Module: Controllers::MasqueradeGuarded

Extended by:: ActiveSupport::Concern

Included in:: Auth::AuthenticationsController, Auth::CustomerRegistrationsController, BasePortalController, MyAccountsController, PresetJobsControllerBase

Defined in:: app/concerns/controllers/masquerade_guarded.rb

Overview

Blocks destructive customer-account changes while an employee is masquerading
("Login as this user"). The masquerading employee is auditable but should not
be able to:

change the customer's password
change the customer's login email (and therefore lock them out)
delete the customer's account
link/unlink third-party OAuth identities

Usage:

class Auth::CustomerRegistrationsController < Devise::RegistrationsController
  include Controllers::MasqueradeGuarded

  block_while_masquerading :update, :update_email, :destroy,
    message: "Account credentials cannot be changed while masquerading."
end

View helper masquerade_blocks? is also exposed so templates can hide the
corresponding buttons/links and avoid showing a button that would only error.

Constant Summary collapse

DEFAULT_BLOCK_MESSAGE =

'This action is disabled during a masquerade session. Stop masquerading to continue.'

Class Method Summary collapse

.block_while_masquerading(*actions, message: DEFAULT_BLOCK_MESSAGE, redirect_to: nil) ⇒ Object
Registers a before_action that aborts (with a redirect or 403) when a masquerade session is active and the action is in the guarded list.

Instance Method Summary collapse

#masquerade_blocks? ⇒ Boolean
View helper: "is the session currently under masquerade at all?".

Class Method Details

.block_while_masquerading(*actions, message: DEFAULT_BLOCK_MESSAGE, redirect_to: nil) ⇒ `Object`

Registers a before_action that aborts (with a redirect or 403) when a
masquerade session is active and the action is in the guarded list.

Parameters:

actions (Array<Symbol>) —
action names to guard
message (String) (defaults to: DEFAULT_BLOCK_MESSAGE) —
flash message shown to the employee
redirect_to (Symbol, String, Proc) (defaults to: nil) —
where to send the user; defaults
to :back via referer or root_path.

# File 'app/concerns/controllers/masquerade_guarded.rb', line 40

def block_while_masquerading(*actions, message: DEFAULT_BLOCK_MESSAGE, redirect_to: nil)
  before_action(only: actions) do
    reject_action_during_masquerade!(message, redirect_to) if account_impersonated?
  end
end

Instance Method Details

#masquerade_blocks? ⇒ `Boolean`

View helper: "is the session currently under masquerade at all?". Used by
templates to hide buttons that would only get rejected by the
block_while_masquerading guard above (e.g. password change, account
deletion, OAuth link/unlink). Per-action gating is intentionally not
implemented here — the guard registers actions at class load time, so a
boolean answer is enough to drive UI affordances.

Returns:

(Boolean)



53
54
55

# File 'app/concerns/controllers/masquerade_guarded.rb', line 53

def masquerade_blocks?
  account_impersonated?
end