mirror of
https://github.com/we-promise/sure.git
synced 2026-04-07 22:34:47 +00:00
7ae9077935
* Add default family selection for invite-only onboarding mode When onboarding is set to invite-only, admins can now choose a default family that new users without an invitation are automatically placed into as members, instead of creating a new family for each signup. https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx * Restrict invite codes and onboarding settings to super_admin only The Invite Codes section on /settings/hosting was visible to any authenticated user via the show action, leaking all family names/IDs through the default-family dropdown. This tightens access: - Hide the entire Invite Codes section in the view behind super_admin? - Add before_action :ensure_super_admin to InviteCodesController for all actions (index, create, destroy), replacing the inline admin? check - Add ensure_super_admin_for_onboarding filter on hostings#update that blocks non-super_admin users from changing onboarding_state or invite_only_default_family_id https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx * Fix tests for super_admin-only invite codes and onboarding settings - Hostings controller test: sign in as sure_support_staff (super_admin) for the onboarding_state update test, since ensure_super_admin_for_onboarding now requires super_admin role - Invite codes tests: use super_admin fixture for the success case and verify that a regular admin gets redirected instead of raising StandardError https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx * Fix system test to use super_admin for self-hosting settings The invite codes section is now only visible to super_admin users, so the system test needs to sign in as sure_support_staff to find the onboarding_state select element. https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx * Skip invite code requirement when a default family is configured When onboarding is invite-only but a default family is set, the claim_invite_code before_action was blocking registration before the create action could assign the user to the default family. Now invite_code_required? returns false when invite_only_default_family_id is present, allowing codeless signups to land in the configured default family. https://claude.ai/code/session_01U9KgikKjV6xbyBZ5wMYsYx --------- Co-authored-by: Claude <noreply@anthropic.com>
101 lines
3.5 KiB
Ruby
101 lines
3.5 KiB
Ruby
require "application_system_test_case"
|
|
|
|
class SettingsTest < ApplicationSystemTestCase
|
|
setup do
|
|
sign_in @user = users(:family_admin)
|
|
|
|
# Base settings available to all users
|
|
@settings_links = [
|
|
[ "Accounts", accounts_path ],
|
|
[ "Bank Sync", settings_bank_sync_path ],
|
|
[ "Preferences", settings_preferences_path ],
|
|
[ "Profile Info", settings_profile_path ],
|
|
[ "Security", settings_security_path ],
|
|
[ "Categories", categories_path ],
|
|
[ "Tags", tags_path ],
|
|
[ "Rules", rules_path ],
|
|
[ "Merchants", family_merchants_path ],
|
|
[ "Guides", settings_guides_path ],
|
|
[ "What's new", changelog_path ],
|
|
[ "Feedback", feedback_path ]
|
|
]
|
|
|
|
# Add admin settings if user is admin
|
|
if @user.admin?
|
|
@settings_links += [
|
|
[ "AI Prompts", settings_ai_prompts_path ],
|
|
[ "API Key", settings_api_key_path ]
|
|
]
|
|
end
|
|
end
|
|
|
|
test "can access settings from sidebar" do
|
|
VCR.use_cassette("git_repository_provider/fetch_latest_release_notes") do
|
|
open_settings_from_sidebar
|
|
assert_selector "h1", text: "Accounts"
|
|
assert_current_path accounts_path, ignore_query: true
|
|
|
|
@settings_links.each do |name, path|
|
|
click_link name
|
|
assert_selector "h1", text: name
|
|
assert_current_path path
|
|
end
|
|
end
|
|
end
|
|
|
|
test "can update self hosting settings" do
|
|
sign_in users(:sure_support_staff)
|
|
Rails.application.config.app_mode.stubs(:self_hosted?).returns(true)
|
|
Provider::Registry.stubs(:get_provider).with(:twelve_data).returns(nil)
|
|
Provider::Registry.stubs(:get_provider).with(:yahoo_finance).returns(nil)
|
|
open_settings_from_sidebar
|
|
assert_selector "li", text: "Self-Hosting"
|
|
click_link "Self-Hosting"
|
|
assert_current_path settings_hosting_path
|
|
assert_selector "h1", text: "Self-Hosting"
|
|
find("select#setting_onboarding_state").select("Invite-only")
|
|
within("select#setting_onboarding_state") do
|
|
assert_selector "option[selected]", text: "Invite-only"
|
|
end
|
|
click_button "Generate new code"
|
|
assert_selector 'span[data-clipboard-target="source"]', visible: true, count: 1 # invite code copy widget
|
|
copy_button = find('button[data-action="clipboard#copy"]', match: :first) # Find the first copy button (adjust if needed)
|
|
copy_button.click
|
|
assert_selector 'span[data-clipboard-target="iconSuccess"]', visible: true, count: 1 # text copied and icon changed to checkmark
|
|
end
|
|
|
|
test "does not show payment link if self hosting" do
|
|
Rails.application.config.app_mode.stubs(:self_hosted?).returns(true)
|
|
open_settings_from_sidebar
|
|
assert_no_selector "li", text: I18n.t("settings.settings_nav.payment_label")
|
|
end
|
|
|
|
test "does not show admin settings to non-admin users" do
|
|
VCR.use_cassette("git_repository_provider/fetch_latest_release_notes") do
|
|
# Visit accounts path directly as non-admin user to avoid user menu issues
|
|
visit new_session_path
|
|
within %(form[action='#{sessions_path}']) do
|
|
fill_in "Email", with: users(:family_member).email
|
|
fill_in "Password", with: user_password_test
|
|
click_on "Log in"
|
|
end
|
|
|
|
# Go directly to accounts (settings) page
|
|
visit accounts_path
|
|
|
|
# Assert that admin-only settings are not present in the navigation
|
|
assert_no_selector "li", text: "AI Prompts"
|
|
assert_no_selector "li", text: "API Key"
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
def open_settings_from_sidebar
|
|
within "div[data-testid=user-menu]" do
|
|
find("button").click
|
|
end
|
|
click_link "Settings"
|
|
end
|
|
end
|