Enhance invitation handling by processing event invitation tokens and updating privacy checks

rsmithlal · rsmithlal · commit e0ee11db6239 · 2025-09-07T20:15:17.000-02:30
diff --git a/app/controllers/better_together/events_controller.rb b/app/controllers/better_together/events_controller.rb
@@ -126,6 +126,37 @@ def find_invitation_by_token
       )
     end
 
+    # Process event invitation tokens before inherited (ApplicationController) callbacks
+    # so we can bypass platform privacy checks for valid event invitations and
+    # return 404 for invalid tokens when the platform is private.
+    # prepend_before_action :process_event_invitation_for_privacy, only: %i[show]
+
+    # Override privacy check to handle event-specific invitation tokens.
+    # This keeps event lookup logic inside the events controller and avoids
+    # embedding event knowledge in ApplicationController.
+    def check_platform_privacy
+      # If host platform is public or user is signed in, let ApplicationController handle it
+      return super if helpers.host_platform.privacy_public? || current_user.present?
+
+      token = params[:invitation_token].presence || params[:token].presence
+      if token.present? && params[:id].present?
+        invitation = ::BetterTogether::EventInvitation.pending.not_expired.find_by(token: token)
+        if invitation
+          # Valid invitation: set locale and allow access
+          I18n.locale = invitation.locale if invitation.locale.present?
+          session[:locale] = I18n.locale
+          return true
+        else
+          # Invalid token for this event on a private platform: render 404
+          render_not_found
+          return
+        end
+      end
+
+      # Fall back to ApplicationController implementation for other cases
+      super
+    end
+
     private
 
     # rubocop:todo Metrics/MethodLength
diff --git a/app/controllers/better_together/invitations_controller.rb b/app/controllers/better_together/invitations_controller.rb
@@ -3,7 +3,8 @@
 module BetterTogether
   class InvitationsController < ApplicationController # rubocop:todo Style/Documentation
     # skip_before_action :authenticate_user!
-    before_action :find_invitation_by_token
+    prepend_before_action :find_invitation_by_token
+    skip_before_action :check_platform_privacy, if: -> { @invitation.present? }
 
     def show
       @event = @invitation.invitable if @invitation.is_a?(BetterTogether::EventInvitation)
@@ -55,7 +56,7 @@ def decline # rubocop:todo Metrics/MethodLength
     private
 
     def find_invitation_by_token
-      token = params[:token].to_s
+      token = params[:invitation_token].presence || params[:token].presence
       @invitation = BetterTogether::Invitation.pending.not_expired.find_by(token: token)
       render_not_found unless @invitation
     end
@@ -81,10 +82,5 @@ def ensure_authenticated!
 
       redirect_to redirect_path, notice: redirect_notice
     end
-
-    def set_event_invitation_from_session
-      # This ensures @event_invitation is available in ApplicationController
-      @event_invitation = @invitation if @invitation.is_a?(BetterTogether::EventInvitation)
-    end
   end
 end
