Class: ApplicationController

Inherits:
ActionController::Base
  • Object
show all
Includes:
ActionView::Helpers::NumberHelper, ApplicationHelper, Controllers::AcceleratedFileSending, Controllers::AnalyticsEvents, Controllers::AppsignalTagging, Controllers::Authenticable, Controllers::CloudflareCaching, Controllers::DeviceDetection, Controllers::ErrorRendering, Controllers::Localizable, Controllers::Paginateable, Controllers::PaperTrailContext, Controllers::ReturnPathHandling, Controllers::SetCurrentRequestDetails, Controllers::SubdomainDetection, Controllers::TrackingDetection, Controllers::TurboSafeRedirect, Controllers::TurboStreamFlashable, Controllers::TurnstileVerification, Controllers::Webpackable, Memery
Defined in:
app/controllers/application_controller.rb

Overview

Controller: application.

Constant Summary

Constants included from Controllers::AnalyticsEvents

Controllers::AnalyticsEvents::MAX_QUEUED_EVENTS, Controllers::AnalyticsEvents::SESSION_KEY

Constants included from Controllers::ErrorRendering

Controllers::ErrorRendering::NON_CONTENT_PATH_PREFIXES

Constants included from Www::SeoHelper

Www::SeoHelper::AWARDS, Www::SeoHelper::CA_ADDRESS, Www::SeoHelper::CA_BUSINESS_HOURS, Www::SeoHelper::CA_CONTACT_POINT, Www::SeoHelper::CA_CURRENCIES, Www::SeoHelper::CA_DESCRIPTION, Www::SeoHelper::CA_FOUNDING_DATE, Www::SeoHelper::CA_GLOBAL_LOCATION_NUMBER, Www::SeoHelper::CA_LEGAL_NAME, Www::SeoHelper::CA_LOCAL_BUSINESS, Www::SeoHelper::CA_ONLINE_STORE, Www::SeoHelper::CA_RETURN_POLICY, Www::SeoHelper::CA_SALES_DEPARTMENT, Www::SeoHelper::CA_SERVICE_AREA, Www::SeoHelper::CA_URL, Www::SeoHelper::CA_VAT_ID, Www::SeoHelper::CA_WAREHOUSE_DEPARTMENT, Www::SeoHelper::CA_WAREHOUSE_HOURS, Www::SeoHelper::COMPANY_EMAIL, Www::SeoHelper::COMPANY_LOGO, Www::SeoHelper::COMPANY_NAME, Www::SeoHelper::COMPANY_SLOGAN, Www::SeoHelper::EXPERTISE, Www::SeoHelper::FAX_NUMBER, Www::SeoHelper::GS1_COMPANY_PREFIX, Www::SeoHelper::ISO6523_CODE, Www::SeoHelper::PAYMENT_METHODS, Www::SeoHelper::PHONE_NUMBER, Www::SeoHelper::PRIMARY_NAICS, Www::SeoHelper::REFUND_TYPE, Www::SeoHelper::RETURN_FEES, Www::SeoHelper::RETURN_METHOD, Www::SeoHelper::RETURN_POLICY_CATEGORY, Www::SeoHelper::SECONDARY_NAICS, Www::SeoHelper::SOCIAL_PROFILES, Www::SeoHelper::US_ADDRESS, Www::SeoHelper::US_BUSINESS_HOURS, Www::SeoHelper::US_CONTACT_POINT, Www::SeoHelper::US_CURRENCIES, Www::SeoHelper::US_DESCRIPTION, Www::SeoHelper::US_FOUNDING_DATE, Www::SeoHelper::US_GLOBAL_LOCATION_NUMBER, Www::SeoHelper::US_IMAGE, Www::SeoHelper::US_LEGAL_NAME, Www::SeoHelper::US_LOCAL_BUSINESS, Www::SeoHelper::US_ONLINE_STORE, Www::SeoHelper::US_RETURN_POLICY, Www::SeoHelper::US_SALES_DEPARTMENT, Www::SeoHelper::US_SERVICE_AREA, Www::SeoHelper::US_TAX_ID, Www::SeoHelper::US_URL, Www::SeoHelper::US_WAREHOUSE_DEPARTMENT, Www::SeoHelper::US_WAREHOUSE_HOURS

Constants included from IconHelper

IconHelper::CUSTOM_ICON_MAP, IconHelper::CUSTOM_SVG_DIR, IconHelper::DEFAULT_FAMILY

Instance Method Summary collapse

Methods included from Controllers::ReturnPathHandling

#check_for_return_path, #redirect_to_return_path_or_default

Methods included from Controllers::AnalyticsEvents

#consume_queued_analytics_events, #track_event

Methods included from Controllers::DeviceDetection

#device_detector, #is_ie?

Methods included from Controllers::SubdomainDetection

#is_crm_request?, #is_www_request?, #json_request?

Methods included from Controllers::TrackingDetection

#bot_request?, #gdpr_country?, #gdpr_country_data, #prevent_bots, #set_tracking_cookie, #track_visitor?

Methods included from Controllers::AcceleratedFileSending

#send_file_accelerated, #send_upload_accelerated

Methods included from Controllers::ErrorRendering

#excp_string, #mail_to_for_error_reporting, #render_400, #render_404, #render_406, #render_410, #render_500, #render_invalid_authenticity_token, #render_ip_spoof_error, #render_unpermitted_parameters, #safe_referer_or_fallback

Methods included from Controllers::TurnstileVerification

#load_turnstile_script_tag, #turnstile_lazy_widget, #turnstile_script_tag, #turnstile_widget, #validate_turnstile!

Methods included from Controllers::CloudflareCaching

edge_cached, #edge_cached_action?, #reset_cloudflare_cache, #set_cloudflare_cache, #skip_edge_cache!, #skip_session

Methods included from Controllers::Webpackable

#preload_webpack_fonts, #webpack_css_include, #webpack_css_url, #webpack_js_include, #wpd_is_running?

Methods included from Controllers::Localizable

#cloudflare_country_locale, #determine_request_locale, #geocoder_locale, #guest_user_locale_check, #locale_optional_www_auth_path?, #param_locale, #set_locale, #set_request_locale, #skip_localization?, #warmlyyours_ip_locale

Methods included from Controllers::Authenticable

#access_denied, #authenticate_account, #authenticate_account!, #authenticate_account_from_login_token!, #check_is_a_manager, #check_is_a_sales_manager, #check_is_an_admin, #check_is_an_employee, #check_party, #clear_mismatched_guest_user, #create_guest_user, #credentials?, #current_or_guest_user, #current_or_guest_user_id_read_only, #current_user, #devise_mapping, #fully_logged_in?, #generate_bot_id, #guest_user, #identifiable?, #init_current_user, #initialize_guest, #load_context_user, #logging_in, #resource, #resource_name, #restrict_access_for_non_employees, #scrubbed_request_path, #user_object, #warn_on_session_guest_id_leak

Methods included from ApplicationHelper

#better_number_to_currency, #check_force_logout, #check_or_cross, #check_or_times, #embedded_tab_frame_id, #error_messages, #general_disclaimer_on_product_installation_and_local_codes, #gridjs_from_html_table, #gridjs_table, #is_wy_ip, #line_break, #parent_layout, #pass_or_fail, #render_error_messages_list, #render_video_card, #resolved_auth_form_turbo_frame, #return_path_or, #safe_css_color, #set_return_path_if_present, #set_section_if_present, #tab_frame_id, #to_underscore, #track_page?, #turbo_section_wrapper, #turbo_tabs_request?, #url_on_same_domain_as_request, #widget_index_daily_focus_index_path, #working_hours?, #yes_or_no, #yes_or_no_highlighted, #yes_or_no_with_check_or_cross, #youtube_video

Methods included from UppyUploaderHelper

#file_uploader, #image_uploader, #large_file_uploader_s3, #lead_sketch_uploader, #rma_image_uploader, #rma_image_uploader_s3, #uppy_uploader, #video_uploader

Methods included from Www::ImagesHelper

#image_asset_tag, #image_asset_url

Methods included from Www::SeoHelper

#add_page_schema, #add_webpage_schema, #canada?, #company_social_links, #ensure_context_json, #json_ld_script_tag, #local_business_schema, #online_store_id, #online_store_schema, #page_main_entity, #page_main_entity_json, #render_auto_collection_page_schema, #render_collection_page_schema, #render_local_business_schema, #render_online_store_schema, #render_page_schemas, #render_page_video_schemas, #render_webpage_schema, #render_webpage_schema_with_collections, #usa?

Methods included from UrlsHelper

#catalog_breadcrumb_links, #catalog_link, #catalog_link_for_product_line, #catalog_link_for_sku, #cms_link, #delocalized_path, #path_to_sales_product_sku, #path_to_sales_product_sku_for_product_line, #path_to_sales_product_sku_for_product_line_slug, #product_line_from_catalog_link, #protocol_neutral_url, #sanitize_external_url, #valid_external_url?

Methods included from IconHelper

#account_nav_icon, #fa_icon, #star_rating_html

Instance Method Details

#account_impersonated?Boolean

Pretender does not ship a boolean helper, but it does set
session[:impersonated_account_id] whenever an impersonation is active
(see vendor/bundle/.../pretender.rb). We define one here as the canonical
check used everywhere in the app (views, MasqueradeGuarded, AnalyticsEvents,
AppsignalTagging, etc.).

Returns:

  • (Boolean) 


18
19
20
 
# File 'app/controllers/application_controller.rb', line 18

def 
  request.session[:impersonated_account_id].present?
end

#add_to_flash(message, type = :error, now: false) ⇒ Object (protected)

Append a message to flash[type], deduping against what's already there.

Pass now: true for one-shot messages set on a render (rather than a
redirect) — they'll show on this request only, the same way flash.now
works. Without it, the message persists into the next request, which
leaks onto the back/forward target after a Turbo Drive cache miss.



148
149
150
151
152
153
154
 
# File 'app/controllers/application_controller.rb', line 148

def add_to_flash(message, type = :error, now: false)
  return if message.blank? || (flash[type].present? && flash[type].to_s.downcase.include?(message.to_s.downcase))

  bucket = now ? flash.now : flash
  bucket[type] ||= +''
  bucket[type] += message
end

#after_sign_in_path_for(resource) ⇒ String

Default post-authentication landing for storefront flows. Every storefront
auth controller (sessions, registrations, passwords, invitations, omniauth)
already redirects to @devise_return_path || my_account_path on success;
this override applies the same rule for the implicit call sites Devise
makes directly — most importantly require_no_authentication, which lands
an already-signed-in user back here when they click a password-reset
email link. Without it, Devise's gem default root_path sent them to the
homepage with no signal. CRM falls through to super because the
employee subdomain has no my_account route.

Parameters:

  • resource (Account)

    the Devise resource that just authenticated

Returns:

  • (String)

    storefront: @devise_return_path when set, else my_account_path. CRM: Devise's default (usually root_path).



92
93
94
95
96
 
# File 'app/controllers/application_controller.rb', line 92

def (resource)
  return super if is_crm_request?

  @devise_return_path.presence || 
end

#bypass_forgery_protection?Boolean (protected)

Returns:

  • (Boolean) 


109
110
111
112
113
114
115
 
# File 'app/controllers/application_controller.rb', line 109

def bypass_forgery_protection?
  return true if json_request?
  # Because the user might be presented with a captcha, this can break the csrf check, so this is a workaround.
  return true if cloudflare_cleared?

  false
end

#chat_enabled?Boolean (protected)

Returns:

  • (Boolean) 


125
126
127
 
# File 'app/controllers/application_controller.rb', line 125

def chat_enabled?
  Rails.env.production? || ENV['ENABLE_LIVECHAT'].to_b
end

#cloudflare_cleared?Boolean (protected)

Returns:

  • (Boolean) 


104
105
106
107
 
# File 'app/controllers/application_controller.rb', line 104

def cloudflare_cleared?
  # See https://developers.cloudflare.com/fundamentals/reference/policies-compliances/cloudflare-cookies/
  request.cookies['cf_clearance'].present?
end

#default_catalogObject (protected) 



138
139
140
 
# File 'app/controllers/application_controller.rb', line 138

def default_catalog
  current_user.try(:catalog) || Catalog.locale_to_catalog(I18n.locale)
end

#default_url_options(options = {}) ⇒ Object (protected) 



168
169
170
 
# File 'app/controllers/application_controller.rb', line 168

def default_url_options(options = {})
  UrlHelper.default_url_options(options)
end

#enable_turbo_framesObject

Enable Turbo Frames and Streams for specific sections



76
77
78
 
# File 'app/controllers/application_controller.rb', line 76

def enable_turbo_frames
  @turbo_frames_enabled = true
end

#find_publication(sku, override_locale_store = nil) ⇒ Object (protected) 



133
134
135
136
 
# File 'app/controllers/application_controller.rb', line 133

def find_publication(sku, override_locale_store = nil)
  store = override_locale_store || locale_store
  Item.find_publication(sku, store)
end

#fix_invalid_accept_headerObject (protected)

Clean possibly misconfigured proxies or old browsers



239
240
241
242
243
 
# File 'app/controllers/application_controller.rb', line 239

def fix_invalid_accept_header
  return unless is_crm_request? || is_www_request?

  request.headers['Accept'] = '*/*' if request.headers['Accept'] == '*'
end

#init_js_utilsObject (protected) 



121
122
123
 
# File 'app/controllers/application_controller.rb', line 121

def init_js_utils
  @react_props = {}
end

#is_globals_call?Boolean (protected)

Returns:

  • (Boolean) 


117
118
119
 
# File 'app/controllers/application_controller.rb', line 117

def is_globals_call?
  request&.fullpath.to_s.start_with?('/globals')
end

#layout_by_resourceObject (protected) 



182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
 
# File 'app/controllers/application_controller.rb', line 182

def layout_by_resource
  # Turbo Frame requests only consume the matching <turbo-frame> from the
  # response; the surrounding layout chrome (navbar, sidebar, head/asset
  # tags, modal containers) is rendered then immediately discarded by the
  # browser. Skip it server-side to save render time and bandwidth on every
  # frame fetch, app-wide.
  return false if turbo_frame_request?

  if devise_controller?
    if is_crm_request?
      @disable_sign_in = true
      'crm/sessions'
    else
      'www/cms_page'
    end
  elsif is_crm_request?
    'crm/crm'
  else
    'www/cms_page'
  end
end

#locale_storeObject (protected) 



172
173
174
 
# File 'app/controllers/application_controller.rb', line 172

def locale_store
  Store.locale_to_catalog(I18n.locale)
end

#redirect_to(options = {}, response_options = {}) ⇒ Object

Hotwire: default redirects after mutating verbs to 303 See Other unless an explicit
status: is passed (matches Turbo / Rails 7 guidance for POST/PUT/PATCH/DELETE flows).

NOTE: explicitly public because this override sits below the protected keyword
above. Without this, the inherited public redirect_to becomes protected on the
whole app, and any gem that calls controller.redirect_to(...) externally (e.g. the
responders gem used by Devise's respond_with) raises NoMethodError.



279
280
281
282
283
284
285
 
# File 'app/controllers/application_controller.rb', line 279

public def redirect_to(options = {}, response_options = {})
  response_options = {} unless response_options.is_a?(Hash)
  unless response_options.key?(:status) || (options.is_a?(Hash) && options.key?(:status))
    response_options = { status: :see_other }.merge(response_options) if %w[POST PUT PATCH DELETE].include?(request.request_method)
  end
  super
end

#require_employee_for_crmObject (protected)

Gate: every request on the CRM subdomain must be from an authenticated employee.
Controllers with legitimate open access (webhooks, OAuth, token downloads) must
explicitly declare: skip_before_action :require_employee_for_crm



207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
 
# File 'app/controllers/application_controller.rb', line 207

def require_employee_for_crm
  return unless is_crm_request?
  return if devise_controller?

  # `current_account` is wrapped by Pretender, which can return a non-Account
  # value when the session is partially corrupt (e.g. `:impersonated_account_id`
  # set with no `true_account`). `&.is_employee?` only short-circuits on nil,
  # so an Array/Hash receiver crashes the request with a 500 instead of
  # redirecting to sign-in. Coerce anything that isn't an Account to nil.
   =  if .is_a?(Account)

  return if &.is_employee?

  if 
    flash[:error] = "Access to the CRM is restricted to employees."
    redirect_to cms_link('/my_account')
  else
    flash[:info] = t('controllers.authenticable.sign_in_to_proceed')
    redirect_to (devise_return_path: request.fullpath)
  end
end

#set_base_hostObject (protected) 



229
230
231
 
# File 'app/controllers/application_controller.rb', line 229

def set_base_host
  @base_url = "#{request.scheme}://#{request.host_with_port}"
end

#set_real_ipObject (protected) 



233
234
235
236
 
# File 'app/controllers/application_controller.rb', line 233

def set_real_ip
  # Fake our location in development when working locally, this is what request geocoder uses
  request.env['HTTP_X_REAL_IP'] = NetworkConstants::REAL_FAKE_IP if Rails.env.development?
end

#set_report_errors_forObject (protected) 



176
177
178
179
180
 
# File 'app/controllers/application_controller.rb', line 176

def set_report_errors_for
  # Stub, override in your own controllers, put the models that are updated in the array, note use instance variable @ not symbols
  @report_errors_for = []
  logger.debug "set_report_errors_for is set to #{@report_errors_for.join(', ')}" if @report_errors_for.present?
end

#should_render_layout?Boolean (protected)

Determines if a layout should be rendered based on the request type.

Returns false (no layout) for:

  • XHR requests (legacy AJAX approach)
  • Turbo Frame fetches that target this controller's content (e.g.
    Turbo-Frame: tab-content-<controller_name> or any non-tab frame
    like pagination scopes)

Returns true (full layout) for:

  • Plain navigation
  • Cross-controller tab-frame fetches (e.g. clicking an order link from
    inside the warehouse tab — Turbo-Frame: tab-content-warehouses on a
    request to OrdersController). These trigger turbo:frame-missing
    client-side, and the global handler's visit(response) fallback needs
    a complete HTML page to render. A layoutless response leaves the user
    staring at just the body content (no chrome, no nav, no breadcrumb).

Returns:

  • (Boolean) 


261
262
263
264
265
266
267
268
269
270
 
# File 'app/controllers/application_controller.rb', line 261

def should_render_layout?
  return false if request.xhr?
  return false if request.format.turbo_stream?
  return true unless turbo_frame_request?

  header = request.headers['Turbo-Frame'].to_s
  return false unless header.start_with?('tab-content-')

  header != "tab-content-#{controller_name}"
end

#stamp_impersonation_contextObject (protected) 



100
101
102
 
# File 'app/controllers/application_controller.rb', line 100

def stamp_impersonation_context
  CurrentScope. =  ? &.id : nil
end

#warmlyyours_canada_ip?(ip = nil) ⇒ Boolean (protected)

Returns:

  • (Boolean) 


163
164
165
166
 
# File 'app/controllers/application_controller.rb', line 163

def warmlyyours_canada_ip?(ip = nil)
  ip ||= request.remote_ip
  IpDetector.warmlyyours_canada_ip?(ip)
end

#warmlyyours_ip?(ip = nil) ⇒ Boolean (protected)

Returns:

  • (Boolean) 


158
159
160
161
 
# File 'app/controllers/application_controller.rb', line 158

def warmlyyours_ip?(ip = nil)
  ip ||= request.remote_ip
  IpDetector.warmlyyours_ip?(ip)
end

#y(value) ⇒ Object (protected) 



129
130
131
 
# File 'app/controllers/application_controller.rb', line 129

def y(value)
  value.to_b ? 'Yes' : 'No'
end