diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb index a8a0e1b20..8105e3a86 100644 --- a/app/controllers/concerns/authentication.rb +++ b/app/controllers/concerns/authentication.rb @@ -2,10 +2,9 @@ module Authentication extend ActiveSupport::Concern included do - # Checking for tenant must happen first so we redirect before trying to access the db. - before_action :require_tenant prepend_before_action :clear_old_scoped_session_cookies + before_action :require_account # Checking and setting account must happen first before_action :require_authentication helper_method :authenticated? @@ -26,8 +25,8 @@ module Authentication allow_unauthorized_access **options end - def require_untenanted_access(**options) - skip_before_action :require_tenant, **options + def disallow_account_scope(**options) + skip_before_action :require_account, **options before_action :redirect_tenanted_request, **options end end @@ -37,9 +36,11 @@ module Authentication Current.session.present? end - def require_tenant - if ApplicationRecord.current_tenant.blank? + def require_account + if request_account_id.blank? redirect_to session_menu_url(script_name: nil) + else + set_current_account end end @@ -81,7 +82,7 @@ module Authentication end def redirect_tenanted_request - redirect_to root_url if ApplicationRecord.current_tenant + redirect_to root_url if request_account_id end def start_new_session_for(identity) @@ -101,6 +102,10 @@ module Authentication cookies.delete(:session_token) end + def set_current_account + Current.account = Account.find_by(external_account_id: request_account_id) + end + def request_account_id request.env["fizzy.external_account_id"] end diff --git a/app/controllers/concerns/authorization.rb b/app/controllers/concerns/authorization.rb index d56082010..aa1d08e34 100644 --- a/app/controllers/concerns/authorization.rb +++ b/app/controllers/concerns/authorization.rb @@ -2,7 +2,6 @@ module Authorization extend ActiveSupport::Concern included do - prepend_before_action :set_account, if: -> { request_account_id.present? } before_action :ensure_can_access_account, if: -> { Current.account.present? && authenticated? } end @@ -18,10 +17,6 @@ module Authorization end private - def set_account - Current.account = Account.find_by(external_account_id: request_account_id) - end - def ensure_admin head :forbidden unless Current.user.admin? end diff --git a/app/controllers/join_codes_controller.rb b/app/controllers/join_codes_controller.rb index 320f06553..2edf41860 100644 --- a/app/controllers/join_codes_controller.rb +++ b/app/controllers/join_codes_controller.rb @@ -1,5 +1,5 @@ class JoinCodesController < ApplicationController - require_untenanted_access + disallow_account_scope allow_unauthenticated_access before_action :set_join_code before_action :ensure_join_code_is_valid @@ -7,7 +7,8 @@ class JoinCodesController < ApplicationController layout "public" def new - @account_name = Current.account.name + @account = Account.find_by_external_account_id!(tenant) + @account_name = @account.name end def create diff --git a/app/controllers/memberships/email_addresses/confirmations_controller.rb b/app/controllers/memberships/email_addresses/confirmations_controller.rb index b53fdc135..2bee5499a 100644 --- a/app/controllers/memberships/email_addresses/confirmations_controller.rb +++ b/app/controllers/memberships/email_addresses/confirmations_controller.rb @@ -1,5 +1,5 @@ class Memberships::EmailAddresses::ConfirmationsController < ApplicationController - require_untenanted_access + disallow_account_scope allow_unauthenticated_access before_action :set_membership diff --git a/app/controllers/memberships/email_addresses_controller.rb b/app/controllers/memberships/email_addresses_controller.rb index 0870410a9..268e4ec58 100644 --- a/app/controllers/memberships/email_addresses_controller.rb +++ b/app/controllers/memberships/email_addresses_controller.rb @@ -1,5 +1,5 @@ class Memberships::EmailAddressesController < ApplicationController - require_untenanted_access + disallow_account_scope layout "public" diff --git a/app/controllers/memberships/unlink_controller.rb b/app/controllers/memberships/unlink_controller.rb index 63664aca8..2c140c314 100644 --- a/app/controllers/memberships/unlink_controller.rb +++ b/app/controllers/memberships/unlink_controller.rb @@ -1,5 +1,5 @@ class Memberships::UnlinkController < ApplicationController - require_untenanted_access + disallow_account_scope before_action :set_membership def show diff --git a/app/controllers/pwa_controller.rb b/app/controllers/pwa_controller.rb index bd6127182..ab8f605a7 100644 --- a/app/controllers/pwa_controller.rb +++ b/app/controllers/pwa_controller.rb @@ -1,5 +1,5 @@ class PwaController < ApplicationController - require_untenanted_access + disallow_account_scope skip_forgery_protection # We need a stable URL at the root, so we can't use the regular asset path here. diff --git a/app/controllers/sessions/magic_links_controller.rb b/app/controllers/sessions/magic_links_controller.rb index 3b836e445..40de894df 100644 --- a/app/controllers/sessions/magic_links_controller.rb +++ b/app/controllers/sessions/magic_links_controller.rb @@ -1,5 +1,5 @@ class Sessions::MagicLinksController < ApplicationController - require_untenanted_access + disallow_account_scope require_unauthenticated_access rate_limit to: 10, within: 15.minutes, only: :create, with: -> { redirect_to session_magic_link_path, alert: "Try again in 15 minutes." } diff --git a/app/controllers/sessions/menus_controller.rb b/app/controllers/sessions/menus_controller.rb index 7ad3b6a09..d62cf9beb 100644 --- a/app/controllers/sessions/menus_controller.rb +++ b/app/controllers/sessions/menus_controller.rb @@ -1,5 +1,5 @@ class Sessions::MenusController < ApplicationController - require_untenanted_access + disallow_account_scope before_action(if: :render_as_menu_section?) { request.variant = :menu_section } diff --git a/app/controllers/sessions/transfers_controller.rb b/app/controllers/sessions/transfers_controller.rb index b3b7ae773..0c28e1fe3 100644 --- a/app/controllers/sessions/transfers_controller.rb +++ b/app/controllers/sessions/transfers_controller.rb @@ -1,5 +1,5 @@ class Sessions::TransfersController < ApplicationController - require_untenanted_access + disallow_account_scope require_unauthenticated_access def show diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 8f8222ed9..deda51d5e 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -4,7 +4,7 @@ class SessionsController < ApplicationController SIGNUP_PASSWORD = Rails.env.local? ? "testpassword" : Rails.application.credentials.account_signup_http_basic_auth.password http_basic_authenticate_with name: SIGNUP_USERNAME, password: SIGNUP_PASSWORD, realm: "Fizzy Signup", only: :create, unless: -> { Identity.exists?(email_address: email_address) } - require_untenanted_access + disallow_account_scope require_unauthenticated_access except: :destroy rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }