mno-enterprise-api 3.1.4 → 3.2.0

data/lib/mno_enterprise/concerns/controllers/jpi/v1/teams_controller.rb

@@ -0,0 +1,92 @@
+module MnoEnterprise::Concerns::Controllers::Jpi::V1::TeamsController
+  extend ActiveSupport::Concern
+
+  #==================================================================
+  # Included methods
+  #==================================================================
+  # 'included do' causes the included code to be evaluated in the
+  # context where it is included rather than being executed in the module's context
+  included do
+    respond_to :json
+  end
+
+  #==================================================================
+  # Instance methods
+  #==================================================================
+  # GET /mnoe/jpi/v1/organizations/:organization_id/teams
+  def index
+    authorize! :read, parent_organization
+    @teams = parent_organization.teams
+  end
+
+  # GET /mnoe/jpi/v1/teams/:id
+  def show
+    @team = MnoEnterprise::Team.find(params[:id])
+    authorize! :read, @team.organization
+  end
+
+  # POST /mnoe/jpi/v1/organizations/:organization_id/teams
+  def create
+    authorize! :manage_teams, parent_organization
+    @team = parent_organization.teams.create(team_params)
+
+    render 'show'
+  end
+
+  # PUT /mnoe/jpi/v1/teams/:id
+  def update
+    @team = MnoEnterprise::Team.find(params[:id])
+    authorize! :manage_teams, @team.organization
+
+    # Update regular attributes
+    @team.update_attributes(team_params)
+
+    # # Update permissions
+    if params[:team] && params[:team][:app_instances]
+      list = params[:team][:app_instances].select { |e| e != {} }
+      @team.set_access_to(list)
+    end
+
+    render 'show'
+  end
+
+  # PUT /mnoe/jpi/v1/teams/:id/add_users
+  def add_users
+    update_members(:add_user)
+  end
+
+  # PUT /mnoe/jpi/v1/teams/:id/remove_users
+  def remove_users
+    update_members(:remove_user)
+  end
+
+  # DELETE /mnoe/jpi/v1/teams/:id
+  def destroy
+    @team = MnoEnterprise::Team.find(params[:id])
+    authorize! :manage_teams, @team.organization
+    @team.destroy
+
+    head :no_content
+  end
+
+  private
+
+  # Update the members of a team
+  # Reduce duplication between add and remove
+  def update_members(action)
+    @team = MnoEnterprise::Team.find(params[:id])
+    authorize! :manage_teams, @team.organization
+
+    if params[:team] && params[:team][:users]
+      id_list = params[:team][:users].map { |h| h[:id] }.compact
+      users = @team.organization.users.where('id.in' => id_list)
+      users.each { |u| @team.send(action, u) }
+    end
+
+    render 'show'
+  end
+
+  def team_params
+    params.require(:team).permit(:name)
+  end
+end

data/lib/mno_enterprise/concerns/controllers/pages_controller.rb

@@ -23,9 +23,9 @@ module MnoEnterprise::Concerns::Controllers::PagesController
   # TODO: Access + existence checks could be added in the future. This is not
   # mandatory as Mno Enterprise will do it anyway
   def launch
-    app = MnoEnterprise::AppInstance.find_by(uid: params[:id])
-    MnoEnterprise::EventLogger.info('app_launch', current_user.id, "App launched", app.name, app)
-    redirect_to MnoEnterprise.router.launch_url(params[:id], wtk: MnoEnterprise.jwt(user_id: current_user.uid))
+    app_instance = MnoEnterprise::AppInstance.find_by(uid: params[:id])
+    MnoEnterprise::EventLogger.info('app_launch', current_user.id, 'App launched', app_instance)
+    redirect_to MnoEnterprise.router.launch_url(params[:id], {wtk: MnoEnterprise.jwt(user_id: current_user.uid)}.reverse_merge(request.query_parameters))
   end
 
   # GET /loading/:id
@@ -56,6 +56,20 @@ module MnoEnterprise::Concerns::Controllers::PagesController
     @meta[:description] = "Logged out from application"
   end
 
+  def terms
+    @meta[:title] = 'Terms of Use'
+    @meta[:description] = 'Terms of Use'
+
+    ts = MnoEnterprise::App.order_by("updated_at.desc").first.try(:updated_at)
+    @apps = if ts
+      Rails.cache.fetch(['pages/terms/app-list', ts]) do
+        MnoEnterprise::App.order_by("name.ac").reject{|i| i.terms_url.blank?}
+      end
+    else
+      []
+    end
+  end
+
   private
     def app_instance_hash(app_instance)
       return {} unless app_instance

data/lib/mno_enterprise/concerns/controllers/provision_controller.rb

@@ -40,7 +40,17 @@ module MnoEnterprise::Concerns::Controllers::ProvisionController
     unless @organization
       @organization = @organizations.one? ? @organizations.first : nil
     end
-    authorize! :manage_app_instances, @organization
+
+    if @organization && cannot?(:manage_app_instances, @organization)
+      msg = 'Unfortunately you do not have permission to purchase products for this organization'
+      if @organizations.one?
+        redirect_path = add_param_to_fragment(after_provision_path.to_s, 'flash', [{msg: msg,  type: :error}.to_json])
+        redirect_to redirect_path
+      else
+        @organization = nil
+        flash.now.alert = msg
+      end
+    end
 
     # Redirect to dashboard if no applications
     unless @apps && @apps.any?
@@ -51,12 +61,17 @@ module MnoEnterprise::Concerns::Controllers::ProvisionController
   # POST /provision
   # TODO: check organization accessibility via ability
   def create
+    # Avoid double provisioning: previous url would be "/provision/new?apps[]=vtiger&organization_id=1"
+    session.delete('previous_url')
+
     @organization = current_user.organizations.to_a.find { |o| o.id && o.id.to_s == params[:organization_id].to_s }
     authorize! :manage_app_instances, @organization
 
     app_instances = []
     params[:apps].each do |product_name|
-      app_instances << @organization.app_instances.create(product: product_name)
+      app_instance = @organization.app_instances.create(product: product_name)
+      app_instances << app_instance
+      MnoEnterprise::EventLogger.info('app_add', current_user.id, 'App added', app_instance)
     end
 
     render json: app_instances.map(&:attributes).to_json, status: :created

data/lib/mno_enterprise/concerns/mailers/system_notification_mailer.rb

@@ -23,7 +23,11 @@ module MnoEnterprise::Concerns::Mailers::SystemNotificationMailer
 
   # ==> Devise Email
   # Description:
-  #   Email asking users to confirm their email
+  #   New user: Email asking users to confirm their email
+  #     OR
+  #   Existing user: 
+  #    - Email asking users (on their new email) to confirm their email change
+  #    - Email notifying users (on their old email) of an email change
   #
   # Mandrill vars:
   #   :first_name
@@ -32,12 +36,21 @@ module MnoEnterprise::Concerns::Mailers::SystemNotificationMailer
   #   :confirmation_link
   #
   def confirmation_instructions(record, token, opts={})
-    template = record.confirmed? && record.unconfirmed_email? ? 'reconfirmation-instructions' : 'confirmation-instructions'
+    update_email = record.confirmed? && record.unconfirmed_email?
+    template = update_email ? 'reconfirmation-instructions' : 'confirmation-instructions'
+    email = update_email ? record.unconfirmed_email : record.email
     MnoEnterprise::MailClient.deliver(template,
       default_sender,
-      recipient(record),
+      recipient(record).merge(email: email),
       user_vars(record).merge(confirmation_link: user_confirmation_url(confirmation_token: token))
     )
+    if update_email
+      MnoEnterprise::MailClient.deliver('email-change',
+         default_sender,
+         recipient(record),
+         user_vars(record).merge(unconfirmed_email: record.unconfirmed_email)
+      )
+    end
   end
 
   # ==> Devise Email
@@ -76,6 +89,17 @@ module MnoEnterprise::Concerns::Mailers::SystemNotificationMailer
     )
   end
 
+  # Description:
+  #   Email notifying a change of password
+  #
+  def password_change(record, opts={})
+    MnoEnterprise::MailClient.deliver('password-change',
+      default_sender,
+      recipient(record),
+      user_vars(record)
+    )
+  end
+
   # Description:
   #   Send an email inviting the user to join an existing organization. If the user
   #   is already confirmed it is directed to the organization invite page where he

data/lib/mno_enterprise/event_logger.rb

@@ -1,26 +1,44 @@
 require 'httparty'
 
 module MnoEnterprise
+  # EventLogger to log various action performed by the end users (eg: sign in, add an app, ...)
+  # The EventLogger will enqueue notifications and dispatch them to the various listeners.
+  # The listeners can then process these event in any way they see fit (Audit Log, Analytics, ...)
   class EventLogger
-    include HTTParty
-    base_uri "#{MnoEnterprise.mno_api_private_host || MnoEnterprise.mno_api_host}/api/mnoe/v1/audit_events"
-    read_timeout 0.1
-    basic_auth MnoEnterprise.tenant_id, MnoEnterprise.tenant_key
+    @@listeners = [AuditEventsListener.new]
+    @@listeners << IntercomEventsListener.new if MnoEnterprise.intercom_enabled?
 
-    def self.info(key, current_user_id, description, metadata, object)
-      post('', body: {
-          data: {
-              key: key,
-              user_id: current_user_id,
-              description: description,
-              metadata: format_metadata(metadata, object),
-              subject_type: object.class.name,
-              subject_id: object.id
-          }})
-    rescue Net::ReadTimeout
-      # Meant to fail
+    # Enqueue a logging job to be performed later
+    #
+    # @param [String] key unique key identifying the event type
+    # @param [Integer] current_user_id user_id of the user triggering the event
+    # @param [String] description humanised description
+    # @param [Object] metadata
+    # @param [Object] object
+    def self.info(key, current_user_id, description, object, metadata = {})
+      formatted_metadata = format_metadata(metadata, object)
+      subject_type = object.class.name
+      subject_id = object.id
+      # TODO: improve
+      # Bypass Job queuing in specs or we'd have to stub lots of Her call for the deserialization
+      if Rails.env.test?
+        self.send_info(key, current_user_id, description, subject_type, subject_id, formatted_metadata)
+      else
+        MnoEnterprise::EventLoggerJob.perform_later('info', key, current_user_id, description, subject_type, subject_id, formatted_metadata)
+      end
+    rescue ActiveJob::SerializationError
+      Rails.logger.warn "[MnoEnterprise::EventLogger] Serialization error, skipping #{key} event"
+    end
+
+    # Send the event to the listeners
+    # @see .info for the params description
+    def self.send_info(key, current_user_id, description, subject_type, subject_id, metadata)
+      @@listeners.each do |listener|
+        listener.info(key, current_user_id, description, subject_type, subject_id, metadata)
+      end
     end
 
+    # Get the metadata from the object if not provided
     def self.format_metadata(metadata, object)
       if metadata.blank? && object.respond_to?(:to_audit_event)
         object.to_audit_event

data/lib/mno_enterprise/intercom_events_listener.rb

@@ -0,0 +1,96 @@
+require 'intercom'
+
+module MnoEnterprise
+
+  class IntercomEventsListener
+
+    attr_accessor :intercom
+
+    def initialize
+      args = if MnoEnterprise.intercom_token
+        {token: MnoEnterprise.intercom_token}
+      else
+        {app_id: MnoEnterprise.intercom_app_id, api_key: MnoEnterprise.intercom_api_key}
+      end
+      self.intercom = ::Intercom::Client.new(args)
+    end
+
+    def info(key, current_user_id, description, subject_type, subject_id, metadata)
+      u = User.find(current_user_id)
+      begin
+        intercom.users.find(user_id: current_user_id)
+      rescue Intercom::ResourceNotFound
+        self.update_intercom_user(u)
+      end
+      data = {created_at: Time.now.to_i, email: u.email, user_id: u.id, event_name: key.tr('_', '-')}
+      case key
+        when 'user_update', 'organization_update'
+          self.update_intercom_user(u)
+          # convert values to string
+          data[:metadata] = Hash[ metadata.collect {|k,v| [k, v.to_s] } ]
+        when 'user_confirm'
+          data[:event_name] = 'finished-sign-up'
+        when 'dashboard_create'
+          data[:event_name] = 'added-dashboard'
+        when 'dashboard_delete'
+          data[:event_name] = 'removed-dashboard'
+        when 'widget_delete'
+          data[:event_name] = 'removed-widget'
+        when 'widget_create'
+          data[:event_name] = 'added-widget'
+          data[:metadata] = {widget: metadata[:name]}
+        when 'app_launch'
+          data[:event_name] = 'launched-app-' + metadata[:app_nid]
+        when 'app_destroy'
+          data[:event_name] = 'deleted-app-'  + metadata[:app_nid]
+          data[:metadata] = {type: 'single', app_list: metadata[:app_nid]}
+        when 'app_add'
+          data[:event_name] = 'added-app-' + metadata[:app_nid]
+          data[:metadata] = {type: 'single', app_list: metadata[:app_nid]}
+      end
+      self.intercom.events.create(data)
+
+    rescue Intercom::IntercomError => e
+      Rails.logger.tagged('Intercom') { Rails.logger.warn 'Error while calling intercom ' + e.message}
+    end
+
+    def update_intercom_user(user, update_last_request_at = true)
+      data = {
+        user_id: user.id,
+        name: [user.name, user.surname].join(' '),
+        email: user.email,
+        created_at: user.created_at.to_i,
+        last_seen_ip: user.last_sign_in_ip,
+        custom_attributes: {},
+        update_last_request_at: update_last_request_at
+      }
+      data[:custom_attributes][:phone]= user.phone if user.phone
+      data[:custom_attributes][:external_id]= user.external_id if user.external_id
+
+      data[:companies] = user.organizations.map do |organization|
+        {
+          company_id: organization.id,
+          name: organization.name,
+          created_at: organization.created_at.to_i,
+          custom_attributes: {
+            industry: organization.industry,
+            size: organization.size,
+            credit_card_details: organization.credit_card?,
+            app_count: organization.app_instances.count,
+            app_list: organization.app_instances.map { |app| app.name }.to_sentence
+          }
+        }
+      end
+      intercom.users.create(data)
+      tag_user(user)
+    end
+
+    # If a source is set, tag the user with it
+    def tag_user(user)
+      if user.meta_data && user.meta_data[:source].present?
+        intercom.tags.tag(name: user.meta_data[:source], users: [{user_id: user.id}])
+      end
+    end
+  end
+end
+

data/spec/controllers/mno_enterprise/auth/confirmation_controller_spec.rb

@@ -64,5 +64,33 @@ module MnoEnterprise
         end
       end
     end
+
+    describe 'PATCH #finalize' do
+      let(:user_params) { {confirmation_token: user.confirmation_token, password: 'test', name: 'test'} }
+      subject { post :finalize, user: user_params }
+
+      before do
+        allow(MnoEnterprise::User).to receive(:find_for_confirmation) { user }
+        api_stub_for(get: "/org_invites?filter[user_email]=#{user.email}", response: from_api(nil))
+        api_stub_for(put: "/users/#{user.id}", response: from_api(user))
+      end
+
+      context 'unconfirmed user' do
+        let(:user) { unconfirmed_user }
+
+        it 'redirects the user to the dashboard' do
+          expect(subject).to redirect_to('/dashboard/')
+        end
+
+        context 'when password change notifications are enabled' do
+          before { user.class.send_password_change_notification = true }
+
+          it 'does not send an email' do
+            expect(user).not_to receive(:send_devise_notification)
+            subject
+          end
+        end
+      end
+    end
   end
 end

data/spec/controllers/mno_enterprise/auth/omniauth_callback_controller_spec.rb

@@ -0,0 +1,34 @@
+require 'rails_helper'
+
+module MnoEnterprise
+  describe Auth::OmniauthCallbacksController, type: :controller do
+    routes { MnoEnterprise::Engine.routes }
+
+
+    supported_providers = %i(linkedin google facebook)
+
+
+    describe 'provides callbacks for the providers' do
+      before do
+        Devise.omniauth :facebook, 'key', 'secret', secure_image_url: true
+        MnoEnterprise::Auth.send(:remove_const, :OmniauthCallbacksController)
+        load 'app/controllers/mno_enterprise/auth/omniauth_callbacks_controller.rb'
+      end
+
+
+      # No described_class as it doesn't take into account the reloading above
+      let(:controller) { MnoEnterprise::Auth::OmniauthCallbacksController.new }
+
+      it { expect(controller).to respond_to(:intuit) }
+      it { expect(controller).to respond_to(:facebook) }
+
+    end
+
+    # it creates an org?
+    # no if no email
+    # no if user already exists
+    # no if accepting an org invite
+
+
+  end
+end