diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 14c069af1..2293c673c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,4 +1,5 @@
 class ApplicationController < ActionController::Base
+ before_action :authenticate_user!
 verify_authorized unless: :devise_controller?
 before_action :set_current_user
diff --git a/app/controllers/contacts_controller.rb b/app/controllers/contacts_controller.rb
index 6becd64a9..21e54d9b5 100644
--- a/app/controllers/contacts_controller.rb
+++ b/app/controllers/contacts_controller.rb
@@ -1,4 +1,5 @@
 class ContactsController < ApplicationController
+ skip_before_action :authenticate_user!
 skip_verify_authorized only: %i[new create]
 def new
diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb
index 59c0815d3..4f9f31915 100644
--- a/app/controllers/errors_controller.rb
+++ b/app/controllers/errors_controller.rb
@@ -1,4 +1,5 @@
 class ErrorsController < ApplicationController
+ skip_before_action :authenticate_user!
 skip_verify_authorized
 def not_found
diff --git a/app/controllers/organizations/adoptable_pets_controller.rb b/app/controllers/organizations/adoptable_pets_controller.rb
index c6c4aacc5..fc6860b64 100644
--- a/app/controllers/organizations/adoptable_pets_controller.rb
+++ b/app/controllers/organizations/adoptable_pets_controller.rb
@@ -1,5 +1,7 @@
 class Organizations::AdoptablePetsController < Organizations::BaseController
 include ::Pagy::Backend
+
+ skip_before_action :authenticate_user!
 skip_verify_authorized only: %i[index]
 before_action :set_likes, only: %i[index show], if: -> { current_user&.adopter_foster_account }
 helper_method :get_animals
diff --git a/app/controllers/organizations/adopter_fosterer/adopter_applications_controller.rb b/app/controllers/organizations/adopter_fosterer/adopter_applications_controller.rb
index ac1321b70..50446a2a7 100644
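Review bot: The new `before_action :authenticate_user!` in ApplicationController makes the whole application default-deny, but nothing on the line says so, and the opt-out contract is only discoverable from the `skip_before_action` calls scattered over the other controllers in this commit. A comment above it would make both explicit: `# Default-deny: every action requires a signed-in user. Public actions must opt out with skip_before_action :authenticate_user!, only: [...]`. As generated by Devise, `authenticate_user!` skips the Warden check when `devise_controller?` is true, so the sign-in and registration pages are not caught in a redirect loop by this line; the `unless: :devise_controller?` on `verify_authorized` covers only the authorization check.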
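Review bot: `skip_before_action :authenticate_user!` in ContactsController carries no `only:`, so it is wider than the `skip_verify_authorized only: %i[new create]` directly below it — authentication is dropped for every action in the controller, and any action added later is public by default. Scoping it to the same list, `skip_before_action :authenticate_user!, only: %i[new create]`, keeps the two opt-outs aligned and fail-closed. The same unscoped skip appears in Organizations::AdoptablePetsController, Organizations::FaqController, Organizations::HomeController, RootController and StaticPagesController, each next to a `skip_verify_authorized only:` with a narrower action list; in AdoptablePetsController in particular `show` keeps `verify_authorized` but no longer has a signed-in user, so its policy has to tolerate a nil `current_user` (the `set_likes` callback already guards with `current_user&.`). ErrorsController, whose `skip_verify_authorized` is also unscoped, is the one place where the blanket skip reads as intended.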
--- a/app/controllers/organizations/adopter_fosterer/adopter_applications_controller.rb
+++ b/app/controllers/organizations/adopter_fosterer/adopter_applications_controller.rb
@@ -1,5 +1,4 @@
 class Organizations::AdopterFosterer::AdopterApplicationsController < Organizations::BaseController
- before_action :authenticate_user!
 before_action :set_application, only: %i[update]
 layout "adopter_foster_dashboard"
diff --git a/app/controllers/organizations/adopter_fosterer/profiles_controller.rb b/app/controllers/organizations/adopter_fosterer/profiles_controller.rb
index 384a93511..5f4d7539b 100644
--- a/app/controllers/organizations/adopter_fosterer/profiles_controller.rb
+++ b/app/controllers/organizations/adopter_fosterer/profiles_controller.rb
@@ -1,5 +1,4 @@
 class Organizations::AdopterFosterer::ProfilesController < Organizations::BaseController
- before_action :authenticate_user!
 before_action :authorize_with!, only: %i[new create]
 before_action :set_profile, only: %i[show edit update]
diff --git a/app/controllers/organizations/faq_controller.rb b/app/controllers/organizations/faq_controller.rb
index c7059b043..34d758790 100644
--- a/app/controllers/organizations/faq_controller.rb
+++ b/app/controllers/organizations/faq_controller.rb
@@ -1,4 +1,5 @@
 class Organizations::FaqController < Organizations::BaseController
+ skip_before_action :authenticate_user!
 skip_verify_authorized only: %i[index]
 def index
diff --git a/app/controllers/organizations/home_controller.rb b/app/controllers/organizations/home_controller.rb
index aad5f6da5..79c320c35 100644
--- a/app/controllers/organizations/home_controller.rb
+++ b/app/controllers/organizations/home_controller.rb
@@ -1,4 +1,5 @@
 class Organizations::HomeController < Organizations::BaseController
+ skip_before_action :authenticate_user!
 skip_verify_authorized only: %i[index]
 def index
diff --git a/app/controllers/root_controller.rb b/app/controllers/root_controller.rb
index 2cb99259d..8f0765827 100644
--- a/app/controllers/root_controller.rb
+++ b/app/controllers/root_controller.rb
@@ -1,4 +1,5 @@
 class RootController < ApplicationController
+ skip_before_action :authenticate_user!
 skip_verify_authorized only: %i[index]
 def index
diff --git a/app/controllers/static_pages_controller.rb b/app/controllers/static_pages_controller.rb
index a91bfe6cb..2e62ad1aa 100644
--- a/app/controllers/static_pages_controller.rb
+++ b/app/controllers/static_pages_controller.rb
@@ -1,4 +1,5 @@
 class StaticPagesController < ApplicationController
+ skip_before_action :authenticate_user!
 skip_verify_authorized only: %i[about_us cookie_policy donate faq partners privacy_policy terms_and_conditions]
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 2219e7cb4..c71cfa852 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+require "authentication_failure_app"
+
 # Assuming you have not yet modified this file, each configuration option below
 # is set to its default value. Note that some are commented out while others
 # are not: uncommented lines are intended to protect your configuration from
@@ -363,4 +365,8 @@
 config.responder.error_status = :unprocessable_entity
 config.responder.redirect_status = :see_other
+
+ config.warden do |manager|
+ manager.failure_app = AuthenticationFailureApp
+ end
 end
diff --git a/db/schema.rb b/db/schema.rb
index 9bf7fa40d..c663a49ca 100644
--- a/db/schema.rb
+++ b/db/schema.rb
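Review bot: The `config.warden` block installs `AuthenticationFailureApp` without saying why the stock Devise failure app is replaced; the rationale lives only in the class's own comment in `lib/`, which a reader of the initializer will not see. A one-line comment above the block, `# Custom failure app keeps the organization slug (SCRIPT_NAME) when an unauthenticated request is redirected to sign-in; see lib/authentication_failure_app.rb`, ties the two together. The class is loaded with a plain `require "authentication_failure_app"` at the top of the file; if `lib/` is also on the autoload path (Rails 7.1's `config.autoload_lib`), Zeitwerk's guidance is not to `require` files it manages, so it is worth confirming which loading mechanism the project intends — `config/application.rb` is not in this diff, so I cannot tell from here.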
@@ -276,21 +276,6 @@
 t.index ["user_id"], name: "index_staff_accounts_on_user_id"
 end
- create_table "submissions", force: :cascade do |t|
- t.bigint "pet_id", null: false
- t.bigint "adopter_foster_account_id", null: false
- t.datetime "created_at", null: false
- t.datetime "updated_at", null: false
- t.integer "status", default: 0
- t.text "notes"
- t.boolean "profile_show", default: true
- t.bigint "organization_id", null: false
- t.index ["adopter_foster_account_id"], name: "index_submissions_on_adopter_foster_account_id"
- t.index ["organization_id"], name: "index_submissions_on_organization_id"
- t.index ["pet_id", "adopter_foster_account_id"], name: "index_submissions_on_pet_id_and_adopter_foster_account_id", unique: true
- t.index ["pet_id"], name: "index_submissions_on_pet_id"
- end
-
 create_table "submitted_answers", force: :cascade do |t|
 t.json "value", null: false
 t.json "question_snapshot", null: false
@@ -387,8 +372,6 @@
 add_foreign_key "questions", "forms"
 add_foreign_key "staff_accounts", "organizations"
 add_foreign_key "staff_accounts", "users"
- add_foreign_key "submissions", "adopter_foster_accounts"
- add_foreign_key "submissions", "pets"
 add_foreign_key "submitted_answers", "questions"
 add_foreign_key "submitted_answers", "users"
 add_foreign_key "task_templates", "organizations"
diff --git a/lib/authentication_failure_app.rb b/lib/authentication_failure_app.rb
new file mode 100644
index 000000000..4e7fe35e5
--- /dev/null
+++ b/lib/authentication_failure_app.rb
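Review bot: The `submissions` table, its four indexes and (in the second hunk) its two `add_foreign_key` lines are removed from `db/schema.rb`, but no migration appears in this diff and the removal is unrelated to the authentication work the rest of the commit does. If `schema.rb` was regenerated from a local database that happened to lack the table, this would silently drop it for everyone who loads the schema. Please confirm that a `drop_table :submissions` migration exists, here or in an earlier commit, or revert both schema hunks.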
@@ -0,0 +1,55 @@
+class AuthenticationFailureApp < Devise::FailureApp
+ # This method is used to generate the URL for the redirect after a user fails to authenticate,
+ # for example, when an unauthenticated user tries to access an authenticated route within an organization's scope.
+ # The issue was that if a user failed to authenticate while in the context of an organization,
+ # the organization's slug should be in the URL. So, after failing, the user would be redirected
+ # to the sign-in page, but the organization's scope would be lost in the URL,
+ # and it would fall back to the root URL instead of the organization's sign-in URL.
+ # This fixes that to ensure the organization's slug is present in the URL.
+ #
+ # This code is 99% reproduced from the Devise gem's Devise::FailureApp class
+ # at: lib/devise/failure_app.rb. The only exception is that we comment out the
+ # 5th line:
+ # opts[:script_name] = nil
+ #
+ # This line was causing the`env["SCRIPT_NAME"]` value that's set by
+ # OrganizationMiddleware to not be used when generating the route in the
+ # statement `context.send(route, opts)`, which wipes out the current
+ # Organization context on authentication failure.
+ #
+ # If Devise is upgraded, may need to compare this method across versions for
+ # any needed updates.
+ def scope_url
+ opts = {}
+
+ # Initialize script_name with nil to prevent infinite loops in
+ # authenticated mounted engines in rails 4.2 and 5.0
+ # opts[:script_name] = nil
+
+ route = route(scope)
+
+ opts[:format] = request_format unless skip_format?
+
+ router_name = Devise.mappings[scope].router_name || Devise.available_router_name
+ context = send(router_name)
+
+ if relative_url_root?
+ opts[:script_name] = relative_url_root
+
+ # We need to add the rootpath to `script_name` manually for applications that use a Rails
+ # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
+ # that use Devise. 
Remove it when the support of Rails 5.0 is dropped.
+ elsif root_path_defined?(context) && !rails_51_and_up?
+ rootpath = context.routes.url_helpers.root_path
+ opts[:script_name] = rootpath.chomp("/") if rootpath.length > 1
+ end
+
+ if context.respond_to?(route)
+ context.send(route, opts)
+ elsif respond_to?(:root_url)
+ root_url(opts)
+ else
+ "/"
+ end
+ end
+end
diff --git a/test/controllers/organizations/staff/fosterers_controller_test.rb b/test/controllers/organizations/staff/fosterers_controller_test.rb
index 7bdc5a343..8ee493b3b 100644
--- a/test/controllers/organizations/staff/fosterers_controller_test.rb
+++ b/test/controllers/organizations/staff/fosterers_controller_test.rb
@@ -4,6 +4,8 @@
 class Organizations::Staff::FosterersControllerTest < ActionDispatch::IntegrationTest
 setup do
 @organization = ActsAsTenant.current_tenant
+ @adopter_foster_account = create(:adopter_foster_account)
+ sign_in @adopter_foster_account.user
 end
 context "authorization" do
diff --git a/test/controllers/organizations/staff/fosters_controller_test.rb b/test/controllers/organizations/staff/fosters_controller_test.rb
index fb235a94a..b6506f2ba 100644
--- a/test/controllers/organizations/staff/fosters_controller_test.rb
+++ b/test/controllers/organizations/staff/fosters_controller_test.rb
@@ -4,10 +4,11 @@
 class Organizations::Staff::FostersControllerTest < ActionDispatch::IntegrationTest
 context "authorization" do
 include ActionPolicy::TestHelper
-
 context "context only action" do
 setup do
 @organization = ActsAsTenant.current_tenant
+ @adopter_foster_account = create(:adopter_foster_account)
+ sign_in @adopter_foster_account.user
 end
 context "#new" do
@@ -66,6 +67,7 @@ class Organizations::Staff::FostersControllerTest < ActionDispatch::IntegrationT
 context "existing record actions" do
 setup do
 @foster = create(:foster)
+ sign_in @foster.user
 end
 context "#edit" do
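Review bot: `scope_url` now keeps whatever `opts[:script_name]` the request's `SCRIPT_NAME` carries, and that value ends up in the redirect `Location` through `context.send(route, opts)`; the class comment says OrganizationMiddleware sets it, but nothing here states that it is derived server-side from a known organization slug rather than from anything the client sends, which is the property that makes embedding it in a redirect target safe. If that holds, record it in the comment, `# SCRIPT_NAME is set by OrganizationMiddleware from a resolved organization slug, not from client input, so it is safe to reuse in the redirect target`, and cover it with a test; if I have misread the middleware, the redirect needs a check on that value. The dropped `opts[:script_name] = nil` line exists upstream to prevent redirect loops in authenticated mounted engines, so a test that an unauthenticated request to an organization-scoped route redirects to that organization's sign-in page and does not loop would guard both the fix and its side effect. The `elsif root_path_defined?(context) && !rails_51_and_up?` branch is copied Rails 5.0 compatibility code; if the application runs on a newer Rails it is dead and could be trimmed, shrinking the surface that has to be re-synced on every Devise upgrade the header comment warns about.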
diff --git a/test/controllers/organizations/staff/staff_controller_test.rb b/test/controllers/organizations/staff/staff_controller_test.rb
index ed5bfda30..1d7003473 100644
--- a/test/controllers/organizations/staff/staff_controller_test.rb
+++ b/test/controllers/organizations/staff/staff_controller_test.rb
@@ -5,6 +5,7 @@ class Organizations::Staff::StaffControllerTest < ActionDispatch::IntegrationTes
 setup do
 @organization = ActsAsTenant.current_tenant
 @staff = create(:staff_account)
+ sign_in @staff.user
 end
 context "authorization" do
diff --git a/test/controllers/states_controller_test.rb b/test/controllers/states_controller_test.rb
index 6d3115f5c..2f7984905 100644
--- a/test/controllers/states_controller_test.rb
+++ b/test/controllers/states_controller_test.rb
@@ -2,7 +2,9 @@ class StatesControllerTest < ActionDispatch::IntegrationTest
 test "should return turbo stream with the states in it" do
- create(:adopter, :with_profile)
+ adopter = create(:adopter, :with_profile)
+ sign_in adopter
+
 name = "adopter[address_attributes][state]"
 target = "adopter_foster_profile_location_attributes_province_state"
diff --git a/test/integration/adoption_application_reviews_test.rb b/test/integration/adoption_application_reviews_test.rb
index 0508e752b..ae687d15c 100644
--- a/test/integration/adoption_application_reviews_test.rb
+++ b/test/integration/adoption_application_reviews_test.rb
@@ -15,6 +15,9 @@ class AdoptionApplicationReviewsTest < ActionDispatch::IntegrationTest
 context "non-staff" do
 should "not see any applications" do
+ @user = create(:user)
+ sign_in @user
+
 get staff_adoption_application_reviews_path
 assert_response :redirect