Constrain user queries to the current or relevant account
This commit is contained in:
@@ -3,7 +3,7 @@ class Account::SettingsController < ApplicationController
|
||||
before_action :set_account
|
||||
|
||||
def show
|
||||
@users = User.active.alphabetically
|
||||
@users = @account.users.active.alphabetically
|
||||
end
|
||||
|
||||
def update
|
||||
|
||||
@@ -24,7 +24,7 @@ class BoardsController < ApplicationController
|
||||
def edit
|
||||
selected_user_ids = @board.users.pluck :id
|
||||
@selected_users, @unselected_users = \
|
||||
User.active.alphabetically.partition { |user| selected_user_ids.include? user.id }
|
||||
@board.account.users.active.alphabetically.partition { |user| selected_user_ids.include? user.id }
|
||||
end
|
||||
|
||||
def update
|
||||
@@ -73,7 +73,7 @@ class BoardsController < ApplicationController
|
||||
end
|
||||
|
||||
def grantees
|
||||
User.active.where id: grantee_ids
|
||||
@board.account.users.active.where id: grantee_ids
|
||||
end
|
||||
|
||||
def revokees
|
||||
|
||||
@@ -3,7 +3,7 @@ class My::MenusController < ApplicationController
|
||||
@filters = Current.user.filters.all
|
||||
@boards = Current.user.boards.ordered_by_recently_accessed
|
||||
@tags = Tag.all.alphabetically
|
||||
@users = User.active.alphabetically
|
||||
@users = Current.account.users.active.alphabetically
|
||||
|
||||
fresh_when etag: [ @filters, @boards, @tags, @users ]
|
||||
end
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
class Prompts::UsersController < ApplicationController
|
||||
def index
|
||||
@users = User.active.alphabetically
|
||||
@users = Current.account.users.active.alphabetically
|
||||
|
||||
if stale? etag: @users
|
||||
render layout: false
|
||||
|
||||
@@ -12,7 +12,7 @@ class Users::EventsController < ApplicationController
|
||||
|
||||
private
|
||||
def set_user
|
||||
@user = User.active.find(params[:user_id])
|
||||
@user = Current.account.users.active.find(params[:user_id])
|
||||
end
|
||||
|
||||
def day_param
|
||||
|
||||
@@ -9,7 +9,7 @@ class Users::RolesController < ApplicationController
|
||||
|
||||
private
|
||||
def set_user
|
||||
@user = User.active.find(params[:user_id])
|
||||
@user = Current.account.users.active.find(params[:user_id])
|
||||
end
|
||||
|
||||
def ensure_permission_to_administer_user
|
||||
|
||||
@@ -20,7 +20,7 @@ class UsersController < ApplicationController
|
||||
|
||||
private
|
||||
def set_user
|
||||
@user = User.active.find(params[:id])
|
||||
@user = Current.account.users.active.find(params[:id])
|
||||
end
|
||||
|
||||
def ensure_permission_to_change_user
|
||||
|
||||
@@ -2,6 +2,7 @@ class Account < ApplicationRecord
|
||||
include Entropic, Seedeable
|
||||
|
||||
has_one :join_code
|
||||
has_many :users, dependent: :destroy
|
||||
|
||||
has_many_attached :uploads
|
||||
|
||||
|
||||
@@ -58,7 +58,7 @@ module Board::Accessible
|
||||
end
|
||||
|
||||
def grant_access_to_everyone
|
||||
accesses.grant_to(User.active) if all_access_previously_changed?(to: true)
|
||||
accesses.grant_to(account.users.active) if all_access_previously_changed?(to: true)
|
||||
end
|
||||
|
||||
def mentions_for_user(user)
|
||||
|
||||
@@ -25,7 +25,7 @@ class User::Filtering
|
||||
end
|
||||
|
||||
def users
|
||||
@users ||= User.active.alphabetically
|
||||
@users ||= Current.account.users.active.alphabetically
|
||||
end
|
||||
|
||||
def filters
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
<%= filter_dialog "Assigned to…" do %>
|
||||
<strong class="popup__title">Assigned to…</strong>
|
||||
|
||||
<% if User.active.many? %>
|
||||
<% if Current.account.users.active.many? %>
|
||||
<%= text_field_tag nil, nil, id: nil, placeholder: "Filter…", class: "input input--transparent txt-small", autofocus: true,
|
||||
type: "search", autocorrect: "off", autocomplete: "off", data: { "1p-ignore": "true", filter_target: "input", action: "input->filter#filter" } %>
|
||||
<% end %>
|
||||
|
||||
@@ -108,8 +108,7 @@ class Signup
|
||||
membership_id: membership.id
|
||||
}
|
||||
)
|
||||
# TODO:PLANB: we'll need to filter by account
|
||||
@user = User.find_by!(role: :admin)
|
||||
@user = @account.users.find_by!(role: :admin)
|
||||
|
||||
# TODO:PLANB: remove this once board and other models have an account_id.
|
||||
# this is needed because code will try to reference Account#entropy, previously
|
||||
|
||||
@@ -86,7 +86,7 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest
|
||||
|
||||
assert_redirected_to edit_board_path(board)
|
||||
assert board.reload.all_access?
|
||||
assert_equal User.active.sort, board.users.sort
|
||||
assert_equal accounts("37s").users.active.sort, board.users.sort
|
||||
end
|
||||
|
||||
test "destroy" do
|
||||
|
||||
@@ -9,5 +9,6 @@ class Prompts::Boards::UsersControllerTest < ActionDispatch::IntegrationTest
|
||||
test "index" do
|
||||
get prompts_board_users_path(@board)
|
||||
assert_response :success
|
||||
assert_select "lexxy-prompt-item", count: 3
|
||||
end
|
||||
end
|
||||
|
||||
Vendored
+4
@@ -1,3 +1,7 @@
|
||||
37s:
|
||||
name: 37signals
|
||||
external_account_id: <%= ActiveRecord::FixtureSet.identify("37signals") %>
|
||||
|
||||
initech:
|
||||
name: Initech LLC
|
||||
external_account_id: <%= ActiveRecord::FixtureSet.identify("initech") %>
|
||||
|
||||
Vendored
+3
@@ -6,3 +6,6 @@ jz:
|
||||
|
||||
kevin:
|
||||
email_address: kevin@37signals.com
|
||||
|
||||
mike:
|
||||
email_address: mike@37signals.com
|
||||
|
||||
Vendored
+4
@@ -10,3 +10,7 @@ jz_in_37signals:
|
||||
kevin_in_37signals:
|
||||
identity: kevin
|
||||
tenant: <%= ActiveRecord::FixtureSet.identify("37signals") %> # matches the external_account_id
|
||||
|
||||
mike_in_initech:
|
||||
identity: mike
|
||||
tenant: <%= ActiveRecord::FixtureSet.identify("initech") %>
|
||||
|
||||
Vendored
+6
@@ -20,3 +20,9 @@ system:
|
||||
name: System
|
||||
role: system
|
||||
account: 37s
|
||||
|
||||
mike:
|
||||
name: Mike
|
||||
role: admin
|
||||
membership: mike_in_initech
|
||||
account: initech
|
||||
|
||||
@@ -18,7 +18,7 @@ class Board::AccessibleTest < ActiveSupport::TestCase
|
||||
board = Current.set(session: sessions(:david)) do
|
||||
Board.create! name: "New board", all_access: true
|
||||
end
|
||||
assert_equal User.active.sort, board.users.sort
|
||||
assert_equal accounts("37s").users.active.sort, board.users.sort
|
||||
end
|
||||
|
||||
test "grants access to everyone after update" do
|
||||
@@ -28,7 +28,7 @@ class Board::AccessibleTest < ActiveSupport::TestCase
|
||||
assert_equal [ users(:david) ], board.users
|
||||
|
||||
board.update! all_access: true
|
||||
assert_equal User.active.sort, board.users.reload.sort
|
||||
assert_equal accounts("37s").users.active.sort, board.users.reload.sort
|
||||
end
|
||||
|
||||
test "board watchers" do
|
||||
|
||||
Reference in New Issue
Block a user