QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-05-07 12:54:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add default family selection for invite-only onboarding mode (#1174)

Browse Source 
* Add default family selection for invite-only onboarding mode

When onboarding is set to invite-only, admins can now choose a default
family that new users without an invitation are automatically placed into
as members, instead of creating a new family for each signup.

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

* Restrict invite codes and onboarding settings to super_admin only

The Invite Codes section on /settings/hosting was visible to any
authenticated user via the show action, leaking all family names/IDs
through the default-family dropdown. This tightens access:

- Hide the entire Invite Codes section in the view behind super_admin?
- Add before_action :ensure_super_admin to InviteCodesController for
  all actions (index, create, destroy), replacing the inline admin? check
- Add ensure_super_admin_for_onboarding filter on hostings#update that
  blocks non-super_admin users from changing onboarding_state or
  invite_only_default_family_id

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

* Fix tests for super_admin-only invite codes and onboarding settings

- Hostings controller test: sign in as sure_support_staff (super_admin)
  for the onboarding_state update test, since ensure_super_admin_for_onboarding
  now requires super_admin role
- Invite codes tests: use super_admin fixture for the success case and
  verify that a regular admin gets redirected instead of raising StandardError

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

* Fix system test to use super_admin for self-hosting settings

The invite codes section is now only visible to super_admin users,
so the system test needs to sign in as sure_support_staff to find
the onboarding_state select element.

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

* Skip invite code requirement when a default family is configured

When onboarding is invite-only but a default family is set, the
claim_invite_code before_action was blocking registration before
the create action could assign the user to the default family.
Now invite_code_required? returns false when
invite_only_default_family_id is present, allowing codeless
signups to land in the configured default family.

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

---------

Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Juan José Mata
2026-03-10 18:12:53 +01:00
committed by GitHub
parent 674799a6e0
commit 7ae9077935
11 changed files with 67 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/concerns/invitable.rb
View File

@@ -9,7 +9,7 @@ module Invitable
def invite_code_required? def invite_code_required?
return false if @invitation.present? return false if @invitation.present?
if self_hosted? if self_hosted?
Setting.onboarding_state == "invite_only" Setting.onboarding_state == "invite_only" && Setting.invite_only_default_family_id.blank?
else else
ENV["REQUIRE_INVITE_CODE"] == "true" ENV["REQUIRE_INVITE_CODE"] == "true"
end end

6
app/controllers/invite_codes_controller.rb
View File

@@ -1,12 +1,12 @@
class InviteCodesController < ApplicationController class InviteCodesController < ApplicationController
before_action :ensure_self_hosted before_action :ensure_self_hosted
before_action :ensure_super_admin
def index def index
@invite_codes = InviteCode.all @invite_codes = InviteCode.all
end end
def create def create
raise StandardError, "You are not allowed to generate invite codes" unless Current.user.admin?
InviteCode.generate! InviteCode.generate!
redirect_back_or_to invite_codes_path, notice: "Code generated" redirect_back_or_to invite_codes_path, notice: "Code generated"
end end
@@ -22,4 +22,8 @@ class InviteCodesController < ApplicationController
def ensure_self_hosted def ensure_self_hosted
redirect_to root_path unless self_hosted? redirect_to root_path unless self_hosted?
end end
def ensure_super_admin
redirect_to root_path, alert: t("settings.hostings.not_authorized") unless Current.user.super_admin?
end
end end

5
app/controllers/registrations_controller.rb
View File

@@ -18,6 +18,11 @@ class RegistrationsController < ApplicationController
@user.family = @invitation.family @user.family = @invitation.family
@user.role = @invitation.role @user.role = @invitation.role
@user.email = @invitation.email @user.email = @invitation.email
elsif (default_family_id = Setting.invite_only_default_family_id).present? &&
Setting.onboarding_state == "invite_only" &&
(default_family = Family.find_by(id: default_family_id))
@user.family = default_family
@user.role = :member
else else
family = Family.new family = Family.new
@user.family = family @user.family = family

14
app/controllers/settings/hostings_controller.rb
View File

@@ -4,6 +4,7 @@ class Settings::HostingsController < ApplicationController
guard_feature unless: -> { self_hosted? } guard_feature unless: -> { self_hosted? }
before_action :ensure_admin, only: [ :update, :clear_cache, :disconnect_external_assistant ] before_action :ensure_admin, only: [ :update, :clear_cache, :disconnect_external_assistant ]
before_action :ensure_super_admin_for_onboarding, only: :update
def show def show
@breadcrumbs = [ @breadcrumbs = [
@@ -43,6 +44,11 @@ class Settings::HostingsController < ApplicationController
Setting.require_email_confirmation = hosting_params[:require_email_confirmation] Setting.require_email_confirmation = hosting_params[:require_email_confirmation]
end end
if hosting_params.key?(:invite_only_default_family_id)
value = hosting_params[:invite_only_default_family_id].presence
Setting.invite_only_default_family_id = value
end
if hosting_params.key?(:brand_fetch_client_id) if hosting_params.key?(:brand_fetch_client_id)
Setting.brand_fetch_client_id = hosting_params[:brand_fetch_client_id] Setting.brand_fetch_client_id = hosting_params[:brand_fetch_client_id]
end end
@@ -160,7 +166,7 @@ class Settings::HostingsController < ApplicationController
private private
def hosting_params def hosting_params
return ActionController::Parameters.new unless params.key?(:setting) return ActionController::Parameters.new unless params.key?(:setting)
params.require(:setting).permit(:onboarding_state, :require_email_confirmation, :brand_fetch_client_id, :brand_fetch_high_res_logos, :twelve_data_api_key, :openai_access_token, :openai_uri_base, :openai_model, :openai_json_mode, :exchange_rate_provider, :securities_provider, :syncs_include_pending, :auto_sync_enabled, :auto_sync_time, :external_assistant_url, :external_assistant_token, :external_assistant_agent_id) params.require(:setting).permit(:onboarding_state, :require_email_confirmation, :invite_only_default_family_id, :brand_fetch_client_id, :brand_fetch_high_res_logos, :twelve_data_api_key, :openai_access_token, :openai_uri_base, :openai_model, :openai_json_mode, :exchange_rate_provider, :securities_provider, :syncs_include_pending, :auto_sync_enabled, :auto_sync_time, :external_assistant_url, :external_assistant_token, :external_assistant_agent_id)
end end
def update_assistant_type def update_assistant_type
@@ -175,6 +181,12 @@ class Settings::HostingsController < ApplicationController
redirect_to settings_hosting_path, alert: t(".not_authorized") unless Current.user.admin? redirect_to settings_hosting_path, alert: t(".not_authorized") unless Current.user.admin?
end end
def ensure_super_admin_for_onboarding
onboarding_params = %i[onboarding_state invite_only_default_family_id]
return unless onboarding_params.any? { |p| hosting_params.key?(p) }
redirect_to settings_hosting_path, alert: t(".not_authorized") unless Current.user.super_admin?
end
def sync_auto_sync_scheduler! def sync_auto_sync_scheduler!
AutoSyncScheduler.sync! AutoSyncScheduler.sync!
rescue StandardError => error rescue StandardError => error

1
app/models/setting.rb
View File

@@ -73,6 +73,7 @@ class Setting < RailsSettings::Base
field :onboarding_state, type: :string, default: DEFAULT_ONBOARDING_STATE field :onboarding_state, type: :string, default: DEFAULT_ONBOARDING_STATE
field :require_invite_for_signup, type: :boolean, default: false field :require_invite_for_signup, type: :boolean, default: false
field :require_email_confirmation, type: :boolean, default: ENV.fetch("REQUIRE_EMAIL_CONFIRMATION", "true") == "true" field :require_email_confirmation, type: :boolean, default: ENV.fetch("REQUIRE_EMAIL_CONFIRMATION", "true") == "true"
field :invite_only_default_family_id, type: :string, default: nil
def self.validate_onboarding_state!(state) def self.validate_onboarding_state!(state)
return if ONBOARDING_STATES.include?(state) return if ONBOARDING_STATES.include?(state)

23
app/views/settings/hostings/_invite_code_settings.html.erb
View File

@@ -40,6 +40,29 @@
</div> </div>
<% if Setting.onboarding_state == "invite_only" %> <% if Setting.onboarding_state == "invite_only" %>
<div class="flex items-center justify-between">
<div class="space-y-1">
<p class="text-sm"><%= t(".default_family_title") %></p>
<p class="text-secondary text-sm"><%= t(".default_family_description") %></p>
</div>
<%= styled_form_with model: Setting.new,
url: settings_hosting_path,
method: :patch,
data: { controller: "auto-submit-form", auto_submit_form_trigger_event_value: "change" } do |form| %>
<div class="form-field w-fit">
<%= form.select :invite_only_default_family_id,
options_for_select(
[ [ t(".default_family_none"), "" ] ] +
Family.all.map { |f| [ f.name, f.id ] },
Setting.invite_only_default_family_id
),
{ label: false },
{ data: { auto_submit_form_target: "auto" } } %>
</div>
<% end %>
</div>
<div class="flex items-center justify-between mb-4"> <div class="flex items-center justify-between mb-4">
<div> <div>
<span class="text-primary text-base font-medium"><%= t(".generated_tokens") %></span> <span class="text-primary text-base font-medium"><%= t(".generated_tokens") %></span>

6
app/views/settings/hostings/show.html.erb
View File

@@ -22,8 +22,10 @@
<%= settings_section title: t(".sync_settings") do %> <%= settings_section title: t(".sync_settings") do %>
<%= render "settings/hostings/sync_settings" %> <%= render "settings/hostings/sync_settings" %>
<% end %> <% end %>
<%= settings_section title: t(".invites") do %> <% if Current.user.super_admin? %>
<%= render "settings/hostings/invite_code_settings" %> <%= settings_section title: t(".invites") do %>
<%= render "settings/hostings/invite_code_settings" %>
<% end %>
<% end %> <% end %>
<%= settings_section title: t(".danger_zone") do %> <%= settings_section title: t(".danger_zone") do %>
<%= render "settings/hostings/danger_zone_settings" %> <%= render "settings/hostings/danger_zone_settings" %>

3
config/locales/views/settings/hostings/en.yml
View File

@@ -7,6 +7,9 @@ en:
email_confirmation_description: When enabled, users must confirm their email email_confirmation_description: When enabled, users must confirm their email
address when changing it. address when changing it.
email_confirmation_title: Require email confirmation email_confirmation_title: Require email confirmation
default_family_title: Default family for new users
default_family_description: "Put new users on this family/group only if they have no invitation."
default_family_none: None (create new family)
generate_tokens: Generate new code generate_tokens: Generate new code
generated_tokens: Generated codes generated_tokens: Generated codes
title: Onboarding title: Onboarding

14
test/controllers/invite_codes_controller_test.rb
View File

@@ -4,17 +4,21 @@ class InviteCodesControllerTest < ActionDispatch::IntegrationTest
setup do setup do
Rails.application.config.app_mode.stubs(:self_hosted?).returns(true) Rails.application.config.app_mode.stubs(:self_hosted?).returns(true)
end end
test "admin can generate invite codes" do test "super admin can generate invite codes" do
sign_in users(:family_admin) sign_in users(:sure_support_staff)
assert_difference("InviteCode.count") do assert_difference("InviteCode.count") do
post invite_codes_url, params: {} post invite_codes_url, params: {}
end end
end end
test "non-admin cannot generate invite codes" do test "non-super-admin cannot generate invite codes" do
sign_in users(:family_member) sign_in users(:family_admin)
assert_raises(StandardError) { post invite_codes_url, params: {} } assert_no_difference("InviteCode.count") do
post invite_codes_url, params: {}
end
assert_redirected_to root_path
end end
end end

2
test/controllers/settings/hostings_controller_test.rb
View File

@@ -51,6 +51,8 @@ class Settings::HostingsControllerTest < ActionDispatch::IntegrationTest
end end
test "can update onboarding state when self hosting is enabled" do test "can update onboarding state when self hosting is enabled" do
sign_in users(:sure_support_staff)
with_self_hosting do with_self_hosting do
patch settings_hosting_url, params: { setting: { onboarding_state: "invite_only" } } patch settings_hosting_url, params: { setting: { onboarding_state: "invite_only" } }

1
test/system/settings_test.rb
View File

@@ -44,6 +44,7 @@ class SettingsTest < ApplicationSystemTestCase
end end
test "can update self hosting settings" do test "can update self hosting settings" do
sign_in users(:sure_support_staff)
Rails.application.config.app_mode.stubs(:self_hosted?).returns(true) Rails.application.config.app_mode.stubs(:self_hosted?).returns(true)
Provider::Registry.stubs(:get_provider).with(:twelve_data).returns(nil) Provider::Registry.stubs(:get_provider).with(:twelve_data).returns(nil)
Provider::Registry.stubs(:get_provider).with(:yahoo_finance).returns(nil) Provider::Registry.stubs(:get_provider).with(:yahoo_finance).returns(nil)