discourse/app/controllers/invites_controller.rb

require_dependency 'rate_limiter'

class InvitesController < ApplicationController

  skip_before_filter :check_xhr, except: [:perform_accept_invitation]
  skip_before_filter :preload_json, except: [:show]
  skip_before_filter :redirect_to_login_if_required

  before_filter :ensure_logged_in, only: [:destroy, :create, :create_invite_link, :resend_invite, :resend_all_invites, :upload_csv]
  before_filter :ensure_new_registrations_allowed, only: [:show, :perform_accept_invitation, :redeem_disposable_invite]
  before_filter :ensure_not_logged_in, only: [:show, :perform_accept_invitation, :redeem_disposable_invite]

  def show
    expires_now

    invite = Invite.find_by(invite_key: params[:id])

    if invite.present?
      store_preloaded("invite_info", MultiJson.dump({
        invited_by: UserNameSerializer.new(invite.invited_by, scope: guardian, root: false),
        email: invite.email,
        username: UserNameSuggester.suggest(invite.email)
      }))
      render layout: 'application'
    else
      flash.now[:error] = I18n.t('invite.not_found')
      render layout: 'no_ember'
    end
  end

  def perform_accept_invitation
    params.require(:id)
    params.permit(:username, :name, :password, :user_custom_fields)
    invite = Invite.find_by(invite_key: params[:id])

    if invite.present?
      begin
        user = invite.redeem(username: params[:username], name: params[:name], password: params[:password], user_custom_fields: params[:user_custom_fields])
        if user.present?
          log_on_user(user)
          post_process_invite(user)
        end

        topic = user.present? ? invite.topics.first : nil

        render json: {
          success: true,
          redirect_to: topic.present? ? path("#{topic.relative_url}") : path("/")
        }
      rescue ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved => e
        render json: {
          success: false,
          errors: e.record&.errors&.to_hash || {}
        }
      end
    else
      render json: { success: false, message: I18n.t('invite.not_found') }
    end
  end

  def create
    params.require(:email)

    group_ids = Group.lookup_group_ids(params)

    guardian.ensure_can_invite_to_forum!(group_ids)

    invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
    if invite_exists && !guardian.can_send_multiple_invites?(current_user)
      return render json: failed_json, status: 422
    end

    begin
      if Invite.invite_by_email(params[:email], current_user, _topic=nil,  group_ids, params[:custom_message])
        render json: success_json
      else
        render json: failed_json, status: 422
      end
    rescue Invite::UserExists, ActiveRecord::RecordInvalid => e
      render json: {errors: [e.message]}, status: 422
    end
  end

  def create_invite_link
    params.require(:email)
    group_ids = Group.lookup_group_ids(params)
    topic = Topic.find_by(id: params[:topic_id])
    guardian.ensure_can_invite_to_forum!(group_ids)

    invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
    if invite_exists && !guardian.can_send_multiple_invites?(current_user)
      return render json: failed_json, status: 422
    end

    begin
      # generate invite link
      if invite_link = Invite.generate_invite_link(params[:email], current_user, topic, group_ids)
        render_json_dump(invite_link)
      else
        render json: failed_json, status: 422
      end
    rescue => e
      render json: {errors: [e.message]}, status: 422
    end
  end

  def create_disposable_invite
    guardian.ensure_can_create_disposable_invite!(current_user)
    params.permit(:username, :email, :quantity, :group_names)

    username_or_email = params[:username] ? fetch_username : fetch_email
    user = User.find_by_username_or_email(username_or_email)

    # generate invite tokens
    invite_tokens = Invite.generate_disposable_tokens(user, params[:quantity], params[:group_names])

    render_json_dump(invite_tokens)
  end

  def redeem_disposable_invite
    params.require(:email)
    params.permit(:username, :name, :topic)
    params[:email] = params[:email].split(' ').join('+')

    invite = Invite.find_by(invite_key: params[:token])

    if invite.present?
      user = Invite.redeem_from_token(params[:token], params[:email], params[:username], params[:name], params[:topic].to_i)
      if user.present?
        log_on_user(user)
        post_process_invite(user)
        topic = invite.topics.first
        if topic.present?
          redirect_to path("#{topic.relative_url}")
          return
        end
      end
    end

    redirect_to path("/")
  end

  def destroy
    params.require(:email)

    invite = Invite.find_by(invited_by_id: current_user.id, email: params[:email])
    raise Discourse::InvalidParameters.new(:email) if invite.blank?
    invite.trash!(current_user)

    render nothing: true
  end

  def resend_invite
    params.require(:email)
    RateLimiter.new(current_user, "resend-invite-per-hour", 10, 1.hour).performed!

    invite = Invite.find_by(invited_by_id: current_user.id, email: params[:email])
    raise Discourse::InvalidParameters.new(:email) if invite.blank?
    invite.resend_invite
    render nothing: true

  rescue RateLimiter::LimitExceeded
    render_json_error(I18n.t("rate_limiter.slow_down"))
  end

  def resend_all_invites
    guardian.ensure_can_resend_all_invites!(current_user)

    Invite.resend_all_invites_from(current_user.id)
    render nothing: true
  end

  def upload_csv
    guardian.ensure_can_bulk_invite_to_forum!(current_user)

    file = params[:file] || params[:files].first
    name = params[:name] || File.basename(file.original_filename, ".*")
    extension = File.extname(file.original_filename)

    Scheduler::Defer.later("Upload CSV") do
      begin
        data = if extension.downcase == ".csv"
          path = Invite.create_csv(file, name)
          Jobs.enqueue(:bulk_invite, filename: "#{name}#{extension}", current_user_id: current_user.id)
          {url: path}
        else
          failed_json.merge(errors: [I18n.t("bulk_invite.file_should_be_csv")])
        end
      rescue
        failed_json.merge(errors: [I18n.t("bulk_invite.error")])
      end
      MessageBus.publish("/uploads/csv", data.as_json, user_ids: [current_user.id])
    end

    render json: success_json
  end

  def fetch_username
    params.require(:username)
    params[:username]
  end

  def fetch_email
    params.require(:email)
    params[:email]
  end

  def ensure_new_registrations_allowed
    unless SiteSetting.allow_new_registrations
      flash[:error] = I18n.t('login.new_registrations_disabled')
      render layout: 'no_ember'
      false
    end
  end

  def ensure_not_logged_in
    if current_user
      flash[:error] = I18n.t("login.already_logged_in", current_user: current_user.username)
      render layout: 'no_ember'
      false
    end
  end

  private

    def post_process_invite(user)
      user.enqueue_welcome_message('welcome_invite') if user.send_welcome_message
      if user.has_password?
        email_token = user.email_tokens.create(email: user.email)
        Jobs.enqueue(:critical_user_email, type: :signup, user_id: user.id, email_token: email_token.token)
      elsif !SiteSetting.enable_sso && SiteSetting.enable_local_logins
        Jobs.enqueue(:invite_password_instructions_email, username: user.username)
      end
    end

end
FEATURE: rate limit resend invites 2016-06-06 15:36:59 -04:00			`require_dependency 'rate_limiter'`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`class InvitesController < ApplicationController`

FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-13 16:19:41 -05:00			`skip_before_filter :check_xhr, except: [:perform_accept_invitation]`
			`skip_before_filter :preload_json, except: [:show]`
Don't require authentication for invites 2013-06-05 14:12:37 -04:00			`skip_before_filter :redirect_to_login_if_required`

FIX: simplify CSV file upload 2016-12-04 11:06:35 -05:00			`before_filter :ensure_logged_in, only: [:destroy, :create, :create_invite_link, :resend_invite, :resend_all_invites, :upload_csv]`
FEATURE: add explicit confirmation button to accept the invite 2017-01-24 15:15:29 -05:00			`before_filter :ensure_new_registrations_allowed, only: [:show, :perform_accept_invitation, :redeem_disposable_invite]`
			`before_filter :ensure_not_logged_in, only: [:show, :perform_accept_invitation, :redeem_disposable_invite]`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`def show`
FEATURE: add explicit confirmation button to accept the invite 2017-01-24 15:15:29 -05:00			`expires_now`
FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-13 16:19:41 -05:00
			`invite = Invite.find_by(invite_key: params[:id])`

			`if invite.present?`
			`store_preloaded("invite_info", MultiJson.dump({`
			`invited_by: UserNameSerializer.new(invite.invited_by, scope: guardian, root: false),`
			`email: invite.email,`
			`username: UserNameSuggester.suggest(invite.email)`
			`}))`
			`render layout: 'application'`
			`else`
			`flash.now[:error] = I18n.t('invite.not_found')`
			`render layout: 'no_ember'`
			`end`
FEATURE: add explicit confirmation button to accept the invite 2017-01-24 15:15:29 -05:00			`end`

			`def perform_accept_invitation`
FEATURE: require name when accepting invite if 'full name required' setting is enabled 2017-05-29 03:45:01 -04:00			`params.require(:id)`
FEATURE: add required user fields to invite accept form UX: make "accept invitation" page consistent with sign up modal 2017-06-08 15:10:43 -04:00			`params.permit(:username, :name, :password, :user_custom_fields)`
Perform the where(...).first to find_by(...) refactoring. This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb" 2014-05-06 09:41:59 -04:00			`invite = Invite.find_by(invite_key: params[:id])`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`if invite.present?`
FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-13 16:19:41 -05:00			`begin`
FEATURE: add required user fields to invite accept form UX: make "accept invitation" page consistent with sign up modal 2017-06-08 15:10:43 -04:00			`user = invite.redeem(username: params[:username], name: params[:name], password: params[:password], user_custom_fields: params[:user_custom_fields])`
FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-13 16:19:41 -05:00			`if user.present?`
			`log_on_user(user)`
FIX: send activation email when accepting invite if password is set 2017-04-15 05:18:05 -04:00			`post_process_invite(user)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-13 16:19:41 -05:00			`topic = user.present? ? invite.topics.first : nil`

			`render json: {`
			`success: true,`
			`redirect_to: topic.present? ? path("#{topic.relative_url}") : path("/")`
			`}`
			`rescue ActiveRecord::RecordInvalid, ActiveRecord::RecordNotSaved => e`
			`render json: {`
			`success: false,`
			`errors: e.record&.errors&.to_hash \|\| {}`
			`}`
			`end`
FEATURE: add explicit confirmation button to accept the invite 2017-01-24 15:15:29 -05:00			`else`
FEATURE: new invite acceptance page, where username can be chosen and password can be set 2017-02-13 16:19:41 -05:00			`render json: { success: false, message: I18n.t('invite.not_found') }`
FEATURE: add explicit confirmation button to accept the invite 2017-01-24 15:15:29 -05:00			`end`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

Support for inviting to a forum from a user's invite page. 2013-11-06 12:56:26 -05:00			`def create`
			`params.require(:email)`

FEATURE: admins can invite users to groups via the web UI 2014-05-09 04:22:15 -04:00			`group_ids = Group.lookup_group_ids(params)`
Support for inviting to a forum from a user's invite page. 2013-11-06 12:56:26 -05:00
FEATURE: admins can invite users to groups via the web UI 2014-05-09 04:22:15 -04:00			`guardian.ensure_can_invite_to_forum!(group_ids)`

FEATURE: allow staff to send multiple invites to same email 2014-07-29 13:57:08 -04:00			`invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first`
FIX: sane error message when inviting an existing user 2017-02-03 03:57:27 -05:00			`if invite_exists && !guardian.can_send_multiple_invites?(current_user)`
fix the build 2017-02-03 05:05:33 -05:00			`return render json: failed_json, status: 422`
FEATURE: allow staff to send multiple invites to same email 2014-07-29 13:57:08 -04:00			`end`

FIX: show proper message on invite error 2015-12-14 11:02:23 -05:00			`begin`
FEATURE: customize invite email message 2016-06-05 13:22:46 -04:00			`if Invite.invite_by_email(params[:email], current_user, _topic=nil, group_ids, params[:custom_message])`
FIX: show proper message on invite error 2015-12-14 11:02:23 -05:00			`render json: success_json`
			`else`
			`render json: failed_json, status: 422`
			`end`
FIX: show invite validation error message in response 2017-06-13 12:59:02 -04:00			`rescue Invite::UserExists, ActiveRecord::RecordInvalid => e`
FIX: show proper message on invite error 2015-12-14 11:02:23 -05:00			`render json: {errors: [e.message]}, status: 422`
Support for inviting to a forum from a user's invite page. 2013-11-06 12:56:26 -05:00			`end`
			`end`

FEATURE: generate invite token 2015-08-25 21:41:52 -04:00			`def create_invite_link`
			`params.require(:email)`
			`group_ids = Group.lookup_group_ids(params)`
FEATURE: copy invite link for topic invites 2015-08-31 10:06:13 -04:00			`topic = Topic.find_by(id: params[:topic_id])`
FEATURE: generate invite token 2015-08-25 21:41:52 -04:00			`guardian.ensure_can_invite_to_forum!(group_ids)`

			`invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first`
FIX: sane error message when inviting an existing user 2017-02-03 03:57:27 -05:00			`if invite_exists && !guardian.can_send_multiple_invites?(current_user)`
fix the build 2017-02-03 05:05:33 -05:00			`return render json: failed_json, status: 422`
FEATURE: generate invite token 2015-08-25 21:41:52 -04:00			`end`

FIX: show proper message on invite error 2015-12-14 11:02:23 -05:00			`begin`
			`# generate invite link`
			`if invite_link = Invite.generate_invite_link(params[:email], current_user, topic, group_ids)`
			`render_json_dump(invite_link)`
			`else`
			`render json: failed_json, status: 422`
			`end`
			`rescue => e`
			`render json: {errors: [e.message]}, status: 422`
FIX: return 422 if the invite is already redeemed 2015-09-16 07:57:32 -04:00			`end`
FEATURE: generate invite token 2015-08-25 21:41:52 -04:00			`end`

FEATURE: disposable invite tokens 2014-07-14 11:56:26 -04:00			`def create_disposable_invite`
			`guardian.ensure_can_create_disposable_invite!(current_user)`
			`params.permit(:username, :email, :quantity, :group_names)`

			`username_or_email = params[:username] ? fetch_username : fetch_email`
			`user = User.find_by_username_or_email(username_or_email)`

			`# generate invite tokens`
			`invite_tokens = Invite.generate_disposable_tokens(user, params[:quantity], params[:group_names])`

			`render_json_dump(invite_tokens)`
			`end`

			`def redeem_disposable_invite`
			`params.require(:email)`
FEATURE: topic support in disposable invites 2014-07-15 07:10:35 -04:00			`params.permit(:username, :name, :topic)`
convert space to plus for invite email parameter 2014-08-06 04:32:00 -04:00			`params[:email] = params[:email].split(' ').join('+')`
FEATURE: disposable invite tokens 2014-07-14 11:56:26 -04:00
			`invite = Invite.find_by(invite_key: params[:token])`

			`if invite.present?`
FEATURE: topic support in disposable invites 2014-07-15 07:10:35 -04:00			`user = Invite.redeem_from_token(params[:token], params[:email], params[:username], params[:name], params[:topic].to_i)`
FEATURE: disposable invite tokens 2014-07-14 11:56:26 -04:00			`if user.present?`
			`log_on_user(user)`
FIX: send activation email when accepting invite if password is set 2017-04-15 05:18:05 -04:00			`post_process_invite(user)`
FEATURE: topic support in disposable invites 2014-07-15 07:10:35 -04:00			`topic = invite.topics.first`
			`if topic.present?`
FEATURE: add clean support for running Discourse in a subfolder To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish 2015-03-08 20:45:36 -04:00			`redirect_to path("#{topic.relative_url}")`
FEATURE: topic support in disposable invites 2014-07-15 07:10:35 -04:00			`return`
			`end`
FEATURE: disposable invite tokens 2014-07-14 11:56:26 -04:00			`end`
			`end`

FEATURE: add clean support for running Discourse in a subfolder To setup set DISCOURSE_RELATIVE_URL_ROOT to the folder you wish 2015-03-08 20:45:36 -04:00			`redirect_to path("/")`
FEATURE: disposable invite tokens 2014-07-14 11:56:26 -04:00			`end`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`def destroy`
Implemented strong_parameters for Invite/InvitesController. The email parameter is now required using strong parameters and will throw ActionController::ParameterMissing if it is missing. If the email address is incorrect or invalid, Discourse::InvalidParameters will still be thrown. 2013-06-05 03:04:03 -04:00			`params.require(:email)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Perform the where(...).first to find_by(...) refactoring. This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb" 2014-05-06 09:41:59 -04:00			`invite = Invite.find_by(invited_by_id: current_user.id, email: params[:email])`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`raise Discourse::InvalidParameters.new(:email) if invite.blank?`
Add `deleted_by` to `Trashable` tables 2013-07-09 15:20:18 -04:00			`invite.trash!(current_user)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
			`render nothing: true`
			`end`

Feature: resend invites 2014-10-06 14:48:56 -04:00			`def resend_invite`
			`params.require(:email)`
FEATURE: rate limit resend invites 2016-06-06 15:36:59 -04:00			`RateLimiter.new(current_user, "resend-invite-per-hour", 10, 1.hour).performed!`
Feature: resend invites 2014-10-06 14:48:56 -04:00
			`invite = Invite.find_by(invited_by_id: current_user.id, email: params[:email])`
			`raise Discourse::InvalidParameters.new(:email) if invite.blank?`
			`invite.resend_invite`
			`render nothing: true`
FEATURE: rate limit resend invites 2016-06-06 15:36:59 -04:00
			`rescue RateLimiter::LimitExceeded`
			`render_json_error(I18n.t("rate_limiter.slow_down"))`
Feature: resend invites 2014-10-06 14:48:56 -04:00			`end`

FEATURE: Resend all pending invitations 2016-06-02 15:09:02 -04:00			`def resend_all_invites`
FIX: only staff can access 'resend all invites' feature 2016-06-07 01:27:08 -04:00			`guardian.ensure_can_resend_all_invites!(current_user)`
FEATURE: Resend all pending invitations 2016-06-02 15:09:02 -04:00
			`Invite.resend_all_invites_from(current_user.id)`
			`render nothing: true`
			`end`

FIX: simplify CSV file upload 2016-12-04 11:06:35 -05:00			`def upload_csv`
FEATURE: Bulk Invite 2014-05-27 16:14:37 -04:00			`guardian.ensure_can_bulk_invite_to_forum!(current_user)`

FIX: simplify CSV file upload 2016-12-04 11:06:35 -05:00			`file = params[:file] \|\| params[:files].first`
			`name = params[:name] \|\| File.basename(file.original_filename, ".*")`
			`extension = File.extname(file.original_filename)`

			`Scheduler::Defer.later("Upload CSV") do`
			`begin`
FIX: only allow CSV file to be uploaded for bulk invite 2017-01-11 05:45:02 -05:00			`data = if extension.downcase == ".csv"`
FIX: simplify CSV file upload 2016-12-04 11:06:35 -05:00			`path = Invite.create_csv(file, name)`
FIX: only allow CSV file to be uploaded for bulk invite 2017-01-11 05:45:02 -05:00			`Jobs.enqueue(:bulk_invite, filename: "#{name}#{extension}", current_user_id: current_user.id)`
FIX: simplify CSV file upload 2016-12-04 11:06:35 -05:00			`{url: path}`
			`else`
			`failed_json.merge(errors: [I18n.t("bulk_invite.file_should_be_csv")])`
			`end`
			`rescue`
			`failed_json.merge(errors: [I18n.t("bulk_invite.error")])`
			`end`
			`MessageBus.publish("/uploads/csv", data.as_json, user_ids: [current_user.id])`
FEATURE: Bulk Invite 2014-05-27 16:14:37 -04:00			`end`

FIX: simplify CSV file upload 2016-12-04 11:06:35 -05:00			`render json: success_json`
FEATURE: Bulk Invite 2014-05-27 16:14:37 -04:00			`end`

FEATURE: disposable invite tokens 2014-07-14 11:56:26 -04:00			`def fetch_username`
			`params.require(:username)`
			`params[:username]`
			`end`

			`def fetch_email`
			`params.require(:email)`
			`params[:email]`
			`end`

FEATURE: add site setting allow_new_registrations which can be used to block all new account registrations 2014-07-14 15:42:14 -04:00			`def ensure_new_registrations_allowed`
			`unless SiteSetting.allow_new_registrations`
			`flash[:error] = I18n.t('login.new_registrations_disabled')`
Rename `no_js` layout to `no_ember` While sometimes `no_js` was used for visitors without js (for example disabling it on your browser) it was also used for some pages that were disabled to JS capable browsers, including the 404 page. Even worse, sometimes it was used on pages that had Javascript, such as our `/activate-account` route. It has been renamed to `no_ember` to indicate what it really is, a layout for the site that doesn't load our Ember.js application. 2015-01-15 15:56:53 -05:00			`render layout: 'no_ember'`
FEATURE: add site setting allow_new_registrations which can be used to block all new account registrations 2014-07-14 15:42:14 -04:00			`false`
			`end`
			`end`
FIX: invite link should not auto-accept invitation if user is already logged in 2016-02-23 08:33:12 -05:00
			`def ensure_not_logged_in`
			`if current_user`
			`flash[:error] = I18n.t("login.already_logged_in", current_user: current_user.username)`
			`render layout: 'no_ember'`
			`false`
			`end`
			`end`
FIX: send activation email when accepting invite if password is set 2017-04-15 05:18:05 -04:00
			`private`

			`def post_process_invite(user)`
			`user.enqueue_welcome_message('welcome_invite') if user.send_welcome_message`
			`if user.has_password?`
			`email_token = user.email_tokens.create(email: user.email)`
			`Jobs.enqueue(:critical_user_email, type: :signup, user_id: user.id, email_token: email_token.token)`
FIX: always send password reset email when accepting invite if password is not set 2017-04-18 04:55:52 -04:00			`elsif !SiteSetting.enable_sso && SiteSetting.enable_local_logins`
			`Jobs.enqueue(:invite_password_instructions_email, username: user.username)`
FIX: send activation email when accepting invite if password is set 2017-04-15 05:18:05 -04:00			`end`
			`end`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`