CitizenLabDotCo · sebastienhoorens · Oct 25, 2023 · Oct 12, 2023 · Oct 12, 2023 · Oct 12, 2023
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,7 +1,7 @@
 name: CI
 on:
   push:
-    paths: ['cl2-component-library/src/**']# Trigger the action only when files change in the folders defined here
+    paths: ['cl2-component-library/**'] # Trigger the action when files change in the folder defined here
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/storybook.yml b/.github/workflows/storybook.yml
@@ -3,7 +3,7 @@ on:
   push:
     branches:
       - master
-    paths: ['cl2-component-library/src/**'] # Trigger the action only when files change in the folders defined here
+    paths: ['cl2-component-library/**'] # Trigger the action when files change in the folder defined here
 jobs:
   build-and-deploy:
     runs-on: ubuntu-latest

diff --git a/back/Dockerfile.development b/back/Dockerfile.development
@@ -17,7 +17,7 @@ RUN apt-get update && apt-get install -qq -y --no-install-recommends \
       less                 \
       clang
 
-RUN curl -sL https://deb.nodesource.com/setup_15.x  | bash -
+RUN curl -sL https://deb.nodesource.com/setup_18.x  | bash -
 RUN apt-get -y install nodejs
 
 # Install MJML parser required by email engine.

diff --git a/back/Gemfile.lock b/back/Gemfile.lock
@@ -125,7 +125,7 @@ PATH
   specs:
     id_cow (0.1.0)
       rails (~> 7.0)
-      savon (~> 2.12.0)
+      savon (>= 2.12, < 2.15)
       verification
 
 PATH
@@ -164,7 +164,7 @@ PATH
     id_id_card_lookup (0.1.0)
       admin_api
       rails (~> 7.0)
-      savon (~> 2.12.0)
+      savon (>= 2.12, < 2.15)
       verification
 
 PATH
@@ -316,7 +316,7 @@ PATH
       pundit (~> 2.0)
       rails (~> 7.0)
       ros-apartment (>= 2.9.0)
-      savon (~> 2.12.0)
+      savon (>= 2.12, < 2.15)
 
 PATH
   remote: engines/free/document_annotation
@@ -473,7 +473,7 @@ GEM
       tzinfo (~> 2.0)
     acts_as_list (1.1.0)
       activerecord (>= 4.2)
-    addressable (2.8.4)
+    addressable (2.8.5)
       public_suffix (>= 2.0.2, < 6.0)
     aes_key_wrap (1.1.0)
     akami (1.3.1)
@@ -727,9 +727,8 @@ GEM
       mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
     httpclient (2.8.3)
-    httpi (2.5.0)
+    httpi (3.0.1)
       rack
-      socksify
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     icalendar (2.9.0)
@@ -1012,7 +1011,7 @@ GEM
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
     retriable (3.1.2)
-    rexml (3.2.5)
+    rexml (3.2.6)
     rgeo (3.0.0)
     rgeo-activerecord (7.0.1)
       activerecord (>= 5.0)
@@ -1107,11 +1106,12 @@ GEM
     rubyzip (1.3.0)
     saharspec (0.0.10)
       ruby2_keywords
-    savon (2.12.1)
+    savon (2.14.0)
       akami (~> 1.2)
       builder (>= 2.1.2)
       gyoku (~> 1.2)
-      httpi (~> 2.3)
+      httpi (>= 2.4.5)
+      mail (~> 2.5)
       nokogiri (>= 1.8.1)
       nori (~> 2.4)
       wasabi (~> 3.4)
@@ -1148,7 +1148,6 @@ GEM
       rack-protection (= 3.0.6)
       tilt (~> 2.0)
     smstools (0.2.2)
-    socksify (1.7.1)
     sorted_set (1.0.3)
       rbtree
       set (~> 1.0)
@@ -1198,9 +1197,9 @@ GEM
       activemodel (>= 3.0.0)
       public_suffix
     vcr (6.1.0)
-    wasabi (3.7.0)
+    wasabi (3.8.0)
       addressable
-      httpi (~> 2.0)
+      httpi (~> 3.0)
       nokogiri (>= 1.4.2)
     webfinger (2.1.2)
       activesupport

diff --git a/back/app/controllers/web_api/v1/resend_codes_controller.rb b/back/app/controllers/web_api/v1/resend_codes_controller.rb
@@ -4,12 +4,11 @@ class WebApi::V1::ResendCodesController < ApplicationController
   skip_after_action :verify_authorized
 
   def create
-    result = SendConfirmationCode.call(user: current_user, new_email: resend_code_params[:new_email])
-
-    if result.success?
+    RequestConfirmationCodeJob.perform_now current_user, new_email: resend_code_params[:new_email]
+    if current_user.valid?
       head :ok
     else
-      render json: { errors: result.errors.details }, status: :unprocessable_entity
+      render json: { errors: current_user.errors.details }, status: :unprocessable_entity
     end
   end
 

diff --git a/back/app/interactors/deliver_confirmation_code.rb b/back/app/interactors/deliver_confirmation_code.rb
diff --git a/back/app/interactors/reset_user_confirmation_code.rb b/back/app/interactors/reset_user_confirmation_code.rb
diff --git a/back/app/interactors/reset_user_email.rb b/back/app/interactors/reset_user_email.rb
diff --git a/back/app/interactors/schedule_code_expiration.rb b/back/app/interactors/schedule_code_expiration.rb
diff --git a/back/app/interactors/send_confirmation_code.rb b/back/app/interactors/send_confirmation_code.rb
diff --git a/back/app/jobs/request_confirmation_code_job.rb b/back/app/jobs/request_confirmation_code_job.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+class RequestConfirmationCodeJob < ApplicationJob
+  self.priority = 30 # More important than default (50)
+
+  attr_reader :user
+
+  def run(user, new_email: nil)
+    @user = user
+    raise 'User confirmation is disabled.' if !AppConfiguration.instance.feature_activated?('user_confirmation')
+    if !user.registered_with_email? && (!new_email || PhoneService.new.encoded_phone_or_email?(new_email) != :email)
+      raise 'Confirmation is currently working for emails only.'
+    end
+
+    LogActivityJob.perform_later(user, 'requested_confirmation_code', user, Time.now.to_i, payload: { new_email: new_email })
+    if new_email
+      user.new_email = new_email
+      user.email_confirmation_code_reset_count = 0
+    end
+    reset_user_confirmation_code user
+    return if !user.valid?
+
+    ActiveRecord::Base.transaction do
+      user.save!
+      deliver_confirmation_code! user
+      schedule_code_expiration! user
+      LogActivityJob.perform_later(user, 'received_confirmation_code', user, Time.now.to_i, payload: { new_email: new_email })
+    end
+  end
+
+  private
+
+  def reset_user_confirmation_code(user)
+    first_code = user.email_confirmation_code.nil?
+    user.reset_confirmation_code
+    user.increment_confirmation_code_reset_count if !first_code
+  end
+
+  def deliver_confirmation_code!(user)
+    ConfirmationsMailer.with(user: user).send_confirmation_code.deliver_now
+    user.update!(email_confirmation_code_sent_at: Time.zone.now)
+  end
+
+  def schedule_code_expiration!(user)
+    ExpireConfirmationCodeOrDeleteJob.set(
+      wait_until: user.email_confirmation_code_expiration_at
+    ).perform_later(
+      user.id,
+      user.email_confirmation_code
+    )
+  end
+end
diff --git a/back/app/models/user.rb b/back/app/models/user.rb
@@ -491,7 +491,7 @@ def confirm
   end
 
   def confirm!
-    return unless registered_with_email? && (confirmation_required? || new_email.present?)
+    return if !confirmation_required? && !new_email
 
     confirm_new_email if new_email.present?
     confirm
@@ -528,24 +528,15 @@ def reset_confirmation_code
     self.email_confirmation_code = use_fake_code? ? '1234' : rand.to_s[2..5]
   end
 
-  def increment_confirmation_code_reset_count!
+  def increment_confirmation_code_reset_count
     self.email_confirmation_code_reset_count += 1
-    save!
   end
 
   def increment_confirmation_retry_count!
     self.email_confirmation_retry_count += 1
     save!
   end
 
-  def reset_email!(new_email)
-    if user_confirmation_enabled? && active?
-      update!(new_email: new_email, email_confirmation_code_reset_count: 0)
-    else
-      update!(email: new_email, email_confirmation_code_reset_count: 0)
-    end
-  end
-
   def confirm_new_email
     return unless new_email
 

diff --git a/back/app/policies/user_policy.rb b/back/app/policies/user_policy.rb
@@ -103,17 +103,23 @@ def view_private_attributes?
     !!((user && (instance&.id == user.id || user.admin?)) || instance&.invite_pending?)
   end
 
-  def permitted_attributes
-    shared = [:first_name, :last_name, :email, :password, :avatar, :locale, { onboarding: [:topics_and_areas], custom_field_values: allowed_custom_field_keys, bio_multiloc: CL2_SUPPORTED_LOCALES }]
-    admin? ? shared + role_permitted_params : shared
+  def permitted_attributes_for_create
+    [:email] + shared_permitted_attributes
   end
 
-  def role_permitted_params
-    [roles: %i[type project_id project_folder_id]]
+  def permitted_attributes_for_update
+    shared_permitted_attributes.tap do |attrs|
+      attrs.push :email if !AppConfiguration.instance.feature_activated?('user_confirmation')
+    end
   end
 
   private
 
+  def shared_permitted_attributes
+    shared = [:first_name, :last_name, :password, :avatar, :locale, { onboarding: [:topics_and_areas], custom_field_values: allowed_custom_field_keys, bio_multiloc: CL2_SUPPORTED_LOCALES }]
+    admin? ? shared + [roles: %i[type project_id project_folder_id]] : shared
+  end
+
   def allowed_custom_field_keys
     allowed_fields = allowed_custom_fields
     simple_keys = allowed_fields.support_single_value.pluck(:key).map(&:to_sym)

diff --git a/back/app/services/side_fx_user_service.rb b/back/app/services/side_fx_user_service.rb
@@ -13,7 +13,7 @@ def after_create(user, current_user)
       LogActivityJob.set(wait: 5.seconds).perform_later(user, 'admin_rights_given', current_user, user.created_at.to_i)
     end
     user.create_email_campaigns_unsubscription_token
-    SendConfirmationCode.call(user: user) if user.should_send_confirmation_email?
+    RequestConfirmationCodeJob.perform_later(user) if user.should_send_confirmation_email?
     AdditionalSeatsIncrementer.increment_if_necessary(user, current_user) if user.roles_previously_changed?
   end
 
@@ -29,7 +29,7 @@ def after_update(user, current_user)
     AdditionalSeatsIncrementer.increment_if_necessary(user, current_user) if user.roles_previously_changed?
 
     UpdateMemberCountJob.perform_later
-    SendConfirmationCode.call(user: user) if user.should_send_confirmation_email?
+    RequestConfirmationCodeJob.perform_later(user) if user.should_send_confirmation_email?
   end
 
   def before_destroy(user, _current_user)

diff --git a/...ulk_import_ideas/app/controllers/bulk_import_ideas/web_api/v1/project_users_controller.rb b/...ulk_import_ideas/app/controllers/bulk_import_ideas/web_api/v1/project_users_controller.rb
@@ -9,7 +9,7 @@ class WebApi::V1::ProjectUsersController < ApplicationController
 
     def create_user
       user = User.new
-      user.assign_attributes(permitted_attributes(user))
+      user.assign_attributes user_params(user)
       if user.email.blank?
         user.unique_code = SecureRandom.uuid
       end
@@ -28,5 +28,11 @@ def authorize_project
       project = Project.find(params[:id])
       authorize project
     end
+
+    private
+
+    def user_params(user)
+      params.require(:user).permit(UserPolicy.new(current_user, user).permitted_attributes_for_create)
+    end
   end
 end
diff --git a/back/engines/commercial/id_clave_unica/spec/requests/clave_unica_verification_spec.rb b/back/engines/commercial/id_clave_unica/spec/requests/clave_unica_verification_spec.rb
@@ -248,12 +248,14 @@ def expect_to_create_verified_user(user)
         headers = { 'Authorization' => "Bearer #{token}" }
         post '/web_api/v1/user/resend_code', params: { new_email: '[email protected]' }, headers: headers
         expect(response).to have_http_status(:ok)
-        expect(user.reload).to have_attributes({ email: '[email protected]' })
+        expect(user.reload).to have_attributes({ new_email: '[email protected]' })
         expect(user.confirmation_required?).to be(true)
 
         post '/web_api/v1/user/confirm', params: { confirmation: { code: user.email_confirmation_code } }, headers: headers
         expect(response).to have_http_status(:ok)
         expect(user.reload.confirmation_required?).to be(false)
+        expect(user).to have_attributes({ email: '[email protected]' })
+        expect(user.new_email).to be_nil
       end
     end