# frozen_string_literal: true require 'random_name_generator' require 'securerandom' class Auth::RegistrationsController < Devise::RegistrationsController include RegistrationSpamConcern layout :determine_layout before_action :set_invite, only: [:new, :create] before_action :check_enabled_registrations, only: [:new, :create] before_action :configure_sign_up_params, only: [:create] before_action :set_sessions, only: [:edit, :update] before_action :set_strikes, only: [:edit, :update] before_action :set_instance_presenter, only: [:new, :create, :update] before_action :set_body_classes, only: [:new, :create, :edit, :update] before_action :require_not_suspended!, only: [:update] before_action :set_cache_headers, only: [:edit, :update] before_action :set_rules, only: :new before_action :require_rules_acceptance!, only: :new before_action :set_registration_form_time, only: :new skip_before_action :require_functional!, only: [:edit, :update] def new super(&:build_invite_request) end def destroy not_found end def update super do |resource| if resource.saved_change_to_encrypted_password? resource.clear_other_sessions(current_session.session_id) end end end protected def update_resource(resource, params) params[:password] = nil if Devise.pam_authentication && resource.encrypted_password.blank? super end def build_resource(hash = nil) # hack to always use auto-generated usernames and passwords if !hash.nil? username = generate_name password = SecureRandom.hex hash["account_attributes"] = { "username": username.parameterize(separator: '_'), "display_name": username } hash["email"] = "#{hash["account_attributes"]["username"]}@#{Rails.configuration.x.web_domain}" hash["password"] = password hash["password_confirmation"] = password end super(hash) resource.locale = I18n.locale resource.invite_code = params[:invite_code] if resource.invite_code.blank? resource.registration_form_time = session[:registration_form_time] resource.sign_up_ip = request.remote_ip resource.build_account if resource.account.nil? end def configure_sign_up_params devise_parameter_sanitizer.permit(:sign_up) do |u| u.permit({ account_attributes: [:username, :display_name], invite_request_attributes: [:text] }, :email, :password, :password_confirmation, :invite_code, :agreement, :website, :confirm_password) end end def after_sign_up_path_for(_resource) # Hack to automatically visit the confirmation link after successful sign-up. # This way we can use the default configuration but still get away without an email server. "/auth/confirmation?confirmation_token=#{@user.confirmation_token}" end def after_sign_in_path_for(_resource) set_invite if @invite&.autofollow? short_account_path(@invite.user.account) else super end end def after_inactive_sign_up_path_for(_resource) new_user_session_path end def after_update_path_for(_resource) edit_user_registration_path end def check_enabled_registrations redirect_to root_path if single_user_mode? || omniauth_only? || !allowed_registrations? || ip_blocked? end def allowed_registrations? Setting.registrations_mode != 'none' || @invite&.valid_for_use? end def omniauth_only? ENV['OMNIAUTH_ONLY'] == 'true' end def ip_blocked? IpBlock.where(severity: :sign_up_block).where('ip >>= ?', request.remote_ip.to_s).exists? end def invite_code if params[:user] params[:user][:invite_code] else params[:invite_code] end end private def set_instance_presenter @instance_presenter = InstancePresenter.new end def set_body_classes @body_classes = %w(edit update).include?(action_name) ? 'admin' : 'lighter' end def set_invite @invite = begin invite = Invite.find_by(code: invite_code) if invite_code.present? invite if invite&.valid_for_use? end end def determine_layout %w(edit update).include?(action_name) ? 'admin' : 'auth' end def set_sessions @sessions = current_user.session_activations end def set_strikes @strikes = current_account.strikes.recent.latest end def require_not_suspended! forbidden if current_account.suspended? end def set_rules @rules = Rule.ordered end def require_rules_acceptance! return if @rules.empty? || (session[:accept_token].present? && params[:accept] == session[:accept_token]) @accept_token = session[:accept_token] = SecureRandom.hex @invite_code = invite_code set_locale { render :rules } end def set_cache_headers response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' end @@first_name_generator = RandomNameGenerator.new(File.new("#{File.dirname(__FILE__)}/roman.txt")) @@last_name_generator = RandomNameGenerator.new(RandomNameGenerator::FANTASY) def generate_name # When there is a name collision, the user will be shown # "Something isn't quite right yet! Please review 2 errors below" # When they sign up again, it will most probably succeed (since there is no collision anymore) # While this isn't the best UX, it's only a minor issue # (collisions happen after > 1k of users and there's an easy fix) # so not worth fixing for now "#{@@first_name_generator.compose(3)} #{@@last_name_generator.compose(3)}" end end