scinote-web/app/controllers/users/registrations_controller.rb

class Users::RegistrationsController < Devise::RegistrationsController
  prepend_before_action :check_captcha, only: [:create]
  before_action :registration_enabled?,
                only: %i(new create new_with_provider create_with_provider)
  before_action :sign_up_with_provider_enabled?,
                only: %i(new_with_provider create_with_provider)
  layout :layout

  def avatar
    user = User.find_by_id(params[:id]) || current_user
    style = params[:style] || :icon_small
    redirect_to user.avatar_url(style)
  end

  def update_resource(resource, params)
    @user_avatar_url = avatar_path(current_user, :thumb)

    if params.include? :change_password
      # Special handling if changing password
      params.delete(:change_password)
      if resource.valid_password?(params[:current_password]) &&
         params.include?(:password) &&
         params.include?(:password_confirmation) &&
         params[:password].blank?
        # If new password is blank and we're in process of changing
        # password, add error to the resource and return false
        resource.errors.add(:password, :blank)
        false
      else
        resource.update_with_password(params)
      end
    elsif params.include? :change_avatar
      params.delete(:change_avatar)
      if !params.include?(:avatar) || (params[:avatar].length > Constants::AVATAR_MAX_SIZE_MB.megabytes * 2)
        resource.errors.add(:avatar, :blank)
        false
      else
        temp_file = Tempfile.new('avatar', Rails.root.join('tmp'))
        begin
          check_extension = params[:avatar].split(';')[0].split('/')[1]
          temp_file.binmode
          temp_file.write(Base64.decode64(params[:avatar].split(',')[1]))
          temp_file.rewind
          resource.avatar.attach(io: temp_file, filename: "avatar.#{check_extension}")
        ensure
          temp_file.close
          temp_file.unlink
        end
        params.delete(:avatar)
        resource.update_without_password(params)
      end
    elsif params.include?(:email) || params.include?(:password)
      # For changing email or password, validate current_password
      resource.update_with_password(params)
    else
      # For changing some attributes, no current_password validation
      # is required
      resource.update_without_password(params)
    end
  end

  # Override default registrations_controller.rb implementation
  # to support JSON
  def update
    change_password = account_update_params.include? :change_password
    respond_to do |format|
      self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
      prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)

      resource_updated = update_resource(resource, account_update_params)

      yield resource if block_given?
      if resource_updated
        # Set "needs confirmation" flash if neccesary
        if is_flashing_format? || account_update_params['change_avatar']
          flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
            :update_needs_confirmation : :updated
          set_flash_message :notice, flash_key
        end

        # Set "password successfully updated" flash if neccesary
        if change_password
          set_flash_message :notice, :password_changed
        end

        format.html {
          sign_in resource_name, resource, bypass: true
          respond_with resource, location: edit_user_registration_path
        }
        format.json {
          flash.keep
          sign_in resource_name, resource, bypass: true
          render json: {}
        }
      else
        clean_up_passwords resource
        format.html {
          respond_with resource, location: edit_user_registration_path
        }
        format.json {
          render json: resource.errors, status: :bad_request
        }
      end
    end
  end

  def new; end

  def create
    build_resource(sign_up_params)
    valid_resource = resource.valid?
    # ugly checking if new team on sign up is enabled :(
    if Rails.configuration.x.new_team_on_signup
      # Create new team for the new user
      @team = Team.new
      @team.name = params[:team][:name]
      valid_team = @team.valid?

      if valid_team && valid_resource
        # this must be called after @team variable is defined. Otherwise this
        # variable won't be accessable in view.
        super do |resource|
          # Set the confirmed_at == created_at IF not using email confirmations
          unless Rails.configuration.x.enable_email_confirmations
            resource.update(confirmed_at: resource.created_at)
          end

          if resource.valid? && resource.persisted?
            @team.created_by = resource # set created_by for oraganization
            @team.save

            # Add this user to the team as owner
            UserTeam.create(user: resource, team: @team, role: :admin)

            # set current team to new user
            resource.current_team_id = @team.id
            resource.save
          end
        end
      else
        render :new
      end
    elsif valid_resource
      super do |resource|
        # Set the confirmed_at == created_at IF not using email confirmations
        unless Rails.configuration.x.enable_email_confirmations
          resource.update(confirmed_at: resource.created_at)
          resource.save
        end
      end
    else
      render :new
    end
  end

  def new_with_provider; end

  def create_with_provider
    @user = User.find_by_id(user_provider_params['user'])
    # Create new team for the new user
    @team = Team.new(team_provider_params)

    if @team.valid? && @user && Rails.configuration.x.new_team_on_signup
      # Set the confirmed_at == created_at IF not using email confirmations
      unless Rails.configuration.x.enable_email_confirmations
        @user.update!(confirmed_at: @user.created_at)
      end

      @team.created_by = @user # set created_by for team
      @team.save!

      # Add this user to the team as owner
      UserTeam.create(user: @user, team: @team, role: :admin)

      # set current team to new user
      @user.current_team_id = @team.id
      @user.save!

      sign_in_and_redirect @user
    else
      render :new_with_provider
    end
  end

  def two_factor_enable
    if current_user.valid_otp?(params[:submit_code])
      recovery_codes = current_user.enable_2fa!
      render json: { recovery_codes: recovery_codes }
    else
      render json: { error: t('users.registrations.edit.2fa_errors.wrong_submit_code') }, status: :unprocessable_entity
    end
  end

  def two_factor_disable
    if current_user.valid_password?(params[:password])
      current_user.disable_2fa!
      redirect_to edit_user_registration_path
    else
      render json: { error: t('users.registrations.edit.2fa_errors.wrong_password') }, status: :forbidden
    end
  end

  def two_factor_qr_code
    current_user.assign_2fa_token!
    qr_code_url = ROTP::TOTP.new(current_user.otp_secret, issuer: 'SciNote').provisioning_uri(current_user.email)
    qr_code = RQRCode::QRCode.new(qr_code_url)
    render json: { qr_code: qr_code.as_svg(module_size: 4) }
  end

  protected

  # Called upon creating User (before .save). Permits parameters and extracts
  # initials from :full_name (takes at most 4 chars). If :full_name is empty, it
  # uses "PLCH" as a placeholder (user won't get error complaining about
  # initials being empty.
  def sign_up_params
    tmp = params.require(:user).permit(:full_name, :initials, :email, :password, :password_confirmation)
    initials = tmp[:full_name].titleize.scan(/[A-Z]+/).join()
    initials = if initials.strip.empty?
                 'PLCH'
               else
                 initials[0..Constants::USER_INITIALS_MAX_LENGTH]
               end
    tmp.merge(:initials => initials)
  end

  def team_provider_params
    params.require(:team).permit(:name)
  end

  def user_provider_params
    params.permit(:user)
  end

  def account_update_params
    params.require(:user).permit(
      :full_name,
      :initials,
      :avatar,
      :email,
      :password,
      :password_confirmation,
      :current_password,
      :change_password,
      :change_avatar
    )
  end

  def avatar_params
    params.permit(
      :file
    )
  end

  private

  def layout
    'fluid' if action_name == 'edit'
  end

  def check_captcha
    if Rails.configuration.x.enable_recaptcha
      unless verify_recaptcha
        # Construct new resource before rendering :new
        self.resource = resource_class.new sign_up_params

        # Also validate team
        @team = Team.new(name: params[:team][:name])
        @team.valid?

        respond_with_navigational(resource) { render :new }
      end
    end
  end

  def registration_enabled?
    render_403 unless Rails.configuration.x.enable_user_registration
  end

  def sign_up_with_provider_enabled?
    render_403 unless Rails.configuration.x.linkedin_signin_enabled
  end

  # Redirect to login page after signing up
  def after_sign_up_path_for(resource)
    new_user_session_path
  end

  # Redirect to login page after signing up
  def after_inactive_sign_up_path_for(resource)
    new_user_session_path
  end
end
Initial commit. 2016-02-12 23:52:43 +08:00			`class Users::RegistrationsController < Devise::RegistrationsController`
integrate reCaptcha into sciNote 2016-11-22 21:57:41 +08:00			`prepend_before_action :check_captcha, only: [:create]`
sign up with linkedIn account 2018-02-26 18:05:05 +08:00			`before_action :registration_enabled?,`
			`only: %i(new create new_with_provider create_with_provider)`
			`before_action :sign_up_with_provider_enabled?,`
			`only: %i(new_with_provider create_with_provider)`
fix travis 2018-04-06 23:16:04 +08:00			`layout :layout`
Initial commit. 2016-02-12 23:52:43 +08:00
			`def avatar`
Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00			`user = User.find_by_id(params[:id]) \|\| current_user`
Refactor TinyMce assets, user avatars, zip files [SCI-3539] 2019-07-05 22:56:05 +08:00			`style = params[:style] \|\| :icon_small`
			`redirect_to user.avatar_url(style)`
Initial commit. 2016-02-12 23:52:43 +08:00			`end`

			`def update_resource(resource, params)`
Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00			`@user_avatar_url = avatar_path(current_user, :thumb)`
Initial commit. 2016-02-12 23:52:43 +08:00
			`if params.include? :change_password`
			`# Special handling if changing password`
			`params.delete(:change_password)`
Refactor TinyMce assets, user avatars, zip files [SCI-3539] 2019-07-05 22:56:05 +08:00			`if resource.valid_password?(params[:current_password]) &&`
			`params.include?(:password) &&`
			`params.include?(:password_confirmation) &&`
			`params[:password].blank?`
Initial commit. 2016-02-12 23:52:43 +08:00			`# If new password is blank and we're in process of changing`
			`# password, add error to the resource and return false`
			`resource.errors.add(:password, :blank)`
			`false`
			`else`
			`resource.update_with_password(params)`
			`end`
			`elsif params.include? :change_avatar`
			`params.delete(:change_avatar)`
Enforce file size limits for direct uploads on S3 [SCI-3681] 2019-07-30 19:31:22 +08:00			`if !params.include?(:avatar) \|\| (params[:avatar].length > Constants::AVATAR_MAX_SIZE_MB.megabytes * 2)`
Initial commit. 2016-02-12 23:52:43 +08:00			`resource.errors.add(:avatar, :blank)`
			`false`
			`else`
Refactor TinyMce assets, user avatars, zip files [SCI-3539] 2019-07-05 22:56:05 +08:00			`temp_file = Tempfile.new('avatar', Rails.root.join('tmp'))`
			`begin`
Add predefined avatars 2019-10-02 15:52:37 +08:00			`check_extension = params[:avatar].split(';')[0].split('/')[1]`
Refactor TinyMce assets, user avatars, zip files [SCI-3539] 2019-07-05 22:56:05 +08:00			`temp_file.binmode`
Add predefined avatars 2019-10-02 15:52:37 +08:00			`temp_file.write(Base64.decode64(params[:avatar].split(',')[1]))`
Refactor TinyMce assets, user avatars, zip files [SCI-3539] 2019-07-05 22:56:05 +08:00			`temp_file.rewind`
Add predefined avatars 2019-10-02 15:52:37 +08:00			`resource.avatar.attach(io: temp_file, filename: "avatar.#{check_extension}")`
Refactor TinyMce assets, user avatars, zip files [SCI-3539] 2019-07-05 22:56:05 +08:00			`ensure`
			`temp_file.close`
			`temp_file.unlink`
			`end`
			`params.delete(:avatar)`
Initial commit. 2016-02-12 23:52:43 +08:00			`resource.update_without_password(params)`
			`end`
Refactor TinyMce assets, user avatars, zip files [SCI-3539] 2019-07-05 22:56:05 +08:00			`elsif params.include?(:email) \|\| params.include?(:password)`
Initial commit. 2016-02-12 23:52:43 +08:00			`# For changing email or password, validate current_password`
			`resource.update_with_password(params)`
			`else`
			`# For changing some attributes, no current_password validation`
			`# is required`
			`resource.update_without_password(params)`
			`end`
			`end`

			`# Override default registrations_controller.rb implementation`
			`# to support JSON`
			`def update`
			`change_password = account_update_params.include? :change_password`
			`respond_to do \|format\|`
			`self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)`
			`prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)`

			`resource_updated = update_resource(resource, account_update_params)`
Word wrapping and truncating added to whole application [fixes SCI-458]. Fixed some bugs which were related to long/too long text and validations. Modified parts of application to accomodate for longer text limits. 2016-09-21 21:54:12 +08:00
Initial commit. 2016-02-12 23:52:43 +08:00			`yield resource if block_given?`
			`if resource_updated`
			`# Set "needs confirmation" flash if neccesary`
Fix tests 2019-10-02 19:22:07 +08:00			`if is_flashing_format? \|\| account_update_params['change_avatar']`
Initial commit. 2016-02-12 23:52:43 +08:00			`flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?`
			`:update_needs_confirmation : :updated`
			`set_flash_message :notice, flash_key`
			`end`

			`# Set "password successfully updated" flash if neccesary`
			`if change_password`
			`set_flash_message :notice, :password_changed`
			`end`

			`format.html {`
			`sign_in resource_name, resource, bypass: true`
			`respond_with resource, location: edit_user_registration_path`
			`}`
			`format.json {`
			`flash.keep`
			`sign_in resource_name, resource, bypass: true`
A lot of file uploading edge cases considered. File uploading is now actually redirected to S3 server, as before was not. Error functions changed and error output format specified, which should be used consistently throughout the application. Some other refactoring. 2016-08-05 23:00:29 +08:00			`render json: {}`
Initial commit. 2016-02-12 23:52:43 +08:00			`}`
			`else`
			`clean_up_passwords resource`
			`format.html {`
			`respond_with resource, location: edit_user_registration_path`
			`}`
			`format.json {`
Fixed hound alerts. 2016-08-18 02:49:20 +08:00			`render json: resource.errors, status: :bad_request`
Initial commit. 2016-02-12 23:52:43 +08:00			`}`
			`end`
			`end`
			`end`

sign up with linkedIn account 2018-02-26 18:05:05 +08:00			`def new; end`
Add config option to enable/disable users registration [SCI-935] 2017-01-30 22:04:02 +08:00
Initial commit. 2016-02-12 23:52:43 +08:00			`def create`
Refactor registrations_controller code slightly 2016-11-25 16:56:07 +08:00			`build_resource(sign_up_params)`
			`valid_resource = resource.valid?`
adds environment variable that disables/enables the creation of new team when user sign up 2017-10-25 21:29:04 +08:00			`# ugly checking if new team on sign up is enabled :(`
			`if Rails.configuration.x.new_team_on_signup`
			`# Create new team for the new user`
			`@team = Team.new`
			`@team.name = params[:team][:name]`
			`valid_team = @team.valid?`

			`if valid_team && valid_resource`
			`# this must be called after @team variable is defined. Otherwise this`
			`# variable won't be accessable in view.`
			`super do \|resource\|`
			`# Set the confirmed_at == created_at IF not using email confirmations`
			`unless Rails.configuration.x.enable_email_confirmations`
			`resource.update(confirmed_at: resource.created_at)`
			`end`
Initial commit. 2016-02-12 23:52:43 +08:00
adds environment variable that disables/enables the creation of new team when user sign up 2017-10-25 21:29:04 +08:00			`if resource.valid? && resource.persisted?`
			`@team.created_by = resource # set created_by for oraganization`
			`@team.save`
Initial commit. 2016-02-12 23:52:43 +08:00
adds environment variable that disables/enables the creation of new team when user sign up 2017-10-25 21:29:04 +08:00			`# Add this user to the team as owner`
			`UserTeam.create(user: resource, team: @team, role: :admin)`
fixed new user registration 2016-10-12 18:02:04 +08:00
adds environment variable that disables/enables the creation of new team when user sign up 2017-10-25 21:29:04 +08:00			`# set current team to new user`
			`resource.current_team_id = @team.id`
			`resource.save`
			`end`
Initial commit. 2016-02-12 23:52:43 +08:00			`end`
adds environment variable that disables/enables the creation of new team when user sign up 2017-10-25 21:29:04 +08:00			`else`
			`render :new`
Initial commit. 2016-02-12 23:52:43 +08:00			`end`
Fixes per @okriuchykhin 's request 2017-10-26 16:42:18 +08:00			`elsif valid_resource`
			`super do \|resource\|`
			`# Set the confirmed_at == created_at IF not using email confirmations`
			`unless Rails.configuration.x.enable_email_confirmations`
			`resource.update(confirmed_at: resource.created_at)`
			`resource.save`
adds environment variable that disables/enables the creation of new team when user sign up 2017-10-25 21:29:04 +08:00			`end`
			`end`
Fixes per @okriuchykhin 's request 2017-10-26 16:42:18 +08:00			`else`
			`render :new`
Initial commit. 2016-02-12 23:52:43 +08:00			`end`
			`end`

sign up with linkedIn account 2018-02-26 18:05:05 +08:00			`def new_with_provider; end`

			`def create_with_provider`
			`@user = User.find_by_id(user_provider_params['user'])`
			`# Create new team for the new user`
			`@team = Team.new(team_provider_params)`

change validation again 2018-03-05 20:12:44 +08:00			`if @team.valid? && @user && Rails.configuration.x.new_team_on_signup`
sign up with linkedIn account 2018-02-26 18:05:05 +08:00			`# Set the confirmed_at == created_at IF not using email confirmations`
			`unless Rails.configuration.x.enable_email_confirmations`
			`@user.update!(confirmed_at: @user.created_at)`
			`end`

			`@team.created_by = @user # set created_by for team`
			`@team.save!`

			`# Add this user to the team as owner`
			`UserTeam.create(user: @user, team: @team, role: :admin)`

			`# set current team to new user`
			`@user.current_team_id = @team.id`
			`@user.save!`

			`sign_in_and_redirect @user`
			`else`
			`render :new_with_provider`
			`end`
			`end`

Add 2fa to user settings page 2020-07-01 17:07:33 +08:00			`def two_factor_enable`
Small 2fa improvments 2020-07-01 20:41:55 +08:00			`if current_user.valid_otp?(params[:submit_code])`
Add recovery strategy for 2fa 2020-07-09 23:01:00 +08:00			`recovery_codes = current_user.enable_2fa!`
			`render json: { recovery_codes: recovery_codes }`
Add 2fa to user settings page 2020-07-01 17:07:33 +08:00			`else`
			`render json: { error: t('users.registrations.edit.2fa_errors.wrong_submit_code') }, status: :unprocessable_entity`
			`end`
			`end`

			`def two_factor_disable`
			`if current_user.valid_password?(params[:password])`
Fix tests 2020-07-01 21:44:52 +08:00			`current_user.disable_2fa!`
Add 2fa to user settings page 2020-07-01 17:07:33 +08:00			`redirect_to edit_user_registration_path`
			`else`
			`render json: { error: t('users.registrations.edit.2fa_errors.wrong_password') }, status: :forbidden`
			`end`
			`end`

			`def two_factor_qr_code`
Rename ensure 2fa method 2020-07-02 17:24:33 +08:00			`current_user.assign_2fa_token!`
Add 2fa to user settings page 2020-07-01 17:07:33 +08:00			`qr_code_url = ROTP::TOTP.new(current_user.otp_secret, issuer: 'SciNote').provisioning_uri(current_user.email)`
			`qr_code = RQRCode::QRCode.new(qr_code_url)`
Add basic UX to 2FA 2020-07-07 18:59:48 +08:00			`render json: { qr_code: qr_code.as_svg(module_size: 4) }`
Add 2fa to user settings page 2020-07-01 17:07:33 +08:00			`end`

Initial commit. 2016-02-12 23:52:43 +08:00			`protected`

			`# Called upon creating User (before .save). Permits parameters and extracts`
			`# initials from :full_name (takes at most 4 chars). If :full_name is empty, it`
			`# uses "PLCH" as a placeholder (user won't get error complaining about`
			`# initials being empty.`
			`def sign_up_params`
			`tmp = params.require(:user).permit(:full_name, :initials, :email, :password, :password_confirmation)`
			`initials = tmp[:full_name].titleize.scan(/[A-Z]+/).join()`
Removed unneeded ERB tags, which caused error. Minor refactoring. 2016-10-13 16:00:36 +08:00			`initials = if initials.strip.empty?`
			`'PLCH'`
			`else`
			`initials[0..Constants::USER_INITIALS_MAX_LENGTH]`
			`end`
Initial commit. 2016-02-12 23:52:43 +08:00			`tmp.merge(:initials => initials)`
			`end`

sign up with linkedIn account 2018-02-26 18:05:05 +08:00			`def team_provider_params`
			`params.require(:team).permit(:name)`
			`end`

			`def user_provider_params`
			`params.permit(:user)`
			`end`

Initial commit. 2016-02-12 23:52:43 +08:00			`def account_update_params`
			`params.require(:user).permit(`
			`:full_name,`
			`:initials,`
			`:avatar,`
			`:email,`
			`:password,`
			`:password_confirmation,`
			`:current_password,`
			`:change_password,`
			`:change_avatar`
			`)`
			`end`

A lot of file uploading edge cases considered. File uploading is now actually redirected to S3 server, as before was not. Error functions changed and error output format specified, which should be used consistently throughout the application. Some other refactoring. 2016-08-05 23:00:29 +08:00			`def avatar_params`
			`params.permit(`
Fixed hound alerts. 2016-08-18 02:49:20 +08:00			`:file`
A lot of file uploading edge cases considered. File uploading is now actually redirected to S3 server, as before was not. Error functions changed and error output format specified, which should be used consistently throughout the application. Some other refactoring. 2016-08-05 23:00:29 +08:00			`)`
Fixed hound alerts. 2016-08-18 02:49:20 +08:00			`end`
A lot of file uploading edge cases considered. File uploading is now actually redirected to S3 server, as before was not. Error functions changed and error output format specified, which should be used consistently throughout the application. Some other refactoring. 2016-08-05 23:00:29 +08:00
Initial commit. 2016-02-12 23:52:43 +08:00			`private`

fix travis 2018-04-06 23:16:04 +08:00			`def layout`
			`'fluid' if action_name == 'edit'`
			`end`

integrate reCaptcha into sciNote 2016-11-22 21:57:41 +08:00			`def check_captcha`
			`if Rails.configuration.x.enable_recaptcha`
			`unless verify_recaptcha`
Fix some recaptcha form submit errors for signup pages Closes SCI-746. 2016-11-29 22:53:58 +08:00			`# Construct new resource before rendering :new`
integrate reCaptcha into sciNote 2016-11-22 21:57:41 +08:00			`self.resource = resource_class.new sign_up_params`
Fix some recaptcha form submit errors for signup pages Closes SCI-746. 2016-11-29 22:53:58 +08:00
rename controllers where org/organization 2017-01-24 23:57:14 +08:00			`# Also validate team`
rename Organization to Team in controllers 2017-01-25 00:06:51 +08:00			`@team = Team.new(name: params[:team][:name])`
rename controllers where org/organization 2017-01-24 23:57:14 +08:00			`@team.valid?`
Fix some recaptcha form submit errors for signup pages Closes SCI-746. 2016-11-29 22:53:58 +08:00
integrate reCaptcha into sciNote 2016-11-22 21:57:41 +08:00			`respond_with_navigational(resource) { render :new }`
			`end`
			`end`
			`end`

sign up with linkedIn account 2018-02-26 18:05:05 +08:00			`def registration_enabled?`
			`render_403 unless Rails.configuration.x.enable_user_registration`
			`end`

			`def sign_up_with_provider_enabled?`
			`render_403 unless Rails.configuration.x.linkedin_signin_enabled`
			`end`

Initial commit. 2016-02-12 23:52:43 +08:00			`# Redirect to login page after signing up`
			`def after_sign_up_path_for(resource)`
			`new_user_session_path`
			`end`

			`# Redirect to login page after signing up`
			`def after_inactive_sign_up_path_for(resource)`
			`new_user_session_path`
			`end`
			`end`