Require valid invitation to start sign-up process

2020-12-02 19:20:01 +01:00
parent 69b99711e5
commit 7aadb5cb51
15 changed files with 201 additions and 3 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,6 +9,12 @@ class ApplicationController < ActionController::Base
    end
  end

+  def require_user_signed_out
+    if user_signed_in?
+      redirect_to root_path and return
+    end
+  end
+
  def authorize_admin
    http_status :forbidden unless current_user.is_admin?
  end
--- a/app/controllers/invitations_controller.rb
+++ b/app/controllers/invitations_controller.rb
@@ -1,11 +1,26 @@
 class InvitationsController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :require_user_signed_in, except: ["show"]
+  before_action :require_user_signed_out, only: ["show"]
+
+  layout "signup", only: ["show"]

  # GET /invitations
  def index
    @invitations = current_user.invitations
  end

+  # GET /invitations/a-random-invitation-token
+  def show
+    token = session[:invitation_token] = params[:id]
+
+    if Invitation.where(token: token, used_at: nil).exists?
+      redirect_to signup_path and return
+    else
+      flash.now[:alert] = "This invitation either doesn't exist or has already been used."
+      http_status :unauthorized
+    end
+  end
+
  # POST /invitations
  def create
    @invitation = Invitation.new(user: current_user)
--- a/app/controllers/signup_controller.rb
+++ b/app/controllers/signup_controller.rb
@@ -0,0 +1,33 @@
+class SignupController < ApplicationController
+  before_action :require_user_signed_out
+  before_action :require_invitation
+  before_action :set_invitation
+
+  layout "signup"
+
+  def index
+    @invited_by_name = @invitation.user.address
+  end
+
+  private
+
+  def require_invitation
+    if session[:invitation_token].blank?
+      flash.now[:alert] = "You need an invitation to sign up for an account."
+      http_status :unauthorized
+    elsif !valid_invitation?(session[:invitation_token])
+      flash.now[:alert] = "This invitation either doesn't exist or has already been used."
+      http_status :unauthorized
+    end
+
+    @invitation = Invitation.find_by(token: session[:invitation_token])
+  end
+
+  def valid_invitation?(token)
+    Invitation.where(token: session[:invitation_token], used_at: nil).exists?
+  end
+
+  def set_invitation
+    @invitation = Invitation.find_by(token: session[:invitation_token])
+  end
+end
--- a/app/helpers/signup_helper.rb
+++ b/app/helpers/signup_helper.rb
@@ -0,0 +1,2 @@
+module SignupHelper
+end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -36,4 +36,8 @@ class User < ApplicationRecord
                false
              end
  end
+
+  def address
+    "#{self.cn}@#{self.ou}"
+  end
 end
--- a/app/views/layouts/signup.html.erb
+++ b/app/views/layouts/signup.html.erb
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Sign up | Kosmos Accounts</title>
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+
+    <%= stylesheet_link_tag 'application', media: 'all', 'data-turbolinks-track': 'reload' %>
+    <%= javascript_pack_tag 'application', 'data-turbolinks-track': 'reload' %>
+  </head>
+
+  <body>
+    <div id="wrapper">
+      <header>
+        <h1>
+          <span class ="project-name">Kosmos</span>
+          <span class ="site-name">Sign Up</span>
+          <!-- <span class="beta"><span class="bolt">⚡</span> beta</span> -->
+        </h1>
+        <% if user_signed_in? %>
+          <p class="current-user">
+            Signed in as <strong><%= current_user.cn %>@kosmos.org</strong>.
+            <%= link_to "Log out", destroy_user_session_path, method: :delete %>
+          </p>
+        <% end %>
+      </header>
+
+      <% flash.each do |type, msg| %>
+        <div class="flash-msg <%= type %>">
+          <p><%= msg %></p>
+        </div>
+      <% end %>
+
+      <main>
+        <%= yield %>
+      </main>
+    </div>
+  </body>
+</html>
--- a/app/views/shared/status_forbidden.html.erb
+++ b/app/views/shared/status_forbidden.html.erb
@@ -1,2 +1,2 @@
 <h2>Access forbidden</h2>
-<p>Not with those shoes, buddy.</p>
+<p>Sorry, you're not allowed to access this page.</p>
--- a/app/views/shared/status_unauthorized.html.erb
+++ b/app/views/shared/status_unauthorized.html.erb
--- a/app/views/signup/index.html.erb
+++ b/app/views/signup/index.html.erb
@@ -0,0 +1,12 @@
+<h2>Welcome</h2>
+<p>
+  Hey there! You were invited to sign up for a Kosmos account by
+  <strong><%= @invited_by_name %></strong>.
+</p>
+<p>
+  This invitation can only be used once, and sign-up is currently only possible
+  by invitation. Seems like you have good friends!
+</p>
+<p>
+  <%= link_to "Get started", signup_path, class: "next-step" %>
+</p>