QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-04-07 14:31:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d7a3b0cacd613bf6bc7a5d1e4819901cda1b9b57
sure/app/controllers/registrations_controller.rb
Juan José Mata 7ae9077935 Add default family selection for invite-only onboarding mode (#1174) 
* Add default family selection for invite-only onboarding mode

When onboarding is set to invite-only, admins can now choose a default
family that new users without an invitation are automatically placed into
as members, instead of creating a new family for each signup.

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

* Restrict invite codes and onboarding settings to super_admin only

The Invite Codes section on /settings/hosting was visible to any
authenticated user via the show action, leaking all family names/IDs
through the default-family dropdown. This tightens access:

- Hide the entire Invite Codes section in the view behind super_admin?
- Add before_action :ensure_super_admin to InviteCodesController for
  all actions (index, create, destroy), replacing the inline admin? check
- Add ensure_super_admin_for_onboarding filter on hostings#update that
  blocks non-super_admin users from changing onboarding_state or
  invite_only_default_family_id

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

* Fix tests for super_admin-only invite codes and onboarding settings

- Hostings controller test: sign in as sure_support_staff (super_admin)
  for the onboarding_state update test, since ensure_super_admin_for_onboarding
  now requires super_admin role
- Invite codes tests: use super_admin fixture for the success case and
  verify that a regular admin gets redirected instead of raising StandardError

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

* Fix system test to use super_admin for self-hosting settings

The invite codes section is now only visible to super_admin users,
so the system test needs to sign in as sure_support_staff to find
the onboarding_state select element.

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

* Skip invite code requirement when a default family is configured

When onboarding is invite-only but a default family is set, the
claim_invite_code before_action was blocking registration before
the create action could assign the user to the default family.
Now invite_code_required? returns false when
invite_only_default_family_id is present, allowing codeless
signups to land in the configured default family.

https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-03-10 18:12:53 +01:00

95 lines
2.9 KiB
Ruby
Raw Blame History

class RegistrationsController < ApplicationController
skip_authentication
layout "auth"
before_action :ensure_signup_open, if: :self_hosted?
before_action :set_user, only: :create
before_action :set_invitation
before_action :claim_invite_code, only: :create, if: :invite_code_required?
before_action :validate_password_requirements, only: :create
def new
@user = User.new(email: @invitation&.email)
end
def create
if @invitation
@user.family = @invitation.family
@user.role = @invitation.role
@user.email = @invitation.email
elsif (default_family_id = Setting.invite_only_default_family_id).present? &&
Setting.onboarding_state == "invite_only" &&
(default_family = Family.find_by(id: default_family_id))
@user.family = default_family
@user.role = :member
else
family = Family.new
@user.family = family
@user.role = User.role_for_new_family_creator
end
if @user.save
@invitation&.update!(accepted_at: Time.current)
@session = create_session_for(@user)
redirect_to root_path, notice: t(".success")
else
render :new, status: :unprocessable_entity, alert: t(".failure")
end
end
private
def set_invitation
token = params[:invitation]
token ||= params[:user][:invitation] if params[:user].present?
@invitation = Invitation.pending.find_by(token: token)
end
def set_user
@user = User.new user_params.except(:invite_code, :invitation)
end
def user_params(specific_param = nil)
params = self.params.require(:user).permit(:name, :email, :password, :password_confirmation, :invite_code, :invitation)
specific_param ? params[specific_param] : params
end
def claim_invite_code
unless InviteCode.claim! params[:user][:invite_code]
redirect_to new_registration_path, alert: t("registrations.create.invalid_invite_code")
end
end
def validate_password_requirements
password = user_params[:password]
return if password.blank? # Let Rails built-in validations handle blank passwords
if password.length < 8
@user.errors.add(:password, "must be at least 8 characters")
end
unless password.match?(/[A-Z]/) && password.match?(/[a-z]/)
@user.errors.add(:password, "must include both uppercase and lowercase letters")
end
unless password.match?(/\d/)
@user.errors.add(:password, "must include at least one number")
end
unless password.match?(/[!@#$%^&*(),.?":{}|<>]/)
@user.errors.add(:password, "must include at least one special character")
end
if @user.errors.present?
render :new, status: :unprocessable_entity
end
end
def ensure_signup_open
return unless Setting.onboarding_state == "closed"
redirect_to new_session_path, alert: t("registrations.closed")
end
end
Reference in New Issue View Git Blame Copy Permalink