From dbf66f9a500860c29db08cc04cb8aa2ff9fffd98 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Mon, 10 Nov 2025 17:17:03 -0500 Subject: [PATCH] Constrain user queries to the current or relevant account --- app/controllers/account/settings_controller.rb | 2 +- app/controllers/boards_controller.rb | 4 ++-- app/controllers/my/menus_controller.rb | 2 +- app/controllers/prompts/users_controller.rb | 2 +- app/controllers/users/events_controller.rb | 2 +- app/controllers/users/roles_controller.rb | 2 +- app/controllers/users_controller.rb | 2 +- app/models/account.rb | 1 + app/models/board/accessible.rb | 2 +- app/models/user/filtering.rb | 2 +- app/views/filters/settings/_assignees.html.erb | 2 +- gems/fizzy-saas/app/models/signup.rb | 3 +-- test/controllers/boards_controller_test.rb | 2 +- test/controllers/prompts/boards/users_controller_test.rb | 1 + test/fixtures/accounts.yml | 4 ++++ test/fixtures/identities.yml | 3 +++ test/fixtures/memberships.yml | 4 ++++ test/fixtures/users.yml | 6 ++++++ test/models/board/accessible_test.rb | 4 ++-- 19 files changed, 34 insertions(+), 16 deletions(-) diff --git a/app/controllers/account/settings_controller.rb b/app/controllers/account/settings_controller.rb index bbfec0fe1..a076479cb 100644 --- a/app/controllers/account/settings_controller.rb +++ b/app/controllers/account/settings_controller.rb @@ -3,7 +3,7 @@ class Account::SettingsController < ApplicationController before_action :set_account def show - @users = User.active.alphabetically + @users = @account.users.active.alphabetically end def update diff --git a/app/controllers/boards_controller.rb b/app/controllers/boards_controller.rb index 70383e139..593595814 100644 --- a/app/controllers/boards_controller.rb +++ b/app/controllers/boards_controller.rb @@ -24,7 +24,7 @@ class BoardsController < ApplicationController def edit selected_user_ids = @board.users.pluck :id @selected_users, @unselected_users = \ - User.active.alphabetically.partition { |user| selected_user_ids.include? user.id } + @board.account.users.active.alphabetically.partition { |user| selected_user_ids.include? user.id } end def update @@ -73,7 +73,7 @@ class BoardsController < ApplicationController end def grantees - User.active.where id: grantee_ids + @board.account.users.active.where id: grantee_ids end def revokees diff --git a/app/controllers/my/menus_controller.rb b/app/controllers/my/menus_controller.rb index a2c1c96eb..dd04aae67 100644 --- a/app/controllers/my/menus_controller.rb +++ b/app/controllers/my/menus_controller.rb @@ -3,7 +3,7 @@ class My::MenusController < ApplicationController @filters = Current.user.filters.all @boards = Current.user.boards.ordered_by_recently_accessed @tags = Tag.all.alphabetically - @users = User.active.alphabetically + @users = Current.account.users.active.alphabetically fresh_when etag: [ @filters, @boards, @tags, @users ] end diff --git a/app/controllers/prompts/users_controller.rb b/app/controllers/prompts/users_controller.rb index c926e2de4..6f5028eec 100644 --- a/app/controllers/prompts/users_controller.rb +++ b/app/controllers/prompts/users_controller.rb @@ -1,6 +1,6 @@ class Prompts::UsersController < ApplicationController def index - @users = User.active.alphabetically + @users = Current.account.users.active.alphabetically if stale? etag: @users render layout: false diff --git a/app/controllers/users/events_controller.rb b/app/controllers/users/events_controller.rb index 2f1e3afb0..e310ed9a4 100644 --- a/app/controllers/users/events_controller.rb +++ b/app/controllers/users/events_controller.rb @@ -12,7 +12,7 @@ class Users::EventsController < ApplicationController private def set_user - @user = User.active.find(params[:user_id]) + @user = Current.account.users.active.find(params[:user_id]) end def day_param diff --git a/app/controllers/users/roles_controller.rb b/app/controllers/users/roles_controller.rb index f9eb7d232..b881bdcfc 100644 --- a/app/controllers/users/roles_controller.rb +++ b/app/controllers/users/roles_controller.rb @@ -9,7 +9,7 @@ class Users::RolesController < ApplicationController private def set_user - @user = User.active.find(params[:user_id]) + @user = Current.account.users.active.find(params[:user_id]) end def ensure_permission_to_administer_user diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 2ba535fef..86058fea3 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -20,7 +20,7 @@ class UsersController < ApplicationController private def set_user - @user = User.active.find(params[:id]) + @user = Current.account.users.active.find(params[:id]) end def ensure_permission_to_change_user diff --git a/app/models/account.rb b/app/models/account.rb index dbcd64619..65c85e0a3 100644 --- a/app/models/account.rb +++ b/app/models/account.rb @@ -2,6 +2,7 @@ class Account < ApplicationRecord include Entropic, Seedeable has_one :join_code + has_many :users, dependent: :destroy has_many_attached :uploads diff --git a/app/models/board/accessible.rb b/app/models/board/accessible.rb index 75b2e982e..1565e67af 100644 --- a/app/models/board/accessible.rb +++ b/app/models/board/accessible.rb @@ -58,7 +58,7 @@ module Board::Accessible end def grant_access_to_everyone - accesses.grant_to(User.active) if all_access_previously_changed?(to: true) + accesses.grant_to(account.users.active) if all_access_previously_changed?(to: true) end def mentions_for_user(user) diff --git a/app/models/user/filtering.rb b/app/models/user/filtering.rb index 4ac9cf86a..5cd9516c0 100644 --- a/app/models/user/filtering.rb +++ b/app/models/user/filtering.rb @@ -25,7 +25,7 @@ class User::Filtering end def users - @users ||= User.active.alphabetically + @users ||= Current.account.users.active.alphabetically end def filters diff --git a/app/views/filters/settings/_assignees.html.erb b/app/views/filters/settings/_assignees.html.erb index 519fc2546..ec7e82725 100644 --- a/app/views/filters/settings/_assignees.html.erb +++ b/app/views/filters/settings/_assignees.html.erb @@ -18,7 +18,7 @@ <%= filter_dialog "Assigned to…" do %> Assigned to… - <% if User.active.many? %> + <% if Current.account.users.active.many? %> <%= text_field_tag nil, nil, id: nil, placeholder: "Filter…", class: "input input--transparent txt-small", autofocus: true, type: "search", autocorrect: "off", autocomplete: "off", data: { "1p-ignore": "true", filter_target: "input", action: "input->filter#filter" } %> <% end %> diff --git a/gems/fizzy-saas/app/models/signup.rb b/gems/fizzy-saas/app/models/signup.rb index 08538e681..1986a8af2 100644 --- a/gems/fizzy-saas/app/models/signup.rb +++ b/gems/fizzy-saas/app/models/signup.rb @@ -108,8 +108,7 @@ class Signup membership_id: membership.id } ) - # TODO:PLANB: we'll need to filter by account - @user = User.find_by!(role: :admin) + @user = @account.users.find_by!(role: :admin) # TODO:PLANB: remove this once board and other models have an account_id. # this is needed because code will try to reference Account#entropy, previously diff --git a/test/controllers/boards_controller_test.rb b/test/controllers/boards_controller_test.rb index 41cbb557e..f2b807480 100644 --- a/test/controllers/boards_controller_test.rb +++ b/test/controllers/boards_controller_test.rb @@ -86,7 +86,7 @@ class BoardsControllerTest < ActionDispatch::IntegrationTest assert_redirected_to edit_board_path(board) assert board.reload.all_access? - assert_equal User.active.sort, board.users.sort + assert_equal accounts("37s").users.active.sort, board.users.sort end test "destroy" do diff --git a/test/controllers/prompts/boards/users_controller_test.rb b/test/controllers/prompts/boards/users_controller_test.rb index 2254bf432..992df99f0 100644 --- a/test/controllers/prompts/boards/users_controller_test.rb +++ b/test/controllers/prompts/boards/users_controller_test.rb @@ -9,5 +9,6 @@ class Prompts::Boards::UsersControllerTest < ActionDispatch::IntegrationTest test "index" do get prompts_board_users_path(@board) assert_response :success + assert_select "lexxy-prompt-item", count: 3 end end diff --git a/test/fixtures/accounts.yml b/test/fixtures/accounts.yml index 78f618790..e13abf5a2 100644 --- a/test/fixtures/accounts.yml +++ b/test/fixtures/accounts.yml @@ -1,3 +1,7 @@ 37s: name: 37signals external_account_id: <%= ActiveRecord::FixtureSet.identify("37signals") %> + +initech: + name: Initech LLC + external_account_id: <%= ActiveRecord::FixtureSet.identify("initech") %> diff --git a/test/fixtures/identities.yml b/test/fixtures/identities.yml index c9dbc7c09..a014e801c 100644 --- a/test/fixtures/identities.yml +++ b/test/fixtures/identities.yml @@ -6,3 +6,6 @@ jz: kevin: email_address: kevin@37signals.com + +mike: + email_address: mike@37signals.com diff --git a/test/fixtures/memberships.yml b/test/fixtures/memberships.yml index 4d1cdb512..d400ff41d 100644 --- a/test/fixtures/memberships.yml +++ b/test/fixtures/memberships.yml @@ -10,3 +10,7 @@ jz_in_37signals: kevin_in_37signals: identity: kevin tenant: <%= ActiveRecord::FixtureSet.identify("37signals") %> # matches the external_account_id + +mike_in_initech: + identity: mike + tenant: <%= ActiveRecord::FixtureSet.identify("initech") %> diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml index d2fb815ab..321c4666a 100644 --- a/test/fixtures/users.yml +++ b/test/fixtures/users.yml @@ -20,3 +20,9 @@ system: name: System role: system account: 37s + +mike: + name: Mike + role: admin + membership: mike_in_initech + account: initech diff --git a/test/models/board/accessible_test.rb b/test/models/board/accessible_test.rb index 8c3beef5e..caae4e9b0 100644 --- a/test/models/board/accessible_test.rb +++ b/test/models/board/accessible_test.rb @@ -18,7 +18,7 @@ class Board::AccessibleTest < ActiveSupport::TestCase board = Current.set(session: sessions(:david)) do Board.create! name: "New board", all_access: true end - assert_equal User.active.sort, board.users.sort + assert_equal accounts("37s").users.active.sort, board.users.sort end test "grants access to everyone after update" do @@ -28,7 +28,7 @@ class Board::AccessibleTest < ActiveSupport::TestCase assert_equal [ users(:david) ], board.users board.update! all_access: true - assert_equal User.active.sort, board.users.reload.sort + assert_equal accounts("37s").users.active.sort, board.users.reload.sort end test "board watchers" do