Merge remote-tracking branch 'parent/main' into upstream-20241216

app/controllers/admin/base_controller.rb

@@ -8,6 +8,7 @@ module Admin
     layout 'admin'
 
     before_action :set_cache_headers
+    before_action :set_referrer_policy_header
 
     after_action :verify_authorized
 
@@ -17,6 +18,10 @@ module Admin
       response.cache_control.replace(private: true, no_store: true)
     end
 
+    def set_referrer_policy_header
+      response.headers['Referrer-Policy'] = 'same-origin'
+    end
+
     def set_user
       @user = Account.find(params[:account_id]).user || raise(ActiveRecord::RecordNotFound)
     end

app/controllers/admin/terms_of_service/distributions_controller.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::DistributionsController < Admin::BaseController
+  before_action :set_terms_of_service
+
+  def create
+    authorize @terms_of_service, :distribute?
+    @terms_of_service.touch(:notification_sent_at)
+    Admin::DistributeTermsOfServiceNotificationWorker.perform_async(@terms_of_service.id)
+    redirect_to admin_terms_of_service_index_path
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.find(params[:terms_of_service_id])
+  end
+end

app/controllers/admin/terms_of_service/drafts_controller.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::DraftsController < Admin::BaseController
+  before_action :set_terms_of_service
+
+  def show
+    authorize :terms_of_service, :create?
+  end
+
+  def update
+    authorize @terms_of_service, :update?
+
+    @terms_of_service.published_at = Time.now.utc if params[:action_type] == 'publish'
+
+    if @terms_of_service.update(resource_params)
+      log_action(:publish, @terms_of_service) if @terms_of_service.published?
+      redirect_to @terms_of_service.published? ? admin_terms_of_service_index_path : admin_terms_of_service_draft_path
+    else
+      render :show
+    end
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.draft.first || TermsOfService.new(text: current_terms_of_service&.text)
+  end
+
+  def current_terms_of_service
+    TermsOfService.live.first
+  end
+
+  def resource_params
+    params.require(:terms_of_service).permit(:text, :changelog)
+  end
+end

app/controllers/admin/terms_of_service/generates_controller.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::GeneratesController < Admin::BaseController
+  before_action :set_instance_presenter
+
+  def show
+    authorize :terms_of_service, :create?
+
+    @generator = TermsOfService::Generator.new(
+      domain: @instance_presenter.domain,
+      admin_email: @instance_presenter.contact.email
+    )
+  end
+
+  def create
+    authorize :terms_of_service, :create?
+
+    @generator = TermsOfService::Generator.new(resource_params)
+
+    if @generator.valid?
+      TermsOfService.create!(text: @generator.render)
+      redirect_to admin_terms_of_service_draft_path
+    else
+      render :show
+    end
+  end
+
+  private
+
+  def set_instance_presenter
+    @instance_presenter = InstancePresenter.new
+  end
+
+  def resource_params
+    params.require(:terms_of_service_generator).permit(*TermsOfService::Generator::VARIABLES)
+  end
+end

app/controllers/admin/terms_of_service/histories_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::HistoriesController < Admin::BaseController
+  def show
+    authorize :terms_of_service, :index?
+    @terms_of_service = TermsOfService.published.all
+  end
+end

app/controllers/admin/terms_of_service/previews_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::PreviewsController < Admin::BaseController
+  before_action :set_terms_of_service
+
+  def show
+    authorize @terms_of_service, :distribute?
+    @user_count = @terms_of_service.scope_for_notification.count
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.find(params[:terms_of_service_id])
+  end
+end

app/controllers/admin/terms_of_service/tests_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfService::TestsController < Admin::BaseController
+  before_action :set_terms_of_service
+
+  def create
+    authorize @terms_of_service, :distribute?
+    UserMailer.terms_of_service_changed(current_user, @terms_of_service).deliver_later!
+    redirect_to admin_terms_of_service_preview_path(@terms_of_service)
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.find(params[:terms_of_service_id])
+  end
+end

app/controllers/admin/terms_of_service_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class Admin::TermsOfServiceController < Admin::BaseController
+  def index
+    authorize :terms_of_service, :index?
+    @terms_of_service = TermsOfService.live.first
+  end
+end

app/controllers/api/v1/instances/terms_of_services_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class Api::V1::Instances::TermsOfServicesController < Api::V1::Instances::BaseController
+  before_action :set_terms_of_service
+
+  def show
+    cache_even_if_authenticated!
+    render json: @terms_of_service, serializer: REST::PrivacyPolicySerializer
+  end
+
+  private
+
+  def set_terms_of_service
+    @terms_of_service = TermsOfService.live.first!
+  end
+end

app/controllers/application_controller.rb

@@ -70,7 +70,13 @@ class ApplicationController < ActionController::Base
   end
 
   def require_functional!
-    redirect_to edit_user_registration_path unless current_user.functional?
+    return if current_user.functional?
+
+    if current_user.confirmed?
+      redirect_to edit_user_registration_path
+    else
+      redirect_to auth_setup_path
+    end
   end
 
   def skip_csrf_meta_tags?

app/controllers/auth/registrations_controller.rb

@@ -142,4 +142,12 @@ class Auth::RegistrationsController < Devise::RegistrationsController
   def set_cache_headers
     response.cache_control.replace(private: true, no_store: true)
   end
+
+  def is_flashing_format? # rubocop:disable Naming/PredicateName
+    if params[:action] == 'create'
+      false # Disable flash messages for sign-up
+    else
+      super
+    end
+  end
 end

app/controllers/concerns/web_app_controller_concern.rb

@@ -7,6 +7,7 @@ module WebAppControllerConcern
     vary_by 'Accept, Accept-Language, Cookie'
 
     before_action :redirect_unauthenticated_to_permalinks!
+    before_action :set_referer_header
 
     content_security_policy do |p|
       policy = ContentSecurityPolicy.new
@@ -41,4 +42,10 @@ module WebAppControllerConcern
       end
     end
   end
+
+  protected
+
+  def set_referer_header
+    response.set_header('Referrer-Policy', Setting.allow_referrer_origin ? 'origin' : 'same-origin')
+  end
 end

app/controllers/terms_of_service_controller.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class TermsOfServiceController < ApplicationController
+  include WebAppControllerConcern
+
+  skip_before_action :require_functional!
+
+  def show
+    expires_in(15.seconds, public: true, stale_while_revalidate: 30.seconds, stale_if_error: 1.day) unless user_signed_in?
+  end
+end