Applied Rubocop style suggestions and address high priority Brakeman …

…vulnerabilities

Guardfile.rb

@@ -3,7 +3,7 @@
 
 # TODO: Check this, just copied from Engine
 
-guard 'rspec', :version => 2 do
+guard 'rspec', version: 2 do
   watch(%r{^spec/.+_spec\.rb$})
   watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
   watch('spec/spec_helper.rb')  { "spec" }
@@ -13,7 +13,9 @@
   watch(%r{^app/(.+)\.rb$})                           { |m| "spec/#{m[1]}_spec.rb" }
   watch(%r{^app/(.*)(\.erb|\.haml)$})                 { |m| "spec/#{m[1]}#{m[2]}_spec.rb" }
   watch(%r{^lib/(.+)\.rb$})                           { |m| "spec/lib/#{m[1]}_spec.rb" }
-  watch(%r{^app/controllers/(.+)_(controller)\.rb$})  { |m| ["spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb", "spec/acceptance/#{m[1]}_spec.rb"] }
+  watch(%r{^app/controllers/(.+)_(controller)\.rb$})  { |m|
+ [ "spec/routing/#{m[1]}_routing_spec.rb", "spec/#{m[2]}s/#{m[1]}_#{m[2]}_spec.rb",
+"spec/acceptance/#{m[1]}_spec.rb" ] }
   watch(%r{^spec/support/(.+)\.rb$})                  { "spec" }
   watch('spec/spec_helper.rb')                        { "spec" }
   watch('config/routes.rb')                           { "spec/routing" }

app/components/css_classes.rb

@@ -4,6 +4,6 @@ module CssClasses
   private
 
   def merge_attributes(attributes)
-    attributes.merge(class: [attributes[:class], *self.class::DEFAULT_CLASSES].compact.join(' '))
+    attributes.merge(class: [ attributes[:class], *self.class::DEFAULT_CLASSES ].compact.join(" "))
   end
 end

app/components/hovercard/component.rb

@@ -4,6 +4,6 @@ module Hovercard
   class Component < ApplicationComponent
     option :path
     option :text, default: proc { "" }
-    option :placement_class, default: proc { 'right-2' }
+    option :placement_class, default: proc { "right-2" }
   end
 end

app/components/identity/sidebar_item_component.rb

@@ -5,7 +5,7 @@ class Identity::SidebarItemComponent < ApplicationComponent
   option :title
   option :explanation
   option :active, default: proc { false }
-  option :icon, default: proc { 'identification' }
+  option :icon, default: proc { "identification" }
 
   def css_classes
     if @active

app/components/identity/token_component.rb

@@ -5,7 +5,7 @@ class Identity::TokenComponent < ApplicationComponent
   include Turbo::FramesHelper
 
   # TODO: this should not be here
-  TOKEN_PREFIX = Rails.env.staging? ? 'etm_beta_' : 'etm_'
+  TOKEN_PREFIX = Rails.env.staging? ? "etm_beta_" : "etm_"
 
   def initialize(token:)
     @token = token

app/components/login/action_arrow_component.rb

@@ -3,7 +3,7 @@
 module Login
   class ActionArrowComponent < ApplicationComponent
     def call
-      heroicon @icon, options: { class: 'flex-shrink-0 ml-1 mt-px group-hover:translate-x-1 group-active:translate-x-1 transition duration-300', aria_hidden: true }
+      heroicon(@icon, options: { class: "flex-shrink-0 ml-1 mt-px group-hover:translate-x-1 group-active:translate-x-1 transition duration-300", aria_hidden: true })
     end
   end
 end

app/components/login/action_button_component.rb

@@ -4,16 +4,16 @@ module Login
   class ActionButtonComponent < ApplicationComponent
     include ButtonHelper
 
-    BASE_CLASSES = 'text-base flex items-center justify-center group'
+    BASE_CLASSES = "text-base flex items-center justify-center group"
 
     def initialize(form:, color: :default, size: :base, **attributes)
       @form = form
 
-      additional_classes = [BASE_CLASSES, attributes.delete(:class)].compact.join(' ')
+      additional_classes = [ BASE_CLASSES, attributes.delete(:class) ].compact.join(" ")
 
       @attributes = attributes.merge(
         class: button_classes(additional_classes, color:, size:),
-        type: attributes[:type] || 'submit'
+        type: attributes[:type] || "submit"
       )
     end
   end

app/components/login/button_component.rb

@@ -3,7 +3,7 @@
 module Login
   class ButtonComponent < ActionButtonComponent
     def initialize(form:)
-      super(form:, type: :submit, color: :primary, size: :lg, class: 'w-full !py-3 mt-5 bg-midnight-600')
+      super(form:, type: :submit, color: :primary, size: :lg, class: "w-full !py-3 mt-5 bg-midnight-600")
     end
   end
 end

app/components/modal_component.rb

@@ -22,11 +22,11 @@ def stimulus
     @stimulus ||=
       if turbo_modal?
         StimulusConfig.new(
-          controller: 'modal',
+          controller: "modal",
           turbo_frame_id: :modal,
-          button_close_action: 'click->modal#close',
-          backdrop_close_action: 'mousedown->modal#closeWithBackdrop',
-          keyboard_close_action: 'keyup@window->modal#closeWithKeyboard'
+          button_close_action: "click->modal#close",
+          backdrop_close_action: "mousedown->modal#closeWithBackdrop",
+          keyboard_close_action: "keyup@window->modal#closeWithKeyboard"
         )
       else
         StimulusConfig.new(turbo_frame_id: :static_modal)
@@ -44,6 +44,6 @@ def close_link(inline_content, url = nil, **kwargs)
   private
 
   def turbo_modal?
-    request.headers['Turbo-Frame'] == 'modal'
+    request.headers["Turbo-Frame"] == "modal"
   end
 end

app/components/notice_banner/component.rb

@@ -3,6 +3,6 @@ class Component < ApplicationComponent
     option :text
     option :path, default: proc { "" }
     option :button_text, default: proc { "" }
-    option :icon, default: proc { 'information-circle' }
+    option :icon, default: proc { "information-circle" }
   end
 end

app/components/saved_scenario_user/user_row/component.rb

@@ -28,9 +28,9 @@ def destroy_classes
 
     def destroy_text
       if @destroyable
-        t('saved_scenario_users.confirm_destroy.button')
+        t("saved_scenario_users.confirm_destroy.button")
       else
-        t('saved_scenario_users.confirm_destroy.not_possible')
+        t("saved_scenario_users.confirm_destroy.not_possible")
       end
     end
   end

app/components/toast_component.rb

@@ -5,8 +5,8 @@ def initialize(message:, type: :notice)
     @type = type
 
     if message.is_a?(Hash)
-      @title = no_break_on_hyphen(message[:title] || message['title'])
-      @message = no_break_on_hyphen(message[:message] || message['message'])
+      @title = no_break_on_hyphen(message[:title] || message["title"])
+      @message = no_break_on_hyphen(message[:message] || message["message"])
     else
       @message = no_break_on_hyphen(message)
     end
@@ -16,6 +16,6 @@ def initialize(message:, type: :notice)
 
   # Replaces any hyphen in the message with a character taht won't trigger line breaks.
   def no_break_on_hyphen(string)
-    string.tr('-', '‑')
+    string.tr("-", "‑")
   end
 end

app/controllers/admin/saved_scenarios_controller.rb

@@ -5,7 +5,7 @@ class SavedScenariosController < ApplicationController
     def index
       @saved_scenarios = SavedScenario.available
         .includes(:featured_scenario, :users)
-        .order('updated_at DESC')
+        .order("updated_at DESC")
     end
   end
 end

app/controllers/admin/staff_applications_controller.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
-require 'myetm/staff_applications'
+
+require "myetm/staff_applications"
 
 module Admin
   # Updates a staff application with a new URI.
@@ -19,7 +20,7 @@ def update
       )
 
       if result.success?
-        flash[:notice] = 'The application was updated.'
+        flash[:notice] = "The application was updated."
       else
         flash[:alert] = result.failure.errors.full_messages.to_sentence
       end

app/controllers/admin/users_controller.rb

@@ -11,26 +11,27 @@ def org
 
     # All users
     def all
-      @users = User.all.includes(:saved_scenarios)#, :collections)
+      @users = User.all.includes(:saved_scenarios) # , :collections)
     end
 
-    # Instant confirmation for our users that struggel with their spam
+    # Instant confirmation for our users that struggle with their spam
     def confirm
       @user.confirm!
+      flash[:notice] = "User confirmed."
     end
 
     def edit; end
 
     def update
-      if @user.update!(user_params.compact_blank)
-        flash[:notice] = t('admin.users.edit.success')
+      if @user.update(user_params.compact_blank)
+        flash[:notice] = t("admin.users.edit.success")
 
         respond_to do |format|
           format.html { redirect_to(admin_users_path) }
 
           format.turbo_stream do
             render turbo_stream: [
-              turbo_stream.update(:modal, ''),
+              turbo_stream.update(:modal, ""),
               turbo_user,
               turbo_notice
             ]
@@ -48,19 +49,17 @@ def set_user
     end
 
     def user_params
-      params.require(:user).permit(:name, :email, :password, :admin)
+      attributes = [:name, :email, :password]
+      attributes << :admin if current_user&.admin?
+      params.require(:user).permit(*attributes)
     end
 
     def turbo_notice(message = nil)
-      if message.nil?
-        message = flash[:notice]
-        flash.delete(:notice)
-      end
-
+      message ||= flash.delete(:notice)
       return if message.nil?
 
       turbo_stream.update(
-        'toast',
+        "toast",
         ToastComponent.new(type: :notice, message:).render_in(view_context)
       )
     end

app/controllers/api/v1/base_controller.rb

@@ -6,12 +6,12 @@ class BaseController < ActionController::API
       before_action :authenticate_request!
 
       rescue_from ActionController::ParameterMissing do |e|
-        render json: { errors: [e.message] }, status: :bad_request
+        render json: { errors: [ e.message ] }, status: :bad_request
       end
 
       rescue_from ActiveRecord::RecordNotFound do |e|
         render json: {
-          errors: ["No such #{e.model.underscore.humanize.downcase}: #{e.id}"]
+          errors: [ "No such #{e.model.underscore.humanize.downcase}: #{e.id}" ]
         }, status: :not_found
       end
 
@@ -21,14 +21,14 @@ class BaseController < ActionController::API
 
       rescue_from CanCan::AccessDenied do |e|
         if e.subject.is_a?(SavedScenario) && !e.subject.private?
-          render status: :forbidden, json: { errors: ['Scenario does not belong to you'] }
+          render status: :forbidden, json: { errors: [ "Scenario does not belong to you" ] }
         else
           render_not_found
         end
       end
 
       rescue_from MyEtm::Auth::DecodeError do
-        render json: { errors: ['Invalid or expired token'] }, status: :unauthorized
+        render json: { errors: [ "Invalid or expired token" ] }, status: :unauthorized
       end
 
       private
@@ -37,13 +37,13 @@ class BaseController < ActionController::API
       def decoded_token
         return @decoded_token if defined?(@decoded_token)
 
-        auth_header = request.headers['Authorization']
-        token = auth_header&.split(' ')&.last
+        auth_header = request.headers["Authorization"]
+        token = auth_header&.split(" ")&.last
         return nil unless token
 
         @decoded_token = MyEtm::Auth.decode(token)
       rescue MyEtm::Auth::DecodeError, MyEtm::Auth::TokenExchangeError => e
-        Rails.logger.debug "Token decoding failed: #{e.message}"
+        Rails.logger.debug("Token decoding failed: #{e.message}")
         nil
       end
 
@@ -78,15 +78,15 @@ def authenticate_request!
           @current_user = User.find(doorkeeper_token.resource_owner_id)
         elsif decoded_token
           unless current_user
-            render json: { errors: ['Unauthorized'] }, status: :unauthorized
+            render json: { errors: [ "Unauthorized" ] }, status: :unauthorized
           end
         else
-          render json: { errors: ['Authentication required'] }, status: :unauthorized
+          render json: { errors: [ "Authentication required" ] }, status: :unauthorized
         end
       end
 
       # Send a 404 response with an optional JSON body.
-      def render_not_found(body = { errors: ['Not found'] })
+      def render_not_found(body = { errors: [ "Not found" ] })
         render json: body, status: :not_found
       end
 
@@ -99,7 +99,7 @@ def render_not_found(body = { errors: ['Not found'] })
       def process_action(*args)
         super
       rescue ActionDispatch::Http::Parameters::ParseError => e
-        render status: 400, json: { errors: [e.message] }
+        render status: 400, json: { errors: [ e.message ] }
       end
 
       def track_token_use
@@ -122,7 +122,6 @@ def find_user_from_token
         user_data = decoded_token[:user]
         User.find_or_create_by(id: decoded_token[:sub]) do |user|
           user.assign_attributes(user_data)
-
         end
       end
 

app/controllers/api/v1/saved_scenarios_controller.rb

@@ -1,7 +1,6 @@
 module Api
   module V1
     class SavedScenariosController < BaseController
-
       load_and_authorize_resource(class: SavedScenario, only: %i[index show create update destroy])
 
       # GET /saved_scenarios or /saved_scenarios.json
@@ -10,7 +9,7 @@ def index
           .saved_scenarios
           .available
           .includes(:featured_scenario, :users)
-          .order('updated_at DESC')
+          .order("updated_at DESC")
 
           render json: saved_scenarios
       end

app/controllers/application_controller.rb

@@ -84,12 +84,12 @@ def engine_client
   #
   # Returns true.
   def render_not_found(thing = nil)
-    content = Rails.root.join('public/404.html').read
+    content = Rails.root.join("public/404.html").read
 
     unless thing.nil?
       # Swap out the word "page" for something else, when appropriate.
       document = Nokogiri::HTML.parse(content)
-      header = document.at_css('h1')
+      header = document.at_css("h1")
       header.content = header.content.sub(/\bpage\b/, thing)
 
       content = document.to_s
@@ -113,7 +113,7 @@ def turbo_notice(message = nil)
     return if message.nil?
 
     turbo_stream.update(
-      'toast',
+      "toast",
       ToastComponent.new(type: :notice, message:).render_in(view_context)
     )
   end
@@ -127,7 +127,7 @@ def turbo_alert(message = nil)
     return if message.nil?
 
     turbo_stream.update(
-      'toast',
+      "toast",
       ToastComponent.new(type: :alert, message:).render_in(view_context)
     )
   end

app/controllers/discarded_controller.rb

@@ -7,6 +7,6 @@ def index
       .saved_scenarios
       .discarded
       .includes(:featured_scenario, :users)
-      .order('updated_at DESC')
+      .order("updated_at DESC")
   end
 end

app/controllers/featured_scenarios_controller.rb

@@ -33,7 +33,7 @@ def update
   end
 
   def confirm_destroy
-    render :confirm_destroy, layout: 'application'
+    render :confirm_destroy, layout: "application"
   end
 
   def destroy