Add consumable invites (#5814)

* Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
2017-11-27 16:07:59 +01:00 · 2017-11-27 16:07:59 +01:00 · 740f8a95a9
commit 740f8a95a9
parent 0ea4478b68
28 changed files with 439 additions and 5 deletions
--- a/app/controllers/admin/invites_controller.rb
+++ b/app/controllers/admin/invites_controller.rb
@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Admin
+  class InvitesController < BaseController
+    def index
+      authorize :invite, :index?
+
+      @invites = Invite.includes(user: :account).page(params[:page])
+      @invite  = Invite.new
+    end
+
+    def create
+      authorize :invite, :create?
+
+      @invite      = Invite.new(resource_params)
+      @invite.user = current_user
+
+      if @invite.save
+        redirect_to admin_invites_path
+      else
+        @invites = Invite.page(params[:page])
+        render :index
+      end
+    end
+
+    def destroy
+      @invite = Invite.find(params[:id])
+      authorize @invite, :destroy?
+      @invite.expire!
+      redirect_to admin_invites_path
+    end
+  end
+end
--- a/app/controllers/admin/settings_controller.rb
+++ b/app/controllers/admin/settings_controller.rb
@ -16,6 +16,7 @@ module Admin
      show_staff_badge
      bootstrap_timeline_accounts
      thumbnail
+      min_invite_role
    ).freeze

    BOOLEAN_SETTINGS = %w(
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -16,13 +16,16 @@ class Auth::RegistrationsController < Devise::RegistrationsController

  def build_resource(hash = nil)
    super(hash)
-    resource.locale = I18n.locale
+
+    resource.locale      = I18n.locale
+    resource.invite_code = params[:invite_code] if resource.invite_code.blank?
+
    resource.build_account if resource.account.nil?
  end

  def configure_sign_up_params
    devise_parameter_sanitizer.permit(:sign_up) do |u|
-      u.permit({ account_attributes: [:username] }, :email, :password, :password_confirmation)
+      u.permit({ account_attributes: [:username] }, :email, :password, :password_confirmation, :invite_code)
    end
  end

@ -35,7 +38,19 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  end

  def check_enabled_registrations
-    redirect_to root_path if single_user_mode? || !Setting.open_registrations
+    redirect_to root_path if single_user_mode? || !allowed_registrations?
+  end
+
+  def allowed_registrations?
+    Setting.open_registrations || (invite_code.present? && Invite.find_by(code: invite_code)&.valid_for_use?)
+  end
+
+  def invite_code
+    if params[:user]
+      params[:user][:invite_code]
+    else
+      params[:invite_code]
+    end
  end

  private
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+class InvitesController < ApplicationController
+  include Authorization
+
+  layout 'admin'
+
+  before_action :authenticate_user!
+
+  def index
+    authorize :invite, :create?
+
+    @invites = Invite.where(user: current_user)
+    @invite  = Invite.new(expires_in: 1.day.to_i)
+  end
+
+  def create
+    authorize :invite, :create?
+
+    @invite      = Invite.new(resource_params)
+    @invite.user = current_user
+
+    if @invite.save
+      redirect_to invites_path
+    else
+      @invites = Invite.where(user: current_user)
+      render :index
+    end
+  end
+
+  def destroy
+    @invite = Invite.where(user: current_user).find(params[:id])
+    authorize @invite, :destroy?
+    @invite.expire!
+    redirect_to invites_path
+  end
+
+  private
+
+  def resource_params
+    params.require(:invite).permit(:max_uses, :expires_in)
+  end
+end
--- a/app/javascript/styles/mastodon/admin.scss
+++ b/app/javascript/styles/mastodon/admin.scss
@ -448,3 +448,19 @@
    color: $success-green;
  }
 }
+
+.name-tag {
+  display: flex;
+  align-items: center;
+
+  .avatar {
+    display: block;
+    margin: 0;
+    margin-right: 5px;
+    border-radius: 50%;
+  }
+
+  .username {
+    font-weight: 500;
+  }
+}
--- a/app/models/form/admin_settings.rb
+++ b/app/models/form/admin_settings.rb
@ -28,6 +28,8 @@ class Form::AdminSettings
    :show_staff_badge=,
    :bootstrap_timeline_accounts,
    :bootstrap_timeline_accounts=,
+    :min_invite_role,
+    :min_invite_role=,
    to: Setting
  )
 end
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@ -0,0 +1,45 @@
+# frozen_string_literal: true
+# == Schema Information
+#
+# Table name: invites
+#
+#  id         :integer          not null, primary key
+#  user_id    :integer
+#  code       :string           default(""), not null
+#  expires_at :datetime
+#  max_uses   :integer
+#  uses       :integer          default(0), not null
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#
+
+class Invite < ApplicationRecord
+  belongs_to :user, required: true
+  has_many :users, inverse_of: :invite
+
+  before_validation :set_code
+
+  attr_reader :expires_in
+
+  def expires_in=(interval)
+    self.expires_at = interval.to_i.seconds.from_now unless interval.blank?
+    @expires_in     = interval
+  end
+
+  def valid_for_use?
+    (max_uses.nil? || uses < max_uses) && (expires_at.nil? || expires_at >= Time.now.utc)
+  end
+
+  def expire!
+    touch(:expires_at)
+  end
+
+  private
+
+  def set_code
+    loop do
+      self.code = ([*('a'..'z'), *('A'..'Z'), *('0'..'9')] - %w(0 1 I l O)).sample(8).join
+      break if Invite.find_by(code: code).nil?
+    end
+  end
+end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -33,6 +33,7 @@
 #  account_id                :integer          not null
 #  disabled                  :boolean          default(FALSE), not null
 #  moderator                 :boolean          default(FALSE), not null
+#  invite_id                 :integer
 #

 class User < ApplicationRecord
@ -47,6 +48,7 @@ class User < ApplicationRecord
         otp_number_of_backup_codes: 10

  belongs_to :account, inverse_of: :user, required: true
+  belongs_to :invite, counter_cache: :uses
  accepts_nested_attributes_for :account

  has_many :applications, class_name: 'Doorkeeper::Application', as: :owner
@ -77,6 +79,8 @@ class User < ApplicationRecord
           :reduce_motion, :system_font_ui, :noindex, :theme,
           to: :settings, prefix: :setting, allow_nil: false

+  attr_accessor :invite_code
+
  def confirmed?
    confirmed_at.present?
  end
@ -95,6 +99,19 @@ class User < ApplicationRecord
    end
  end

+  def role?(role)
+    case role
+    when 'user'
+      true
+    when 'moderator'
+      staff?
+    when 'admin'
+      admin?
+    else
+      false
+    end
+  end
+
  def disable!
    update!(disabled: true,
            last_sign_in_at: current_sign_in_at,
@ -169,6 +186,11 @@ class User < ApplicationRecord
    session.web_push_subscription.nil? ? nil : session.web_push_subscription.as_payload
  end

+  def invite_code=(code)
+    self.invite  = Invite.find_by(code: code) unless code.blank?
+    @invite_code = code
+  end
+
  protected

  def send_devise_notification(notification, *args)
--- a/app/policies/invite_policy.rb
+++ b/app/policies/invite_policy.rb
@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class InvitePolicy < ApplicationPolicy
+  def index?
+    staff?
+  end
+
+  def create?
+    min_required_role?
+  end
+
+  def destroy?
+    owner? || staff?
+  end
+
+  private
+
+  def owner?
+    record.user_id == current_user&.id
+  end
+
+  def min_required_role?
+    current_user&.role?(Setting.min_invite_role)
+  end
+end
--- a/app/views/admin/action_logs/_action_log.html.haml
+++ b/app/views/admin/action_logs/_action_log.html.haml
@ -1,7 +1,7 @@
 %li.log-entry
  .log-entry__header
    .log-entry__avatar
-      = image_tag action_log.account.avatar.url(:original), alt: '', width: 48, height: 48, class: 'avatar'
+      = image_tag action_log.account.avatar.url(:original), alt: '', width: 40, height: 40, class: 'avatar'
    .log-entry__content
      .log-entry__title
        = t("admin.action_logs.actions.#{action_log.action}_#{action_log.target_type.underscore}", name: content_tag(:span, action_log.account.username, class: 'username'), target: content_tag(:span, log_target(action_log), class: 'target')).html_safe
--- a/app/views/admin/invites/_invite.html.haml
+++ b/app/views/admin/invites/_invite.html.haml
@ -0,0 +1,15 @@
+%tr
+  %td
+    .name-tag
+      = image_tag invite.user.account.avatar.url(:original), alt: '', width: 16, height: 16, class: 'avatar'
+      %span.username= invite.user.account.username
+  %td
+    = invite.uses
+    = " / #{invite.max_uses}" unless invite.max_uses.nil?
+  %td
+    - if invite.expires_at.nil?
+      ∞
+    - else
+      = l invite.expires_at
+  %td= table_link_to 'link', public_invite_url(invite_code: invite.code), public_invite_url(invite_code: invite.code)
+  %td= table_link_to 'times', t('invites.delete'), invite_path(invite), method: :delete if policy(invite).destroy?
--- a/app/views/admin/invites/index.html.haml
+++ b/app/views/admin/invites/index.html.haml
@ -0,0 +1,22 @@
+- content_for :page_title do
+  = t('admin.invites.title')
+
+- if policy(:invite).create?
+  %p= t('invites.prompt')
+
+  = render 'invites/form'
+
+  %hr/
+
+%table.table
+  %thead
+    %tr
+      %th
+      %th= t('invites.table.uses')
+      %th= t('invites.table.expires_at')
+      %th
+      %th
+  %tbody
+    = render @invites
+
+= paginate @invites
--- a/app/views/admin/settings/edit.html.haml
+++ b/app/views/admin/settings/edit.html.haml
@ -32,6 +32,11 @@

  %hr/

+  .fields-group
+    = f.input :min_invite_role, wrapper: :with_label, collection: %i(disabled user moderator admin), label: t('admin.settings.registrations.min_invite_role.title'), label_method: lambda { |role| role == :disabled ? t('admin.settings.registrations.min_invite_role.disabled') : t("admin.accounts.roles.#{role}") }, as: :radio_buttons, include_blank: false, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li'
+
+  %hr/
+
  .fields-group
    = f.input :site_extended_description, wrapper: :with_block_label, as: :text, label: t('admin.settings.site_description_extended.title'), hint: t('admin.settings.site_description_extended.desc_html'), input_html: { rows: 8 }
    = f.input :site_terms, wrapper: :with_block_label, as: :text, label: t('admin.settings.site_terms.title'), hint: t('admin.settings.site_terms.desc_html'), input_html: { rows: 8 }
--- a/app/views/auth/registrations/new.html.haml
+++ b/app/views/auth/registrations/new.html.haml
@ -16,6 +16,7 @@
  = f.input :email, placeholder: t('simple_form.labels.defaults.email'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.email'), :autocomplete => 'off' }
  = f.input :password, placeholder: t('simple_form.labels.defaults.password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.password'), :autocomplete => 'off' }
  = f.input :password_confirmation, placeholder: t('simple_form.labels.defaults.confirm_password'), required: true, input_html: { 'aria-label' => t('simple_form.labels.defaults.confirm_password'), :autocomplete => 'off' }
+  = f.input :invite_code, as: :hidden

  .actions
    = f.button :button, t('auth.register'), type: :submit
--- a/app/views/invites/_form.html.haml
+++ b/app/views/invites/_form.html.haml
@ -0,0 +1,9 @@
+= simple_form_for(@invite) do |f|
+  = render 'shared/error_messages', object: @invite
+
+  .fields-group
+    = f.input :max_uses, wrapper: :with_label, collection: [1, 5, 10, 25, 50, 100], label_method: lambda { |num| I18n.t('invites.max_uses', count: num) }, prompt: I18n.t('invites.max_uses_prompt')
+    = f.input :expires_in, wrapper: :with_label, collection: [30.minutes, 1.hour, 6.hours, 12.hours, 1.day].map(&:to_i), label_method: lambda { |i| I18n.t("invites.expires_in.#{i}") }, prompt: I18n.t('invites.expires_in_prompt')
+
+  .actions
+    = f.button :button, t('invites.generate'), type: :submit
--- a/app/views/invites/_invite.html.haml
+++ b/app/views/invites/_invite.html.haml
@ -0,0 +1,11 @@
+%tr
+  %td
+    = invite.uses
+    = " / #{invite.max_uses}" unless invite.max_uses.nil?
+  %td
+    - if invite.expires_at.nil?
+      ∞
+    - else
+      = l invite.expires_at
+  %td= table_link_to 'link', public_invite_url(invite_code: invite.code), public_invite_url(invite_code: invite.code)
+  %td= table_link_to 'times', t('invites.delete'), invite_path(invite), method: :delete if policy(invite).destroy?
--- a/app/views/invites/index.html.haml
+++ b/app/views/invites/index.html.haml
@ -0,0 +1,19 @@
+- content_for :page_title do
+  = t('invites.title')
+
+- if policy(:invite).create?
+  %p= t('invites.prompt')
+
+  = render 'form'
+
+  %hr/
+
+%table.table
+  %thead
+    %tr
+      %th= t('invites.table.uses')
+      %th= t('invites.table.expires_at')
+      %th
+      %th
+  %tbody
+    = render @invites