Refactor Devise integration

- Use scoped users
- Use the named route helpers instead of hardcoded paths

app/controllers/admin/base_controller.rb

@@ -1,10 +1,20 @@
 module Admin
   class BaseController < ApplicationController
-    before_action :authenticate_user!
+    before_action :authenticate_admin_user!
     helper_method :head_title_sufix
 
     def head_title_sufix
       t(:admin_head_title_sufix)
     end
+
+    private
+
+    def current_ability
+      @current_ability ||= Ability.new(current_admin_user)
+    end
+
+    def user_for_paper_trail
+      current_admin_user.present? ? current_admin_user.id_role_username : 'public'
+    end
   end
-end
+end

app/controllers/admin/pending_deletes_controller.rb

@@ -6,7 +6,7 @@ module Admin
     def update
       authorize! :update, :pending
 
-      if registrant_verification.domain_registrant_delete_confirm!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_delete_confirm!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_applied)
       else
         redirect_to admin_domain_path(@domain.id), alert: t(:failure)
@@ -16,7 +16,7 @@ module Admin
     def destroy
       authorize! :destroy, :pending
 
-      if registrant_verification.domain_registrant_delete_reject!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_delete_reject!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_removed)
       else
         redirect_to admin_domain_path(@domain.id), alert: t(:failure)

app/controllers/admin/pending_updates_controller.rb

@@ -6,7 +6,7 @@ module Admin
     def update
       authorize! :update, :pending
 
-      if registrant_verification.domain_registrant_change_confirm!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_change_confirm!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_applied)
       else
         redirect_to edit_admin_domain_path(@domain.id), alert: t(:failure)
@@ -15,7 +15,7 @@ module Admin
 
     def destroy
       authorize! :destroy, :pending
-      if registrant_verification.domain_registrant_change_reject!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_change_reject!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_removed)
       else
         redirect_to admin_domain_path(@domain.id), alert: t(:failure)

app/controllers/admin/sessions_controller.rb

@@ -1,8 +1,6 @@
 module Admin
   class SessionsController < Devise::SessionsController
-    skip_authorization_check only: :create
-
-    def login
+    def new
       @admin_user = AdminUser.new
     end
 
@@ -10,19 +8,28 @@ module Admin
       if params[:admin_user].blank?
         @admin_user = AdminUser.new
         flash[:alert] = 'Something went wrong'
-        return render 'login'
+        return render :new
       end
 
       @admin_user = AdminUser.find_by(username: params[:admin_user][:username])
       @admin_user ||= AdminUser.new(username: params[:admin_user][:username])
 
       if @admin_user.valid_password?(params[:admin_user][:password])
-        sign_in @admin_user, event: :authentication
-        redirect_to admin_root_url, notice: I18n.t(:welcome)
+        sign_in_and_redirect(:admin_user, @admin_user, event: :authentication)
       else
         flash[:alert] = 'Authorization error'
-        render 'login'
+        render :new
       end
     end
+
+    private
+
+    def after_sign_in_path_for(resource_or_scope)
+      admin_root_path
+    end
+
+    def after_sign_out_path_for(resource_or_scope)
+      new_admin_user_session_path
+    end
   end
-end
+end

app/controllers/application_controller.rb

@@ -12,63 +12,15 @@ class ApplicationController < ActionController::Base
   end
 
   rescue_from CanCan::AccessDenied do |exception|
-    redirect_to current_root_url, alert: exception.message
+    redirect_to root_url, alert: exception.message
   end
 
-  helper_method :registrant_request?, :registrar_request?, :admin_request?, :current_root_url
   helper_method :available_languages
 
-  def registrant_request?
-    request.path.match(/^\/registrant/)
-  end
-
-  def registrar_request?
-    request.path.match(/^\/registrar/)
-  end
-
-  def admin_request?
-    request.path.match(/^\/admin/)
-  end
-
-  def current_root_url
-    if registrar_request?
-      registrar_root_url
-    elsif registrant_request?
-      registrant_login_url
-    elsif admin_request?
-      admin_root_url
-    end
-  end
-
-  def after_sign_in_path_for(_resource)
-    rt = session[:user_return_to].to_s.presence
-    login_paths = [admin_login_path, registrar_login_path, '/login']
-    return rt if rt && !login_paths.include?(rt)
-    current_root_url
-  end
-
-  def after_sign_out_path_for(_resource)
-    if registrar_request?
-      registrar_login_url
-    elsif registrant_request?
-      registrant_login_url
-    elsif admin_request?
-      admin_login_url
-    end
-  end
-
   def info_for_paper_trail
     { uuid: request.uuid }
   end
 
-  def user_for_paper_trail
-    user_log_str(current_user)
-  end
-
-  def user_log_str(user)
-    user.nil? ? 'public' : user.id_role_username
-  end
-
   def comma_support_for(parent_key, key)
     return if params[parent_key].blank?
     return if params[parent_key][key].blank?
@@ -80,4 +32,8 @@ class ApplicationController < ActionController::Base
   def available_languages
     { en: 'English', et: 'Estonian' }.invert
   end
-end
+
+  def user_for_paper_trail
+    current_user.present? ? current_user.id_role_username : 'public'
+  end
+end

app/controllers/registrant/contacts_controller.rb

@@ -2,7 +2,6 @@ class Registrant::ContactsController < RegistrantController
   helper_method :domain_ids
   def show
     @contact      = Contact.where(id: contacts).find_by(id: params[:id])
-    @current_user = current_user
 
     authorize! :read, @contact
   end
@@ -19,7 +18,7 @@ class Registrant::ContactsController < RegistrantController
 
   def domain_ids
     @domain_ids ||= begin
-      ident_cc, ident = @current_user.registrant_ident.to_s.split '-'
+      ident_cc, ident = current_registrant_user.registrant_ident.to_s.split '-'
       BusinessRegistryCache.fetch_by_ident_and_cc(ident, ident_cc).associated_domain_ids
     end
   end

app/controllers/registrant/domain_delete_confirms_controller.rb

@@ -19,7 +19,7 @@ class Registrant::DomainDeleteConfirmsController < RegistrantController
                                                           domain_name: @domain.name,
                                                           verification_token: params[:token])
 
-    initiator = current_user ? current_user.username : t(:user_not_authenticated)
+    initiator = current_registrant_user ? current_registrant_user.username : t(:user_not_authenticated)
 
     if params[:rejected]
       if @registrant_verification.domain_registrant_delete_reject!("email link #{initiator}")

app/controllers/registrant/domain_update_confirms_controller.rb

@@ -19,7 +19,7 @@ class Registrant::DomainUpdateConfirmsController < RegistrantController
                                                           domain_name: @domain.name,
                                                           verification_token: params[:token])
 
-    initiator = current_user ? current_user.username : t(:user_not_authenticated)
+    initiator = current_registrant_user ? current_registrant_user.username : t(:user_not_authenticated)
 
     if params[:rejected]
       if @registrant_verification.domain_registrant_change_reject!("email link, #{initiator}")

app/controllers/registrant/domains_controller.rb

@@ -54,13 +54,13 @@ class Registrant::DomainsController < RegistrantController
   end
 
   def domains
-    ident_cc, ident = @current_user.registrant_ident.split '-'
+    ident_cc, ident = current_registrant_user.registrant_ident.split '-'
     begin
       BusinessRegistryCache.fetch_associated_domains ident, ident_cc
     rescue Soap::Arireg::NotAvailableError => error
       flash[:notice] = I18n.t(error.json[:message])
       Rails.logger.fatal("[EXCEPTION] #{error.to_s}")
-      current_user.domains
+      current_registrant_user.domains
     end
   end
 

app/controllers/registrant/sessions_controller.rb

@@ -1,7 +1,7 @@
 class Registrant::SessionsController < Devise::SessionsController
   layout 'registrant/application'
 
-  def login
+  def new
   end
 
   def id
@@ -10,11 +10,10 @@ class Registrant::SessionsController < Devise::SessionsController
 
     @user = RegistrantUser.find_or_create_by_idc_data(id_code, id_issuer)
     if @user
-      sign_in(@user, event: :authentication)
-      redirect_to registrant_root_url
+      sign_in_and_redirect(:registrant_user, @user, event: :authentication)
     else
       flash[:alert] = t('login_failed_check_id_card')
-      redirect_to registrant_login_url
+      redirect_to new_registrant_user_session_url
     end
   end
 
@@ -68,7 +67,7 @@ class Registrant::SessionsController < Devise::SessionsController
     when 'USER_AUTHENTICATED'
       @user = RegistrantUser.find_by(registrant_ident: "#{session[:user_country]}-#{session[:user_id_code]}")
 
-      sign_in @user
+      sign_in(:registrant_user, @user)
       flash[:notice] = t(:welcome)
       flash.keep(:notice)
       render js: "window.location = '#{registrant_root_path}'"
@@ -97,4 +96,14 @@ class Registrant::SessionsController < Devise::SessionsController
     return User.new unless idc
     ApiUser.find_by(identity_code: idc) || User.new
   end
-end
+
+  private
+
+  def after_sign_in_path_for(resource_or_scope)
+    registrant_root_path
+  end
+
+  def after_sign_out_path_for(resource_or_scope)
+    new_registrant_user_session_path
+  end
+end

app/controllers/registrant_controller.rb

@@ -1,11 +1,22 @@
 class RegistrantController < ApplicationController
-  before_action :authenticate_user!
+  before_action :authenticate_registrant_user!
   layout 'registrant/application'
 
   include Registrant::ApplicationHelper
 
   helper_method :head_title_sufix
+
   def head_title_sufix
     t(:registrant_head_title_sufix)
   end
-end
+
+  private
+
+  def current_ability
+    @current_ability ||= Ability.new(current_registrant_user, request.remote_ip)
+  end
+
+  def user_for_paper_trail
+    current_registrant_user.present? ? current_registrant_user.id_role_username : 'public'
+  end
+end

app/controllers/registrar/account_activities_controller.rb

@@ -4,7 +4,7 @@ class Registrar
 
     def index
       params[:q] ||= {}
-      account = current_user.registrar.cash_account
+      account = current_registrar_user.registrar.cash_account
 
       ca_cache = params[:q][:created_at_lteq]
       begin

app/controllers/registrar/base_controller.rb

@@ -2,7 +2,7 @@ class Registrar
   class BaseController < ApplicationController
     include Registrar::ApplicationHelper
 
-    before_action :authenticate_user!
+    before_action :authenticate_registrar_user!
     before_action :check_ip_restriction
     helper_method :depp_controller?
     helper_method :head_title_sufix
@@ -10,21 +10,21 @@ class Registrar
     protected
 
     def current_ability
-      @current_ability ||= Ability.new(current_user, request.remote_ip)
+      @current_ability ||= Ability.new(current_registrar_user, request.remote_ip)
     end
 
     private
 
     def check_ip_restriction
       ip_restriction = Authorization::RestrictedIP.new(request.ip)
-      allowed = ip_restriction.can_access_registrar_area?(current_user.registrar)
+      allowed = ip_restriction.can_access_registrar_area?(current_registrar_user.registrar)
 
       return if allowed
 
-      sign_out current_user
+      sign_out current_registrar_user
 
       flash[:alert] = t('registrar.authorization.ip_not_allowed', ip: request.ip)
-      redirect_to registrar_login_url
+      redirect_to new_registrar_user_session_url
     end
 
     def depp_controller?
@@ -34,5 +34,9 @@ class Registrar
     def head_title_sufix
       t(:registrar_head_title_sufix)
     end
+
+    def user_for_paper_trail
+      current_registrar_user.present? ? current_registrar_user.id_role_username : 'public'
+    end
   end
 end

app/controllers/registrar/bulk_change_controller.rb

@@ -10,7 +10,7 @@ class Registrar
     private
 
     def available_contacts
-      current_user.registrar.contacts.order(:name).pluck(:name, :code)
+      current_registrar_user.registrar.contacts.order(:name).pluck(:name, :code)
     end
 
     def default_tab

app/controllers/registrar/contacts_controller.rb

@@ -21,11 +21,11 @@ class Registrar
       end
 
       if params[:statuses_contains]
-        contacts = current_user.registrar.contacts.includes(:registrar).where(
+        contacts = current_registrar_user.registrar.contacts.includes(:registrar).where(
           "contacts.statuses @> ?::varchar[]", "{#{params[:statuses_contains].join(',')}}"
         )
       else
-        contacts = current_user.registrar.contacts.includes(:registrar)
+        contacts = current_registrar_user.registrar.contacts.includes(:registrar)
       end
 
       normalize_search_parameters do
@@ -45,7 +45,7 @@ class Registrar
         @contacts = Contact.find_by(name: params[:q][:name_matches])
       end
 
-      contacts = current_user.registrar.contacts.includes(:registrar)
+      contacts = current_registrar_user.registrar.contacts.includes(:registrar)
       contacts = contacts.filter_by_states(params[:statuses_contains]) if params[:statuses_contains]
 
       normalize_search_parameters do

app/controllers/registrar/current_user_controller.rb

@@ -3,9 +3,9 @@ class Registrar
     skip_authorization_check
 
     def switch
-      raise 'Cannot switch to unlinked user' unless current_user.linked_with?(new_user)
+      raise 'Cannot switch to unlinked user' unless current_registrar_user.linked_with?(new_user)
 
-      sign_in(new_user)
+      sign_in(:registrar_user, new_user)
       redirect_to :back, notice: t('.switched', new_user: new_user)
     end
 

app/controllers/registrar/deposits_controller.rb

@@ -7,7 +7,7 @@ class Registrar
     end
 
     def create
-      @deposit = Deposit.new(deposit_params.merge(registrar: current_user.registrar))
+      @deposit = Deposit.new(deposit_params.merge(registrar: current_registrar_user.registrar))
       @invoice = @deposit.issue_prepayment_invoice
 
       if @invoice&.persisted?

app/controllers/registrar/depp_controller.rb

@@ -5,13 +5,13 @@ class Registrar
     rescue_from(Errno::ECONNRESET, Errno::ECONNREFUSED) do |exception|
       logger.error 'COULD NOT CONNECT TO REGISTRY'
       logger.error exception.backtrace.join("\n")
-      redirect_to registrar_login_url, alert: t(:no_connection_to_registry)
+      redirect_to new_registrar_user_session_url, alert: t(:no_connection_to_registry)
     end
 
     before_action :authenticate_user
 
     def authenticate_user
-      redirect_to registrar_login_url and return unless depp_current_user
+      redirect_to new_registrar_user_session_url and return unless depp_current_user
     end
 
     def depp_controller?
@@ -19,10 +19,10 @@ class Registrar
     end
 
     def depp_current_user
-      return nil unless current_user
+      return nil unless current_registrar_user
       @depp_current_user ||= Depp::User.new(
-        tag: current_user.username,
-        password: current_user.password
+        tag: current_registrar_user.username,
+        password: current_registrar_user.password
       )
     end
 

app/controllers/registrar/domain_transfers_controller.rb

@@ -21,7 +21,7 @@ class Registrar
         uri = URI.parse("#{ENV['repp_url']}domain_transfers")
         request = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
         request.body = { data: { domainTransfers: domain_transfers } }.to_json
-        request.basic_auth(current_user.username, current_user.password)
+        request.basic_auth(current_registrar_user.username, current_registrar_user.password)
 
 
         if Rails.env.test?

app/controllers/registrar/domains_controller.rb

@@ -16,11 +16,11 @@ class Registrar
       end
 
       if params[:statuses_contains]
-        domains = current_user.registrar.domains.includes(:registrar, :registrant).where(
+        domains = current_registrar_user.registrar.domains.includes(:registrar, :registrant).where(
           "statuses @> ?::varchar[]", "{#{params[:statuses_contains].join(',')}}"
         )
       else
-        domains = current_user.registrar.domains.includes(:registrar, :registrant)
+        domains = current_registrar_user.registrar.domains.includes(:registrar, :registrant)
       end
 
       normalize_search_parameters do
@@ -142,7 +142,7 @@ class Registrar
     def search_contacts
       authorize! :create, Depp::Domain
 
-      scope = current_user.registrar.contacts.limit(10)
+      scope = current_registrar_user.registrar.contacts.limit(10)
       if params[:query].present?
         escaped_str = ActiveRecord::Base.connection.quote_string params[:query]
         scope = scope.where("name ilike '%#{escaped_str}%' OR code ilike '%#{escaped_str}%' ")
@@ -159,7 +159,7 @@ class Registrar
 
 
     def contacts
-      current_user.registrar.contacts
+      current_registrar_user.registrar.contacts
     end
 
     def normalize_search_parameters

app/controllers/registrar/invoices_controller.rb

@@ -6,7 +6,7 @@ class Registrar
 
     def index
       params[:q] ||= {}
-      invoices = current_user.registrar.invoices.includes(:invoice_items, :account_activity)
+      invoices = current_registrar_user.registrar.invoices.includes(:invoice_items, :account_activity)
 
       normalize_search_parameters do
         @q = invoices.search(params[:q])

app/controllers/registrar/nameservers_controller.rb

@@ -12,7 +12,7 @@ class Registrar
                                attributes: { hostname: params[:new_hostname],
                                              ipv4: ipv4,
                                              ipv6: ipv6 } } }.to_json
-      request.basic_auth(current_user.username, current_user.password)
+      request.basic_auth(current_registrar_user.username, current_registrar_user.password)
 
       if Rails.env.test?
         response = Net::HTTP.start(uri.hostname, uri.port,

app/controllers/registrar/profile_controller.rb

@@ -5,13 +5,13 @@ class Registrar
     helper_method :linked_users
 
     def show
-      @user = current_user
+      @user = current_registrar_user
     end
 
     private
 
     def linked_users
-      current_user.linked_users
+      current_registrar_user.linked_users
     end
   end
 end

app/controllers/registrar/sessions_controller.rb

@@ -3,7 +3,7 @@ class Registrar
     before_action :check_ip_restriction
     helper_method :depp_controller?
 
-    def login
+    def new
       @depp_user = Depp::User.new
     end
 
@@ -30,7 +30,7 @@ class Registrar
 
       unless @api_user
         @depp_user.errors.add(:base, t(:no_such_user))
-        render 'login' and return
+        render :new and return
       end
 
       if @depp_user.pki
@@ -41,14 +41,13 @@ class Registrar
 
       if @depp_user.errors.none?
         if @api_user.active?
-          sign_in @api_user
-          redirect_to registrar_root_url
+          sign_in_and_redirect(:registrar_user, @api_user)
         else
           @depp_user.errors.add(:base, :not_active)
-          render 'login'
+          render :new
         end
       else
-        render 'login'
+        render :new
       end
     end
 
@@ -56,11 +55,10 @@ class Registrar
       @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'], request.ip)
 
       if @user
-        sign_in(@user, event: :authentication)
-        redirect_to registrar_root_url
+        sign_in_and_redirect(:registrar_user, @user, event: :authentication)
       else
         flash[:alert] = t('no_such_user')
-        redirect_to registrar_login_url
+        redirect_to new_registrar_user_session_url
       end
     end
 
@@ -91,7 +89,7 @@ class Registrar
         @user = find_user_by_idc_and_allowed(response.user_id_code)
       else
         @user = find_user_by_idc(response.user_id_code)
-      end  
+      end
 
       if @user.persisted?
         session[:user_id_code] = response.user_id_code
@@ -117,7 +115,7 @@ class Registrar
           render json: { message: t(:check_your_phone_for_confirmation_code) }, status: :ok
         when 'USER_AUTHENTICATED'
           @user = find_user_by_idc_and_allowed(session[:user_id_code])
-          sign_in @user
+          sign_in(:registrar_user, @user)
           flash[:notice] = t(:welcome)
           flash.keep(:notice)
           render js: "window.location = '#{registrar_root_url}'"
@@ -163,8 +161,6 @@ class Registrar
       end
     end
 
-
-
     def check_ip_restriction
       ip_restriction = Authorization::RestrictedIP.new(request.ip)
       allowed = ip_restriction.can_access_registrar_area_sign_in_page?
@@ -173,5 +169,13 @@ class Registrar
 
       render text: t('registrar.authorization.ip_not_allowed', ip: request.ip)
     end
+
+    def after_sign_in_path_for(resource_or_scope)
+      registrar_root_path
+    end
+
+    def after_sign_out_path_for(resource_or_scope)
+      new_registrar_user_session_path
+    end
   end
-end
+end

app/controllers/registrar/tech_contacts_controller.rb

@@ -8,7 +8,7 @@ class Registrar
       request = Net::HTTP::Patch.new(uri)
       request.set_form_data(current_contact_id: params[:current_contact_id],
                             new_contact_id: params[:new_contact_id])
-      request.basic_auth(current_user.username, current_user.password)
+      request.basic_auth(current_registrar_user.username, current_registrar_user.password)
 
       if Rails.env.test?
         response = Net::HTTP.start(uri.hostname, uri.port,