card 1.98.3 → 1.99.0

data/mod/account/set/type/user/setup_help.haml

@@ -0,0 +1,10 @@
+%h3 First, set up an account.
+.pb-2
+  As the first account holder for this deck, you will automatically have several
+  permissioned roles. You can configure these roles at any time.
+
+
+- if Card.config.action_mailer.perform_deliveries == false
+  .bg-warning.p-3
+    WARNING: Email delivery is turned off.
+    Change settings in config/application.rb to send sign up notifications.

data/mod/account/spec/set/all/account_spec.rb

@@ -1,127 +1,113 @@
 RSpec.describe Card::Set::All::Account do
-  describe "accountable?" do
-    it "is false for cards with *accountable rule off" do
-      expect(Card["A"].accountable?).to eq(false)
+  describe "parties" do
+    it "for Wagn Bot", with_user: Card::WagnBotID do
+      expect(Card::Auth.current.parties.sort)
+        .to eq([Card::WagnBotID, Card::AnyoneSignedInID, Card::AdministratorID])
     end
 
-    it "is true for cards with *accountable rule on", as_bot: true do
-      Card.create name: "A+*self+*accountable", content: "1"
-      Card.create name: "*account+*right+*create",
-                  content: "[[Anyone Signed In]]"
-      expect(Card["A"].accountable?).to eq(true)
+    it "for Anonymous", with_user: Card::AnonymousID do
+      expect(Card::Auth.current.parties.sort).to eq([Card::AnonymousID])
     end
 
-    describe "parties" do
-      it "for Wagn Bot", with_user: Card::WagnBotID do
-        expect(Card::Auth.current.parties.sort).to eq(
-                                                     [Card::WagnBotID, Card::AnyoneSignedInID, Card::AdministratorID]
-                                                   )
+    context "for Joe User" do
+      before do
+        @joe_user_card = Card::Auth.current
+        @parties = @joe_user_card.parties # note: must be called to test resets
       end
 
-      it "for Anonymous", with_user: Card::AnonymousID do
-        expect(Card::Auth.current.parties.sort).to eq([Card::AnonymousID])
+      it "initially has only auth and self " do
+        expect(@parties)
+          .to eq([Card::AnyoneSignedInID, Card::SharkID, @joe_user_card.id])
       end
 
-      context "for Joe User" do
-        before do
-          @joe_user_card = Card::Auth.current
-          @parties = @joe_user_card.parties # note: must be called to test resets
-        end
-
-        it "initially has only auth and self " do
-          expect(@parties)
-            .to eq([Card::AnyoneSignedInID, Card::SharkID, @joe_user_card.id])
-        end
-
-        it "updates when new roles are set" do
-          roles_card = @joe_user_card.fetch trait: :roles, new: {}
-          r1 = Card["r1"]
-
-          Card::Auth.as_bot { roles_card.items = [r1.id] }
-          Card::Cache.restore
-          # simulate new request
-          # clears local cache, where, eg, @parties would still be cached on card
-
-          Card::Auth.current_id = Card::Auth.current_id
-          # simulate new request
-          # current_id assignment clears several class variables
-
-          new_parties = [Card::AnyoneSignedInID, r1.id, @joe_user_card.id]
-          expect(Card["Joe User"].parties).to eq(new_parties)
-          # @parties regenerated, now with correct values
-
-          expect(Card::Auth.current.parties).to eq(new_parties)
-          # @joe_user_card.refresh(force=true).parties.should == new_parties
-          # should work, but now superfluous?
-        end
+      it "updates when new roles are set" do
+        roles_card = @joe_user_card.fetch trait: :roles, new: {}
+        r1 = Card["r1"]
+
+        Card::Auth.as_bot { roles_card.items = [r1.id] }
+        Card::Cache.restore
+        # simulate new request
+        # clears local cache, where, eg, @parties would still be cached on card
+
+        Card::Auth.current_id = Card::Auth.current_id
+        # simulate new request
+        # current_id assignment clears several class variables
+
+        new_parties = [Card::AnyoneSignedInID, r1.id, @joe_user_card.id]
+        expect(Card["Joe User"].parties).to eq(new_parties)
+        # @parties regenerated, now with correct values
+
+        expect(Card::Auth.current.parties).to eq(new_parties)
+        # @joe_user_card.refresh(force=true).parties.should == new_parties
+        # should work, but now superfluous?
       end
     end
+  end
 
-    describe "among?" do
-      it "is true for self" do
-        expect(Card::Auth.current.among?([Card::Auth.current_id])).to be_truthy
-      end
+  describe "among?" do
+    it "is true for self" do
+      expect(Card::Auth.current.among?([Card::Auth.current_id])).to be_truthy
     end
+  end
 
-    describe "+*email" do
-      it "creates a card and account card" do
-        jadmin = Card["joe admin"]
-        Card::Auth.current_id = jadmin.id
-        # simulate login to get correct from address
+  describe "+*email" do
+    it "creates a card and account card" do
+      jadmin = Card["joe admin"]
+      Card::Auth.current_id = jadmin.id
+      # simulate login to get correct from address
 
-        Card::Env[:params] = { email: { subject: "Hey Joe!",
-                                        message: "Come on in." } }
-        Card.create! name: "Joe New",
-                     type_id: Card::UserID,
-                     "+*account" => { "+*email" => "joe@new.com" }
+      Card::Env[:params] = { email: { subject: "Hey Joe!",
+                                      message: "Come on in." } }
+      Card.create! name: "Joe New",
+                   type_id: Card::UserID,
+                   "+*account" => { "+*email" => "joe@new.com" }
 
-        c = Card["Joe New"]
-        u = Card::Auth.find_account_by_email("joe@new.com")
+      c = Card["Joe New"]
+      u = Card::Auth.find_account_by_email("joe@new.com")
 
-        expect(c.account).to eq(u)
-        expect(c.type_id).to eq(Card::UserID)
-      end
+      expect(c.account).to eq(u)
+      expect(c.type_id).to eq(Card::UserID)
     end
+  end
 
-    context "updates" do
-      let(:card) {Card["Joe User"]}
-      let(:account) {card.account}
+  context "updates" do
+    let(:card) {Card["Joe User"]}
+    let(:account) {card.account}
 
-      it "handles email updates" do
-        card.update! "+*account" => { "+*email" => "joe@user.co.uk" }
-        expect(account.email).to eq("joe@user.co.uk")
-      end
+    it "handles email updates" do
+      card.update! "+*account" => { "+*email" => "joe@user.co.uk" }
+      expect(account.email).to eq("joe@user.co.uk")
+    end
 
-      it "lets Wagn Bot block accounts", as_bot: true do
-        card.account.status_card.update! content: "blocked"
-        expect(account.blocked?).to be_truthy
-      end
+    it "lets Wagn Bot block accounts", as_bot: true do
+      card.account.status_card.update! content: "blocked"
+      expect(account.blocked?).to be_truthy
+    end
 
-      it "does not allow a user to block or unblock himself" do
-        expect do
-          account.status_card.update! content: "blocked"
-        end.to raise_error(ActiveRecord::RecordInvalid,
-                           "Validation failed: Permission denied You don't have "\
-                         "permission to change the status of your own account")
-        expect(account.blocked?).to be_falsey
-      end
+    it "does not allow a user to block or unblock himself" do
+      expect do
+        account.status_card.update! content: "blocked"
+      end.to raise_error(ActiveRecord::RecordInvalid,
+                         "Validation failed: Permission denied You don't have "\
+                       "permission to change the status of your own account")
+      expect(account.blocked?).to be_falsey
     end
+  end
 
-    describe "#read_rules" do
-      before(:all) do
-        @read_rules = Card["joe_user"].read_rules
-      end
+  describe "#read_rules" do
+    before(:all) do
+      @read_rules = Card["joe_user"].read_rules
+    end
 
-      it "*all+*read should apply to Joe User" do
-        expect(@read_rules.member?(Card.fetch("*all+*read").id)).to be_truthy
-      end
+    it "*all+*read should apply to Joe User" do
+      expect(@read_rules.member?(Card.fetch("*all+*read").id)).to be_truthy
+    end
 
-      it "11 more should apply to Joe Admin" do
-        # includes lots of account rules...
-        Card::Auth.as("joe_admin") do
-          ids = Card::Auth.as_card.read_rules
-          expect(ids.length).to eq(@read_rules.size + 17)
-        end
+    it "11 more should apply to Joe Admin" do
+      # includes lots of account rules...
+      Card::Auth.as("joe_admin") do
+        ids = Card::Auth.as_card.read_rules
+        expect(ids.length).to eq(@read_rules.size + 17)
       end
     end
   end

data/mod/account/spec/set/right/account_spec.rb

@@ -27,18 +27,17 @@ RSpec.describe Card::Set::Right::Account do
     end
 
     it "checks accountability of 'accounted' card" do
-      unaccountable = Card.create(dummy_account_args)
-      expect(unaccountable.errors["+*account"].first).to eq("not allowed on this card")
+      expect(Card.create(dummy_account_args).errors["+*account"].first)
+        .to match(/You don\'t have permission to create/)
     end
 
-    it "works for any accountable card -- not just User type" do
+    it "works for any card with +*account permissions -- not just User type" do
       Card::Auth.as_bot do
-        rule_name = Card::Name[%i[basic type accountable]]
-        Card.create! name: rule_name, content: "1"
+        Card.create! name: Card::Name[%i[basic account type_plus_right create]],
+                     content: "Anyone Signed In"
       end
 
-      accountable = Card.create(dummy_account_args)
-      expect(accountable.errors).to be_empty
+      expect(Card.create(dummy_account_args).errors).to be_empty
     end
 
     it "requires email" do
@@ -51,12 +50,12 @@ RSpec.describe Card::Set::Right::Account do
     end
   end
 
-  describe "#send_account_verification_email" do
+  describe "#send_verification_email" do
     before do
       @email = "joe@user.com"
       @account = Card::Auth.find_account_by_email(@email)
       Mail::TestMailer.deliveries.clear
-      @account.send_account_verification_email
+      @account.send_verification_email
       @mail = Mail::TestMailer.deliveries.last
     end
 
@@ -71,8 +70,9 @@ RSpec.describe Card::Set::Right::Account do
 
     it "contains link to verify account" do
       raw_source = @mail.parts[0].body.raw_source
-      ["/update/#{@account.left.name.url_key}",
-       "token=#{@account.token}"].each do |url_part|
+      ["/update/#{@account.name.url_key}",
+       "card%5Btrigger%5D=verify_and_activate",
+       "token="].each do |url_part|
         expect(raw_source).to include(url_part)
       end
     end
@@ -83,12 +83,29 @@ RSpec.describe Card::Set::Right::Account do
     end
   end
 
-  describe "#send_reset_password_token" do
+  describe "#verify_and_activate" do
+    it "activates account" do
+      user = Card.create!(
+        name: "TmpUser",
+        type_id: Card::UserID,
+        "+*account" => { "+*password" => "tmp_pass",
+                         "+*email" => "tmp@decko.org",
+                         "+*status" => "unverified" }
+      )
+
+      Card::Env.params[:token] = Card::Auth::Token.encode user.id, anonymous: true
+      user.account.update! trigger: :verify_and_activate
+
+      expect(user.account).to be_active
+    end
+  end
+
+  describe "#send_password_reset_email" do
     before do
       @email = "joe@user.com"
       @account = Card::Auth.find_account_by_email(@email)
       Mail::TestMailer.deliveries = []
-      @account.send_reset_password_token
+      @account.send_password_reset_email
       @mail = Mail::TestMailer.deliveries.last
     end
 
@@ -99,10 +116,8 @@ RSpec.describe Card::Set::Right::Account do
 
     it "contains password reset link" do
       raw_source = @mail.parts[0].body.raw_source
-      token = @account.token_card.refresh(true).content
       ["/update/#{@account.left.name.url_key}",
-       "token=#{token}",
-       "live_token=true",
+       "token=",
        "card%5Btrigger%5D=reset_password"].each do |url_part|
         expect(raw_source).to include(url_part)
       end
@@ -136,39 +151,31 @@ RSpec.describe Card::Set::Right::Account do
     before do
       @email = "joe@user.com"
       @account = Card::Auth.find_account_by_email(@email)
-      @account.send_reset_password_token
-      @token = @account.token
-      Card::Env.params[:token] = @token
       Card::Auth.current_id = Card::AnonymousID
     end
 
     let(:trigger_reset) { @account.update! trigger: :reset_password }
 
+    def auth_token extra_payload={}
+      Card::Env.params[:token] = Card::Auth::Token.encode @account.left_id, extra_payload
+    end
+
     it "authenticates with correct token" do
+      auth_token
       expect(Card::Auth.current_id).to eq(Card::AnonymousID)
       trigger_reset
       expect(Card::Auth.current_id).to eq(@account.left_id)
-      @account = @account.refresh true
     end
 
     it "does not work if token is expired" do
-      @account.token_card.update_column :updated_at,
-                                        3.days.ago.strftime("%F %T")
-      @account.token_card.expire
-
-      trigger_reset
-
-      expect(@account.token).not_to eq(@token)
-      # token gets updated
-
-      expect(@account.success.message).to match(/expired/)
+      auth_token exp: 1.days.ago.to_i
+      expect { trigger_reset }.to raise_error(/Signature has expired/)
       # user notified of expired token
     end
 
     it "does not work if token is wrong" do
-      Card::Env.params[:token] = @token + "xxx"
-      trigger_reset
-      expect(Card::Env.success[:message]).to match(/mismatch/)
+      Card::Env.params[:token] = auth_token + "xxx"
+      expect { trigger_reset }.to raise_error(/Signature verification raised/)
     end
   end
 end

data/mod/account/spec/set/self/signin_spec.rb

@@ -53,8 +53,8 @@ RSpec.describe Card::Set::Self::Signin do
   context "#reset password" do
     it "is triggered by an update" do
       # Card['joe admin'].account.token.should be_nil FIXME:  this should be t
-      @card.update! "+*email" => "joe@admin.com"
-      expect(Card["joe admin"].account.token).not_to be_nil
+      @card.update! "+*email" => "joe@admin.com", trigger: :send_reset_password_token
+      expect(Mail::TestMailer.deliveries.last.to.first).to eq("joe@admin.com")
     end
 
     it "returns an error if email is not found" do

data/mod/account/spec/set/type/signup_spec.rb

@@ -5,6 +5,14 @@ RSpec.describe Card::Set::Type::Signup do
     Card::Auth.current_id = Card::AnonymousID
   end
 
+  let :big_bad_signup do
+    Mail::TestMailer.deliveries.clear
+    Card.create!(
+      name: "Big Bad Wolf", type_id: Card::SignupID,
+      "+*account" => { "+*email" => "wolf@wagn.org", "+*password" => "wolf" }
+    )
+  end
+
   context "signup form form" do
     subject do
       Card.new(type_id: Card::SignupID).format.render! :new
@@ -19,29 +27,21 @@ RSpec.describe Card::Set::Type::Signup do
 
   context "signup (without approval)" do
     before do
-      ActionMailer::Base.deliveries = [] # needed?
-
       Card::Auth.as_bot do
         Card.create! name: "User+*type+*create", content: "[[Anyone]]"
       end
-
       Card::Auth.current_id = Card::AnonymousID
-      @signup = Card.create!(
-        name: "Big Bad Wolf", type_id: Card::SignupID,
-        "+*account" => { "+*email" => "wolf@wagn.org", "+*password" => "wolf" }
-      )
 
+      @signup = big_bad_signup
       @account = @signup.account
-      @token = @account.token
     end
 
     it "creates all the necessary cards" do
       expect(@signup.type_id).to eq(Card::SignupID)
       expect(@account.email).to eq("wolf@wagn.org")
-      expect(@account.status).to eq("pending")
+      expect(@account.status).to eq("unverified")
       expect(@account.salt).not_to eq("")
       expect(@account.password.length).to be > 10 # encrypted
-      expect(@account.token).to be_present
     end
 
     it "renders in core view" do
@@ -50,9 +50,9 @@ RSpec.describe Card::Set::Type::Signup do
         expect(@signup.format.render_core).to have_tag "div.invite-links" do
           with_tag "div", text: "A verification email has been sent to wolf@wagn.org"
           with_tag "div" do
-            with_tag "a", href: "/update/Big_Bad_Wolf?approve_with_token=true",
+            with_tag "a", href: "/update/Big_Bad_Wolf?approve_with_verification=true",
                           text: "Resend verification email"
-            with_tag "a", href: "/update/Big_Bad_Wolf?approve_without_token=true",
+            with_tag "a", href: "/update/Big_Bad_Wolf?approve_without_verification=true",
                           text: "Approve without verification"
             with_tag "a", href: "/delete/Big_Bad_Wolf",
                           text: "Deny and delete"
@@ -67,74 +67,41 @@ RSpec.describe Card::Set::Type::Signup do
       expect(body).to match(Card.global_setting(:title))
     end
 
-    it "creates an authenticable token" do
-      expect(@account.token).to eq(@token)
-      expect(@account.validate_token!(@token)).to be_truthy
-      expect(@account.errors).to be_empty
-    end
-
     it "notifies someone" do
       expect(ActionMailer::Base.deliveries.map(&:to).sort).to(
         eq [["signups@wagn.org"], ["wolf@wagn.org"]]
       )
     end
 
-    it "is activated by an update" do
-      Card::Env.params[:token] = @token
-      @signup = Card.fetch "big bad wolf"
-      @signup.update({})
+    it "can be activated by verification token" do
+      Card::Env.params[:token] = Card::Auth::Token.encode @signup.id, anonymous: true
+      account = @signup.account
+      account.update! trigger: :verify_and_activate
       # puts @signup.errors.full_messages * "\n"
-      expect(@signup.errors).to be_empty
-      expect(@signup.type_id).to eq(Card::UserID)
-      expect(@account.status).to eq("active")
-      expect(Card[@account.name].active?).to be_truthy
-    end
-
-    it "rejects expired token and creates new token" do
-      @account.token_card.update_column :updated_at,
-                                        8.days.ago.strftime("%F %T")
-      @account.token_card.expire
-      Card::Env.params[:token] = @token
-      @signup = Card.fetch "big bad wolf"
-      result = @signup.update!({})
-      # successfully completes save
-      expect(result).to eq(true)
-      @account.reload
-      # token gets updated
-      expect(@account.token).not_to eq(@token)
-      # user notified of expired token
-      expect(Card::Env.success.message)
-        .to match(/Please check your email for a new password reset link\./)
+      expect(account.errors).to be_empty
+      expect(account.status).to eq("active")
+      expect(account.refresh(true)).to be_active
+      expect(@signup.refresh(true).type_id).to eq(Card::UserID)
     end
   end
 
   context "signup (with approval)" do
     before do
       # NOTE: by default Anonymous does not have permission
-      # to create User cards.
-      Mail::TestMailer.deliveries.clear
+      # to create User cards and thus requires approval
       Card::Auth.current_id = Card::AnonymousID
-      @signup = Card.create! name: "Big Bad Wolf",
-                             type_id: Card::SignupID,
-                             "+*account" => {
-                               "+*email" => "wolf@wagn.org",
-                               "+*password" => "wolf"
-                             }
+      @signup = big_bad_signup
       @account = @signup.account
     end
 
-    it "creates all the necessary cards, but no token" do
+    it "creates all the necessary cards" do
       expect(@signup.type_id).to eq(Card::SignupID)
       expect(@account.email).to eq("wolf@wagn.org")
-      expect(@account.status).to eq("pending")
+      expect(@account.status).to eq("unapproved")
       expect(@account.salt).not_to eq("")
       expect(@account.password.length).to be > 10 # encrypted
     end
 
-    it "does not create a token" do
-      expect(@account.token).not_to be_present
-    end
-
     it "sends signup alert email" do
       signup_alert = ActionMailer::Base.deliveries.last
       expect(signup_alert.to).to eq(["signups@wagn.org"])
@@ -149,27 +116,24 @@ RSpec.describe Card::Set::Type::Signup do
       expect(Mail::TestMailer.deliveries[-2]).to be_nil
     end
 
-    context "approval with token" do
-      it "creates token" do
-        Card::Env.params[:approve_with_token] = true
+    context "when approving with verification" do
+      it "sets status to 'unverified'" do
         Card::Auth.as "joe_admin"
+        @signup.update! trigger: :approve_with_verification
+
+        expect(@signup.account.status).to eq("unverified")
+        expect(@signup.type_id).to eq(Card::SignupID)
 
-        @signup = Card.fetch @signup.id
-        @signup.save!
-        expect(@signup.account.token).to be_present
+        # test that verification email goes out?
       end
     end
 
-    context "approval without token" do
-      it "creates token" do
-        Card::Env.params[:approve_without_token] = true
+    context "when approving without verification" do
+      it "immediately converts signup to active user" do
         Card::Auth.as "joe_admin"
-
-        @signup = Card.fetch @signup.id
-        @signup.save!
-        expect(@signup.account.token).not_to be_present
+        @signup.update! trigger: :approve_without_verification
         expect(@signup.type_id).to eq(Card::UserID)
-        expect(@signup.account.status).to eq("active")
+        expect(@signup.account).to be_active
       end
     end
   end
@@ -193,7 +157,8 @@ RSpec.describe Card::Set::Type::Signup do
 
     it "sends welcome email when account is activated" do
       # @signup.run_phase :approve do
-      @signup.activate_account
+      Card::Auth.as "joe admin"
+      @signup.update! trigger: :approve_without_verification
       # end
       @mail = ActionMailer::Base.deliveries.find { |a| a.subject == "welcome" }
       Mail::TestMailer.deliveries.clear
@@ -208,18 +173,15 @@ RSpec.describe Card::Set::Type::Signup do
       # NOTE:
       # by default Anonymous does not have permission to create User cards.
       Card::Auth.current_id = Card::WagnBotID
-      @signup = Card.create! name: "Big Bad Wolf", type_id: Card::SignupID,
-                             "+*account" => { "+*email" => "wolf@wagn.org" }
+      @signup = big_bad_signup
       @account = @signup.account
     end
 
-    it "creates all the necessary cards, but no password" do
+    it "creates all the necessary cards" do
       expect(@signup.type_id).to eq(Card::SignupID)
       expect(@account.email).to eq("wolf@wagn.org")
-      expect(@account.status).to eq("pending")
+      expect(@account.status).to eq("unverified")
       expect(@account.salt).not_to eq("")
-      expect(@account.token).to be_present
-      expect(@account.password).not_to be_present
     end
 
     it "considers signups created by signed-in users to be invitations" do