card-mod-account 0.11.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 446ac1cbd57b9473bffdf6fdb91303bc86cbcdcf584e2fafe48fc306da050580
+  data.tar.gz: eecb9da6a9312154ec015ac20353061b8d2839a6c61d2dacabe9c2d3377603b9
+SHA512:
+  metadata.gz: 9472b1ed791997464de8a57adad65d83b9021df74750f76edaab8fddfb51df493801f659c861a870ae29994e806add8add7e8aa8f07c73954b159f9e288ed050
+  data.tar.gz: 8525e80cacd92f2d5c7ce960bbdda0be8fc63441fb3cb408080bbf03a0d9fe2c302da16ab60b117c923d5141bd1a62611e3bc48ad61cc677c6ac62729b1bce36

data/README.md

@@ -0,0 +1,6 @@
+<!--
+# @title README: account mod
+-->
+# account
+
+Create and manage accounts with cards. 

data/set/abstract/account_field.rb

@@ -0,0 +1,17 @@
+
+# allow account owner to update account field content
+def ok_to_update
+  return true if own_account? && !name_changed? && !type_id_changed?
+
+  super
+end
+
+# force inherit permission on create
+# (cannot be done with rule, because sets are not addressable)
+def permission_rule_id action
+  if action == :create
+    left_permission_rule_id action
+  else
+    super
+  end
+end

data/set/abstract/accountable.rb

@@ -0,0 +1,49 @@
+def account
+  fetch :account, new: {}
+end
+
+def default_account_status
+  "active"
+end
+
+def current_account?
+  id && Auth.current_id == id
+end
+
+format :html do
+  def default_bridge_tab
+    card.current_account? ? :account_tab : super
+  end
+
+  view :account_tab do
+    bridge_pill_sections "Account" do
+      [["Settings", account_details_items],
+       ["Content", account_content_items]]
+    end
+  end
+
+  def show_account_tab?
+    card.account.real?
+  end
+
+  def account_formgroups
+    Auth.as_bot do
+      subformat(card.account)._render :content_formgroups, structure: true
+    end
+  end
+
+  def account_details_items
+    [
+      ["Email and Password", :account,
+       { path: { slot: { hide: %i[help_link bridge_link] } } }],
+      ["Roles", :roles,
+       { path:  { view: :content_with_edit_button } }],
+      ["Notifications", :follow]
+    ]
+  end
+
+  def account_content_items
+    [["Created", :created],
+     ["Edited", :edited]]
+  end
+end

data/set/all/account.rb

@@ -0,0 +1,97 @@
+module ClassMethods
+  def default_accounted_type_id
+    UserID
+  end
+end
+
+def account
+  fetch :account
+end
+
+def parties
+  @parties ||= (all_enabled_roles << id).flatten.reject(&:blank?)
+end
+
+def among? ok_ids
+  ok_ids.any? do |ok_id|
+    ok_id == AnyoneID ||
+      (ok_id == AnyoneWithRoleID && all_enabled_roles.size > 1) ||
+      parties.member?(ok_id)
+  end
+end
+
+def own_account?
+  # card is +*account card of signed_in user.
+  name.part_names[0].key == Auth.as_card.key &&
+    name.part_names[1].key == Card[:account].key
+end
+
+def read_rules
+  @read_rules ||= fetch_read_rules
+end
+
+def read_rules_hash
+  @read_rules_hash ||= read_rules.each_with_object({}) { |id, h| h[id] = true }
+end
+
+def fetch_read_rules
+  return [] if id == WagnBotID # always_ok, so not needed
+
+  ([AnyoneID] + parties).each_with_object([]) do |party_id, rule_ids|
+    next unless (cache = Card::Rule.read_rule_cache[party_id])
+    rule_ids.concat cache
+  end
+end
+
+def clear_roles
+  @parties = @all_roles = @all_active_roles = @read_rules = nil
+end
+
+def with_clear_roles
+  a, b, c, d = @parties, @all_roles, @all_active_roles, @read_rules
+  yield
+ensure
+  @parties, @all_roles, @all_active_roles, @read_rules = a, b, c, d
+end
+
+def all_enabled_roles
+  @all_active_roles ||= (id == AnonymousID ? [] : enabled_role_ids)
+end
+
+def all_roles
+  @all_roles ||= (id == AnonymousID ? [] : fetch_roles)
+end
+
+def enabled_role_ids
+  Auth.as_bot do
+    # workaround for broken migrations
+    return fetch_roles unless Card::Codename.exists? :enabled_roles
+
+    enabled = enabled_roles_card
+    enabled.virtual? ? enabled.item_ids : fetch_roles
+  end
+end
+
+def enabled_roles_card
+  fetch :enabled_roles, eager_cache: true, new: { type_id: SessionID }
+end
+
+def fetch_roles
+  [AnyoneSignedInID] + role_ids_from_roles_trait
+end
+
+def role_ids_from_roles_trait
+  Auth.as_bot do
+    role_trait = fetch :roles
+    role_trait ? role_trait.item_ids : []
+  end
+end
+
+event :generate_token do
+  Digest::SHA1.hexdigest "--#{Time.zone.now.to_f}--#{rand 10}--"
+end
+
+event :set_stamper, :prepare_to_validate do
+  self.updater_id = Auth.current_id
+  self.creator_id = updater_id if new_card?
+end

data/set/right/account.rb

@@ -0,0 +1,58 @@
+# -*- encoding : utf-8 -*-
+
+card_accessor :email
+card_accessor :password
+card_accessor :salt
+card_accessor :status
+card_accessor :api_key
+
+require_field :email
+
+def accounted
+  left
+end
+
+def accounted_id
+  left_id
+end
+
+def ok_to_read
+  own_account? ? true : super
+end
+
+# allow account owner to update account field content
+def ok_to_update
+  return true if own_account? && !name_changed? && !type_id_changed?
+
+  super
+end
+
+def changes_visible? act
+  act.actions_affecting(act.card).each do |action|
+    return true if action.card.ok? :read
+  end
+  false
+end
+
+def send_account_email email_template
+  ecard = Card[email_template]
+  unless ecard&.type_id == EmailTemplateID
+    raise Card::Error, "invalid email template: #{email_template}"
+  end
+
+  ecard.deliver self, to: email
+end
+
+def validate_api_key! api_key
+  api_key_card.validate! api_key
+end
+
+def method_missing method, *args
+  super unless args.empty? && (matches = method.match(/^(?<status>.*)\?$/))
+
+  status == matches[:status]
+end
+
+def respond_to_missing? method, _include_private=false
+  method.match?(/\?/) ? true : super
+end

data/set/right/account/events.rb

@@ -0,0 +1,99 @@
+#### ON CREATE
+
+event :set_default_salt, :prepare_to_validate, on: :create do
+  add_subfield(:salt).generate
+end
+
+event :set_default_status, :prepare_to_validate, on: :create do
+  add_subfield :status, content: (accounted&.try(:default_account_status) || "active")
+end
+
+# ON UPDATE
+
+# reset password emails contain a link to update the +*account card
+# and trigger this event
+event :reset_password, :prepare_to_validate, on: :update, trigger: :required do
+  verifying_token :reset_password_success, :reset_password_failure
+end
+
+event :verify_and_activate, :prepare_to_validate, on: :update, trigger: :required do
+  activatable do
+    verifying_token :verify_and_activate_success, :verify_and_activate_failure
+    add_subcard(accounted)&.try :activate_accounted
+  end
+end
+
+event :password_redirect, :finalize, on: :update, when: :password_redirect? do
+  success << { id: name, view: "edit" }
+end
+
+# INTEGRATION
+
+%i[password_reset_email verification_email welcome_email].each do |email|
+  event "send_#{email}".to_sym, :integrate, trigger: :required do
+    send_account_email email
+  end
+end
+
+## EVENT HELPERS
+
+def activatable
+  abort :failure, "no field manipulation mid-activation" if subcards.present?
+  # above is necessary because activation uses super user (Decko Bot),
+  # so allowing subcards would be unsafe
+  yield
+end
+
+# note: this only works in the context of an action.
+# if run independently, it will not activate an account
+event :activate_account do
+  add_subfield :status, content: "active"
+  trigger_event! :send_welcome_email
+end
+
+def verifying_token success, failure
+  requiring_token do |token|
+    result = Auth::Token.decode token
+    if result.is_a?(String)
+      send failure, result
+    else
+      send success
+    end
+  end
+end
+
+def requiring_token
+  if !(token = Env.params[:token])
+    errors.add :token, "is required"
+  else
+    yield token
+  end
+end
+
+def password_redirect?
+  Auth.current_id == accounted_id && password.blank?
+end
+
+def verify_and_activate_success
+  Auth.signin accounted_id
+  Auth.as_bot # use admin permissions for rest of action
+  activate_account
+  success << ""
+end
+
+def verify_and_activate_failure error_message
+  send_verification_email
+  errors.add :content,
+             "Sorry, #{error_message}. Please check your email for a new activation link."
+end
+
+def reset_password_success
+  Auth.signin accounted_id
+  success << { id: name, view: :edit }
+  abort :success
+end
+
+def reset_password_failure error_message
+  Auth.as_bot { send_password_reset_email }
+  errors.add :content, tr(:sorry_email_reset, error_msg: error_message)
+end

data/set/right/account/views.rb

@@ -0,0 +1,65 @@
+format do
+  view :verify_url, cache: :never do
+    raise Error::PermissionDenied unless card.ok?(:create) || card.action
+
+    token_url :verify_and_activate, anonymous: true
+  end
+
+  view :reset_password_url do
+    raise Error::PermissionDenied unless card.password_card.ok? :update
+
+    token_url :reset_password
+  end
+
+  view :token_expiry do
+    "(#{token_expiry_sentence}"
+  end
+
+  view :token_days do
+    Card.config.token_expiry / 1.day
+  end
+
+  # DEPRECATED
+  view :verify_days, :token_days
+  view :reset_password_days, :token_days
+
+  def token_url trigger, extra_payload={}
+    card_url path(action: :update,
+                  card: { trigger: trigger },
+                  token: new_token(extra_payload))
+  end
+
+  def token_expiry_sentence
+    "Link will expire in #{render_token_days} days"
+  end
+
+  def new_token extra_payload
+    Auth::Token.encode card.accounted_id, extra_payload
+  end
+end
+
+format :html do
+  view :core do
+    [account_field_nest(:email, "email"),
+     account_field_nest(:password, "password")]
+  end
+
+  def account_field_nest field, title
+    field_nest field, title: title, view: :labeled
+    # edit: :inline, hide: [:help_link, :bridge_link]
+  end
+
+  before :content_formgroups do
+    voo.edit_structure = [[:email, "email"], [:password, "password"]]
+  end
+
+  view :token_expiry do
+    "<p><em>#{token_expiry_sentence}</em></p>"
+  end
+end
+
+format :email_html do
+  def mail context, fields
+    super context, fields.reverse_merge(to: card.email)
+  end
+end

data/set/right/api_key.rb

@@ -0,0 +1,48 @@
+include_set Abstract::AccountField
+
+# DURATIONS = "second|minute|hour|day|week|month|year".freeze
+
+def history?
+  false
+end
+
+view :raw do
+  tr :private_data
+end
+
+def validate! api_key
+  error =
+    case
+    when !real?             then [:token_not_found, tr(:error_token_not_found)]
+    # when expired?           then [:token_expired, tr(:error_token_expired)]
+    when content != api_key then [:incorrect_token, tr(:error_incorrect_token)]
+    end
+  errors.add(*error) if error
+  error.nil?
+end
+
+# def expired?
+#   !permanent? && updated_at <= term.ago
+# end
+#
+# def permanent?
+#   term == "permanent"
+# end
+
+# def term
+#   @term ||=
+#     if expiration.present?
+#       term_from_string expiration
+#     else
+#       Card.config.token_expiry
+#     end
+# end
+
+# def term_from_string string
+#   string.strip!
+#   return "permanent" if string == "none"
+#   re_match = /^(\d+)[\.\s]*(#{DURATIONS})s?$/.match(string)
+#   number, unit = re_match.captures if re_match
+#   raise Card::Open::Error, tr(:exception_bad_expiration, example: '2 days') unless unit
+#   number.to_i.send unit
+# end

data/set/right/email.rb

@@ -0,0 +1,46 @@
+# -*- encoding : utf-8 -*-
+
+include_set Abstract::AccountField
+
+event :validate_email, :validate, on: :save do
+  return unless content?
+
+  self.content = content.strip
+  return if content.match?(/^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/i)
+
+  errors.add :content, tr(:error_invalid_address)
+end
+
+event :validate_unique_email, after: :validate_email, on: :save do
+  if content.present?
+    Auth.as_bot do
+      cql = { right_id: EmailID, eq: content, return: :id }
+      cql[:not] = { id: id } if id
+      cql_comment = tr(:search_email_duplicate, content: content)
+      if Card.search(cql, cql_comment).first
+        errors.add :content, tr(:error_not_unique)
+      end
+    end
+  end
+end
+
+event :downcase_email, :prepare_to_validate, on: :save do
+  return if !content || content == content.downcase
+  self.content = content.downcase
+end
+
+def email_required?
+  !left.system?
+end
+
+def ok_to_read
+  if own_email? || Auth.always_ok?
+    true
+  else
+    deny_because tr(:deny_email_restricted)
+  end
+end
+
+def own_email?
+  name.part_names[0].key == Auth.as_card.key
+end

data/set/right/password.rb

@@ -0,0 +1,51 @@
+include_set Abstract::AccountField
+
+def history?
+  false
+end
+
+def ok_to_read
+  own_account? ? true : super
+end
+
+event :encrypt_password, :store,
+      on: :save, changed: :content,
+      when: proc { !Card::Env[:no_password_encryptions] } do
+  # no_password_encryptions = hack for import - fix with api for ignoring events
+  salt = left&.salt
+  self.content = Auth.encrypt content, salt
+
+  # errors.add :password, 'need a valid salt'
+  # turns out we have a lot of existing account without a salt.
+  # not sure when that broke??
+end
+
+event :validate_password, :validate, on: :save do
+  return if content.length > 3
+
+  errors.add :password, tr(:password_length)
+end
+
+event :validate_password_present, :prepare_to_validate, on: :update do
+  abort :success if content.blank?
+end
+
+view :raw do
+  tr :encrypted
+end
+
+format :html do
+  view :core, wrap: :em do
+    render_raw
+  end
+
+  view :input do
+    card.content = ""
+    password_field :content, class: "d0-card-content", autocomplete: autocomplete?
+  end
+
+  def autocomplete?
+    return "on" if @parent && @parent.card.name == "*signin+*account" # HACK
+    "off"
+  end
+end

data/set/right/roles.rb

@@ -0,0 +1,27 @@
+event :validate_permission_to_assign_roles, :validate, on: :save do
+  return unless (fr = forbidden_roles).present?
+
+  errors.add :permission_denied,
+             "You don't have permission to assign the role#{'s' if fr.size > 1} "\
+             "#{fr.map(&:name).to_sentence}"   # LOCALIZE
+end
+
+def forbidden_roles
+  # restore old roles for permission check
+  with_old_role_permissions do |new_roles|
+    new_roles.select do |card|
+      !Card.fetch(card, "*members").ok? :update
+    end
+  end
+end
+
+def with_old_role_permissions
+  new_roles = item_cards
+  new_content = content
+  left.clear_roles
+  Auth.update_always_cache Card::Auth.as_id, nil
+  self.content = db_content_before_act
+  yield new_roles
+ensure
+  self.content = new_content
+end

data/set/right/salt.rb

@@ -0,0 +1,13 @@
+include_set Abstract::AccountField
+
+def generate
+  self.content = Digest::SHA1.hexdigest "--#{Time.zone.now}--"
+end
+
+def history?
+  false
+end
+
+view :raw do
+  tr :private_data
+end

data/set/right/status.rb

@@ -0,0 +1,18 @@
+include_set Abstract::AccountField
+include_set Abstract::Pointer
+
+def input_type
+  :radio
+end
+
+def option_names
+  %w[unapproved unverified active blocked system]
+end
+
+def ok_to_update
+  if own_account? && !Auth.always_ok?
+    deny_because you_cant(tr(:deny_not_change_own_account))
+  else
+    super
+  end
+end

data/set/self/captcha.rb

@@ -0,0 +1,5 @@
+setting_opts group: :permission,
+             position: 5,
+             help_text: "Anti-spam setting.  Requires non-signed-in users to complete a "\
+                        "[[http://decko.org/captcha|captcha]] before adding or editing "\
+                        "cards (where permitted)."

data/set/self/signin.rb

@@ -0,0 +1,226 @@
+# The Sign In card manages logging in and out of the site.
+#
+# /:signin (core view) gives the login ui
+# /:signin?view=edit gives the forgot password ui
+
+# /update/:signin is the login action
+# /delete/:signin is the logout action
+
+# authentication event
+event :signin, :validate, on: :update do
+  email = subfield :email
+  email &&= email.content
+  pword = subfield :password
+  pword &&= pword.content
+
+  authenticate_or_abort email, pword
+end
+
+# abort after successful signin (do not save card)
+event :signin_success, after: :signin do
+  abort :success
+end
+
+event :signout, :validate, on: :delete do
+  Env.reset_session
+  Auth.signin AnonymousID
+  abort :success
+end
+
+# triggered by clicking "Reset my Password", this sends out the verification password
+# and aborts (does not sign in)
+event :send_reset_password_token, before: :signin, on: :update, trigger: :required do
+  email = subfield(:email)&.content
+  send_reset_password_email_or_fail email
+end
+
+def ok_to_read
+  true
+end
+
+def recaptcha_on?
+  false
+end
+
+def i18n_signin key
+  I18n.t key, scope: "mod.card-mod-account.set.self.signin"
+end
+
+def authenticate_or_abort email, pword
+  abort_unless email, :email_missing
+  abort_unless pword, :password_missing
+  authenticate_and_signin(email, pword) || failed_signin(email)
+end
+
+def authenticate_and_signin email, pword
+  return unless (account = Auth.authenticate email, pword)
+
+  Auth.signin account.left_id
+end
+
+def failed_signin email
+  errors.add :signin, signin_error_message(account_for(email))
+  abort :failure
+end
+
+def abort_unless value, error_key
+  abort :failure, i18n_signin(error_key) unless value
+end
+
+def signin_error_message account
+  case
+  when account.nil?     then i18n_signin(:error_unknown_email)
+  when !account.active? then i18n_signin(:error_not_active)
+  else                       i18n_signin(:error_wrong_password)
+  end
+end
+
+def error_on field, error_key
+  errors.add field, i18n_signin(error_key)
+end
+
+def account_for email
+  Auth.find_account_by_email email
+end
+
+def send_reset_password_email_or_fail email
+  aborting do
+    break errors.add :email, i18n_signin(:error_blank) if email.blank?
+
+    if (account = Auth.find_account_by_email(email))&.active?
+      Auth.as_bot { account.send_password_reset_email }
+    elsif account
+      errors.add :account, i18n_signin(:error_not_active)
+    else
+      errors.add :email, i18n_signin(:error_not_recognized)
+    end
+  end
+end
+
+def send_reset_password_email_or_fail email
+  aborting do
+    break if blank_email? email
+
+    if (account = account_for email)&.active?
+      send_reset_password_email account
+    else
+      reset_password_fail account
+    end
+  end
+end
+
+def blank_email? email
+  return false if email.present?
+
+  error_on :email, :error_blank
+end
+
+def send_reset_password_email account
+  Auth.as_bot { account.send_password_reset_email }
+end
+
+def reset_password_fail account
+  if account
+    error_on :account, :error_not_active
+  else
+    error_on :email, :error_not_recognized
+  end
+end
+
+format :html do
+  view :core, cache: :never do
+    voo.edit_structure = [signin_field(:email), signin_field(:password)]
+    with_nest_mode :edit do
+      card_form :update, recaptcha: :off, success: signin_success do
+        [
+          _render_content_formgroups,
+          _render_signin_buttons
+        ]
+      end
+    end
+  end
+
+  view :open do
+    voo.show :help
+    voo.hide :menu
+    super()
+  end
+
+  # FIXME: need a generic solution for this
+  view :title do
+    voo.title ||= I18n.t(:sign_in_title, scope: "mod.card-mod-account.set.self.signin")
+    super()
+  end
+
+  view :open_content do
+    # annoying step designed to avoid table of contents.  sigh
+    _render_core
+  end
+
+  view :one_line_content do
+    ""
+  end
+
+  view :reset_password_success do
+    # 'Check your email for a link to reset your password'
+    frame { I18n.t(:check_email, scope: "mod.card-mod-account.set.self.signin") }
+  end
+
+  view :signin_buttons do
+    button_formgroup do
+      [signin_button, signup_link, reset_password_link]
+    end
+  end
+
+  # FORGOT PASSWORD
+  view :edit do
+    reset_password_voo
+    Auth.as_bot { super() }
+  end
+
+  def reset_password_voo
+    voo.title ||= card.i18n_signin(:forgot_password)
+    voo.edit_structure = [signin_field(:email)]
+    voo.hide :help
+  end
+
+  view :edit_buttons do
+    text = I18n.t :reset_my_password, scope: "mod.card-mod-account.set.self.signin"
+    button_tag text, situation: "primary", class: "_close-modal-on-success"
+  end
+
+  def signin_success
+    "REDIRECT: #{Env.interrupted_action || '*previous'}"
+  end
+
+  def signin_button
+    text = I18n.t :sign_in, scope: "mod.card-mod-account.set.self.signin"
+    button_tag text, situation: "primary"
+  end
+
+  def signup_link
+    text = I18n.t :or_sign_up, scope: "mod.card-mod-account.set.self.signin"
+    subformat(Card[:account_links]).render! :sign_up, title: text
+  end
+
+  def reset_password_link
+    text = I18n.t :reset_password, scope: "mod.card-mod-account.set.self.signin"
+    link = link_to_view :edit, text, path: { slot: { hide: :bridge_link } }
+    # FIXME: inline styling
+    raw("<div style='float:right'>#{link}</div>")
+  end
+
+  def edit_view_hidden
+    hidden_tags card: { trigger: :send_reset_password_token }
+  end
+
+  def edit_success
+    { view: :reset_password_success }
+  end
+
+  def signin_field name
+    nest_name = "".to_name.trait(name)
+    [nest_name, { title: name.to_s, view: "titled",
+                  nest_name: nest_name, skip_perms: true }]
+  end
+end

data/set/type/role.rb

@@ -0,0 +1,21 @@
+def disabled?
+  Auth.current&.fetch(:disabled_roles)&.item_ids&.include? id
+end
+
+format :html do
+  view :link_with_checkbox, cache: :never do
+    role_checkbox
+  end
+
+  def role_checkbox
+    name = card.disabled? ? "add_item" : "drop_item"
+    subformat(Auth.current.field(:disabled_roles, new: {})).card_form :update do
+      [check_box_tag(name, card.id, !card.disabled?, class: "_edit-item"),
+       render_link]
+    end
+  end
+
+  def related_by_content_items
+    super.unshift ["members", :members]
+  end
+end

data/set/type/signup.rb

@@ -0,0 +1,54 @@
+include_set Abstract::Accountable
+
+require_field :account
+
+def default_account_status
+  can_approve? ? "unverified" : "unapproved"
+end
+
+def can_approve?
+  Card.new(type_id: Card.default_accounted_type_id).ok? :create
+end
+
+def activate_accounted
+  self.type_id = Card.default_accounted_type_id
+end
+
+event :auto_approve_with_verification, :validate, on: :create, when: :can_approve? do
+  request_verification
+end
+
+event :approve_with_verification, :validate, on: :update, trigger: :required do
+  approvable { request_verification }
+end
+
+event :approve_without_verification, :validate, on: :update, trigger: :required do
+  # TODO: if validated here, add trigger and activate in storage phase
+  approvable do
+    activate_accounted
+    account_subfield.activate_account
+  end
+end
+
+event :act_as_current_for_integrate_stage, :integrate, on: :create do
+  # needs justification!
+  Auth.current_id = id
+end
+
+def account_subfield
+  subfield(:account) || add_subfield(:account)
+end
+
+def request_verification
+  acct = account_subfield
+  acct.add_subfield :status, content: "unverified"
+  acct.trigger_event! :send_verification_email
+end
+
+def approvable
+  if can_approve?
+    yield
+  else
+    abort :failure, "illegal approval" # raise permission denied?
+  end
+end

data/set/type/signup/core.haml

@@ -0,0 +1,4 @@
+- unless card.new_card? # necessary?
+  .invite-links
+    = lines.map { |h| "<div>#{h}</div>" }.join "\n"
+    = body

data/set/type/signup/views.rb

@@ -0,0 +1,93 @@
+format :html do
+  def invitation?
+    Auth.signed_in? && card.can_approve?
+  end
+
+  view :new do
+    voo.title = invitation? ? tr(:invite) : tr(:sign_up)
+    super()
+  end
+
+  view :content_formgroups do
+    [account_formgroups, (card.structure ? edit_slot : "")].join
+  end
+
+  view :new_buttons do
+    button_formgroup do
+      [standard_create_button, invite_button].compact
+    end
+  end
+
+  def invite_button
+    return unless invitation?
+    button_tag "Send Invitation", situation: "primary"
+  end
+
+  view :core, template: :haml do
+    @lines = [signup_line] + account_lines
+    @body = process_content _render_raw
+  end
+
+  def signup_line
+    ["<strong>#{safe_name}</strong>",
+     ("was" if invited?),
+     "signed up on #{format_date card.created_at}"].compact.join " "
+  end
+
+  def invited?
+    !self_signup?
+  end
+
+  def self_signup?
+    card.creator_id == AnonymousID
+  end
+
+  def account_lines
+    if card.account
+      verification_lines
+    else
+      [tr(:missing_account)]
+    end
+  end
+
+  def verification_lines
+    [verification_sent_line, verification_link_line].compact
+  end
+
+  def verification_sent_line
+    account = card.account
+    return unless account.email_card.ok?(:read)
+    "A verification email has been sent to #{account.email}"
+  end
+
+  def verification_link_line
+    links = verification_links
+    return if links.empty?
+    links.join " "
+  end
+
+  def verification_links
+    [approve_with_token_link, approve_without_token_link, deny_link].compact
+  end
+
+  def approve_with_token_link
+    action = card.account.status == "unverified" ? "Resend" : "Send"
+    approval_link "#{action} verification email", :with
+  end
+
+  def approve_without_token_link
+    approval_link "Approve without verification", :without
+  end
+
+  def approval_link text, with_or_without
+    return unless card.can_approve?
+    link_to_card card, text,
+                 path: { action: :update,
+                         card: { trigger: "approve_#{with_or_without}_verification" } }
+  end
+
+  def deny_link
+    return unless card.ok? :delete
+    link_to_card card, "Deny and delete", path: { action: :delete }
+  end
+end

data/set/type/user.rb

@@ -0,0 +1,67 @@
+include_set Abstract::Accountable
+
+attr_accessor :email
+
+format :html do
+  view :setup, unknown: true, perms: ->(_fmt) { Auth.needs_setup? } do
+    with_nest_mode :edit do
+      voo.title = "Your deck is ready to go!" # LOCALIZE
+      voo.show! :help
+      voo.hide! :menu
+      voo.help = haml :setup_help
+      Auth.as_bot { setup_form }
+    end
+  end
+
+  def setup_form
+    frame_and_form :create do
+      [
+        setup_hidden_fields,
+        _render_name_formgroup,
+        account_formgroups,
+        setup_form_buttons
+      ]
+    end
+  end
+
+  def setup_form_buttons
+    button_formgroup { setup_button }
+  end
+
+  def setup_button
+    submit_button text: "Set up", disable_with: "Setting up"
+  end
+
+  def setup_hidden_fields
+    hidden_tags(
+      setup: true,
+      success: "REDIRECT: #{path mark: ''}",
+      "card[type_id]" => Card.default_accounted_type_id
+    )
+  end
+end
+
+def setup?
+  Card::Env.params[:setup]
+end
+
+event :setup_as_bot, before: :check_permissions, on: :create, when: :setup? do
+  abort :failure unless Auth.needs_setup?
+  Auth.as_bot
+  # we need bot authority to set the initial administrator roles
+  # this is granted and inspected here as a separate event for
+  # flexibility and security when configuring initial setups
+end
+
+event :setup_first_user, :prepare_to_store, on: :create, when: :setup? do
+  add_subcard "signup alert email+*to", content: name
+  add_subfield :roles, content: roles_for_first_user
+end
+
+def roles_for_first_user
+  %i[help_desk shark administrator].map(&:cardname)
+end
+
+event :signin_after_setup, :integrate, on: :create, when: :setup? do
+  Auth.signin id
+end

data/set/type/user/setup_help.haml

@@ -0,0 +1,10 @@
+%h3 First, set up an account.
+.pb-2
+  As the first account holder for this deck, you will automatically have several
+  permissioned roles. You can configure these roles at any time.
+
+
+- if Card.config.action_mailer.perform_deliveries == false
+  .bg-warning.p-3
+    WARNING: Email delivery is turned off.
+    Change settings in config/application.rb to send sign up notifications.

data/set/type_plus_right/user/email.rb

@@ -0,0 +1,13 @@
+# supports legacy references to <User>+*email
+# (standard representation is now <User>+*account+*email)
+view :raw do
+  card.content_email || card.account_email || ""
+end
+
+def content_email
+  content if real?
+end
+
+def account_email
+  left&.account&.email
+end

metadata

@@ -0,0 +1,124 @@
+--- !ruby/object:Gem::Specification
+name: card-mod-account
+version: !ruby/object:Gem::Version
+  version: 0.11.0
+platform: ruby
+authors:
+- Ethan McCutchen
+- Philipp Kühl
+- Gerry Gleason
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2020-12-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: card
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.101.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.101.0
+- !ruby/object:Gem::Dependency
+  name: card-mod-email
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+- !ruby/object:Gem::Dependency
+  name: card-mod-permissions
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+- !ruby/object:Gem::Dependency
+  name: card-mod-list
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.11.0
+description: ''
+email:
+- info@decko.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- set/abstract/account_field.rb
+- set/abstract/accountable.rb
+- set/all/account.rb
+- set/right/account.rb
+- set/right/account/events.rb
+- set/right/account/views.rb
+- set/right/api_key.rb
+- set/right/email.rb
+- set/right/password.rb
+- set/right/roles.rb
+- set/right/salt.rb
+- set/right/status.rb
+- set/self/captcha.rb
+- set/self/signin.rb
+- set/type/role.rb
+- set/type/signup.rb
+- set/type/signup/core.haml
+- set/type/signup/views.rb
+- set/type/user.rb
+- set/type/user/setup_help.haml
+- set/type_plus_right/user/email.rb
+homepage: http://decko.org
+licenses:
+- GPL-3.0
+metadata:
+  card-mod: account
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.5'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key:
+specification_version: 4
+summary: Email-based account handling for decko cards
+test_files: []