on success.
+    if session[:after_onboarding_url].present?
+      redirect_to session.delete(:after_onboarding_url)
+    end
+
+    current_user.current_team = @team
+    current_user.save
+  end
+
+  # GET /teams/new
+  def new
+    render :new, layout: "devise"
+  end
+
+  # GET /teams/1/edit
+  def edit
+  end
+
+  # POST /teams
+  # POST /teams.json
+  def create
+    @team = Team.new(team_params)
+
+    respond_to do |format|
+      if @team.save
+
+        # also make the creator of the team the default admin.
+        @team.memberships.create(user: current_user, roles: [Role.admin])
+
+        current_user.current_team = @team
+        current_user.former_user = false
+        current_user.save
+
+        format.html { redirect_to [:account, @team], notice: I18n.t("teams.notifications.created") }
+        format.json { render :show, status: :created, location: [:account, @team] }
+      else
+        format.html { render :new, layout: "devise" }
+        format.json { render json: @team.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # PATCH/PUT /teams/1
+  # PATCH/PUT /teams/1.json
+  def update
+    respond_to do |format|
+      if @team.update(team_params)
+        format.html { redirect_to [:account, @team], notice: I18n.t("teams.notifications.updated") }
+        format.json { render :show, status: :ok, location: [:account, @team] }
+      else
+        format.html { render :edit, status: :unprocessable_entity }
+        format.json { render json: @team.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # # DELETE /teams/1
+  # # DELETE /teams/1.json
+  # def destroy
+  #   @team.destroy
+  #   respond_to do |format|
+  #     format.html { redirect_to account_teams_url, notice: 'Team was successfully destroyed.' }
+  #     format.json { head :no_content }
+  #   end
+  # end
+
+  private
+
+  # Never trust parameters from the scary internet, only allow the white list through.
+  def team_params
+    params.require(:team).permit(
+      :name,
+      :time_zone,
+      :locale,
+      # 🚅 super scaffolding will insert new fields above this line.
+      # 🚅 super scaffolding will insert new arrays above this line.
+    )
+
+    # 🚅 super scaffolding will insert processing for new fields above this line.
+  end
+end

data/app/controllers/concerns/account/users/controller_base.rb

@@ -0,0 +1,63 @@
+module Account::Users::ControllerBase
+  extend ActiveSupport::Concern
+
+  include do
+    load_and_authorize_resource
+
+    before_action do
+      # for magic locales.
+      @child_object = @user
+    end
+  end
+
+  # GET /account/users/1/edit
+  def edit
+  end
+
+  # GET /account/users/1
+  def show
+  end
+
+  def updating_password?
+    params[:user].key?(:password)
+  end
+
+  # PATCH/PUT /account/users/1
+  # PATCH/PUT /account/users/1.json
+  def update
+    respond_to do |format|
+      if updating_password? ? @user.update_with_password(user_params) : @user.update_without_password(user_params)
+        # if you update your own user account, devise will normally kick you out, so we do this instead.
+        bypass_sign_in current_user.reload
+        format.html { redirect_to [:edit, :account, @user], notice: t("users.notifications.updated") }
+        format.json { render :show, status: :ok, location: [:account, @user] }
+      else
+        format.html { render :edit, status: :unprocessable_entity }
+        format.json { render json: @user.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  private
+
+  # Never trust parameters from the scary internet, only allow the white list through.
+  def user_params
+    # TODO enforce permissions on updating the user's team name.
+    params.require(:user).permit(
+      :email,
+      :first_name,
+      :last_name,
+      :time_zone,
+      :current_password,
+      :password,
+      :password_confirmation,
+      :profile_photo_id,
+      :locale,
+      # 🚅 super scaffolding will insert new fields above this line.
+      current_team_attributes: [:name],
+      # 🚅 super scaffolding will insert new arrays above this line.
+    )
+
+    # 🚅 super scaffolding will insert processing for new fields above this line.
+  end
+end

data/app/models/concerns/invitations/{core.rb → base.rb}

@@ -1,4 +1,4 @@
-module Invitations::Core
+module Invitations::Base
   extend ActiveSupport::Concern
 
   included do

data/app/models/concerns/memberships/{core.rb → base.rb}

@@ -1,4 +1,4 @@
-module Memberships::Core
+module Memberships::Base
   extend ActiveSupport::Concern
 
   included do

data/app/models/concerns/teams/{core.rb → base.rb}

@@ -1,4 +1,4 @@
-module Teams::Core
+module Teams::Base
   extend ActiveSupport::Concern
 
   included do

data/app/models/concerns/users/{core.rb → base.rb}

@@ -1,4 +1,4 @@
-module Users::Core
+module Users::Base
   extend ActiveSupport::Concern
 
   included do

data/lib/bullet_train/version.rb

@@ -1,3 +1,3 @@
 module BulletTrain
-  VERSION = "1.0.4"
+  VERSION = "1.0.5"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bullet_train
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - Andrew Culver
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01-23 00:00:00.000000000 Z
+date: 2022-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -41,16 +41,22 @@ files:
 - app/controllers/account/onboarding/user_email_controller.rb
 - app/controllers/account/teams_controller.rb
 - app/controllers/account/users_controller.rb
+- app/controllers/concerns/account/invitations/controller_base.rb
+- app/controllers/concerns/account/memberships/controller_base.rb
+- app/controllers/concerns/account/onboarding/user_details/controller_base.rb
+- app/controllers/concerns/account/onboarding/user_email/controller_base.rb
+- app/controllers/concerns/account/teams/controller_base.rb
+- app/controllers/concerns/account/users/controller_base.rb
 - app/helpers/account/invitations_helper.rb
 - app/helpers/account/memberships_helper.rb
 - app/helpers/account/teams_helper.rb
 - app/helpers/account/users_helper.rb
 - app/helpers/invitation_only_helper.rb
 - app/helpers/invitations_helper.rb
-- app/models/concerns/invitations/core.rb
-- app/models/concerns/memberships/core.rb
-- app/models/concerns/teams/core.rb
-- app/models/concerns/users/core.rb
+- app/models/concerns/invitations/base.rb
+- app/models/concerns/memberships/base.rb
+- app/models/concerns/teams/base.rb
+- app/models/concerns/users/base.rb
 - app/models/invitation.rb
 - app/models/invitations.rb
 - app/models/membership.rb