Merge branch 'master' into apiary-updated

Gemfile

@@ -39,7 +39,7 @@ gem 'p3p', '~> 2.0'
 gem 'panoptes-client'
 gem 'pg', '~> 1.4'
 gem 'pg_search'
-gem 'puma', '~> 6.1.1'
+gem 'puma', '~> 6.3.1'
 gem 'pundit', '~> 2.3.0'
 gem 'rack-cors', '~> 1.0', require: 'rack/cors'
 if next?

Gemfile.lock

@@ -119,11 +119,11 @@ GEM
     congestion (0.1.0)
       connection_pool (>= 2.0)
       redis (>= 3.1)
-    connection_pool (2.4.0)
+    connection_pool (2.4.1)
     crack (0.4.5)
       rexml
     crass (1.0.6)
-    dalli (3.2.4)
+    dalli (3.2.5)
     database_cleaner (1.99.0)
     date (3.3.3)
     deep_cloneable (3.2.0)
@@ -225,7 +225,7 @@ GEM
     httparty (0.21.0)
       mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
-    i18n (1.13.0)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     jmespath (1.6.1)
     jquery-rails (4.5.1)
@@ -255,14 +255,14 @@ GEM
     listen (3.8.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    lograge (0.12.0)
+    lograge (0.13.0)
       actionpack (>= 4)
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.20.0)
+    loofah (2.21.3)
       crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
+      nokogiri (>= 1.12.0)
     lumberjack (1.2.8)
     mail (2.8.1)
       mini_mime (>= 0.1.1)
@@ -275,10 +275,10 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2022.0105)
     mini_mime (1.1.2)
-    mini_portile2 (2.8.1)
+    mini_portile2 (2.8.4)
     mini_racer (0.6.3)
       libv8-node (~> 16.10.0.0)
-    minitest (5.18.0)
+    minitest (5.19.0)
     mock_redis (0.36.0)
       ruby2_keywords
     multi_json (1.15.0)
@@ -297,10 +297,10 @@ GEM
     net-smtp (0.3.3)
       net-protocol
     netrc (0.11.0)
-    newrelic_rpm (9.1.0)
-    nio4r (2.5.8)
-    nokogiri (1.14.3)
-      mini_portile2 (~> 2.8.0)
+    newrelic_rpm (9.3.1)
+    nio4r (2.5.9)
+    nokogiri (1.15.3)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     notiffany (0.1.3)
       nenv (~> 0.1)
@@ -342,13 +342,13 @@ GEM
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.7)
-    puma (6.1.1)
+    puma (6.3.1)
       nio4r (~> 2.0)
     pundit (2.3.0)
       activesupport (>= 3.0.0)
     raabro (1.4.0)
-    racc (1.6.2)
-    rack (2.2.7)
+    racc (1.7.1)
+    rack (2.2.8)
     rack-cors (1.1.1)
       rack (>= 2.0.0)
     rack-protection (3.0.5)
@@ -370,11 +370,13 @@ GEM
       bundler (>= 1.15.0)
       railties (= 6.1.7.3)
       sprockets-rails (>= 2.0.0)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
+    rails-dom-testing (2.1.1)
+      activesupport (>= 5.0.0)
+      minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.5.0)
-      loofah (~> 2.19, >= 2.19.1)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
     railties (6.1.7.3)
       actionpack (= 6.1.7.3)
       activesupport (= 6.1.7.3)
@@ -405,25 +407,25 @@ GEM
       rspec-core (~> 3.12.0)
       rspec-expectations (~> 3.12.0)
       rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.0)
+    rspec-core (3.12.2)
       rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.0)
+    rspec-expectations (3.12.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
     rspec-its (1.3.0)
       rspec-core (>= 3.0.0)
       rspec-expectations (>= 3.0.0)
-    rspec-mocks (3.12.0)
+    rspec-mocks (3.12.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-rails (6.0.1)
+    rspec-rails (6.0.3)
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       railties (>= 6.1)
-      rspec-core (~> 3.11)
-      rspec-expectations (~> 3.11)
-      rspec-mocks (~> 3.11)
-      rspec-support (~> 3.11)
+      rspec-core (~> 3.12)
+      rspec-expectations (~> 3.12)
+      rspec-mocks (~> 3.12)
+      rspec-support (~> 3.12)
     rspec-support (3.12.0)
     rubocop (0.91.1)
       parallel (~> 1.10)
@@ -448,12 +450,12 @@ GEM
       rubocop-ast (>= 0.7.1)
     ruby-progressbar (1.11.0)
     ruby2_keywords (0.0.5)
-    sanitize (6.0.1)
+    sanitize (6.0.2)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     scientist (1.6.4)
     shellany (0.0.1)
-    sidekiq (6.5.8)
+    sidekiq (6.5.9)
       connection_pool (>= 2.2.5, < 3)
       rack (~> 2.0)
       redis (>= 4.5.0, < 5)
@@ -482,15 +484,15 @@ GEM
       sprockets (>= 3.0.0)
     standby (4.0.0)
       activerecord (>= 3.0.0)
-    stringex (2.8.5)
+    stringex (2.8.6)
     strong_migrations (1.4.4)
       activerecord (>= 5.2)
     ten_years_rails (0.2.0)
       actionview
       activesupport
       colorize (>= 0.8.1)
       rest-client (>= 2.0.2)
-    thor (1.2.1)
+    thor (1.2.2)
     timeout (0.3.2)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
@@ -514,7 +516,7 @@ GEM
     websocket-extensions (0.1.5)
     yard (0.9.27)
       webrick (~> 1.7.0)
-    zeitwerk (2.6.8)
+    zeitwerk (2.6.10)
     zoo_stream (1.0.1)
       aws-sdk
 
@@ -563,7 +565,7 @@ DEPENDENCIES
   pg (~> 1.4)
   pg_search
   pry
-  puma (~> 6.1.1)
+  puma (~> 6.3.1)
   pundit (~> 2.3.0)
   rack-cors (~> 1.0)
   rails (~> 6.1)

app/controllers/api/v1/project_preferences_controller.rb

@@ -22,9 +22,11 @@ def find_upp_for_update_settings
       user_id: params_for[:user_id],
       project_id: params_for[:project_id]
     )
-    unless @upp.project.owners_and_collaborators.include?(api_user.user)
-      raise Api::Unauthorized.new("You must be the project owner")
-    end
+    raise Api::Unauthorized, 'You must be the project owner or a collaborator' unless user_allowed?
+  end
+
+  def user_allowed?
+    @upp.project.owners_and_collaborators.include?(api_user.user) || api_user.is_admin?
   end
 
   def update_settings_response

app/controllers/api/v1/user_groups_controller.rb

@@ -9,8 +9,8 @@ class Api::V1::UserGroupsController < Api::ApiController
 
   alias_method :user_group, :controlled_resource
 
-  allowed_params :create, :name, :display_name, links: [ users: [] ]
-  allowed_params :update, :name, :display_name
+  allowed_params :create, :name, :display_name, :stats_visibility, links: [users: []]
+  allowed_params :update, :name, :stats_visibility, :display_name
 
   search_by do |name, query|
     query.search_name(name.join(" "))

app/controllers/confirmations_controller.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class ConfirmationsController < Devise::ConfirmationsController
+  protected
+
+  def after_confirmation_path_for(resource_name, resource)
+    'https://www.zooniverse.org'
+  end
+end

app/models/project.rb

@@ -48,7 +48,7 @@ class Project < ApplicationRecord
 
   has_many :project_versions, dependent: :destroy
 
-  versioned association: :project_versions, attributes: %w(private live beta_requested beta_approved launch_requested launch_approved display_name description workflow_description introduction url_labels researcher_quote)
+  versioned association: :project_versions, attributes: %w[private live beta_requested beta_approved launch_requested launch_approved display_name description workflow_description introduction url_labels researcher_quote]
 
   enum state: [:paused, :finished]
 
@@ -82,7 +82,7 @@ class Project < ApplicationRecord
   ranks :beta_row_order
 
   def self.translatable_attributes
-    %i(display_name title description workflow_description introduction researcher_quote url_labels)
+    %i[display_name title description workflow_description introduction researcher_quote url_labels]
   end
 
   def available_languages
@@ -102,7 +102,7 @@ def expert_classifier?(classifier)
   end
 
   def owners_and_collaborators
-    users_with_project_roles(%w(owner collaborator)).select(:id)
+    users_with_project_roles(%w[owner collaborator]).select(:id)
   end
 
   def create_talk_admin(client)
@@ -166,6 +166,6 @@ def users_with_project_roles(roles)
   end
 
   def communication_emails
-    users_with_project_roles(%w(owner communications)).pluck(:email)
+    users_with_project_roles(%w[owner collaborator communications]).pluck(:email)
   end
 end

app/models/user.rb

@@ -13,7 +13,7 @@ class User < ApplicationRecord
   attr_accessor :minor_age
 
   devise :database_authenticatable, :registerable,
-    :recoverable, :rememberable, :trackable, :validatable,
+    :recoverable, :rememberable, :trackable, :validatable, :confirmable,
     :omniauthable, omniauth_providers: [:facebook, :google_oauth2]
 
   has_many :classifications, dependent: :restrict_with_exception
@@ -56,15 +56,13 @@ class User < ApplicationRecord
   validates_with IdentityGroupNameValidator
 
   after_create :set_zooniverse_id
-  after_create :send_welcome_email, unless: :migrated
   before_create :set_ouroboros_api_key
 
   delegate :projects, to: :identity_group
   delegate :collections, to: :identity_group
   delegate :subjects, to: :identity_group
   delegate :owns?, to: :identity_group
 
-
   pg_search_scope :search_name,
     against: [:login],
     using: {
@@ -204,6 +202,10 @@ def self.find_by_lower_login(login)
     find_by("lower(login) = ?", login.downcase)
   end
 
+  def after_confirmation
+    send_welcome_email
+  end
+
   def subject_limit
     super || Panoptes.max_subjects
   end

app/models/user_group.rb

@@ -19,6 +19,31 @@ class UserGroup < ApplicationRecord
   has_many :collections, through: :owned_resources, source: :resource,
            source_type: "Collection"
 
+  ##
+  # Stats_Visibility Levels (Used for ERAS stats service)
+  # private_agg_only (default): Only members of a user group can view aggregate stats. Individual stats only viewable by only admins of the user group
+  #
+  # private_show_agg_and_ind: Only members of a user group can view aggregate stats. Individual stats is viewable by BOTH members and admins of the user group.
+  #
+  # public_agg_only: Anyone can view aggregate stats of the user group. Only admins of the user group can view individual stats.
+  #
+  # public_agg_show_ind_if_member: Anyone can view aggregate stats of the user group. Members and admins of the user group can view individual stats.
+  #
+  # public_show_all: Anyone can view aggregate stats of the user group and can view individual stats of the user group.
+  ##
+  STATS_VISIBILITY_LEVELS = {
+    private_agg_only: 0,
+    private_show_agg_and_ind: 1,
+    public_agg_only: 2,
+    public_agg_show_ind_if_member: 3,
+    public_show_all: 4
+  }.freeze
+  enum stats_visibility: STATS_VISIBILITY_LEVELS
+
+  validate do
+    errors.add(:stats_visibility, "Not valid stats_visibility type, please select from the list: #{STATS_VISIBILITY_LEVELS.keys}") if @invalid_stats_visibility
+  end
+
   validates :display_name, presence: true
   validates :name, presence: true,
     uniqueness: { case_sensitive: false },
@@ -66,6 +91,14 @@ def verify_join_token(token_to_verify)
     join_token.present? && join_token == token_to_verify
   end
 
+  def stats_visibility=(value)
+    if STATS_VISIBILITY_LEVELS.stringify_keys.keys.exclude?(value) && STATS_VISIBILITY_LEVELS.values.exclude?(value)
+      @invalid_stats_visibility = true
+    else
+      super value
+    end
+  end
+
   private
 
   def default_display_name

app/serializers/user_group_serializer.rb

@@ -3,7 +3,7 @@ class UserGroupSerializer
   include RecentLinkSerializer
   include CachedSerializer
 
-  attributes :id, :name, :display_name, :classifications_count, :created_at, :updated_at, :type, :href, :join_token
+  attributes :id, :name, :display_name, :classifications_count, :created_at, :updated_at, :type, :href, :join_token, :stats_visibility
   can_include :memberships, :users,
               projects: { param: "owner", value: "name" },
               collections: { param: "owner", value: "name" }

config/initializers/devise.rb

@@ -8,7 +8,8 @@
   config.strip_whitespace_keys = [ :email ]
   config.skip_session_storage = [:http_auth]
   config.stretches = Rails.env.test? ? 1 : 10
-  config.reconfirmable = true
+  config.reconfirmable = false
+  config.allow_unconfirmed_access_for = nil
   config.password_length = 8..128
   config.reset_password_within = 6.hours
   config.paranoid = true

config/routes.rb

@@ -21,7 +21,7 @@
   end
 
   devise_for :users,
-    controllers: { omniauth_callbacks: 'omniauth_callbacks', passwords: 'passwords' },
+    controllers: { confirmations: 'confirmations', omniauth_callbacks: 'omniauth_callbacks', passwords: 'passwords' },
     skip: [ :sessions, :registrations ]
 
   as :user do

db/migrate/20230613165746_add_stats_visibility_to_user_groups.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddStatsVisibilityToUserGroups < ActiveRecord::Migration[6.1]
+  def change
+    add_column :user_groups, :stats_visibility, :integer
+    # defaulting to private_agg_only stats_visibility view (where members can view aggregate stats but only admins can view detailed stats)
+    change_column_default :user_groups, :stats_visibility, from: nil, to: 0
+  end
+end