Merge from docusealco/wip

Author: AlexBTurchyn

Gemfile.lock

@@ -116,7 +116,7 @@ GEM
       erubi (~> 1.4)
       parser (>= 2.4)
       smart_properties
-    bigdecimal (4.1.0)
+    bigdecimal (4.1.2)
     bindex (0.8.1)
     bootsnap (1.23.0)
       msgpack (~> 1.2)
@@ -161,7 +161,7 @@ GEM
       irb (~> 1.10)
       reline (>= 0.3.8)
     declarative (0.0.20)
-    devise (5.0.3)
+    devise (5.0.4)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 7.0)
@@ -268,13 +268,13 @@ GEM
       mini_magick (>= 4.9.5, < 6)
       ruby-vips (>= 2.0.17, < 3)
     io-console (0.8.2)
-    irb (1.17.0)
+    irb (1.18.0)
       pp (>= 0.6.0)
       prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jmespath (1.6.2)
-    json (2.19.3)
+    json (2.19.5)
     jwt (3.1.2)
       base64
     language_server-protocol (3.17.0.5)
@@ -311,7 +311,7 @@ GEM
     mini_magick (5.3.1)
       logger
     mini_mime (1.1.5)
-    minitest (6.0.3)
+    minitest (6.0.6)
       drb (~> 2.0)
       prism (~> 1.5)
     msgpack (1.8.0)
@@ -429,7 +429,7 @@ GEM
       tsort (>= 0.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.3.1)
+    rake (13.4.2)
     rdoc (7.2.0)
       erb
       psych (>= 4.0.0)

app/controllers/submissions_resend_email_controller.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class SubmissionsResendEmailController < ApplicationController
+  load_and_authorize_resource :submission
+
+  before_action do
+    authorize!(:manage, :resend_all)
+    authorize!(:update, @submission)
+  end
+
+  def create
+    submitters = @submission.submitters.reject(&:completed_at?).select { |s| s.email.present? && !s.declined_at? }
+
+    if Docuseal.multitenant?
+      recent_submitter_ids =
+        SubmissionEvent.where(submitter_id: submitters.map(&:id),
+                              event_type: 'send_email',
+                              created_at: 10.hours.ago..Time.current).pluck(:submitter_id).to_set
+
+      submitters = submitters.reject { |s| recent_submitter_ids.include?(s.id) }
+    end
+
+    submitters.each do |submitter|
+      SendSubmitterInvitationEmailJob.perform_async('submitter_id' => submitter.id)
+
+      submitter.sent_at ||= Time.current
+      submitter.save!
+    end
+
+    notice =
+      if submitters.empty?
+        I18n.t('email_has_been_sent_already')
+      else
+        I18n.t('emails_have_been_sent_to_n_recipients', count: submitters.size)
+      end
+
+    redirect_back(fallback_location: submission_path(@submission), notice:)
+  end
+end

app/controllers/submissions_unarchive_controller.rb

@@ -4,6 +4,8 @@ class SubmissionsUnarchiveController < ApplicationController
   load_and_authorize_resource :submission
 
   def create
+    authorize!(:update, @submission)
+
     @submission.update!(archived_at: nil)
 
     redirect_to submission_path(@submission), notice: I18n.t('submission_has_been_unarchived')

app/controllers/submitters_send_email_controller.rb

@@ -4,6 +4,8 @@ class SubmittersSendEmailController < ApplicationController
   load_and_authorize_resource :submitter
 
   def create
+    authorize!(:update, @submitter)
+
     if Docuseal.multitenant? && SubmissionEvent.exists?(submitter: @submitter,
                                                         event_type: 'send_email',
                                                         created_at: 10.hours.ago..Time.current)

app/controllers/template_documents_controller.rb

@@ -10,6 +10,8 @@ def index
   end
 
   def create
+    authorize!(:update, @template)
+
     if params[:blobs].blank? && params[:files].blank?
       return render json: { error: I18n.t('file_is_missing') }, status: :unprocessable_content
     end

app/controllers/templates_clone_and_replace_controller.rb

@@ -13,6 +13,9 @@ def create
 
     cloned_template = Templates::Clone.call(@template, author: current_user)
     cloned_template.name = File.basename(params[:files].first.original_filename, '.*')
+
+    authorize!(:create, cloned_template)
+
     cloned_template.save!
 
     documents = Templates::ReplaceAttachments.call(cloned_template, params, extract_fields: true)

app/controllers/templates_controller.rb

@@ -77,8 +77,6 @@ def update
 
     WebhookUrls.enqueue_events(@template, 'template.updated')
 
-    TemplateVersions.find_or_create_for(@template, author: current_user) if params[:revision]
-
     head :ok
   end
 

app/controllers/templates_folders_controller.rb

@@ -6,6 +6,8 @@ class TemplatesFoldersController < ApplicationController
   def edit; end
 
   def update
+    authorize!(:update, @template)
+
     name = [params[:parent_name], params[:name]].compact_blank.join(' / ')
 
     @template.folder = TemplateFolders.find_or_create_by_name(current_user, name)

app/controllers/templates_restore_controller.rb

@@ -4,6 +4,8 @@ class TemplatesRestoreController < ApplicationController
   load_and_authorize_resource :template
 
   def create
+    authorize!(:update, @template)
+
     @template.update!(archived_at: nil)
 
     WebhookUrls.enqueue_events(@template, 'template.updated')

app/controllers/templates_versions_controller.rb

@@ -14,4 +14,12 @@ def show
 
     render json: TemplateVersions.serialize(version)
   end
+
+  def create
+    authorize!(:update, @template)
+
+    TemplateVersions.find_or_create_for(@template, author: current_user)
+
+    head :ok
+  end
 end