demarches-normaliennes/app/controllers/users/profil_controller.rb

module Users
  class ProfilController < UserController
    before_action :ensure_update_email_is_authorized, only: :update_email
    before_action :find_transfers, only: [:show, :renew_api_token]

    def show
    end

    def renew_api_token
      @token = current_administrateur.renew_api_token
      flash.now.notice = 'Votre jeton a été regénéré.'
      render :show
    end

    def update_email
      requested_user = User.find_by(email: requested_email)
      if requested_user.present? && current_user.ask_for_merge(requested_user)
        current_user.update(unconfirmed_email: nil)

        flash.notice = t('devise.registrations.update_needs_confirmation')
      elsif current_user.update(update_email_params)
        current_user.update(requested_merge_into: nil)

        flash.notice = t('devise.registrations.update_needs_confirmation')
      else
        flash.alert = current_user.errors.full_messages
      end

      redirect_to profil_path
    end

    def transfer_all_dossiers
      transfer = DossierTransfer.initiate(next_owner_email, current_user.dossiers)

      if transfer.valid?
        flash.notice = t('.new_transfer', count: current_user.dossiers.count, email: next_owner_email)
      else
        flash.alert = transfer.errors.full_messages
      end

      redirect_to profil_path
    end

    def accept_merge
      users_requesting_merge.each { |user| current_user.merge(user) }
      users_requesting_merge.update_all(requested_merge_into_id: nil)

      flash.notice = "Vous avez absorbé le compte #{waiting_merge_emails.join(', ')}"
      redirect_to profil_path
    end

    def refuse_merge
      users = users_requesting_merge
      users.update_all(requested_merge_into_id: nil)

      flash.notice = 'La fusion a été refusé'
      redirect_to profil_path
    end

    private

    def find_transfers
      @waiting_merge_emails = waiting_merge_emails
      @waiting_transfers = current_user.dossiers.joins(:transfer).group('dossier_transfers.email').count.to_a
    end

    def waiting_merge_emails
      users_requesting_merge.pluck(:email)
    end

    def users_requesting_merge
      @requesting_merge ||= current_user.requested_merge_from
    end

    def ensure_update_email_is_authorized
      if current_user.instructeur? && !target_email_allowed?
        flash.alert = t('users.profil.ensure_update_email_is_authorized.email_not_allowed', contact_email: CONTACT_EMAIL, requested_email: requested_email)
        redirect_to profil_path
      end
    end

    def update_email_params
      params.require(:user).permit(:email)
    end

    def requested_email
      update_email_params[:email]
    end

    def target_email_allowed?
      LEGIT_ADMIN_DOMAINS.any? { |d| requested_email.end_with?(d) }
    end

    def next_owner_email
      params[:next_owner]
    end
  end
end
Profil: accessible to all roles 2019-07-02 18:15:03 +02:00			`module Users`
			`class ProfilController < UserController`
move update_email check to before_action 2021-10-25 16:57:21 +02:00			`before_action :ensure_update_email_is_authorized, only: :update_email`
fix(profile): prevent crashing on renew token action 2021-11-16 14:54:09 +01:00			`before_action :find_transfers, only: [:show, :renew_api_token]`
move update_email check to before_action 2021-10-25 16:57:21 +02:00
Profile: move to new design 2018-08-23 18:53:35 +02:00			`def show`
			`end`

			`def renew_api_token`
Api Token: store token in an encrypted form 2018-08-24 16:45:43 +02:00			`@token = current_administrateur.renew_api_token`
Profil: display token only once 2018-08-24 14:19:44 +02:00			`flash.now.notice = 'Votre jeton a été regénéré.'`
			`render :show`
Profile: move to new design 2018-08-23 18:53:35 +02:00			`end`
[fix #1709] A user can change its email 2019-07-08 10:40:50 +02:00
			`def update_email`
update update_email to allow merge 2021-10-26 13:36:14 +02:00			`requested_user = User.find_by(email: requested_email)`
fix(profil_controller#update_email): ensure we are not merging same account fix(profil_controller#update_email): changing email from current_user.email to current_user.email destroy current user. whoops ☠️' Update config/locales/en.yml Co-authored-by: Pierre de La Morinerie <pierre.de_la_morinerie@beta.gouv.fr> Update config/locales/fr.yml Co-authored-by: Pierre de La Morinerie <pierre.de_la_morinerie@beta.gouv.fr> Update spec/controllers/users/profil_controller_spec.rb Update config/locales/fr.yml Co-authored-by: Pierre de La Morinerie <pierre.de_la_morinerie@beta.gouv.fr> Update spec/controllers/users/profil_controller_spec.rb fix(spec): broken due to typo 2021-12-23 14:54:37 +01:00			`if requested_user.present? && current_user.ask_for_merge(requested_user)`
one merge at a time 2021-10-26 16:18:12 +02:00			`current_user.update(unconfirmed_email: nil)`

[fix #1709] A user can change its email 2019-07-08 10:40:50 +02:00			`flash.notice = t('devise.registrations.update_needs_confirmation')`
update update_email to allow merge 2021-10-26 13:36:14 +02:00			`elsif current_user.update(update_email_params)`
one merge at a time 2021-10-26 16:18:12 +02:00			`current_user.update(requested_merge_into: nil)`

[fix #1709] A user can change its email 2019-07-08 10:40:50 +02:00			`flash.notice = t('devise.registrations.update_needs_confirmation')`
			`else`
@current_user -> current_user 2019-12-09 16:50:30 +01:00			`flash.alert = current_user.errors.full_messages`
[fix #1709] A user can change its email 2019-07-08 10:40:50 +02:00			`end`

			`redirect_to profil_path`
			`end`

a user can transfer all its dossier 2021-09-20 13:14:03 +02:00			`def transfer_all_dossiers`
fix(dossier_transfer): avoid all transfers without valid email Cf #7621 2022-08-02 13:01:06 +02:00			`transfer = DossierTransfer.initiate(next_owner_email, current_user.dossiers)`

			`if transfer.valid?`
			`flash.notice = t('.new_transfer', count: current_user.dossiers.count, email: next_owner_email)`
			`else`
			`flash.alert = transfer.errors.full_messages`
			`end`

a user can transfer all its dossier 2021-09-20 13:14:03 +02:00			`redirect_to profil_path`
			`end`

accept or refuse merge 2021-10-26 13:22:51 +02:00			`def accept_merge`
			`users_requesting_merge.each { \|user\| current_user.merge(user) }`
			`users_requesting_merge.update_all(requested_merge_into_id: nil)`

			`flash.notice = "Vous avez absorbé le compte #{waiting_merge_emails.join(', ')}"`
			`redirect_to profil_path`
			`end`

			`def refuse_merge`
			`users = users_requesting_merge`
			`users.update_all(requested_merge_into_id: nil)`

			`flash.notice = 'La fusion a été refusé'`
			`redirect_to profil_path`
			`end`

[fix #1709] A user can change its email 2019-07-08 10:40:50 +02:00			`private`

fix(profile): prevent crashing on renew token action 2021-11-16 14:54:09 +01:00			`def find_transfers`
			`@waiting_merge_emails = waiting_merge_emails`
			`@waiting_transfers = current_user.dossiers.joins(:transfer).group('dossier_transfers.email').count.to_a`
			`end`

accept or refuse merge 2021-10-26 13:22:51 +02:00			`def waiting_merge_emails`
			`users_requesting_merge.pluck(:email)`
			`end`

			`def users_requesting_merge`
add has_may requested_merge_from 2021-11-04 15:51:54 +01:00			`@requesting_merge \|\|= current_user.requested_merge_from`
accept or refuse merge 2021-10-26 13:22:51 +02:00			`end`

move update_email check to before_action 2021-10-25 16:57:21 +02:00			`def ensure_update_email_is_authorized`
			`if current_user.instructeur? && !target_email_allowed?`
			`flash.alert = t('users.profil.ensure_update_email_is_authorized.email_not_allowed', contact_email: CONTACT_EMAIL, requested_email: requested_email)`
			`redirect_to profil_path`
			`end`
			`end`

[fix #1709] A user can change its email 2019-07-08 10:40:50 +02:00			`def update_email_params`
			`params.require(:user).permit(:email)`
			`end`
profile: send an email when the account is already taken 2019-07-09 17:08:27 +02:00
			`def requested_email`
			`update_email_params[:email]`
			`end`
[link to #4557] An instructeur cannot change its email on its own 2019-12-09 17:11:12 +01:00
allow instructeur and administrateur to change their email to legit domain (#6550) 2021-10-18 12:03:13 +02:00			`def target_email_allowed?`
			`LEGIT_ADMIN_DOMAINS.any? { \|d\| requested_email.end_with?(d) }`
[link to #4557] An instructeur cannot change its email on its own 2019-12-09 17:11:12 +01:00			`end`
a user can transfer all its dossier 2021-09-20 13:14:03 +02:00
			`def next_owner_email`
			`params[:next_owner]`
			`end`
Profile: move to new design 2018-08-23 18:53:35 +02:00			`end`
			`end`