Constrain user queries to the current or relevant account

This commit is contained in:
Mike Dalessio
2025-11-10 17:17:03 -05:00
parent 93b2cef419
commit dbf66f9a50
19 changed files with 34 additions and 16 deletions
@@ -3,7 +3,7 @@ class Account::SettingsController < ApplicationController
before_action :set_account
def show
@users = User.active.alphabetically
@users = @account.users.active.alphabetically
end
def update
+2 -2
View File
@@ -24,7 +24,7 @@ class BoardsController < ApplicationController
def edit
selected_user_ids = @board.users.pluck :id
@selected_users, @unselected_users = \
User.active.alphabetically.partition { |user| selected_user_ids.include? user.id }
@board.account.users.active.alphabetically.partition { |user| selected_user_ids.include? user.id }
end
def update
@@ -73,7 +73,7 @@ class BoardsController < ApplicationController
end
def grantees
User.active.where id: grantee_ids
@board.account.users.active.where id: grantee_ids
end
def revokees
+1 -1
View File
@@ -3,7 +3,7 @@ class My::MenusController < ApplicationController
@filters = Current.user.filters.all
@boards = Current.user.boards.ordered_by_recently_accessed
@tags = Tag.all.alphabetically
@users = User.active.alphabetically
@users = Current.account.users.active.alphabetically
fresh_when etag: [ @filters, @boards, @tags, @users ]
end
+1 -1
View File
@@ -1,6 +1,6 @@
class Prompts::UsersController < ApplicationController
def index
@users = User.active.alphabetically
@users = Current.account.users.active.alphabetically
if stale? etag: @users
render layout: false
+1 -1
View File
@@ -12,7 +12,7 @@ class Users::EventsController < ApplicationController
private
def set_user
@user = User.active.find(params[:user_id])
@user = Current.account.users.active.find(params[:user_id])
end
def day_param
+1 -1
View File
@@ -9,7 +9,7 @@ class Users::RolesController < ApplicationController
private
def set_user
@user = User.active.find(params[:user_id])
@user = Current.account.users.active.find(params[:user_id])
end
def ensure_permission_to_administer_user
+1 -1
View File
@@ -20,7 +20,7 @@ class UsersController < ApplicationController
private
def set_user
@user = User.active.find(params[:id])
@user = Current.account.users.active.find(params[:id])
end
def ensure_permission_to_change_user
+1
View File
@@ -2,6 +2,7 @@ class Account < ApplicationRecord
include Entropic, Seedeable
has_one :join_code
has_many :users, dependent: :destroy
has_many_attached :uploads
+1 -1
View File
@@ -58,7 +58,7 @@ module Board::Accessible
end
def grant_access_to_everyone
accesses.grant_to(User.active) if all_access_previously_changed?(to: true)
accesses.grant_to(account.users.active) if all_access_previously_changed?(to: true)
end
def mentions_for_user(user)
+1 -1
View File
@@ -25,7 +25,7 @@ class User::Filtering
end
def users
@users ||= User.active.alphabetically
@users ||= Current.account.users.active.alphabetically
end
def filters
@@ -18,7 +18,7 @@
<%= filter_dialog "Assigned to…" do %>
<strong class="popup__title">Assigned to…</strong>
<% if User.active.many? %>
<% if Current.account.users.active.many? %>
<%= text_field_tag nil, nil, id: nil, placeholder: "Filter…", class: "input input--transparent txt-small", autofocus: true,
type: "search", autocorrect: "off", autocomplete: "off", data: { "1p-ignore": "true", filter_target: "input", action: "input->filter#filter" } %>
<% end %>
+1 -2
View File
@@ -108,8 +108,7 @@ class Signup
membership_id: membership.id
}
)
# TODO:PLANB: we'll need to filter by account
@user = User.find_by!(role: :admin)
@user = @account.users.find_by!(role: :admin)
# TODO:PLANB: remove this once board and other models have an account_id.
# this is needed because code will try to reference Account#entropy, previously
+1 -1
View File
@@ -86,7 +86,7 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
assert_redirected_to edit_board_path(board)
assert board.reload.all_access?
assert_equal User.active.sort, board.users.sort
assert_equal accounts("37s").users.active.sort, board.users.sort
end
test "destroy" do
@@ -9,5 +9,6 @@ class Prompts::Boards::UsersControllerTest < ActionDispatch::IntegrationTest
test "index" do
get prompts_board_users_path(@board)
assert_response :success
assert_select "lexxy-prompt-item", count: 3
end
end
+4
View File
@@ -1,3 +1,7 @@
37s:
name: 37signals
external_account_id: <%= ActiveRecord::FixtureSet.identify("37signals") %>
initech:
name: Initech LLC
external_account_id: <%= ActiveRecord::FixtureSet.identify("initech") %>
+3
View File
@@ -6,3 +6,6 @@ jz:
kevin:
email_address: kevin@37signals.com
mike:
email_address: mike@37signals.com
+4
View File
@@ -10,3 +10,7 @@ jz_in_37signals:
kevin_in_37signals:
identity: kevin
tenant: <%= ActiveRecord::FixtureSet.identify("37signals") %> # matches the external_account_id
mike_in_initech:
identity: mike
tenant: <%= ActiveRecord::FixtureSet.identify("initech") %>
+6
View File
@@ -20,3 +20,9 @@ system:
name: System
role: system
account: 37s
mike:
name: Mike
role: admin
membership: mike_in_initech
account: initech
+2 -2
View File
@@ -18,7 +18,7 @@ class Board::AccessibleTest < ActiveSupport::TestCase
board = Current.set(session: sessions(:david)) do
Board.create! name: "New board", all_access: true
end
assert_equal User.active.sort, board.users.sort
assert_equal accounts("37s").users.active.sort, board.users.sort
end
test "grants access to everyone after update" do
@@ -28,7 +28,7 @@ class Board::AccessibleTest < ActiveSupport::TestCase
assert_equal [ users(:david) ], board.users
board.update! all_access: true
assert_equal User.active.sort, board.users.reload.sort
assert_equal accounts("37s").users.active.sort, board.users.reload.sort
end
test "board watchers" do