refactor: Renames user roles, improves security

app/assets/javascripts/manage/lib/setupDataTables.js

@@ -36,7 +36,7 @@ var setupDataTables = function () {
     ],
   });
 
-  $('.datatable.admins').DataTable({
+  $('.datatable.staff').DataTable({
     order: [2, 'asc'],
     columns: [
       { orderable: true, data: 'id', visible: false },

app/controllers/manage/application_controller.rb

@@ -1,27 +1,30 @@
 class Manage::ApplicationController < ApplicationController
   before_action :logged_in
-  before_action :require_admin_or_limited_admin
-  before_action :limit_write_access_to_admins, only: ["edit", "update", "new", "create", "destroy", "deliver", "merge", "perform_merge", "toggle_bus_captain", "duplicate", "update_acc_status", "send_update_email", "live_preview"]
+  before_action :require_director_or_organizer_or_volunteer
+  before_action :limit_write_access_to_directors, only: ["edit", "update", "new", "create", "destroy", "deliver", "merge", "perform_merge", "toggle_bus_captain", "duplicate", "update_acc_status", "send_update_email", "live_preview"]
   skip_before_action :verify_authenticity_token, if: :json_request?
 
   def logged_in
     authenticate_user!
   end
 
-  def require_full_admin
-    return redirect_to root_path unless current_user.try(:admin?)
+  def require_director
+    return redirect_to manage_checkins_path if current_user.volunteer?
+    return redirect_to manage_root_path if current_user.organizer?
+    return redirect_to root_path unless current_user.try(:director?)
   end
 
-  def require_admin_or_limited_admin
-    return redirect_to root_path unless current_user.try(:admin?) || current_user.try(:admin_limited_access?)
+  def require_director_or_organizer
+    return redirect_to manage_checkins_path if current_user.volunteer?
+    return redirect_to root_path unless current_user.organizing_staff?
   end
 
-  def require_admin_or_limited_admin_or_event_tracking
-    redirect_to root_path unless current_user.try(:admin?) || current_user.try(:admin_limited_access?) || current_user.try(:event_tracking?)
+  def require_director_or_organizer_or_volunteer
+    redirect_to root_path unless current_user.staff?
   end
 
-  def limit_write_access_to_admins
-    redirect_to url_for(controller: controller_name, action: :index) unless current_user.try(:admin?)
+  def limit_write_access_to_directors
+    redirect_to url_for(controller: controller_name, action: :index) unless current_user.try(:director?)
   end
 
   def json_request?

app/controllers/manage/configs_controller.rb

@@ -1,5 +1,5 @@
 class Manage::ConfigsController < Manage::ApplicationController
-  before_action :limit_access_admin
+  before_action :require_director
   before_action :get_config, only: [:edit, :update, :update_only_css_variables]
 
   respond_to :html, :json
@@ -69,7 +69,4 @@ def get_config
     end
   end
 
-  def limit_access_admin
-    redirect_to root_path unless current_user.admin?
-  end
 end

app/controllers/manage/dashboard_controller.rb

@@ -1,6 +1,5 @@
 class Manage::DashboardController < Manage::ApplicationController
-  skip_before_action :require_admin_or_limited_admin
-  before_action :require_admin_or_limited_admin
+  before_action :require_director_or_organizer
 
   def index
   end

app/controllers/manage/data_exports_controller.rb

@@ -1,6 +1,5 @@
 class Manage::DataExportsController < Manage::ApplicationController
-  skip_before_action :require_admin_or_limited_admin
-  before_action :require_full_admin
+  before_action :require_director
 
   before_action :set_data_export, only: [:destroy]
 

app/controllers/manage/messages_controller.rb

@@ -1,7 +1,8 @@
 class Manage::MessagesController < Manage::ApplicationController
+  before_action :require_director_or_organizer
   before_action :set_message, only: [:show, :edit, :update, :destroy, :deliver, :preview, :duplicate]
   before_action :check_message_access, only: [:edit, :update, :destroy]
-  before_action :limit_template_access_to_admins, only: [:template, :template_preview, :template_update, :template_replace_with_default]
+  before_action :limit_template_access_to_directors, only: [:template, :template_preview, :template_update, :template_replace_with_default]
 
   respond_to :html, :json
 
@@ -106,9 +107,9 @@ def template_replace_with_default
 
   private
 
-  def limit_template_access_to_admins
+  def limit_template_access_to_directors
     # From Manage::ApplicationController
-    limit_write_access_to_admins
+    limit_write_access_to_directors
   end
 
   def message_params

app/controllers/manage/stats_controller.rb

@@ -1,4 +1,5 @@
 class Manage::StatsController < Manage::ApplicationController
+  before_action :require_director_or_organizer
 
   respond_to :html, :json
 

app/controllers/manage/trackable_events_controller.rb

@@ -1,9 +1,6 @@
 class Manage::TrackableEventsController < Manage::ApplicationController
-  skip_before_action :require_admin_or_limited_admin
-  before_action :require_admin_or_limited_admin_or_event_tracking
-
   before_action :set_trackable_event, only: [:show, :edit, :update, :destroy]
-  before_action :scope_limited_admin_access, only: [:edit, :update, :destroy]
+  before_action :scope_organizer_access, only: [:edit, :update, :destroy]
 
   respond_to :html, :json
 
@@ -81,13 +78,13 @@ def trackable_event_params
     params.require(:trackable_event).permit(:band_id, :trackable_tag_id)
   end
 
-  # Permit limited-access admins (overrides Manage::ApplicationController#limit_write_access_to_admins)
-  def limit_write_access_to_admins
+  # Permit limited-access directors (overrides Manage::ApplicationController#limit_write_access_to_directors)
+  def limit_write_access_to_directors
   end
 
-  # If the user isn't a full admin, scope changes only to those they created
-  def scope_limited_admin_access
-    return if current_user.admin? || @trackable_event.blank? || @trackable_event.user.blank?
+  # If the user isn't a director, scope changes only to those they created
+  def scope_organizer_access
+    return if current_user.director? || @trackable_event.blank? || @trackable_event.user.blank?
     redirect_to manage_trackable_events_path, notice: 'You may not view events you did not create.' if @trackable_event.user != current_user
   end
 end

app/controllers/manage/trackable_tags_controller.rb

@@ -1,7 +1,4 @@
 class Manage::TrackableTagsController < Manage::ApplicationController
-  skip_before_action :require_admin_or_limited_admin
-  before_action :require_admin_or_limited_admin_or_event_tracking
-
   before_action :set_trackable_tag, only: [:show, :edit, :update, :destroy]
 
   respond_to :html, :json

app/controllers/manage/users_controller.rb

@@ -1,19 +1,19 @@
 class Manage::UsersController < Manage::ApplicationController
-  before_action :require_full_admin
+  before_action :require_director
   before_action :find_user, only: [:show, :edit, :update, :destroy]
 
   respond_to :html, :json
 
   def index
-    respond_with(:manage, User.where(role: [:admin, :admin_limited_access, :event_tracking]))
+    respond_with(:manage, User.where(role: [:director, :organizer, :volunteer]))
   end
 
   def user_datatable
     render json: UserDatatable.new(params, view_context: view_context)
   end
 
-  def admin_datatable
-    render json: AdminDatatable.new(params, view_context: view_context)
+  def staff_datatable
+    render json: StaffDatatable.new(params, view_context: view_context)
   end
 
   def show

app/datatables/questionnaire_datatable.rb

@@ -35,7 +35,7 @@ def note(record)
 
   def bus_captain(record)
     return "No" unless record.bus_list_id?
-    return record.is_bus_captain? ? '<span class="badge badge-success">Yes</span>' : "No" unless current_user.admin?
+    return record.is_bus_captain? ? '<span class="badge badge-success">Yes</span>' : "No" unless current_user.director?
 
     if record.is_bus_captain?
       link_to("Remove", toggle_bus_captain_manage_bus_list_path(record.bus_list_id, questionnaire_id: record.id, bus_captain: "0"), method: "post", class: "text-danger")
@@ -47,7 +47,7 @@ def bus_captain(record)
   def data
     records.map do |record|
       {
-        bulk: current_user.admin? ? "<input type=\"checkbox\" data-bulk-row-edit=\"#{record.id}\">".html_safe : "",
+        bulk: current_user.director? ? "<input type=\"checkbox\" data-bulk-row-edit=\"#{record.id}\">".html_safe : "",
         link: link_to('<i class="fa fa-search"></i>'.html_safe, manage_questionnaire_path(record)),
         note: note(record),
         id: record.id,

app/datatables/admin_datatable.rb → app/datatables/staff_datatable.rb

@@ -1,4 +1,4 @@
-class AdminDatatable < ApplicationDatatable
+class StaffDatatable < ApplicationDatatable
   def_delegators :@view, :link_to, :manage_user_path, :bold, :display_datetime
 
   def view_columns
@@ -43,6 +43,6 @@ def data
   end
 
   def get_raw_records
-    User.where(role: [:admin, :admin_limited_access, :event_tracking])
+    User.where(role: [:director, :organizer, :volunteer])
   end
 end

app/jobs/bulk_message_job.rb

@@ -27,11 +27,11 @@ def self.build_recipients(recipient_types)
   def self.user_ids(type)
     case type
     when "all"
-      # Everyone, including admins that completed a questionnaire
-      User.non_admins.pluck(:id) + Questionnaire.pluck(:user_id)
+      # Everyone, including organizers that completed a questionnaire
+      User.non_organizer.pluck(:id) + Questionnaire.pluck(:user_id)
     when "incomplete"
-      # Incomplete applications, excluding admins that don't have a questionnaire
-      User.non_admins.pluck(:id) - Questionnaire.pluck(:user_id)
+      # Incomplete applications, excluding organizers that don't have a questionnaire
+      User.non_organizer.pluck(:id) - Questionnaire.pluck(:user_id)
     when "complete"
       Questionnaire.pluck(:user_id)
     when "accepted"

app/jobs/admin_weekly_report_job.rb → app/jobs/staff_weekly_report_job.rb

@@ -1,11 +1,11 @@
-class AdminWeeklyReportJob < ApplicationJob
+class StaffWeeklyReportJob < ApplicationJob
   queue_as :default
 
   def perform
     # Queue all eligible users and let the is_active (or other) logic determine if they should really receive it
     users = User.where(receive_weekly_report: true)
     users.each do |user|
-      AdminMailer.weekly_report(user.id).deliver_later
+      StaffMailer.weekly_report(user.id).deliver_later
     end
   end
 end

app/mailers/mail_preview.rb

@@ -5,8 +5,8 @@ def bulk_message_email
       UserMailer.bulk_message_email(message, User.first.id)
     end
 
-    def admin_weekly_report
-      AdminMailer.weekly_report(User.first.id)
+    def staff_weekly_report
+      StaffMailer.weekly_report(User.first.id)
     end
   end
 end

app/mailers/admin_mailer.rb → app/mailers/staff_mailer.rb

@@ -1,8 +1,8 @@
-class AdminMailer < ApplicationMailer
+class StaffMailer < ApplicationMailer
   include Roadie::Rails::Automatic
   add_template_helper(HackathonManagerHelper)
 
-  layout "admin_mailer"
+  layout "staff_mailer"
 
   def weekly_report(user_id)
     # Don't send emails more than 7 days after event starts

app/mailers/user_mailer.rb

@@ -16,7 +16,7 @@ def bulk_message_email(message_id, user_id, message = nil, use_examples = false)
 
   def incomplete_reminder_email(user_id)
     @user = User.find_by_id(user_id)
-    return if @user.blank? || @user.admin? || @user.questionnaire || Time.now.in_time_zone.to_date > Date.parse(HackathonConfig["last_day_to_apply"]).in_time_zone.to_date
+    return if @user.blank? || @user.director? || @user.questionnaire || Time.now.in_time_zone.to_date > Date.parse(HackathonConfig["last_day_to_apply"]).in_time_zone.to_date
 
     Message.queue_for_trigger("user.24hr_incomplete_application", @user.id)
   end

app/models/user.rb

@@ -23,7 +23,7 @@ class User < ApplicationRecord
   after_create :queue_reminder_email
   after_initialize :set_default_role, if: :new_record?
 
-  enum role: { user: 0, event_tracking: 1, admin_limited_access: 2, admin: 3 }
+  enum role: { user: 0, volunteer: 1, organizer: 2, director: 3 }
 
   def set_default_role
     self.role ||= :user
@@ -56,6 +56,14 @@ def full_name
     "#{first_name} #{last_name}"
   end
 
+  def staff?
+    director? || organizer? || volunteer?
+  end
+
+  def organizing_staff?
+    director? || organizer?
+  end
+
   def self.from_omniauth(auth)
     matching_provider = where(provider: auth.provider, uid: auth.uid)
     matching_email = where(email: auth.info.email)
@@ -75,11 +83,11 @@ def self.from_omniauth(auth)
     current_user
   end
 
-  def self.non_admins
-    User.where.not(role: :admin).where.not(role: :admin_limited_access)
+  def self.non_organizer
+    User.where.not(role: :director).where.not(role: :organizer)
   end
 
   def self.without_questionnaire
-    non_admins.left_outer_joins(:questionnaire).where(questionnaires: { id: nil })
+    non_organizer.left_outer_joins(:questionnaire).where(questionnaires: { id: nil })
   end
 end

app/views/layouts/_header.html.haml

@@ -10,6 +10,8 @@
         = btn_link_to "Home", homepage_url
     .header-nav
       - if user_signed_in?
-        - if current_user.admin? or current_user.admin_limited_access?
+        - if current_user.organizing_staff?
           = btn_link_to "Manage", manage_root_path
+        - elsif current_user.volunteer?
+          = btn_link_to "Manage", manage_checkins_path
         = btn_link_to "Sign Out", destroy_user_session_path, method: :delete

app/views/layouts/manage/_page_title.html.haml

@@ -4,5 +4,5 @@
     - if defined?(subtitle) && subtitle.present?
       %small.text-muted= subtitle
 
-  - if current_user.try(:admin?)
+  - if current_user.try(:director?)
     = yield

app/views/layouts/manage/application.html.haml

@@ -28,20 +28,32 @@
             %h6.sidebar-heading.d-flex.justify-content-between.align-items-center.px-3.mt-4.mb-1.text-muted
               %span
                 = t(:overview, scope: 'layouts.manage.navigation')
-            %ul.nav.flex-column.mb-2
-              %li.nav-item
-                = active_link_to manage_root_path, class: "nav-link", active_children: false do
-                  .fa.fa-area-chart.fa-fw.icon-space-r-half
-                  = t(:title, scope: 'pages.manage.dashboard')
-              %li.nav-item
-                = active_link_to manage_questionnaires_path, class: "nav-link" do
-                  .fa.fa-inbox.fa-fw.icon-space-r-half
-                  = t(:title, scope: 'pages.manage.questionnaires')
-              %li.nav-item
-                = active_link_to manage_messages_path, class: "nav-link" do
-                  .fa.fa-bullhorn.fa-fw.icon-space-r-half
-                  = t(:title, scope: 'pages.manage.messages')
+            - if current_user.organizing_staff?
+              %ul.nav.flex-column.mb-2
+                %li.nav-item
+                  = active_link_to manage_root_path, class: "nav-link", active_children: false do
+                    .fa.fa-area-chart.fa-fw.icon-space-r-half
+                    = t(:title, scope: 'pages.manage.dashboard')
+                %li.nav-item
+                  = active_link_to manage_questionnaires_path, class: "nav-link" do
+                    .fa.fa-inbox.fa-fw.icon-space-r-half
+                    = t(:title, scope: 'pages.manage.questionnaires')
+                %li.nav-item
+                  = active_link_to manage_messages_path, class: "nav-link" do
+                    .fa.fa-bullhorn.fa-fw.icon-space-r-half
+                    = t(:title, scope: 'pages.manage.messages')
+            - elsif current_user.volunteer?
+              %ul.nav.flex-column.mb-2
+                %li.nav-item
+                  = active_link_to manage_checkins_path, class: "nav-link" do
+                    .fa.fa-drivers-license-o.fa-fw.icon-space-r-half
+                    = t(:title, scope: 'pages.manage.check-in')
+                %li.nav-item
+                  = active_link_to manage_questionnaires_path, class: "nav-link" do
+                    .fa.fa-inbox.fa-fw.icon-space-r-half
+                    = t(:title, scope: 'pages.manage.questionnaires')
 
+            - if current_user.organizing_staff?
               %h6.sidebar-heading.d-flex.justify-content-between.align-items-center.px-3.mt-4.mb-1.text-muted
                 %span
                   = t(:logistics, scope: 'layouts.manage.navigation')
@@ -59,20 +71,20 @@
                     .fa.fa-tag.fa-fw.icon-space-r-half
                     = t(:title, scope: 'pages.manage.trackable-tags')
 
-              %h6.sidebar-heading.d-flex.justify-content-between.align-items-center.px-3.mt-4.mb-1.text-muted
-                %span
-                  = t(:travel, scope: 'layouts.manage.navigation')
-              %ul.nav.flex-column.mb-2
-                %li.nav-item
-                  = active_link_to manage_bus_lists_path, class: "nav-link" do
-                    .fa.fa-bus.fa-fw.icon-space-r-half
-                    = t(:title, scope: 'pages.manage.bus-lists')
-                %li.nav-item
-                  = active_link_to manage_schools_path, class: "nav-link" do
-                    .fa.fa-home.fa-fw.icon-space-r-half
-                    = t(:title, scope: 'pages.manage.schools')
+            %h6.sidebar-heading.d-flex.justify-content-between.align-items-center.px-3.mt-4.mb-1.text-muted
+              %span
+                = t(:travel, scope: 'layouts.manage.navigation')
+            %ul.nav.flex-column.mb-2
+              %li.nav-item
+                = active_link_to manage_bus_lists_path, class: "nav-link" do
+                  .fa.fa-bus.fa-fw.icon-space-r-half
+                  = t(:title, scope: 'pages.manage.bus-lists')
+              %li.nav-item
+                = active_link_to manage_schools_path, class: "nav-link" do
+                  .fa.fa-home.fa-fw.icon-space-r-half
+                  = t(:title, scope: 'pages.manage.schools')
 
-            - if current_user.admin?
+            - if current_user.director?
               %h6.sidebar-heading.d-flex.justify-content-between.align-items-center.px-3.mt-4.mb-1.text-muted
                 %span
                   = t(:administration, scope: 'layouts.manage.navigation')