ucb_rails_user 8.0.4 → 8.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d1e82725f375724e87fee2abd8ebd6a1eef2d9e99866e2f93c42ceae225e540
-  data.tar.gz: 9889577c25c659e93aa4ae9a4a1a4cbe8a672b325dd68d694d03b12078ef9120
+  metadata.gz: '09287b7395b9051f836da163e113b19e79b97f2ca1a4244ac647fb01de4ef398'
+  data.tar.gz: 91ed2a6b9f2d2aa7a1a8d41c16bca50d179e17eeaec497fce684d606eef3d9ce
 SHA512:
-  metadata.gz: c1e3e70e8637c5bcc38cd1916950d18137de5638963fdd58067665946aeb3e51fd54562cd8c14425aae85ee68574b8acabd29f34e0f4026e0a94e3d49e47c7ec
-  data.tar.gz: e7c74e99cc0cb2c0206fd7a507a3e18f152dedc756648058792f34610ce796a87985752a06ec89a83847686a0353463d54d2e08e22081197e4afbe1bbace1821
+  metadata.gz: 14686fd6c41309f33ae5d16d427c7d6270f6a0f1601d2f2ded8d22562c4cfd124e92f2ca3e3d59a5079309cc1413514c1448c1ce6583b3c51e005c02d5799cb7
+  data.tar.gz: 5273939befe8db63989e4e4f6940ec23e93f9cecaf1a7aeb20c7acbcad60cd415154b0e4b87b25391bb7dc3a05f3e80c04759d64e7fcc5ce335d6e17a0bc9ff1

data/README.md

@@ -89,23 +89,7 @@ And in `application.js` add this line:
 //= require ucb_rails_user/scripts
 ```
 
-9. Enable Turbo (required for admin user search functionality)
-
-The admin user search uses Turbo Frames for seamless searching without page reloads. Add this to your application layout (typically `app/views/layouts/application.html.erb`):
-
-```erb
-<%= turbo_include_tags %>
-```
-
-Also update any `data-turbolinks-track` attributes to use `data-turbo-track` instead:
-
-```erb
-<%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
-```
-
-If your app doesn't already include Turbo, make sure the `turbo-rails` gem is in your Gemfile (it's included as a dependency of this gem).
-
-10. Restart your host app as usual
+9. Restart your host app as usual
 
 You should be able to access the following routes:
 
@@ -306,5 +290,3 @@ There is a new session timeout gem that can be used as well. It has a nice Javas
 ## Version 8+
 
 This version removes both the emailing setup functionality as well as the error reporting functionality. Those are both in the [UcbRailsDefaults] (https://gitlab.com/ucb-bit/cad/aa/ucb_rails_defaults) gem. This gem's dependencies have been slimmed down so that only the basics to run the gem are required. This makes it easier to upgrade the including apps.
-
-Versions 8.0.x use the new standard of Turbo, importmaps, and propshaft. The 8.0.x versions do not have the latest CAS upgrades in them and are used for Rails 8 apps that are in maintenance mode.

data/app/assets/stylesheets/ucb_rails_user/components/users_table.css

@@ -1,26 +1,13 @@
 .ucb-rails-users-table-header {
   margin-top: 16px;
-margin-bottom: 8px; }
+margin-bottom: 16px; }
 
 .ucb-rails-users-table-header a {
-margin-top: 0px; }
-
-.ucb-rails-users-table-header form {
-  display: flex !important;
-  gap: 15px;
-  align-items: center;
-  flex-direction: row;
-}
-
-.ucb-rails-users-table-header form span,
-.ucb-rails-users-table-header form select,
-.ucb-rails-users-table-header form input {
-  vertical-align: middle;
-}
+margin-top: 16px; }
 
 table.ucb-rails-users-table {
   border-spacing: 0px;
-  margin-top: 8px;
+  margin-top: 16px; 
 }
 
 table.ucb-rails-users-table th {

data/app/controllers/concerns/ucb_rails_user/sessions_controller_concerns.rb

@@ -5,12 +5,12 @@ module UcbRailsUser::SessionsControllerConcerns
     skip_before_action :ensure_authenticated_user, :log_request, raise: false
   end
 
-  # Redirects to authentication provider
+  # Renders login form for authentication provider
   #
   # @return [nil]
   def new
-    provider = UcbRailsUser[:omniauth_provider] || :cas
-    redirect_to "/auth/#{provider}"
+    @provider = UcbRailsUser[:omniauth_provider] || :cas
+    render 'ucb_rails_user/sessions/new'
   end
 
   # Login user after authentication by provider

data/app/controllers/concerns/ucb_rails_user/users_controller_concerns.rb

@@ -9,20 +9,7 @@ module UcbRailsUser::UsersControllerConcerns
   end
 
   def index
-    @sort = params[:sort] || "last_name"
-    @sort_dir = params[:dir] || "asc"
-
-    # Build the query
-    users = if !params[:query].blank?
-      search_user_table(params[:query])
-    else
-      UcbRailsUser.user_class.all
-    end
-
-    # Apply sorting
-    users = users.order("#{@sort} #{@sort_dir}")
-
-    @pagy, @users = pagy(users, limit: params[:count])
+    @pagy, @users = pagy(UcbRailsUser.user_class.all, limit: params[:count])
   end
 
   def search
@@ -104,6 +91,7 @@ module UcbRailsUser::UsersControllerConcerns
       @lps_existing_uids = UcbRailsUser.user_class.where(ldap_uid: uid_strings).pluck(:uid)
       render 'ucb_rails_user/lps/search'
     end
+
   end
 
   def typeahead_search
@@ -123,10 +111,6 @@ module UcbRailsUser::UsersControllerConcerns
 
   private
 
-  def search_user_table(query)
-    UcbRailsUser.user_class.where('lower(first_name) like lower(:q) or lower(last_name) like lower(:q) or lower(email) like lower(:q) or lower(alternate_email) like lower(:q) or ldap_uid like :q or ldap_uid like :q or employee_id like :q', q: '%' + query + '%')
-  end
-
   def user_params(extra_params = [])
     params.require(:user).permit([
       :superuser_flag,
@@ -146,4 +130,5 @@ module UcbRailsUser::UsersControllerConcerns
   def find_user
     @user ||= UcbRailsUser.user_class.find(params.fetch(:id))
   end
+
 end

data/app/views/ucb_rails_user/sessions/new.html.erb

@@ -0,0 +1,21 @@
+<div style="display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f5f5f5;">
+  <div style="background: white; padding: 2rem; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); text-align: center; max-width: 400px; width: 100%;">
+    <h1 style="margin-bottom: 1.5rem; color: #333;">Sign In Required</h1>
+    
+    <p style="margin-bottom: 2rem; color: #666;">Please sign in to continue</p>
+    
+    <%= button_to "/auth/#{@provider}", 
+                  method: :post,
+                  data: { turbo: false },
+                  style: "background-color: #003262; color: white; padding: 12px 24px; font-size: 16px; border: none; border-radius: 4px; cursor: pointer; width: 100%; font-weight: 500;" do %>
+      Sign in with CalNet
+    <% end %>
+    
+    <% if Rails.env.development? %>
+      <p style="margin-top: 2rem; font-size: 12px; color: #999;">
+        Environment: Development<br>
+        Provider: <%= @provider %>
+      </p>
+    <% end %>
+  </div>
+</div>

data/app/views/ucb_rails_user/users/_user.html.erb

@@ -1,3 +1,4 @@
+<%= turbo_frame_tag "users" do %>
   <tr id="user_<%=user.id%>" class="user">
     <td><%= checkmark(user.superuser?) %></td>
     <td><%= checkmark(user.inactive?) %></td>
@@ -8,9 +9,10 @@
     <td class="min"><%= user.ldap_uid %></td>
     <td class="min"><%= user.employee_id %></td>
     <td>
-      <%= link_to 'edit', edit_admin_user_path(user), class: 'btn btn-primary', id: dom_id(user, 'edit'), role: 'button', data: { turbo_frame: "users" } %>
+      <%= link_to 'edit', edit_admin_user_path(user), class: 'btn btn-blue', id: dom_id(user, 'edit') %>
     </td>
     <td>
       <%= button_to 'delete', admin_user_path(user), method: :delete, data: { confirm: "Are you sure?" }, class: "btn btn-danger" %>
     </td>
   </tr>
+<% end %>

data/app/views/ucb_rails_user/users/edit.html.erb

@@ -1,5 +1,3 @@
-<%= turbo_frame_tag "users" do %>
-  <h1>Edit User</h1>
+<h1>Edit User</h1>
 
-  <%= render partial: 'form', locals: { url: admin_user_path(@user), method: :put } %>
-<% end %>
+<%= render partial: 'form', locals: { url: admin_user_path(@user), method: :put } %>

data/app/views/ucb_rails_user/users/index.html.erb

@@ -1,119 +1,34 @@
-<div class="ucb-rails-users-table-header">
+<div class="ucb-rails-users-table-header clearfix">
   <h1>Users</h1>
 </div>
 
-<%= turbo_frame_tag "users" do %>
-  <% if flash[:notice] || flash[:error] || flash[:alert] %>
-    <div style="margin-bottom: 10px;">
-      <% if flash[:notice] %>
-        <div class="alert alert-info"><%= flash[:notice] %></div>
-      <% end %>
-      <% if flash[:error] %>
-        <div class="alert alert-danger"><%= flash[:error] %></div>
-      <% end %>
-      <% if flash[:alert] %>
-        <div class="alert alert-warning"><%= flash[:alert] %></div>
-      <% end %>
-    </div>
-  <% end %>
-  <div style="margin-top: 10px; overflow: auto; margin-bottom: 10px; vertical-align: middle; ">
-    <%= form_with url: "", method: :get, data: { turbo_frame: "users" }, style: "display: flex; gap: 10px; align-items: center; flex-grow: 1;" do |form| %>
-      <%= form.hidden_field :sort, value: @sort %>
-      <%= form.hidden_field :dir, value: @sort_dir %>
-      <div style="float: left; padding-right: 15px">
-        Show <%= form.select :count, options_for_select([10, 25, 50, 100], selected: params[:count]), {}, { onchange: "this.form.requestSubmit()" } %>
-      </div>
-      <div style="float: left;">
-        Search <%= form.search_field :query, value: params[:query], id: "user_search_field", placeholder: "Search users...", data: { turbo_permanent: true }, oninput: "
-              clearTimeout(window.searchTimer);
-              window.searchTimer = setTimeout(() => {
-                this.form.requestSubmit();
-              }, 300);
-            " %>
-      </div>
-    <% end %>
-    <div style="float: right;">
-      <%= link_to "Add User", new_admin_user_path, class: "btn btn-primary" %>
-    </div>
-  </div>
-  <div class="table-responsive ucb-rails-users-table-wrapper">
-    <table class="table table-striped table-bordered table-hover ucb-rails-users-table">
-      <thead>
-        <tr>
-          <th class="min">
-            <%= link_to admin_users_path(sort: "superuser_flag", dir: @sort == "superuser_flag" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, style: "text-decoration: none; color: inherit;" do %>
-              Superuser?
-              <% if @sort == "superuser_flag" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th class="min">
-            <%= link_to admin_users_path(sort: "inactive_flag", dir: @sort == "inactive_flag" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, style: "text-decoration: none; color: inherit;" do %>
-              Inactive?
-              <% if @sort == "inactive_flag" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "first_name", dir: @sort == "first_name" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, style: "text-decoration: none; color: inherit;" do %>
-              First Name
-              <% if @sort == "first_name" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "last_name", dir: @sort == "last_name" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, style: "text-decoration: none; color: inherit;" do %>
-              Last Name
-              <% if @sort == "last_name" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "email", dir: @sort == "email" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, style: "text-decoration: none; color: inherit;" do %>
-              Email
-              <% if @sort == "email" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th class="dt">
-            <%= link_to admin_users_path(sort: "last_login_at", dir: @sort == "last_login_at" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, style: "text-decoration: none; color: inherit;" do %>
-              Last Login
-              <% if @sort == "last_login_at" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "ldap_uid", dir: @sort == "ldap_uid" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, style: "text-decoration: none; color: inherit;" do %>
-              UID
-              <% if @sort == "ldap_uid" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "employee_id", dir: @sort == "employee_id" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, style: "text-decoration: none; color: inherit;" do %>
-              Employee ID
-              <% if @sort == "employee_id" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th class="min unsorted">Edit</th>
-          <th class="min unsorted">Delete</th>
-        </tr>
-      </thead>
-      <tbody class="highlight">
-        <%= render partial: "ucb_rails_user/users/user", collection: @users %>
-      </tbody>
-    </table>
-    <div class="ucb-rails-user">
-      <%= pagy_nav(@pagy, pagy_url_for: ->(page, pagy) { admin_users_path(page: page, count: params[:count], query: params[:query], sort: @sort, dir: @sort_dir) }).html_safe %>
-    </div>
-  </div>
+<%= form_with url: "", method: :get, data: { turbo_frame: "users", turbo_action: "advance" } do |form| %>
+  Show <%= form.select :count, options_for_select([10, 25, 50, 100], selected: params[:count]), {}, { onchange: "this.form.requestSubmit()" } %>
+
+  Search <%= form.search_field :query, value: params[:query], oninput: "this.form.requestSubmit()" %>
 <% end %>
+
+<div class="table-responsive ucb-rails-users-table-wrapper">
+  <table class="table table-striped table-bordered table-hover ucb-rails-users-table">
+    <thead>
+      <tr>
+        <th class="min">Superuser?</th>
+        <th class="min">Inactive?</th>
+        <th>First Name</th>
+        <th>Last Name</th>
+        <th>Email</th>
+        <th class="dt">Last Login</th>
+        <th>UID</th>
+        <th>Employee ID</th>
+        <th class="min unsorted">Edit</th>
+        <th class="min unsorted">Delete</th>
+      </tr>
+    </thead>
+    <tbody class="highlight">
+      <%= render partial: "ucb_rails_user/users/user", collection: @users %>
+    </tbody>
+  </table>
+  <div class="ucb-rails-user">
+    <%= pagy_nav(@pagy).html_safe %>
+  </div>
+</div>

data/app/views/ucb_rails_user/users/new.html.erb

@@ -1,17 +1,19 @@
-<%= turbo_frame_tag "users" do %>
-  <h2>Add New User</h2>
+<h2>Add New User</h2>
 
-  <%= form_tag admin_user_search_path, method: :get, class: "form-inline user-search-form" do %>
-    <%= text_field_tag :first_name, "", placeholder: "First name", class: "form-control" %>
-    <%= text_field_tag :last_name, "", placeholder: "Last name", class: "form-control" %>
-    <%= text_field_tag :employee_id, "", placeholder: "Employee ID", class: "form-control" %>
-    <%= submit_tag "Search", class: "btn btn-primary", data: { turbo_submits_with: "Searching..." } %>
-    <%= link_to "Cancel", admin_users_path, class: "btn btn-default" %>
-  <% end %>
-
-  <div class="search-results">
-    <% if @results %>
-      <%= render "results" %>
-    <% end %>
-  </div>
+<%= form_tag admin_user_search_path, method: :get, remote: true, class: "form-inline user-search-form" do %>
+  <%= text_field_tag :first_name, "", placeholder: "First name", class: "form-control" %>
+  <%= text_field_tag :last_name, "", placeholder: "Last name", class: "form-control" %>
+  <%= text_field_tag :employee_id, "", placeholder: "Employee ID", class: "form-control" %>
+  <%= submit_tag "Search", class: "btn btn-primary" %>
+  <%= link_to "Cancel", admin_users_path, class: "btn btn-default" %>
 <% end %>
+
+<div class="ucb-rails-user-loader">
+  Loading...
+</div>
+
+<div class="search-results">
+  <% if @results %>
+    <%= render "results" %>
+  <% end %>
+</div>

data/config/routes.rb

@@ -5,8 +5,8 @@ Rails.application.routes.draw do
   match "/logout", to: UcbRailsUser::SessionsController.action(:destroy),
     as: "logout", via: [:all]
   match "/auth/:omniauth_provider/callback", to: UcbRailsUser::SessionsController.action(:create),
-    via: [:get]
-  match "/auth/failure", to: UcbRailsUser::SessionsController.action(:failure), via: [:get]
+    via: [:get, :post]
+  match "/auth/failure", to: UcbRailsUser::SessionsController.action(:failure), via: [:get, :post]
   match "/not_authorized", to: UcbRailsUser::SessionsController.action(:not_authorized),
     as: "not_authorized", via: [:get]
 

data/lib/ucb_rails_user/configuration/cas.rb

@@ -15,6 +15,15 @@ module UcbRailsUser
 
       def configure_omniauth
         host_name = host
+        
+        # Configure OmniAuth to only accept POST requests for security (CVE-2015-9284)
+        OmniAuth.config.allowed_request_methods = [:post]
+        OmniAuth.config.silence_get_warning = true
+        
+        # Disable CSRF protection for OmniAuth - we handle security through POST-only
+        # This is safe because we're only allowing POST requests and CAS provides its own security
+        OmniAuth.config.request_validation_phase = nil
+        
         Rails.application.config.middleware.use OmniAuth::Builder do
 
           unless Rails.env.production?

data/lib/ucb_rails_user/spec_helpers.rb

@@ -13,6 +13,7 @@ module UcbRailsUser
       OmniAuth.config.test_mode = true
       auth_mock(user.ldap_uid)
       visit login_path()
+      click_on "Sign in with CalNet"
     end
 
     def auth_mock(uid)

data/lib/ucb_rails_user/version.rb

@@ -1,3 +1,3 @@
 module UcbRailsUser
-  VERSION = '8.0.4'
+  VERSION = '8.1.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ucb_rails_user
 version: !ruby/object:Gem::Version
-  version: 8.0.4
+  version: 8.1.0
 platform: ruby
 authors:
 - Steve Downey
@@ -13,7 +13,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-10-01 00:00:00.000000000 Z
+date: 2025-08-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -146,7 +146,7 @@ dependencies:
         version: '1.8'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -156,21 +156,21 @@ dependencies:
         version: '1.8'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: omniauth-cas
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: ucb_ldap
   requirement: !ruby/object:Gem::Requirement
@@ -189,16 +189,16 @@ dependencies:
   name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.12.1
+        version: '2.12'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.12.1
+        version: '2.12'
 - !ruby/object:Gem::Dependency
   name: puma
   requirement: !ruby/object:Gem::Requirement
@@ -390,15 +390,14 @@ files:
 - app/views/ucb_rails_user/lps/_modal.html.erb
 - app/views/ucb_rails_user/lps/_results.html.erb
 - app/views/ucb_rails_user/lps/search.js.erb
+- app/views/ucb_rails_user/sessions/new.html.erb
 - app/views/ucb_rails_user/users/_form.html.erb
 - app/views/ucb_rails_user/users/_search_results.html.erb
 - app/views/ucb_rails_user/users/_user.html.erb
 - app/views/ucb_rails_user/users/edit.html.erb
 - app/views/ucb_rails_user/users/index.html.erb
 - app/views/ucb_rails_user/users/new.html.erb
-- app/views/ucb_rails_user/users/search.html.erb
 - app/views/ucb_rails_user/users/search.js.erb
-- config/importmap.rb
 - config/initializers/simple_form.rb
 - config/initializers/simple_form_bootstrap.rb
 - config/locales/simple_form.en.yml

data/app/views/ucb_rails_user/users/search.html.erb

@@ -1,15 +0,0 @@
-<%= turbo_frame_tag "users" do %>
-  <h2>Add New User</h2>
-
-  <%= form_tag admin_user_search_path, method: :get, class: "form-inline user-search-form" do %>
-    <%= text_field_tag :first_name, params[:first_name], placeholder: "First name", class: "form-control" %>
-    <%= text_field_tag :last_name, params[:last_name], placeholder: "Last name", class: "form-control" %>
-    <%= text_field_tag :employee_id, params[:employee_id], placeholder: "Employee ID", class: "form-control" %>
-    <%= submit_tag "Search", class: "btn btn-primary" %>
-    <%= link_to "Cancel", admin_users_path, class: "btn btn-default" %>
-  <% end %>
-
-  <div class="search-results">
-    <%= render "search_results" %>
-  </div>
-<% end %>

data/config/importmap.rb

@@ -1,2 +0,0 @@
-# Pin npm packages for the engine
-pin_all_from File.expand_path("../app/assets/javascripts/ucb_rails_user", __dir__), under: "ucb_rails_user"