Always require a fully authenticated user for controllers

There are only a few exceptions when no authenticated user is needed. The app's behavior shouldn't be touched by this commit, it is rather a refactoring and safeguard.

Author: MrSerth

app/controllers/application_controller.rb

@@ -13,11 +13,13 @@ class ApplicationController < ActionController::Base
   LEGAL_SETTINGS = CodeOcean::Config.new(:code_ocean).read[:legal] || {}
   MONITORING_USER_AGENT = /updown\.io/
 
-  before_action :deny_access_from_render_host
+  before_action :require_fully_authenticated_user!
+  before_action :deny_access_from_render_host, prepend: true
   after_action :verify_authorized, except: %i[welcome]
-  around_action :mnemosyne_trace
-  around_action :switch_locale
+  around_action :mnemosyne_trace, prepend: true
+  around_action :switch_locale, prepend: true
   before_action :set_sentry_context, :load_embed_options, :set_document_policy
+  skip_before_action :require_fully_authenticated_user!, only: %i[welcome]
   protect_from_forgery(with: :exception, prepend: true)
   rescue_from Pundit::NotAuthorizedError, with: :render_not_authorized
   rescue_from ActiveRecord::RecordNotFound, with: :render_not_found
@@ -48,7 +50,7 @@ def welcome
 
   private
 
-  def require_user!
+  def require_fully_authenticated_user!
     raise Pundit::NotAuthorizedError unless current_user
   end
 

app/controllers/code_ocean/files_controller.rb

@@ -11,7 +11,7 @@ class FilesController < ApplicationController
     skip_before_action :deny_access_from_render_host, only: :render_protected_upload
     skip_before_action :verify_authenticity_token, only: :render_protected_upload
     skip_before_action :set_sentry_context, only: :render_protected_upload
-    before_action :require_user!, except: :render_protected_upload
+    skip_before_action :require_fully_authenticated_user!, only: :render_protected_upload
 
     # In case the .realpath cannot resolve a file (for example because it is no longer available)
     rescue_from Errno::ENOENT, with: :render_not_found

app/controllers/community_solutions_controller.rb

@@ -5,7 +5,6 @@ class CommunitySolutionsController < ApplicationController
   include RedirectBehavior
   include SubmissionParameters
 
-  before_action :require_user!
   before_action :set_community_solution, only: %i[edit update]
   before_action :set_community_solution_lock, only: %i[edit]
   before_action :set_exercise_and_submission, only: %i[edit update]

app/controllers/events_controller.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 class EventsController < ApplicationController
-  before_action :require_user!
-
   def create
     @event = Event.new(event_params)
     authorize!

app/controllers/exercises_controller.rb

@@ -19,6 +19,7 @@ class ExercisesController < ApplicationController
   before_action :set_available_tips, only: %i[implement show new edit]
 
   skip_before_action :verify_authenticity_token, only: %i[import_task import_uuid_check]
+  skip_before_action :require_fully_authenticated_user!, only: %i[import_task import_uuid_check]
   skip_after_action :verify_authorized, only: %i[import_task import_uuid_check]
   skip_after_action :verify_policy_scoped, only: %i[import_task import_uuid_check], raise: false
 

app/controllers/external_users_controller.rb

@@ -3,8 +3,6 @@
 class ExternalUsersController < ApplicationController
   include TimeHelper
 
-  before_action :require_user!
-
   def authorize!
     authorize(@user || @users)
   end

app/controllers/flowr_controller.rb

@@ -2,7 +2,6 @@
 
 class FlowrController < ApplicationController
   def insights
-    require_user!
     # get the latest submission for this user that also has a test run (i.e. structured_errors if applicable)
     submission = Submission.joins(:testruns)
       .where(submissions: {contributor: current_contributor})

app/controllers/internal_users_controller.rb

@@ -3,12 +3,12 @@
 class InternalUsersController < ApplicationController
   include CommonBehavior
 
-  before_action :require_user!, except: %i[activate forgot_password reset_password]
   before_action :require_activation_token, only: :activate
   before_action :require_reset_password_token, only: :reset_password
   before_action :set_user, only: MEMBER_ACTIONS + %i[change_password]
   before_action :collect_set_and_unset_study_group_memberships, only: MEMBER_ACTIONS + %i[create]
-  after_action :verify_authorized, except: %i[activate forgot_password reset_password]
+  skip_before_action :require_fully_authenticated_user!, only: %i[activate forgot_password reset_password]
+  skip_after_action :verify_authorized, only: %i[activate forgot_password reset_password]
 
   def activate
     set_up_password if request.patch? || request.put?

app/controllers/live_streams_controller.rb

@@ -9,7 +9,7 @@ class LiveStreamsController < ApplicationController
   skip_before_action :deny_access_from_render_host, only: :download_submission_file
   skip_before_action :verify_authenticity_token, only: :download_submission_file
   skip_before_action :set_sentry_context, only: :download_submission_file
-  before_action :require_user!, except: :download_submission_file
+  skip_before_action :require_fully_authenticated_user!, only: :download_submission_file
 
   def download_submission_file
     @submission = AuthenticatedUrlHelper.retrieve!(Submission, request)

app/controllers/ping_controller.rb

@@ -2,7 +2,8 @@
 
 class PingController < ApplicationController
   before_action :postgres_connected!, :runner_manager_healthy!
-  after_action :verify_authorized, except: %i[index]
+  skip_before_action :require_fully_authenticated_user!, only: %i[index]
+  skip_after_action :verify_authorized, only: %i[index]
 
   def index
     render json: {