Family invites (#1397)

* Initial pass at household invites

* Invitee setup

* Clean up add member form

* Lint and other tweaks

* Security cleanup

* Lint

* i18n fixes

* More i18n cleanup

* Show pending invites

* Don't use turbo on the form

* Improved email design

* Basic tests

* Lint

* Update onboardings_controller.rb

* Registration + invite cleanup

* Lint

* Update brakeman.ignore

* Update brakeman.ignore

* Self host invite links

* Test tweaks

* Address missing param error

app/controllers/concerns/invitable.rb

@@ -7,6 +7,7 @@ module Invitable
 
   private
     def invite_code_required?
+      return false if @invitation.present?
       self_hosted? ? Setting.require_invite_for_signup : ENV["REQUIRE_INVITE_CODE"] == "true"
     end
 

app/controllers/invitations_controller.rb

@@ -0,0 +1,42 @@
+class InvitationsController < ApplicationController
+  skip_authentication only: :accept
+  def new
+    @invitation = Invitation.new
+  end
+
+  def create
+    unless Current.user.admin?
+      flash[:alert] = t(".failure")
+      redirect_to settings_profile_path
+      return
+    end
+
+    @invitation = Current.family.invitations.build(invitation_params)
+    @invitation.inviter = Current.user
+
+    if @invitation.save
+      InvitationMailer.invite_email(@invitation).deliver_later unless self_hosted?
+      flash[:notice] = t(".success")
+    else
+      flash[:alert] = t(".failure")
+    end
+
+    redirect_to settings_profile_path
+  end
+
+  def accept
+    @invitation = Invitation.find_by!(token: params[:id])
+
+    if @invitation.pending?
+      redirect_to new_registration_path(invitation: @invitation.token)
+    else
+      raise ActiveRecord::RecordNotFound
+    end
+  end
+
+  private
+
+    def invitation_params
+      params.require(:invitation).permit(:email, :role)
+    end
+end

app/controllers/onboardings_controller.rb

@@ -1,7 +1,7 @@
 class OnboardingsController < ApplicationController
   layout "application"
-
   before_action :set_user
+  before_action :load_invitation
 
   def show
   end
@@ -13,7 +13,12 @@ class OnboardingsController < ApplicationController
   end
 
   private
+
     def set_user
       @user = Current.user
     end
+
+    def load_invitation
+      @invitation = Invitation.accepted.most_recent_for_email(Current.user.email)
+    end
 end

app/controllers/registrations_controller.rb

@@ -4,36 +4,49 @@ class RegistrationsController < ApplicationController
   layout "auth"
 
   before_action :set_user, only: :create
+  before_action :set_invitation
   before_action :claim_invite_code, only: :create, if: :invite_code_required?
 
   def new
-    @user = User.new
+    @user = User.new(email: @invitation&.email)
   end
 
   def create
-    family = Family.new
-    @user.family = family
-    @user.role = :admin
+    if @invitation
+      @user.family = @invitation.family
+      @user.role = @invitation.role
+      @user.email = @invitation.email
+    else
+      family = Family.new
+      @user.family = family
+      @user.role = :admin
+    end
 
     if @user.save
-      Category.create_default_categories(@user.family)
+      @invitation&.update!(accepted_at: Time.current)
+      Category.create_default_categories(@user.family) unless @invitation
       @session = create_session_for(@user)
-      flash[:notice] = t(".success")
-      redirect_to root_path
+      redirect_to root_path, notice: t(".success")
     else
-      flash[:alert] = t(".failure")
       render :new, status: :unprocessable_entity
     end
   end
 
   private
 
-    def set_user
-      @user = User.new user_params.except(:invite_code)
+    def set_invitation
+      token = params[:invitation]
+      token ||= params[:user][:invitation] if params[:user].present?
+      @invitation = Invitation.pending.find_by(token: token)
     end
 
-    def user_params
-      params.require(:user).permit(:name, :email, :password, :password_confirmation, :invite_code)
+    def set_user
+      @user = User.new user_params.except(:invite_code, :invitation)
+    end
+
+    def user_params(specific_param = nil)
+      params = self.params.require(:user).permit(:name, :email, :password, :password_confirmation, :invite_code, :invitation)
+      specific_param ? params[specific_param] : params
     end
 
     def claim_invite_code

app/controllers/settings/profiles_controller.rb

@@ -1,5 +1,7 @@
 class Settings::ProfilesController < SettingsController
   def show
     @user = Current.user
+    @users = Current.family.users.order(:created_at)
+    @pending_invitations = Current.family.invitations.pending
   end
 end