Remove user invitation expiration, make user confirmation period configurable, improve invitation code [SCI-11574]

2025-03-03 19:24:48 +08:00 · 2025-02-17 14:47:57 +01:00 · 2025-02-17 14:47:57 +01:00 · 2f8b5f89a4
commit 2f8b5f89a4
parent 31de10d463
3 changed files with 45 additions and 23 deletions
--- a/app/controllers/users/invitations_controller.rb
+++ b/app/controllers/users/invitations_controller.rb
@ -14,6 +14,15 @@ module Users

    before_action :update_sanitized_params, only: :update

+    def new
+      raise NotImplementedError
+    end
+
+    def create
+      # Replaced with invite_users action
+      raise NotImplementedError
+    end
+
    def update
      return super unless Rails.configuration.x.new_team_on_signup

@ -24,11 +33,15 @@ module Users
      super do |user|
        if user.errors.blank?
          @team.created_by = user
-          @team.save
+          @team.save!
        end
      end
    end

+    def destroy
+      raise NotImplementedError
+    end
+
    def accept_resource
      return super unless Rails.configuration.x.new_team_on_signup

@ -71,7 +84,7 @@ module Users
          next
        end
        # Check if user already exists
-        user = User.find_by(email: email)
+        user = User.find_by(email: email.downcase)

        if user
          result[:status] = :user_exists
@ -156,6 +169,11 @@ module Users

    private

+    def invite_resource
+      # Replaced with invite_users action
+      raise NotImplementedError
+    end
+
    def update_sanitized_params
      # Solution for Devise < 4.0.0
      devise_parameter_sanitizer.permit(:accept_invitation, keys: [:full_name])
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -107,7 +107,7 @@ Devise.setup do |config|
  # The period the generated invitation token is valid, after
  # this period, the invited resource won't be able to accept the invitation.
  # When invite_for is 0 (the default), the invitation won't expire.
-  config.invite_for = 7.days
+  # config.invite_for = 7.days

  # Number of invitations users can send.
  # - If invitation_limit is nil, there is no limit for invitations, users can
@ -165,7 +165,7 @@ Devise.setup do |config|
  # their account can't be confirmed with the token any more.
  # Default is nil, meaning there is no restriction on how long a user can take
  # before confirming their account.
-  config.confirm_within = 7.days
+  config.confirm_within = ENV['SCINOTE_USERS_CONFIRM_WITHIN']&.to_i&.days

  # If true, requires any email changes to be confirmed (exactly the same way as
  # initial account confirmation) to be applied. Requires additional unconfirmed_email
--- a/lib/tasks/data.rake
+++ b/lib/tasks/data.rake
@ -50,32 +50,36 @@ namespace :data do
    end
  end

-  desc "Remove unconfirmed user accounts"
+  desc 'Remove unconfirmed user accounts'
  task clean_unconfirmed_users: :environment do
-    Rails.logger.info "Cleaning unconfirmed users"
+    Rails.logger.info 'Cleaning unconfirmed users'

    # First, remove the users who signed up by themselves
-    users = User
-    .where(confirmed_at: nil)
-    .where.not(confirmation_token: nil)
-    .where(invitation_token: nil)
-    .where("created_at < ?", Devise.confirm_within.ago)
-    destroy_users(users)
+    if Devise.confirm_within.present?
+      users = User.where(confirmed_at: nil)
+                  .where.not(confirmation_token: nil)
+                  .where(invitation_token: nil)
+                  .where(created_at: ...Devise.confirm_within.ago)
+      destroy_users(users)
+    end

    # Now, remove users who were invited
-    users = User
-    .where(confirmed_at: nil)
-    .where(invitation_accepted_at: nil)
-    .where(confirmation_token: nil)
-    .where.not(invitation_token: nil)
-    .where("created_at < ?", Devise.invite_for.ago)
-    destroy_users(users)
+    unless Devise.invite_for.zero?
+      users = User.where(confirmed_at: nil)
+                  .where(invitation_accepted_at: nil)
+                  .where(confirmation_token: nil)
+                  .where.not(invitation_token: nil)
+                  .where(created_at: ...Devise.invite_for.ago)
+      destroy_users(users)
+    end

    # Remove users who didn't finish signup with LinkedIn
-    users = User.joins(:user_identities)
-                .where(confirmed_at: nil)
-                .where('users.created_at < ?', Devise.confirm_within.ago)
-    destroy_users(users)
+    if Devise.confirm_within.present?
+      users = User.joins(:user_identities)
+                  .where(confirmed_at: nil)
+                  .where(users: { created_at: ...Devise.confirm_within.ago })
+      destroy_users(users)
+    end
  end

  desc "Remove temporary and obsolete data"