mirror of
https://github.com/we-promise/sure.git
synced 2026-04-07 14:31:25 +00:00
7ae9077935
* Add default family selection for invite-only onboarding mode When onboarding is set to invite-only, admins can now choose a default family that new users without an invitation are automatically placed into as members, instead of creating a new family for each signup. https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx * Restrict invite codes and onboarding settings to super_admin only The Invite Codes section on /settings/hosting was visible to any authenticated user via the show action, leaking all family names/IDs through the default-family dropdown. This tightens access: - Hide the entire Invite Codes section in the view behind super_admin? - Add before_action :ensure_super_admin to InviteCodesController for all actions (index, create, destroy), replacing the inline admin? check - Add ensure_super_admin_for_onboarding filter on hostings#update that blocks non-super_admin users from changing onboarding_state or invite_only_default_family_id https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx * Fix tests for super_admin-only invite codes and onboarding settings - Hostings controller test: sign in as sure_support_staff (super_admin) for the onboarding_state update test, since ensure_super_admin_for_onboarding now requires super_admin role - Invite codes tests: use super_admin fixture for the success case and verify that a regular admin gets redirected instead of raising StandardError https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx * Fix system test to use super_admin for self-hosting settings The invite codes section is now only visible to super_admin users, so the system test needs to sign in as sure_support_staff to find the onboarding_state select element. https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx * Skip invite code requirement when a default family is configured When onboarding is invite-only but a default family is set, the claim_invite_code before_action was blocking registration before the create action could assign the user to the default family. Now invite_code_required? returns false when invite_only_default_family_id is present, allowing codeless signups to land in the configured default family. https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx --------- Co-authored-by: Claude <noreply@anthropic.com>
251 lines
8.4 KiB
Ruby
251 lines
8.4 KiB
Ruby
require "test_helper"
|
|
require "ostruct"
|
|
|
|
class Settings::HostingsControllerTest < ActionDispatch::IntegrationTest
|
|
include ProviderTestHelper
|
|
|
|
setup do
|
|
sign_in users(:family_admin)
|
|
|
|
@provider = mock
|
|
Provider::Registry.stubs(:get_provider).with(:twelve_data).returns(@provider)
|
|
|
|
@provider.stubs(:healthy?).returns(true)
|
|
Provider::Registry.stubs(:get_provider).with(:yahoo_finance).returns(@provider)
|
|
@provider.stubs(:usage).returns(provider_success_response(
|
|
OpenStruct.new(
|
|
used: 10,
|
|
limit: 100,
|
|
utilization: 10,
|
|
plan: "free",
|
|
)
|
|
))
|
|
end
|
|
|
|
test "cannot edit when self hosting is disabled" do
|
|
@provider.stubs(:usage).returns(@usage_response)
|
|
|
|
Rails.configuration.stubs(:app_mode).returns("managed".inquiry)
|
|
get settings_hosting_url
|
|
assert_response :forbidden
|
|
|
|
patch settings_hosting_url, params: { setting: { onboarding_state: "invite_only" } }
|
|
assert_response :forbidden
|
|
end
|
|
|
|
test "should get edit when self hosting is enabled" do
|
|
@provider.expects(:usage).returns(@usage_response)
|
|
|
|
with_self_hosting do
|
|
get settings_hosting_url
|
|
assert_response :success
|
|
end
|
|
end
|
|
|
|
test "can update settings when self hosting is enabled" do
|
|
with_self_hosting do
|
|
patch settings_hosting_url, params: { setting: { twelve_data_api_key: "1234567890" } }
|
|
|
|
assert_equal "1234567890", Setting.twelve_data_api_key
|
|
end
|
|
end
|
|
|
|
test "can update onboarding state when self hosting is enabled" do
|
|
sign_in users(:sure_support_staff)
|
|
|
|
with_self_hosting do
|
|
patch settings_hosting_url, params: { setting: { onboarding_state: "invite_only" } }
|
|
|
|
assert_equal "invite_only", Setting.onboarding_state
|
|
assert Setting.require_invite_for_signup
|
|
|
|
patch settings_hosting_url, params: { setting: { onboarding_state: "closed" } }
|
|
|
|
assert_equal "closed", Setting.onboarding_state
|
|
refute Setting.require_invite_for_signup
|
|
end
|
|
end
|
|
|
|
test "can update openai access token when self hosting is enabled" do
|
|
with_self_hosting do
|
|
patch settings_hosting_url, params: { setting: { openai_access_token: "token" } }
|
|
|
|
assert_equal "token", Setting.openai_access_token
|
|
end
|
|
end
|
|
|
|
test "can update openai uri base and model together when self hosting is enabled" do
|
|
with_self_hosting do
|
|
patch settings_hosting_url, params: { setting: { openai_uri_base: "https://api.example.com/v1", openai_model: "gpt-4" } }
|
|
|
|
assert_equal "https://api.example.com/v1", Setting.openai_uri_base
|
|
assert_equal "gpt-4", Setting.openai_model
|
|
end
|
|
end
|
|
|
|
test "cannot update openai uri base without model when self hosting is enabled" do
|
|
with_self_hosting do
|
|
Setting.openai_model = ""
|
|
|
|
patch settings_hosting_url, params: { setting: { openai_uri_base: "https://api.example.com/v1" } }
|
|
|
|
assert_response :unprocessable_entity
|
|
assert_match(/OpenAI model is required/, flash[:alert])
|
|
assert Setting.openai_uri_base.blank?, "Expected openai_uri_base to remain blank after failed validation"
|
|
end
|
|
end
|
|
|
|
test "can update openai model alone when self hosting is enabled" do
|
|
with_self_hosting do
|
|
patch settings_hosting_url, params: { setting: { openai_model: "gpt-4" } }
|
|
|
|
assert_equal "gpt-4", Setting.openai_model
|
|
end
|
|
end
|
|
|
|
test "cannot clear openai model when custom uri base is set" do
|
|
with_self_hosting do
|
|
Setting.openai_uri_base = "https://api.example.com/v1"
|
|
Setting.openai_model = "gpt-4"
|
|
|
|
patch settings_hosting_url, params: { setting: { openai_model: "" } }
|
|
|
|
assert_response :unprocessable_entity
|
|
assert_match(/OpenAI model is required/, flash[:alert])
|
|
assert_equal "gpt-4", Setting.openai_model
|
|
end
|
|
end
|
|
|
|
test "can clear data cache when self hosting is enabled" do
|
|
account = accounts(:investment)
|
|
holding = account.holdings.first
|
|
exchange_rate = exchange_rates(:one)
|
|
security_price = holding.security.prices.first
|
|
account_balance = account.balances.create!(date: Date.current, balance: 1000, currency: "USD")
|
|
|
|
with_self_hosting do
|
|
perform_enqueued_jobs(only: DataCacheClearJob) do
|
|
delete clear_cache_settings_hosting_url
|
|
end
|
|
end
|
|
|
|
assert_redirected_to settings_hosting_url
|
|
assert_equal I18n.t("settings.hostings.clear_cache.cache_cleared"), flash[:notice]
|
|
|
|
assert_not ExchangeRate.exists?(exchange_rate.id)
|
|
assert_not Security::Price.exists?(security_price.id)
|
|
assert_not Holding.exists?(holding.id)
|
|
assert_not Balance.exists?(account_balance.id)
|
|
end
|
|
|
|
test "can update assistant type to external" do
|
|
with_self_hosting do
|
|
assert_equal "builtin", users(:family_admin).family.assistant_type
|
|
|
|
patch settings_hosting_url, params: { family: { assistant_type: "external" } }
|
|
|
|
assert_redirected_to settings_hosting_url
|
|
assert_equal "external", users(:family_admin).family.reload.assistant_type
|
|
end
|
|
end
|
|
|
|
test "ignores invalid assistant type values" do
|
|
with_self_hosting do
|
|
patch settings_hosting_url, params: { family: { assistant_type: "hacked" } }
|
|
|
|
assert_redirected_to settings_hosting_url
|
|
assert_equal "builtin", users(:family_admin).family.reload.assistant_type
|
|
end
|
|
end
|
|
|
|
test "ignores assistant type update when ASSISTANT_TYPE env is set" do
|
|
with_self_hosting do
|
|
with_env_overrides("ASSISTANT_TYPE" => "external") do
|
|
patch settings_hosting_url, params: { family: { assistant_type: "external" } }
|
|
|
|
assert_redirected_to settings_hosting_url
|
|
# DB value should NOT change when env override is active
|
|
assert_equal "builtin", users(:family_admin).family.reload.assistant_type
|
|
end
|
|
end
|
|
end
|
|
|
|
test "can update external assistant settings" do
|
|
with_self_hosting do
|
|
patch settings_hosting_url, params: { setting: {
|
|
external_assistant_url: "https://agent.example.com/v1/chat",
|
|
external_assistant_token: "my-secret-token",
|
|
external_assistant_agent_id: "finance-bot"
|
|
} }
|
|
|
|
assert_redirected_to settings_hosting_url
|
|
assert_equal "https://agent.example.com/v1/chat", Setting.external_assistant_url
|
|
assert_equal "my-secret-token", Setting.external_assistant_token
|
|
assert_equal "finance-bot", Setting.external_assistant_agent_id
|
|
end
|
|
ensure
|
|
Setting.external_assistant_url = nil
|
|
Setting.external_assistant_token = nil
|
|
Setting.external_assistant_agent_id = nil
|
|
end
|
|
|
|
test "does not overwrite token with masked placeholder" do
|
|
with_self_hosting do
|
|
Setting.external_assistant_token = "real-secret"
|
|
|
|
patch settings_hosting_url, params: { setting: { external_assistant_token: "********" } }
|
|
|
|
assert_equal "real-secret", Setting.external_assistant_token
|
|
end
|
|
ensure
|
|
Setting.external_assistant_token = nil
|
|
end
|
|
|
|
test "disconnect external assistant clears settings and resets type" do
|
|
with_self_hosting do
|
|
with_env_overrides("EXTERNAL_ASSISTANT_URL" => nil, "EXTERNAL_ASSISTANT_TOKEN" => nil) do
|
|
Setting.external_assistant_url = "https://agent.example.com/v1/chat"
|
|
Setting.external_assistant_token = "token"
|
|
Setting.external_assistant_agent_id = "finance-bot"
|
|
users(:family_admin).family.update!(assistant_type: "external")
|
|
|
|
delete disconnect_external_assistant_settings_hosting_url
|
|
|
|
assert_redirected_to settings_hosting_url
|
|
# Force cache refresh so configured? reads fresh DB state after
|
|
# the disconnect action cleared the settings within its own request.
|
|
Setting.clear_cache
|
|
assert_not Assistant::External.configured?
|
|
assert_equal "builtin", users(:family_admin).family.reload.assistant_type
|
|
end
|
|
end
|
|
ensure
|
|
Setting.external_assistant_url = nil
|
|
Setting.external_assistant_token = nil
|
|
Setting.external_assistant_agent_id = nil
|
|
end
|
|
|
|
test "disconnect external assistant requires admin" do
|
|
with_self_hosting do
|
|
sign_in users(:family_member)
|
|
delete disconnect_external_assistant_settings_hosting_url
|
|
|
|
assert_redirected_to settings_hosting_url
|
|
assert_equal I18n.t("settings.hostings.not_authorized"), flash[:alert]
|
|
end
|
|
end
|
|
|
|
test "can clear data only when admin" do
|
|
with_self_hosting do
|
|
sign_in users(:family_member)
|
|
|
|
assert_no_enqueued_jobs do
|
|
delete clear_cache_settings_hosting_url
|
|
end
|
|
|
|
assert_redirected_to settings_hosting_url
|
|
assert_equal I18n.t("settings.hostings.not_authorized"), flash[:alert]
|
|
end
|
|
end
|
|
end
|