only allow users with an invite to create accounts

2025-11-30 21:32:30 +00:00 · 2017-05-12 14:45:42 +01:00
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -1,16 +1,20 @@
 class UserController < ApplicationController

-  skip_before_action :login_required, :only => [:new, :create]
+  skip_before_action :login_required, :only => [:new, :create, :join]
  skip_before_action :verified_email_required, :only => [:edit, :update, :verify]

  def new
+    @user_invite = UserInvite.active.find_by!(:uuid => params[:invite_token])
    @user = User.new
+    @user.email_address = @user_invite.email_address
    render :layout => 'sub'
  end

  def create
+    @user_invite = UserInvite.active.find_by!(:uuid => params[:invite_token])
    @user = User.new(params.require(:user).permit(:first_name, :last_name, :email_address, :password, :password_confirmation))
    if @user.save
+      @user_invite.accept(@user)
      AppMailer.new_user(@user).deliver
      self.current_user = @user
      redirect_to verify_path(:return_to => params[:return_to])
@@ -21,14 +25,18 @@ class UserController < ApplicationController

  def join
    if @invite = UserInvite.where(:uuid => params[:token]).where("expires_at > ?", Time.now).first
-      if request.post?
-        @invite.accept(current_user)
-        redirect_to_with_json root_path(:nrd => 1), :notice => "Invitation has been accepted successfully. You now have access to this organization."
-      elsif request.delete?
-        @invite.reject
-        redirect_to_with_json root_path(:nrd => 1), :notice => "Invitation has been rejected successfully."
+      if logged_in?
+        if request.post?
+          @invite.accept(current_user)
+          redirect_to_with_json root_path(:nrd => 1), :notice => "Invitation has been accepted successfully. You now have access to this organization."
+        elsif request.delete?
+          @invite.reject
+          redirect_to_with_json root_path(:nrd => 1), :notice => "Invitation has been rejected successfully."
+        else
+          @organizations = @invite.organizations.order(:name).to_a
+        end
      else
-        @organizations = @invite.organizations.order(:name).to_a
+        redirect_to new_signup_path(params[:token])
      end
    else
      redirect_to_with_json root_path(:nrd => 1), :alert => "The invite URL you have has expired. Please ask the person who invited you to re-send your invitation."
--- a/app/models/user_invite.rb
+++ b/app/models/user_invite.rb
@@ -25,6 +25,8 @@ class UserInvite < ApplicationRecord

  default_value :expires_at, -> { 7.days.from_now }

+  scope :active, -> { where("expires_at > ?", Time.now) }
+
  def md5_for_gravatar
    @md5_for_gravatar ||= Digest::MD5.hexdigest(email_address.to_s.downcase)
  end
--- a/app/views/sessions/new.html.haml
+++ b/app/views/sessions/new.html.haml
@@ -7,13 +7,12 @@
  = form_tag login_path, :class => 'loginForm' do
    = hidden_field_tag 'return_to', params[:return_to]
    - if params[:return_to] && params[:return_to] =~ /\/join\//
-      %p.loginForm__invite.warningBox.u-margin To accept your invitation you need to login to your account or create a new one. Choose from the options below to continue.
+      %p.loginForm__invite.warningBox.u-margin Login to your existing account to accept your invitation.

    %p.loginForm__input= text_field_tag 'email_address', '', :type => 'email', :autocomplete => 'off', :spellcheck => 'false', :class => 'input input--text input--onWhite', :placeholder => "Your e-mail address", :autofocus => true, :tabindex => 1
    %p.loginForm__input= password_field_tag 'password', '', :class => 'input input--text input--onWhite', :placeholder => "Your password", :tabindex => 2
    .loginForm__submit
      %ul.loginForm__links
        %li= link_to "Forgotten your password?", login_reset_path(:return_to => params[:return_to])
-        %li= link_to "Create a new user", signup_path(:return_to => params[:return_to])
      %p= submit_tag "Login", :class => 'button button--positive', :tabindex => 3

--- a/app/views/user/new.html.haml
+++ b/app/views/user/new.html.haml
@@ -1,17 +1,19 @@
 - @wide = true
 - page_title << "Signup"
 .subPageBox__title
-  Create your own Postal account
+  Join the #{@user_invite.organizations.first.name} organization
 = display_flash

 .subPageBox__content
  %p.subPageBox__text
-    To create an account, just enter your details below and you'll be on your way.
-    Be sure to enter a valid e-mail address because we'll send you a verification
-    e-mail as part of the signup process.
+    If you don't already have an account on this system, you can create one below. Otherwise, you should
+    #{link_to "login to your existing account", login_path(:return_to => join_path(@user_invite.uuid)), :class => 'u-link'}
+    and add this organization to that.
+
  .signupForm
    = form_for @user, :url => signup_path do |f|
      = hidden_field_tag 'return_to', params[:return_to]
+      = hidden_field_tag 'invite_token', params[:invite_token]
      = f.error_messages
      .fieldSet.fieldSet--compact.u-margin
        .fieldSet__fieldPair