[pull] main from forem:main #279
Merged
* Hide pending org invitations from user profile and bust caches on confirm

  Fixes #23277. The user profile sidebar used `@user.organizations`, which includes pending memberships, so invitees appeared as members on their public profile before accepting. Additionally, the sidebar fragment cache only busted on membership create/destroy, not on pending->member transitions, so accepted invites could remain invisible for up to the 2-day cache TTL.

  - Switch sidebar and Settings > Organization tab to `member_organizations`
  - Touch `organization_info_updated_at` on `type_of_user` changes
  - Add regression specs for confirm! cache bust and profile filtering

* Split callback into after_create/after_update to preserve factory skip

  Copilot review feedback: the factory skip_callback(:create, :after, ...) no longer matched the after_save callback, causing every create(:organization_membership) in the suite to fire an extra update_column on the user. Splitting into after_create (still skipped by the factory) + after_update (guarded by saved_change_to_type_of_user?) restores the original factory intent while keeping the pending->member transition coverage.
* fix(23031): add authentication guard to ApiSecretsController

  ApiSecretsController had no `authenticate_user!` before_action, so users with expired sessions hit Pundit's UserRequiredError — mapped to 404 via rescue_responses — instead of redirecting to login.

  - Add `before_action :authenticate_user!` to ApiSecretsController
  - Add request specs for unauthenticated create/destroy (redirect)
  - Add request specs for CSRF failure on create/destroy (422)
  - Expand create specs with edge cases (max length, limit, empty)
  - Expand destroy specs with suspended/spam user ownership cases
  - Add E2E system spec for generate/revoke flow on settings page

  Closes #23031
  Closes #23090

  Generated-By: Claude Opus 4.6 <noreply@anthropic.com>
  Signed-off-by: Ashley Childress <6563688+anchildress1@users.noreply.github.com>

* test(23031): tighten ApiSecrets spec coverage per review feedback

  - Pin unauthenticated redirect assertions to new_magic_link_path instead of a loose :redirect status check
  - Update regression comment to past tense
  - Remove CSRF specs that used allow_any_instance_of (discouraged pattern per project conventions; those cases test Rails internals, not the fix)
  - Move sign_in into scoped before blocks so suspended/spam contexts don't incur extraneous user/api_secret setup from the outer scope
  - Tighten system spec unauthenticated redirect to assert /magic_links/new

  Generated-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  Signed-off-by: Ashley Childress <6563688+anchildress1@users.noreply.github.com>

* test(23031): fix system spec unauthenticated redirect assertion

  - settings/extensions routes to users#edit which redirects unauthenticated users via sign_up_path (/enter), not new_magic_link_path — correct the have_current_path assertion to match actual behavior.

  Generated-By: Claude Sonnet 4.6 <noreply@anthropic.com>
  Signed-off-by: Ashley Childress <6563688+anchildress1@users.noreply.github.com>

* Fix events spec using tags transient instead of cached_tag_list

  Article save processing overwrites cached_tag_list from frontmatter, so directly setting it in the factory has no effect. Use the `tags:` transient to set the tag via frontmatter, which properly populates cached_tag_list.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Ashley Childress <6563688+anchildress1@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Timeframe.datetime("infinity") returns 5.years.ago, which was being
applied as a published_at cutoff in both the tag feed controller and
the Articles::Feeds::Timeframe service. As a result, posts older than
five years (e.g. classic high-score posts on tags like /t/css) were
silently dropped from the 'top/infinity' listing.

Skip the published_at filter entirely when the requested timeframe is
'infinity' so the listing truly reflects all-time top posts. Other
Timeframe.datetime callers (sidebar active_threads, seo_boostable) are
left as-is since the 5-year ceiling is reasonable for recent-activity
lookups.

Fixes #23294

See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)