ucb_rails_user 8.0.5 → 8.1.0

data/app/assets/javascripts/ucb_rails_user/ucb_rails_user.js

@@ -35,6 +35,20 @@ var addDatatablesToUsersTable = function () {
   $('.ucb-rails-users-table-wrapper #DataTables_Table_0_filter').append(addNewHtml)
 }
 
+var resetImpersonateButton = function() {
+  var targetId = $('#ucb_rails_user_impersonation_target_id').val()
+  if (targetId != null && targetId.toString().length > 0) {
+    $('input[data-impersonate-button]').removeAttr('disabled')
+  } else {
+    $('input[data-impersonate-button]').attr('disabled', 'disabled')
+  }
+}
+
+var clearImpersonateSelection = function() {
+  $('#ucb_rails_user_impersonation_target_id').val('')
+  resetImpersonateButton()
+}
+
 $( window ).on("load", function() {
   // the datatable calling was failing intermittently, but adding the timeout
   // seemed to fix it, so ¯\_(ツ)_/¯
@@ -44,4 +58,46 @@ $( window ).on("load", function() {
     $('.search-results').hide()
     $('.ucb-rails-user-loader').show()
   })
+
+  var usersSource = new Bloodhound({
+    datumTokenizer: Bloodhound.tokenizers.obj.whitespace('value'),
+    queryTokenizer: Bloodhound.tokenizers.whitespace,
+    remote: {
+      url: '/admin/users/impersonate_search?q=%QUERY',
+      wildcard: '%QUERY'
+    }
+  });
+
+  $('#ucb_rails_user_impersonation_target').typeahead(null, {
+    name: 'users',
+    source: usersSource,
+    display: 'name',
+    limit: 7, // any higher than this, and the results don't display properly
+    templates: {
+      empty: [
+        '<div class="empty-message">',
+        'No match found',
+        '</div>'
+      ].join('\n'),
+      suggestion: function (data) {
+        return '<div><strong>' + data.name + '</strong> (' + data.uid + ')</div>'
+      }
+    }
+  });
+
+  $('#ucb_rails_user_impersonation_target').keyup(function(event) {
+    if ($(event.target).val().length == 0) {
+      clearImpersonateSelection()
+    }
+  })
+
+  $('#ucb_rails_user_impersonation_target').bind('typeahead:open', function(event, suggestion) {
+    clearImpersonateSelection()
+  })
+
+  $('#ucb_rails_user_impersonation_target').bind('typeahead:select', function(event, suggestion) {
+    $('#ucb_rails_user_impersonation_target_id').val(suggestion.id)
+    resetImpersonateButton()
+  })
+
 })

data/app/assets/stylesheets/ucb_rails_user/components/impersonations.css

@@ -10,29 +10,3 @@
   .recent-impersonations li {
     list-style-type: none;
     font-size: 110%; }
-
-.impersonate_search_results_container {
-  margin-top: 10px;
-}
-
-.impersonate_result_list {
-  list-style: none; 
-  padding: 0; 
-  margin-top: 10px;
-}
-
-.impersonate_result_list_item {
-  padding: 8px;
-  border-bottom: 1px solid #eee;
-}
-
-.impersonate_no_results_found {
-  margin-top: 10px; 
-  color: #999;
-}
-
-.impersonate_before_search {
-  margin-top: 10px; 
-  color: #666;
-}
-

data/app/assets/stylesheets/ucb_rails_user/components/users_table.css

@@ -1,26 +1,13 @@
 .ucb-rails-users-table-header {
   margin-top: 16px;
-margin-bottom: 8px; }
+margin-bottom: 16px; }
 
 .ucb-rails-users-table-header a {
-margin-top: 0px; }
-
-.ucb-rails-users-table-header form {
-  display: flex !important;
-  gap: 15px;
-  align-items: center;
-  flex-direction: row;
-}
-
-.ucb-rails-users-table-header form span,
-.ucb-rails-users-table-header form select,
-.ucb-rails-users-table-header form input {
-  vertical-align: middle;
-}
+margin-top: 16px; }
 
 table.ucb-rails-users-table {
   border-spacing: 0px;
-  margin-top: 8px;
+  margin-top: 16px; 
 }
 
 table.ucb-rails-users-table th {
@@ -65,39 +52,3 @@ h1 {
   padding-left: 10px;
   padding-right: 10px;
 }
-
-.user_sort {
-  text-decoration: none;
-  color: inherit;
-}
-
-.user_form_container {
-  margin-top: 10px;
-  overflow: auto;
-  margin-bottom: 10px;
-  vertical-align: middle;
-}
-
-.user_form_base_style {
-  display: flex; 
-  gap: 10px;
-  align-items:
-  center; flex-grow: 1;
-}
-
-.user_form_return_count {
-  float: left; 
-  padding-right: 15px;
-}
-
-.user_form_search_box {
-  float: left;
-}
-
-.user_form_add_user_link {
-  float: right;
-}
-
-.user_turbo_frame_users {
-  margin-bottom: 10px;
-}

data/app/assets/stylesheets/ucb_rails_user/pagy_tailwind.css

@@ -0,0 +1,21 @@
+.pagy {
+  @apply flex space-x-1 font-semibold text-sm text-gray-500;
+  a:not(.gap) {
+    @apply block rounded-lg px-3 py-1 bg-gray-200;
+    &:hover {
+      @apply bg-gray-300;
+    }
+    &:not([href]) { /* disabled links */
+      @apply text-gray-300 bg-gray-100 cursor-default;
+    }
+    &.current {
+      @apply text-white bg-gray-400;
+    }
+  }
+  label {
+    @apply inline-block whitespace-nowrap bg-gray-200 rounded-lg px-3 py-0.5;
+    input {
+      @apply bg-gray-100 border-none rounded-md;
+    }
+  }
+}

data/app/controllers/concerns/ucb_rails_user/sessions_controller_concerns.rb

@@ -5,12 +5,12 @@ module UcbRailsUser::SessionsControllerConcerns
     skip_before_action :ensure_authenticated_user, :log_request, raise: false
   end
 
-  # Redirects to authentication provider
+  # Renders login form for authentication provider
   #
   # @return [nil]
   def new
-    provider = UcbRailsUser[:omniauth_provider] || :cas
-    redirect_to "/auth/#{provider}"
+    @provider = UcbRailsUser[:omniauth_provider] || :cas
+    render 'ucb_rails_user/sessions/new'
   end
 
   # Login user after authentication by provider

data/app/controllers/concerns/ucb_rails_user/users_controller_concerns.rb

@@ -9,20 +9,7 @@ module UcbRailsUser::UsersControllerConcerns
   end
 
   def index
-    @sort = params[:sort] || "last_name"
-    @sort_dir = params[:dir] || "asc"
-
-    # Build the query
-    users = if !params[:query].blank?
-      search_user_table(params[:query])
-    else
-      UcbRailsUser.user_class.all
-    end
-
-    # Apply sorting
-    users = users.order("#{@sort} #{@sort_dir}")
-
-    @pagy, @users = pagy(users, limit: params[:count])
+    @pagy, @users = pagy(UcbRailsUser.user_class.all, limit: params[:count])
   end
 
   def search
@@ -37,12 +24,8 @@ module UcbRailsUser::UsersControllerConcerns
   end
 
   def impersonate_search
-    @query = params[:q]
-    @results = if @query.present? && @query.length >= 2
-      UcbRailsUser::UserSearch.find_users_by_name(@query)
-    else
-      []
-    end
+    result = UcbRailsUser::UserSearch.find_users_by_name(params[:q])
+    render json: result.map { |u| { name: u.full_name, id: u.id, uid: u.ldap_uid } }
   end
 
   def edit
@@ -108,6 +91,7 @@ module UcbRailsUser::UsersControllerConcerns
       @lps_existing_uids = UcbRailsUser.user_class.where(ldap_uid: uid_strings).pluck(:uid)
       render 'ucb_rails_user/lps/search'
     end
+
   end
 
   def typeahead_search
@@ -127,10 +111,6 @@ module UcbRailsUser::UsersControllerConcerns
 
   private
 
-  def search_user_table(query)
-    UcbRailsUser.user_class.where('lower(first_name) like lower(:q) or lower(last_name) like lower(:q) or lower(email) like lower(:q) or lower(alternate_email) like lower(:q) or ldap_uid like :q or ldap_uid like :q or employee_id like :q', q: '%' + query + '%')
-  end
-
   def user_params(extra_params = [])
     params.require(:user).permit([
       :superuser_flag,
@@ -150,4 +130,5 @@ module UcbRailsUser::UsersControllerConcerns
   def find_user
     @user ||= UcbRailsUser.user_class.find(params.fetch(:id))
   end
+
 end

data/app/views/ucb_rails_user/impersonations/index.html.erb

@@ -6,22 +6,10 @@
   </div>
 <% else %>
   <div class="impersonation-form">
-    <%= form_with url: admin_user_impersonate_search_path, method: :get, data: { turbo_frame: "search_results" } do |f| %>
-      <%= f.label :q, "Search for user:" %>
-      <%= f.search_field :q, placeholder: "Enter name...", oninput: "
-        clearTimeout(window.impersonateSearchTimer);
-        window.impersonateSearchTimer = setTimeout(() => {
-          if (this.value.length >= 2) {
-            this.form.requestSubmit();
-          }
-        }, 300);
-      " %>
-    <% end %>
-
-    <%= turbo_frame_tag "search_results" do %>
-      <div style="margin-top: 10px; color: #666;">
-        Type at least 2 characters to search for a user...
-      </div>
+    <%= simple_form_for UcbRailsUser::Impersonation.new, url: admin_impersonations_path, method: :post do |f| %>
+      <%= f.input :target, label: "User", input_html: { class: "typeahead" } %>
+      <%= f.input :target_id, as: :hidden %>
+      <%= f.button :submit, value: "Impersonate", class: "btn btn-primary", disabled: true, data: { impersonate_button: true } %>
     <% end %>
   </div>
 <% end %>
@@ -32,7 +20,7 @@
     <ul>
       <% current_user.recent_impersonations.each do |imp| %>
         <li>
-          <%= link_to full_name_with_uid(imp.target), admin_impersonations_path(ucb_rails_user_impersonation: { target_id: imp.target.id }), data: { turbo_method: :post, turbo_frame: "_top" } %>
+          <%= link_to full_name_with_uid(imp.target), "#{admin_impersonations_path}?ucb_rails_user_impersonation[target_id]=#{imp.target.id}", method: :post %>
         </li>
       <% end %>
     </ul>

data/app/views/ucb_rails_user/sessions/new.html.erb

@@ -0,0 +1,21 @@
+<div style="display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f5f5f5;">
+  <div style="background: white; padding: 2rem; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); text-align: center; max-width: 400px; width: 100%;">
+    <h1 style="margin-bottom: 1.5rem; color: #333;">Sign In Required</h1>
+    
+    <p style="margin-bottom: 2rem; color: #666;">Please sign in to continue</p>
+    
+    <%= button_to "/auth/#{@provider}", 
+                  method: :post,
+                  data: { turbo: false },
+                  style: "background-color: #003262; color: white; padding: 12px 24px; font-size: 16px; border: none; border-radius: 4px; cursor: pointer; width: 100%; font-weight: 500;" do %>
+      Sign in with CalNet
+    <% end %>
+    
+    <% if Rails.env.development? %>
+      <p style="margin-top: 2rem; font-size: 12px; color: #999;">
+        Environment: Development<br>
+        Provider: <%= @provider %>
+      </p>
+    <% end %>
+  </div>
+</div>

data/app/views/ucb_rails_user/users/_user.html.erb

@@ -1,3 +1,4 @@
+<%= turbo_frame_tag "users" do %>
   <tr id="user_<%=user.id%>" class="user">
     <td><%= checkmark(user.superuser?) %></td>
     <td><%= checkmark(user.inactive?) %></td>
@@ -8,9 +9,10 @@
     <td class="min"><%= user.ldap_uid %></td>
     <td class="min"><%= user.employee_id %></td>
     <td>
-      <%= link_to 'edit', edit_admin_user_path(user), class: 'btn btn-primary', id: dom_id(user, 'edit'), role: 'button', data: { turbo_frame: "users" } %>
+      <%= link_to 'edit', edit_admin_user_path(user), class: 'btn btn-blue', id: dom_id(user, 'edit') %>
     </td>
     <td>
       <%= button_to 'delete', admin_user_path(user), method: :delete, data: { confirm: "Are you sure?" }, class: "btn btn-danger" %>
     </td>
   </tr>
+<% end %>

data/app/views/ucb_rails_user/users/edit.html.erb

@@ -1,5 +1,3 @@
-<%= turbo_frame_tag "users" do %>
-  <h1>Edit User</h1>
+<h1>Edit User</h1>
 
-  <%= render partial: 'form', locals: { url: admin_user_path(@user), method: :put } %>
-<% end %>
+<%= render partial: 'form', locals: { url: admin_user_path(@user), method: :put } %>

data/app/views/ucb_rails_user/users/index.html.erb

@@ -1,119 +1,34 @@
-<div class="ucb-rails-users-table-header">
+<div class="ucb-rails-users-table-header clearfix">
   <h1>Users</h1>
 </div>
 
-<%= turbo_frame_tag "users" do %>
-  <% if flash[:notice] || flash[:error] || flash[:alert] %>
-    <div class="user_turbo_frame_users">
-      <% if flash[:notice] %>
-        <div class="alert alert-info"><%= flash[:notice] %></div>
-      <% end %>
-      <% if flash[:error] %>
-        <div class="alert alert-danger"><%= flash[:error] %></div>
-      <% end %>
-      <% if flash[:alert] %>
-        <div class="alert alert-warning"><%= flash[:alert] %></div>
-      <% end %>
-    </div>
-  <% end %>
-  <div class="user_form_container">
-    <%= form_with url: "", method: :get, data: { turbo_frame: "users" }, class: "user_form_base_style" do |form| %>
-      <%= form.hidden_field :sort, value: @sort %>
-      <%= form.hidden_field :dir, value: @sort_dir %>
-      <div class="user_form_return_count">
-        Show <%= form.select :count, options_for_select([10, 25, 50, 100], selected: params[:count]), {}, { onchange: "this.form.requestSubmit()" } %>
-      </div>
-      <div class="user_form_search_box">
-        Search <%= form.search_field :query, value: params[:query], id: "user_search_field", placeholder: "Search users...", data: { turbo_permanent: true }, oninput: "
-              clearTimeout(window.searchTimer);
-              window.searchTimer = setTimeout(() => {
-                this.form.requestSubmit();
-              }, 300);
-            " %>
-      </div>
-    <% end %>
-    <div class="user_form_add_user_link">
-      <%= link_to "Add User", new_admin_user_path, class: "btn btn-primary" %>
-    </div>
-  </div>
-  <div class="table-responsive ucb-rails-users-table-wrapper">
-    <table class="table table-striped table-bordered table-hover ucb-rails-users-table">
-      <thead>
-        <tr>
-          <th class="min">
-            <%= link_to admin_users_path(sort: "superuser_flag", dir: @sort == "superuser_flag" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, class: "user_sort" do %>
-              Superuser?
-              <% if @sort == "superuser_flag" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th class="min">
-            <%= link_to admin_users_path(sort: "inactive_flag", dir: @sort == "inactive_flag" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, class: "user_sort"  do %>
-              Inactive?
-              <% if @sort == "inactive_flag" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "first_name", dir: @sort == "first_name" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, class: "user_sort" do %>
-              First Name
-              <% if @sort == "first_name" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "last_name", dir: @sort == "last_name" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, class: "user_sort" do %>
-              Last Name
-              <% if @sort == "last_name" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "email", dir: @sort == "email" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, class: "user_sort" do %>
-              Email
-              <% if @sort == "email" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th class="dt">
-            <%= link_to admin_users_path(sort: "last_login_at", dir: @sort == "last_login_at" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, class: "user_sort" do %>
-              Last Login
-              <% if @sort == "last_login_at" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "ldap_uid", dir: @sort == "ldap_uid" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, class: "user_sort" do %>
-              UID
-              <% if @sort == "ldap_uid" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th>
-            <%= link_to admin_users_path(sort: "employee_id", dir: @sort == "employee_id" && @sort_dir == "asc" ? "desc" : "asc", query: params[:query], count: params[:count]), data: { turbo_frame: "users" }, class: "user_sort" do %>
-              Employee ID
-              <% if @sort == "employee_id" %>
-                <%= @sort_dir == "asc" ? "▲" : "▼" %>
-              <% end %>
-            <% end %>
-          </th>
-          <th class="min unsorted">Edit</th>
-          <th class="min unsorted">Delete</th>
-        </tr>
-      </thead>
-      <tbody class="highlight">
-        <%= render partial: "ucb_rails_user/users/user", collection: @users %>
-      </tbody>
-    </table>
-    <div class="ucb-rails-user">
-      <%= pagy_nav(@pagy, pagy_url_for: ->(page, pagy) { admin_users_path(page: page, count: params[:count], query: params[:query], sort: @sort, dir: @sort_dir) }).html_safe %>
-    </div>
-  </div>
+<%= form_with url: "", method: :get, data: { turbo_frame: "users", turbo_action: "advance" } do |form| %>
+  Show <%= form.select :count, options_for_select([10, 25, 50, 100], selected: params[:count]), {}, { onchange: "this.form.requestSubmit()" } %>
+
+  Search <%= form.search_field :query, value: params[:query], oninput: "this.form.requestSubmit()" %>
 <% end %>
+
+<div class="table-responsive ucb-rails-users-table-wrapper">
+  <table class="table table-striped table-bordered table-hover ucb-rails-users-table">
+    <thead>
+      <tr>
+        <th class="min">Superuser?</th>
+        <th class="min">Inactive?</th>
+        <th>First Name</th>
+        <th>Last Name</th>
+        <th>Email</th>
+        <th class="dt">Last Login</th>
+        <th>UID</th>
+        <th>Employee ID</th>
+        <th class="min unsorted">Edit</th>
+        <th class="min unsorted">Delete</th>
+      </tr>
+    </thead>
+    <tbody class="highlight">
+      <%= render partial: "ucb_rails_user/users/user", collection: @users %>
+    </tbody>
+  </table>
+  <div class="ucb-rails-user">
+    <%= pagy_nav(@pagy).html_safe %>
+  </div>
+</div>

data/app/views/ucb_rails_user/users/new.html.erb

@@ -1,17 +1,19 @@
-<%= turbo_frame_tag "users" do %>
-  <h2>Add New User</h2>
+<h2>Add New User</h2>
 
-  <%= form_tag admin_user_search_path, method: :get, class: "form-inline user-search-form" do %>
-    <%= text_field_tag :first_name, "", placeholder: "First name", class: "form-control" %>
-    <%= text_field_tag :last_name, "", placeholder: "Last name", class: "form-control" %>
-    <%= text_field_tag :employee_id, "", placeholder: "Employee ID", class: "form-control" %>
-    <%= submit_tag "Search", class: "btn btn-primary", data: { turbo_submits_with: "Searching..." } %>
-    <%= link_to "Cancel", admin_users_path, class: "btn btn-default" %>
-  <% end %>
-
-  <div class="search-results">
-    <% if @results %>
-      <%= render "results" %>
-    <% end %>
-  </div>
+<%= form_tag admin_user_search_path, method: :get, remote: true, class: "form-inline user-search-form" do %>
+  <%= text_field_tag :first_name, "", placeholder: "First name", class: "form-control" %>
+  <%= text_field_tag :last_name, "", placeholder: "Last name", class: "form-control" %>
+  <%= text_field_tag :employee_id, "", placeholder: "Employee ID", class: "form-control" %>
+  <%= submit_tag "Search", class: "btn btn-primary" %>
+  <%= link_to "Cancel", admin_users_path, class: "btn btn-default" %>
 <% end %>
+
+<div class="ucb-rails-user-loader">
+  Loading...
+</div>
+
+<div class="search-results">
+  <% if @results %>
+    <%= render "results" %>
+  <% end %>
+</div>

data/config/routes.rb

@@ -5,8 +5,8 @@ Rails.application.routes.draw do
   match "/logout", to: UcbRailsUser::SessionsController.action(:destroy),
     as: "logout", via: [:all]
   match "/auth/:omniauth_provider/callback", to: UcbRailsUser::SessionsController.action(:create),
-    via: [:get]
-  match "/auth/failure", to: UcbRailsUser::SessionsController.action(:failure), via: [:get]
+    via: [:get, :post]
+  match "/auth/failure", to: UcbRailsUser::SessionsController.action(:failure), via: [:get, :post]
   match "/not_authorized", to: UcbRailsUser::SessionsController.action(:not_authorized),
     as: "not_authorized", via: [:get]
 

data/lib/ucb_rails_user/configuration/cas.rb

@@ -15,6 +15,15 @@ module UcbRailsUser
 
       def configure_omniauth
         host_name = host
+        
+        # Configure OmniAuth to only accept POST requests for security (CVE-2015-9284)
+        OmniAuth.config.allowed_request_methods = [:post]
+        OmniAuth.config.silence_get_warning = true
+        
+        # Disable CSRF protection for OmniAuth - we handle security through POST-only
+        # This is safe because we're only allowing POST requests and CAS provides its own security
+        OmniAuth.config.request_validation_phase = nil
+        
         Rails.application.config.middleware.use OmniAuth::Builder do
 
           unless Rails.env.production?

data/lib/ucb_rails_user/spec_helpers.rb

@@ -13,6 +13,7 @@ module UcbRailsUser
       OmniAuth.config.test_mode = true
       auth_mock(user.ldap_uid)
       visit login_path()
+      click_on "Sign in with CalNet"
     end
 
     def auth_mock(uid)

data/lib/ucb_rails_user/version.rb

@@ -1,3 +1,3 @@
 module UcbRailsUser
-  VERSION = '8.0.5'
+  VERSION = '8.1.0'
 end