Avoid storing user records in the session during signup

This works around an issue with rails failing to preserve attribute
change flags and is in line with upstream advice against storing models
in the session in this way.

https://github.com/rails/rails/issues/49826
https://github.com/rails/rails/issues/49827

diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index db94a610b8fe20aecc9ebc4851cba172c0afc05f..6f25cfeb3333abeec57378ca3a7c1d123ca6f5d1 100644 (file)
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -81,7 +81,7 @@ Metrics/ParameterLists:
 # Offense count: 56
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/PerceivedComplexity:
 # Offense count: 56
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/PerceivedComplexity:

-  Max: 27
+  Max: 29

 
 # Offense count: 2394
 # This cop supports safe autocorrection (--autocorrect).
 
 # Offense count: 2394
 # This cop supports safe autocorrection (--autocorrect).

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 5ba1b702bf9f2bc84d55c44d220fbcd59d62e46e..36c9f4e2288f06185726045826ae82ed9d927bb0 100644 (file)
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -104,11 +104,11 @@ class UsersController < ApplicationController
         render :action => "new"
       elsif current_user.auth_provider.present?
         # Verify external authenticator before moving on
         render :action => "new"
       elsif current_user.auth_provider.present?
         # Verify external authenticator before moving on

-        session[:new_user] = current_user
+        session[:new_user] = current_user.attributes.slice("email", "display_name", "pass_crypt")

         redirect_to auth_url(current_user.auth_provider, current_user.auth_uid), :status => :temporary_redirect
       else
         # Save the user record
         redirect_to auth_url(current_user.auth_provider, current_user.auth_uid), :status => :temporary_redirect
       else
         # Save the user record

-        session[:new_user] = current_user
+        session[:new_user] = current_user.attributes.slice("email", "display_name", "pass_crypt")

         redirect_to :action => :terms
       end
     end
         redirect_to :action => :terms
       end
     end


@@ -170,7 +170,10 @@ class UsersController < ApplicationController
 
       redirect_to referer || edit_account_path
     else
 
       redirect_to referer || edit_account_path
     else

-      self.current_user = session.delete(:new_user)
+      new_user = session.delete(:new_user)
+      verified_email = new_user.delete("verified_email")
+
+      self.current_user = User.new(new_user)

 
       if check_signup_allowed(current_user.email)
         current_user.data_public = true
 
       if check_signup_allowed(current_user.email)
         current_user.data_public = true


@@ -184,6 +187,8 @@ class UsersController < ApplicationController
         if current_user.auth_uid.blank?
           current_user.auth_provider = nil
           current_user.auth_uid = nil
         if current_user.auth_uid.blank?
           current_user.auth_provider = nil
           current_user.auth_uid = nil

+        elsif current_user.email == verified_email
+          current_user.activate

         end
 
         if current_user.save
         end
 
         if current_user.save


@@ -272,10 +277,9 @@ class UsersController < ApplicationController
 
       redirect_to edit_account_path
     elsif session[:new_user]
 
       redirect_to edit_account_path
     elsif session[:new_user]

-      session[:new_user].auth_provider = provider
-      session[:new_user].auth_uid = uid
-
-      session[:new_user].activate if email_verified && email == session[:new_user].email
+      session[:new_user]["auth_provider"] = provider
+      session[:new_user]["auth_uid"] = uid
+      session[:new_user]["verified_email"] = email if email_verified

 
       redirect_to :action => "terms"
     else
 
       redirect_to :action => "terms"
     else