discourse/app/models/invite_redeemer.rb

# frozen_string_literal: true

# NOTE: There are a _lot_ of complicated rules and conditions for our
# invite system, and the code is spread out through a lot of places.
# Tread lightly and read carefully when modifying this code. You may
# also want to look at:
#
# * InvitesController
# * SessionController
# * Invite model
# * User model
#
# Invites that are scoped to a specific email (email IS NOT NULL on the Invite
# model) have different rules to invites that are considered an "invite link",
# (email IS NULL) on the Invite model.
class InviteRedeemer
  attr_reader :invite,
              :email,
              :username,
              :name,
              :password,
              :user_custom_fields,
              :ip_address,
              :session,
              :email_token,
              :redeeming_user

  def initialize(
    invite:,
    email: nil,
    username: nil,
    name: nil,
    password: nil,
    user_custom_fields: nil,
    ip_address: nil,
    session: nil,
    email_token: nil,
    redeeming_user: nil
  )
    @invite = invite
    @username = username
    @name = name
    @password = password
    @user_custom_fields = user_custom_fields
    @ip_address = ip_address
    @session = session
    @email_token = email_token
    @redeeming_user = redeeming_user

    ensure_email_is_present!(email)
  end

  def redeem
    Invite.transaction do
      if can_redeem_invite? && mark_invite_redeemed
        process_invitation
        invited_user
      end
    end
  end

  # The email must be present in some form since many of the methods
  # for processing + redemption rely on it. If it's still nil after
  # these checks then we have hit an edge case and should not proceed!
  def ensure_email_is_present!(email)
    if email.blank?
      Rails.logger.warn(
        "email param was blank in InviteRedeemer for invite ID #{@invite.id}. The `redeeming_user` was #{@redeeming_user.present? ? "(ID: #{@redeeming_user.id})" : "not"} present.",
      )
    end

    if email.blank? && @invite.is_email_invite?
      @email = @invite.email
    elsif @redeeming_user.present?
      @email = @redeeming_user.email
    else
      @email = email
    end

    raise Discourse::InvalidParameters if @email.blank?
  end

  # This will _never_ be called if there is a redeeming_user being passed
  # in to InviteRedeemer -- see invited_user below.
  def self.create_user_from_invite(
    email:,
    invite:,
    username: nil,
    name: nil,
    password: nil,
    user_custom_fields: nil,
    ip_address: nil,
    session: nil,
    email_token: nil
  )
    if username && UsernameValidator.new(username).valid_format? &&
         User.username_available?(username, email)
      available_username = username
    else
      available_username = UserNameSuggester.suggest(email)
    end

    user = User.where(staged: true).with_email(email.strip.downcase).first
    user.unstage! if user
    user ||= User.new

    user.attributes = {
      email: email,
      username: available_username,
      name: name || available_username,
      active: false,
      trust_level: SiteSetting.default_invitee_trust_level,
      ip_address: ip_address,
      registration_ip_address: ip_address,
    }

    if (!SiteSetting.must_approve_users && SiteSetting.invite_only) ||
         (SiteSetting.must_approve_users? && EmailValidator.can_auto_approve_user?(user.email))
      ReviewableUser.set_approved_fields!(user, Discourse.system_user)
    end

    user_fields = UserField.all
    if user_custom_fields.present? && user_fields.present?
      field_params = user_custom_fields || {}
      fields = user.custom_fields

      user_fields.each do |f|
        field_val = field_params[f.id.to_s]
        fields["#{User::USER_FIELD_PREFIX}#{f.id}"] = field_val[
          0...UserField.max_length
        ] unless field_val.blank?
      end
      user.custom_fields = fields
    end

    user.moderator = true if invite.moderator? && invite.invited_by.staff?

    if password
      user.password = password
      user.password_required!
    end

    authenticator = UserAuthenticator.new(user, session, require_password: false)

    if !authenticator.has_authenticator? && !SiteSetting.enable_local_logins
      raise ActiveRecord::RecordNotSaved.new(I18n.t("login.incorrect_username_email_or_password"))
    end

    authenticator.start

    if authenticator.email_valid? && !authenticator.authenticated?
      raise ActiveRecord::RecordNotSaved.new(I18n.t("login.incorrect_username_email_or_password"))
    end

    user.save!
    authenticator.finish

    if invite.emailed_status != Invite.emailed_status_types[:not_required] &&
         email == invite.email && invite.email_token.present? && email_token == invite.email_token
      user.activate
    end

    User.find(user.id)
  end

  private

  def can_redeem_invite?
    return false if !invite.redeemable?
    return false if email.blank?

    # Invite scoped to email has already been redeemed by anyone.
    return false if invite.is_email_invite? && InvitedUser.exists?(invite_id: invite.id)

    # The email will be present for either an invite link (where the user provides
    # us the email manually) or for an invite scoped to an email, where we
    # prefill the email and do not let the user modify it.
    #
    # Note that an invite link can also have a domain scope which must be checked.
    email_to_check = redeeming_user&.email || email

    if invite.email.present? && !invite.email_matches?(email_to_check)
      raise ActiveRecord::RecordNotSaved.new(I18n.t("invite.not_matching_email"))
    end

    if invite.domain.present? && !invite.domain_matches?(email_to_check)
      raise ActiveRecord::RecordNotSaved.new(I18n.t("invite.domain_not_allowed"))
    end

    # Anon user is trying to redeem an invitation, if an existing user already
    # redeemed it then we cannot redeem now.
    redeeming_user ||= User.where(admin: false, staged: false).find_by_email(email)
    if redeeming_user.present? &&
         InvitedUser.exists?(user_id: redeeming_user.id, invite_id: invite.id)
      return false
    end

    true
  end

  # Note that the invited_user is returned by #redeemed, so other places
  # (e.g. the InvitesController) can perform further actions on it, this
  # is why things like send_welcome_message are set without being saved
  # on the model.
  def invited_user
    return @invited_user if defined?(@invited_user)

    # The redeeming user is an already logged in user or a user who is
    # activating their account who is redeeming the invite,
    # which is valid for existing users to be invited to topics or groups.
    if redeeming_user.present?
      @invited_user = redeeming_user
      return @invited_user
    end

    # If there was no logged in user then we must attempt to create
    # one based on the provided params.
    invited_user ||=
      InviteRedeemer.create_user_from_invite(
        email: email,
        invite: invite,
        username: username,
        name: name,
        password: password,
        user_custom_fields: user_custom_fields,
        ip_address: ip_address,
        session: session,
        email_token: email_token,
      )
    invited_user.send_welcome_message = false
    @invited_user = invited_user
    @invited_user
  end

  def process_invitation
    add_to_private_topics_if_invited
    add_user_to_groups
    send_welcome_message
    notify_invitee
  end

  def mark_invite_redeemed
    @invited_user_record = InvitedUser.create!(invite_id: invite.id, redeemed_at: Time.zone.now)

    if @invited_user_record.present?
      Invite.increment_counter(:redemption_count, invite.id)
      delete_duplicate_invites
    end

    @invited_user_record.present?
  end

  def add_to_private_topics_if_invited
    # Should not happen because of ensure_email_is_present!, but better to cover bases.
    return if email.blank?

    topic_ids =
      TopicInvite
        .joins(:invite)
        .joins(:topic)
        .where("topics.archetype = ?", Archetype.private_message)
        .where("invites.email = ?", email)
        .pluck(:topic_id)
    topic_ids.each do |id|
      if !TopicAllowedUser.exists?(user_id: invited_user.id, topic_id: id)
        TopicAllowedUser.create!(user_id: invited_user.id, topic_id: id)
      end
    end
  end

  def add_user_to_groups
    guardian = Guardian.new(invite.invited_by)
    new_group_ids = invite.groups.pluck(:id) - invited_user.group_users.pluck(:group_id)
    new_group_ids.each do |id|
      group = Group.find_by(id: id)
      if guardian.can_edit_group?(group)
        invited_user.group_users.create!(group_id: group.id)
        GroupActionLogger.new(invite.invited_by, group).log_add_user_to_group(invited_user)
        DiscourseEvent.trigger(:user_added_to_group, invited_user, group, automatic: false)
      end
    end
  end

  def send_welcome_message
    @invited_user_record.update!(user_id: invited_user.id)
    invited_user.send_welcome_message = true
  end

  def notify_invitee
    return if invite.invited_by.blank?
    invite.invited_by.notifications.create!(
      notification_type: Notification.types[:invitee_accepted],
      data: { display_username: invited_user.username }.to_json,
    )
  end

  def delete_duplicate_invites
    # Should not happen because of ensure_email_is_present!, but better to cover bases.
    return if email.blank?

    Invite
      .where("invites.max_redemptions_allowed = 1")
      .joins("LEFT JOIN invited_users ON invites.id = invited_users.invite_id")
      .where("invited_users.user_id IS NULL")
      .where("invites.email = ? AND invites.id != ?", email, invite.id)
      .delete_all
  end
end