glib-web 5.0.5 → 5.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f17a1a4daae7e40a97af1832e97b2d8c9dd67310f5c633cbdeb4ab3dd5d5d46a
-  data.tar.gz: 669a156ca671210d00fb34383fc99bdfe9089e69470709d733b4a686922b4291
+  metadata.gz: 6885a1b150291881895f5b3cdfda3c2424961e5fd953e7faebd2d421242d930c
+  data.tar.gz: 2c9b74ee8ac40b6b887d3b14a06915b98b0562a207d578d63b955a12b7e235f9
 SHA512:
-  metadata.gz: e707bdf53ababa1afe4b53fa4a8d6d0f6c7bf4db2730a18fc576cf58fd7c7d16e3081a98a488c18a5c8d6ee953edaa44c4a8c2f4e53840ae367f44d735435e2d
-  data.tar.gz: f88d6a7ddec4a1c364396579a3b56eaaf82e98dd32a16a5d2f0595c0ea0d79dbfa63ab94df4ccefefd47aa6a4b12b601793a67aed5d51d22ee8c2670ed8993c0
+  metadata.gz: 67e1d34169a5cea5970378da912372ff6b0c5b1e0b7793c9e05fc50347cd1e118f55d0b9b63a328a60fdff810c913ba94575198eee0cd147d161feb8272c6c27
+  data.tar.gz: dadf602d4b72f9c2c2ef4434182c94eb6690f05e1ec934226de01d8c24cef88719f29cba394d12c5e13df93e82144f46ae8425443b4318807780bcde5381d761

data/app/controllers/concerns/glib/analytics/funnel.rb

@@ -38,7 +38,16 @@ module Glib::Analytics
       referrer_url = request.headers['referer'] # Notice that the HTTP header uses one "r"
       if group.nil? && action.nil? && !referrer_url.nil?
         current_host = request.host
-        referrer_host = URI.parse(referrer_url).host
+        # The Referer header is attacker-controlled and may not be a valid URI
+        # (scanners send junk like "() { ignored; }; cat /etc/passwd"). Treat an
+        # unparseable referer as "no referer" rather than letting URI::InvalidURIError
+        # bubble up mid-render, where the 500 rescue then double-renders.
+        referrer_host =
+          begin
+            URI.parse(referrer_url).host
+          rescue URI::InvalidURIError
+            nil
+          end
 
         # Replace the subdomain portion with regex so it will only match the non-subdomain part.
         # This will allow cross-subdomain referral, but it will not work if the host is a bare domain,

data/app/controllers/concerns/glib/json/libs.rb

@@ -249,6 +249,13 @@ module Glib::Json::Libs
           Rollbar.error(exception, use_exception_level_filters: true)
         end
 
+        # The exception may have been raised AFTER a response was already rendered
+        # (e.g. from an after_action injection). Rendering the error page on top of that
+        # would raise AbstractController::DoubleRenderError, which masks the genuine
+        # exception reported above. The real cause is already logged, so leave the
+        # already-rendered response in place rather than double-rendering.
+        return if performed?
+
         render file: Rails.root.join('public', '500.html'), status: :internal_server_error
       else
         raise exception
@@ -261,6 +268,12 @@ module Glib::Json::Libs
   def glib_json_handle_404(exception, preview_mode)
     if json_ui_activated?
       if Rails.env.production? || preview_mode
+        # As with glib_json_handle_500: if a response was already rendered (e.g. an
+        # after_action raised RecordNotFound), rendering the 404 page on top would raise
+        # AbstractController::DoubleRenderError and mask the real exception. Keep the
+        # already-rendered response instead of double-rendering.
+        return if performed?
+
         render file: Rails.root.join('public', '404.html'), status: :not_found
       else
         raise exception

data/lib/glib/mailer_tester.rb

@@ -8,11 +8,7 @@ module Glib
 
     module ClassMethods
       def generate_preview_tests
-        project_root = Rails.root
-        paths = Dir.glob(project_root + 'test/mailers/previews/*')
-        paths.each do |file|
-          require file
-        end
+        Glib::MailerTester.load_preview_files
 
         ActionMailer::Preview.subclasses.each do |preview_class|
           preview = preview_class.new
@@ -45,6 +41,95 @@ module Glib
           end
         end
       end
+
+      # Opt-in companion to `generate_preview_tests`. That method only snapshot-tests
+      # the previews that EXIST; this asserts every mailer ACTION has a matching
+      # preview, so a new mailer/action can't silently ship with no preview.
+      #
+      # `except:` allowlists "Mailer#action" strings that intentionally have no
+      # preview — document the reason at the call site.
+      def assert_all_mailer_actions_have_previews(except: [])
+        test 'every mailer action has a preview' do
+          missing = Glib::MailerTester.missing_previews(except: except)
+          assert missing.empty?, Glib::MailerTester.missing_previews_message(missing)
+        end
+      end
+    end
+
+    # --- Preview coverage (companion to generate_preview_tests) ---------------
+
+    # Loads every preview file (idempotent — `require` no-ops if already loaded).
+    def self.load_preview_files
+      Dir.glob(Rails.root + 'test/mailers/previews/*').each { |file| require file }
+    end
+
+    # Sorted Array<String> of "Mailer#action" entries that have no preview.
+    def self.missing_previews(except: [])
+      load_preview_files
+      compute_missing_previews(
+        mailer_actions: reflect_mailer_actions,
+        previewed_actions: ->(mailer) { reflect_preview_methods(mailer) },
+        except: except
+      )
+    end
+
+    # Pure (no Rails reflection) so it is unit-testable.
+    #   mailer_actions:    { "FooMailer" => ["welcome", "goodbye"] }
+    #   previewed_actions: ->(mailer_name) { ["welcome"] }
+    #   except:            ["FooMailer#goodbye"]
+    def self.compute_missing_previews(mailer_actions:, previewed_actions:, except: [])
+      excluded = except.map(&:to_s).to_set
+      mailer_actions.flat_map do |mailer, actions|
+        previewed = Array(previewed_actions.call(mailer)).map(&:to_s).to_set
+        actions.map(&:to_s)
+               .reject { |action| previewed.include?(action) }
+               .map { |action| "#{mailer}##{action}" }
+      end.reject { |id| excluded.include?(id) }.sort
+    end
+
+    def self.missing_previews_message(missing)
+      <<~MSG
+        Every mailer action must have a preview so `generate_preview_tests` snapshot-tests it.
+        These actions have none:
+
+          #{missing.join("\n  ")}
+
+        Add a method named after the action to the matching `<Mailer>Preview` class under
+        test/mailers/previews/, returning `<Mailer>.<action>(...)`. If an action genuinely
+        cannot be previewed, allowlist it with a reason:
+
+          assert_all_mailer_actions_have_previews(except: ['FooMailer#some_action']) # why
+      MSG
+    end
+
+    # Reflection glue (needs a loaded Rails app). Scopes to app mailers under
+    # `ApplicationMailer` so third-party mailers (Devise, etc.) are not flagged.
+    def self.reflect_mailer_actions
+      load_mailer_files
+      base = '::ApplicationMailer'.safe_constantize || ActionMailer::Base
+      base.descendants.each_with_object({}) do |mailer, acc|
+        actions = mailer.action_methods.to_a
+        acc[mailer.name] = actions unless actions.empty?
+      end
+    end
+
+    # Loads only `app/mailers` (so every mailer subclass is defined) rather than
+    # eager-loading the whole app — faster, and avoids unrelated load failures.
+    def self.load_mailer_files
+      dir = Rails.root.join('app/mailers')
+      return unless dir.exist?
+
+      loader = Rails.respond_to?(:autoloaders) ? Rails.autoloaders.main : nil
+      if loader.respond_to?(:eager_load_dir)
+        loader.eager_load_dir(dir.to_s)
+      else
+        Rails.application.eager_load!
+      end
+    end
+
+    def self.reflect_preview_methods(mailer_name)
+      preview = "#{mailer_name}Preview".safe_constantize
+      preview ? preview.instance_methods(false).map(&:to_s) : []
     end
 
     def log_root_dir

data/lib/glib/test_helpers.rb

@@ -134,8 +134,7 @@ module Glib
     #   submit_form(response.body, { chat: { message_body: 'Hello' } })
     #
     def submit_form(page_payload, data, url: nil, method: nil)
-      json = JSON.parse(page_payload)
-      form = __find_form(json)
+      form = find_form(page_payload)
 
       raise 'No form found in page. Ensure the form is rendered properly.' unless form
 
@@ -173,6 +172,23 @@ module Glib
       assert_response :success
     end
 
+    # Locates the form in a rendered page payload without submitting it -- useful for
+    # asserting on a form's attributes (e.g. its HTTP method) in a test. Returns the form
+    # Hash, or nil when the page renders no form. When several forms are present it returns
+    # the one with the most childViews, the same selection submit_form uses internally.
+    #
+    # @param page_payload [String, Hash] The JSON response body, or an already-parsed Hash
+    # @return [Hash, nil] The located form view, or nil if none is rendered
+    #
+    # @example
+    #   get new_chat_url(checklist_id: checklist.id), params: json_params
+    #   assert_equal 'post', find_form(response.body)['method']
+    #
+    def find_form(page_payload)
+      json = page_payload.is_a?(String) ? JSON.parse(page_payload) : page_payload
+      __find_form(json)
+    end
+
     def glib_travel(*args, &block)
       Timecop.travel(*args, &block)
     end
@@ -207,6 +223,11 @@ module Glib
 
       def __build_form_params(form, data)
         params = {}
+
+        # Skip ALL hidden fields under the same model prefix, not just exact key matches.
+        # Hidden fields use flat bracket notation (e.g. "submission[task_id]") while data uses
+        # nested hashes (e.g. { submission: { signature_submission_attributes: { ... } } }).
+        # Mixing both in params makes Rails misparse them, resulting in 403 Forbidden errors.
         data_prefixes = data.keys.map { |k| "#{k}[" }
 
         __extract_form_fields(form).each do |field|

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: glib-web
 version: !ruby/object:Gem::Version
-  version: 5.0.5
+  version: 5.0.7
 platform: ruby
 authors:
 - ''