closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17162 Commits
4 Branches
567 MiB
Tree: 7452a95998
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7452a95998'
${ noResults }
mastodon/app/controllers/auth/registrations_controller.rb

162 lines
4.1 KiB
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
7 years ago
Customizing devise views and controllers
8 years ago
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Fix other sessions not being logged out on password change (#14252) While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
3 years ago
Fix #611 - Layout setting in registrations controller
7 years ago
Customizing devise views and controllers
8 years ago
Add autofollow option to invites (#7805) * Add autofollow option to invites * Trigger CodeClimate rebuild
6 years ago
New admin setting: open/close registrations, with custom message, from the admin UI
7 years ago
Improve code style
7 years ago
Fixed typos
6 years ago
Add overview of active sessions (#3929) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
7 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Set InstancePresenter to `Auth::RegistrationsController#create` (#5366)
6 years ago
Fix styling in /auth/edit (#9117)
5 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Fix settings pages being cacheable by the browser (#12714) Fix #12255
4 years ago
Add server rules to sign-up flow (#19296)
1 year ago
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Customizing devise views and controllers
8 years ago
Add "why do you want to join" field to invite requests (#10524) * Add "why do you want to join" field to invite requests Fix #10512 * Remove unused translations * Fix broken registrations when no invite request text is submitted
5 years ago
Fix Devise destroy method being available to delete user record (#3266) (You may think that we need account deletions, but this way would've just orphaned the db records)
7 years ago
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
4 years ago
Autofix Rubocop Style/IfUnlessModifier (#23697)
1 year ago
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
4 years ago
Customizing devise views and controllers
8 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
4 years ago
pam authentication (#5303) * add pam support, without extra column * bugfixes for pam login * document options * fix code style * fix codestyle * fix tests * don't call remember_me without password * fix codestyle * improve checks for pam usage (should fix tests) * fix remember_me part 1 * add remember_token column because :rememberable requires either a password or this column. * migrate db for remember_token * move pam_authentication to the right place, fix logic bug in edit.html.haml * fix tests * fix pam authentication, improve username lookup, add comment * valid? is sometimes not honored, return nil instead trying to authenticate with pam * update devise_pam_authenticatable2 and adjust code. Fixes sideeffects observed in tests * update devise_pam_authenticatable gem, fixes for codeconventions, fix finding user * codeconvention fixes * code convention fixes * fix idention * update dependency, explicit conflict check * fix disabled password updates if in pam mode * fix check password if password is present, fix templates * block registration if account is maintained by pam * Revert "block registration if account is maintained by pam" This reverts commit 8e7a083d650240b6fac414926744b4b90b435f20. * fix identation error introduced by rebase * block usernames maintained by pam * document pam settings better * fix code style
6 years ago
Customizing devise views and controllers
8 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Add honeypot fields and minimum fill-out time for sign-up form (#15276) * Add honeypot fields to limit non-specialized spam Add two honeypot fields: a fake website input and a fake password confirmation one. The label/placeholder/aria-label tells not to fill them, and they are hidden in CSS, so legitimate users should not fall into these. This should cut down on some non-Mastodon-specific spambots. * Require a 3 seconds delay before submitting the registration form * Fix tests * Move registration form time check to model validation * Give people a chance to clear the honeypot fields * Refactor honeypot translation strings Co-authored-by: Claire <claire.github-309c@sitedethib.com>
3 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Improve code style
7 years ago
Customizing devise views and controllers
8 years ago
Fix single name variables on controller folder (#20092) Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com> Co-authored-by: petrokoriakin1 <116151189+petrokoriakin1@users.noreply.github.com> Co-authored-by: Effy Elden <effy@effy.space>
1 year ago
Customizing devise views and controllers
8 years ago
Moving Salmon notifications to background processing, fixing mini-profiler behaviour with Turbolinks enabled, optimizing Rabl for production
8 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Customizing devise views and controllers
8 years ago
Add single user mode
7 years ago
If signed in, redirect autofollow invite to profile page (#7956) Fix #7944
5 years ago
Fix #390 - fix redirect after sign-up (to login page instead of homepage)
7 years ago
Add confirmation step for email changes (#6071) * Add confirmation step for email changes This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner. Fixes #3871 * Add review fixes
6 years ago
New admin setting: open/close registrations, with custom message, from the admin UI
7 years ago
Add ability to block sign-ups from IP (#19037)
1 year ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Admission-based registrations mode (#10250) Fix #6856 Fix #6951
5 years ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Add OMNIAUTH_ONLY environment variable to enforce externa log-in (#17288) * Remove support for OAUTH_REDIRECT_AT_SIGN_IN Fixes #15959 Introduced in #6540, OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form to instead redirect to the external OmniAuth login provider. However, it did not prevent the log-in form on /about introduced by #10232 from appearing, and completely broke with the introduction of #15228. As I restoring that previous log-in flow without introducing a security vulnerability may require extensive care and knowledge of how OmniAuth works, this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time being. * Add OMNIAUTH_ONLY environment variable to enforce external log-in only * Disable user registration when OMNIAUTH_ONLY is set to true * Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2 years ago
Add ability to block sign-ups from IP (#19037)
1 year ago
Add consumable invites (#5814) * Add consumable invites * Add UI for generating invite codes * Add tests * Display max uses and expiration in invites table, delete invite * Remove unused column and redundant validator - Default follows not used, probably bad idea - InviteCodeValidator is redundant because RegistrationsController checks invite code validity * Add admin setting to disable invites * Add admin UI for invites, configurable role for invite creation - Admin UI that lists everyone's invites, always available - Admin setting min_invite_role to control who can invite people - Non-admin invite UI only visible if users are allowed to * Do not remove invites from database, expire them instantly
6 years ago
Add single user mode
7 years ago
New admin setting: open/close registrations, with custom message, from the admin UI
7 years ago
Fix #611 - Layout setting in registrations controller
7 years ago
New admin setting: open/close registrations, with custom message, from the admin UI
7 years ago
Finalized theme loading and stuff
6 years ago
sign_in and sign_up views present og meta infos (#5308)
6 years ago
Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo
5 years ago
Fix styling in /auth/edit (#9117)
5 years ago
Compensate for scrollbar disappearing when media modal visible (#8100) * Compensate for scrollbar disappearing when media modal visible Make auth pages backgrounds lighter * Fix typo
5 years ago
Add autofollow option to invites (#7805) * Add autofollow option to invites * Trigger CodeClimate rebuild
6 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Add autofollow option to invites (#7805) * Add autofollow option to invites * Trigger CodeClimate rebuild
6 years ago
Fix #611 - Layout setting in registrations controller
7 years ago
Add overview of active sessions (#3929) * Add overview of active sessions * Better display of browser/platform name * Improve how browser information is stored and displayed for sessions overview * Fix test
7 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Change old moderation strikes to be displayed in a separate page (#17566) * Change old moderation strikes to be displayed in a separate page Fixes #17552 This changes the moderation strikes displayed on `/auth/edit` to be those from the past 3 months, and make all moderation strikes targeting the current user available in `/disputes`. * Add short description of what the strikes page is for * Move link to list of strikes to “Account status” instead of navigation item * Normalize i18n file * Fix layout and styling of strikes link * Revert highlights_on regexp * Reintroduce account status summary - this way, “Account status” is never empty - account status is not necessarily bound to strikes, or recent strikes
2 years ago
Add appeals (#17364) * Add appeals * Add ability to reject appeals and ability to browse pending appeals in admin UI * Add strikes to account page in settings * Various fixes and improvements - Add separate notification setting for appeals, separate from reports - Fix style of links in report/strike header - Change approving an appeal to not restore statuses (due to federation complexities) - Change style of successfully appealed strikes on account settings page - Change account settings page to only show unappealed or recently appealed strikes * Change appealed_at to overruled_at * Fix missing method error
2 years ago
Change unconfirmed user login behaviour (#11375) Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account. Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review. After sign up, login users straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses. Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
4 years ago
Fix settings pages being cacheable by the browser (#12714) Fix #12255
4 years ago
Add server rules to sign-up flow (#19296)
1 year ago
Fix invites (#19560) Fixes #19507 Fix regression from #19296
1 year ago
Add server rules to sign-up flow (#19296)
1 year ago
Fix settings pages being cacheable by the browser (#12714) Fix #12255
4 years ago
Add 'private' to Cache-Control, match Rails expectations (#20608) Several controlers set quite intricate Cache-Control headers in order to hopefully not be cached by any intermediate proxies or local caches. Unfortunately, these headers are processed by ActionDispatch::HTTP::Cache in a way that squashes and discards any values set alongside no-store other than private: https://github.com/rails/rails/blob/8015c2c2cf5c8718449677570f372ceb01318a32/actionpack/lib/action_dispatch/http/cache.rb#L207-L209 We want to preserve no-store on these responses, but we might as well remove parts that are going to be dropped anyway. As many of the endpoints in these controllers are private to a particular user, we should also add "private", which will be preserved alongside no-store.
1 year ago
Fix settings pages being cacheable by the browser (#12714) Fix #12255
4 years ago
Customizing devise views and controllers
8 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. class Auth::RegistrationsController < Devise::RegistrationsController
  4.   include RegistrationSpamConcern
  5. 

  6.   layout :determine_layout
  7. 

  8.   before_action :set_invite, only: [:new, :create]
  9.   before_action :check_enabled_registrations, only: [:new, :create]
  10.   before_action :configure_sign_up_params, only: [:create]
  11.   before_action :set_pack
  12.   before_action :set_sessions, only: [:edit, :update]
  13.   before_action :set_strikes, only: [:edit, :update]
  14.   before_action :set_instance_presenter, only: [:new, :create, :update]
  15.   before_action :set_body_classes, only: [:new, :create, :edit, :update]
  16.   before_action :require_not_suspended!, only: [:update]
  17.   before_action :set_cache_headers, only: [:edit, :update]
  18.   before_action :set_rules, only: :new
  19.   before_action :require_rules_acceptance!, only: :new
  20.   before_action :set_registration_form_time, only: :new
  21. 

  22.   skip_before_action :require_functional!, only: [:edit, :update]
  23. 

  24.   def new
  25.     super(&:build_invite_request)
  26.   end
  27. 

  28.   def destroy
  29.     not_found
  30.   end
  31. 

  32.   def update
  33.     super do |resource|
  34.       resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
  35.     end
  36.   end
  37. 

  38.   protected
  39. 

  40.   def update_resource(resource, params)
  41.     params[:password] = nil if Devise.pam_authentication && resource.encrypted_password.blank?
  42. 

  43.     super
  44.   end
  45. 

  46.   def build_resource(hash = nil)
  47.     super(hash)
  48. 

  49.     resource.locale                 = I18n.locale
  50.     resource.invite_code            = params[:invite_code] if resource.invite_code.blank?
  51.     resource.registration_form_time = session[:registration_form_time]
  52.     resource.sign_up_ip             = request.remote_ip
  53. 

  54.     resource.build_account if resource.account.nil?
  55.   end
  56. 

  57.   def configure_sign_up_params
  58.     devise_parameter_sanitizer.permit(:sign_up) do |user_params|
  59.       user_params.permit({ account_attributes: [:username, :display_name], invite_request_attributes: [:text] }, :email, :password, :password_confirmation, :invite_code, :agreement, :website, :confirm_password)
  60.     end
  61.   end
  62. 

  63.   def after_sign_up_path_for(_resource)
  64.     auth_setup_path
  65.   end
  66. 

  67.   def after_sign_in_path_for(_resource)
  68.     set_invite
  69. 

  70.     if @invite&.autofollow?
  71.       short_account_path(@invite.user.account)
  72.     else
  73.       super
  74.     end
  75.   end
  76. 

  77.   def after_inactive_sign_up_path_for(_resource)
  78.     new_user_session_path
  79.   end
  80. 

  81.   def after_update_path_for(_resource)
  82.     edit_user_registration_path
  83.   end
  84. 

  85.   def check_enabled_registrations
  86.     redirect_to root_path if single_user_mode? || omniauth_only? || !allowed_registrations? || ip_blocked?
  87.   end
  88. 

  89.   def allowed_registrations?
  90.     Setting.registrations_mode != 'none' || @invite&.valid_for_use?
  91.   end
  92. 

  93.   def omniauth_only?
  94.     ENV['OMNIAUTH_ONLY'] == 'true'
  95.   end
  96. 

  97.   def ip_blocked?
  98.     IpBlock.where(severity: :sign_up_block).where('ip >>= ?', request.remote_ip.to_s).exists?
  99.   end
  100. 

  101.   def invite_code
  102.     if params[:user]
  103.       params[:user][:invite_code]
  104.     else
  105.       params[:invite_code]
  106.     end
  107.   end
  108. 

  109.   private
  110. 

  111.   def set_pack
  112.     use_pack %w(edit update).include?(action_name) ? 'admin' : 'auth'
  113.   end
  114. 

  115.   def set_instance_presenter
  116.     @instance_presenter = InstancePresenter.new
  117.   end
  118. 

  119.   def set_body_classes
  120.     @body_classes = %w(edit update).include?(action_name) ? 'admin' : 'lighter'
  121.   end
  122. 

  123.   def set_invite
  124.     @invite = begin
  125.       invite = Invite.find_by(code: invite_code) if invite_code.present?
  126.       invite if invite&.valid_for_use?
  127.     end
  128.   end
  129. 

  130.   def determine_layout
  131.     %w(edit update).include?(action_name) ? 'admin' : 'auth'
  132.   end
  133. 

  134.   def set_sessions
  135.     @sessions = current_user.session_activations
  136.   end
  137. 

  138.   def set_strikes
  139.     @strikes = current_account.strikes.recent.latest
  140.   end
  141. 

  142.   def require_not_suspended!
  143.     forbidden if current_account.suspended?
  144.   end
  145. 

  146.   def set_rules
  147.     @rules = Rule.ordered
  148.   end
  149. 

  150.   def require_rules_acceptance!
  151.     return if @rules.empty? || (session[:accept_token].present? && params[:accept] == session[:accept_token])
  152. 

  153.     @accept_token = session[:accept_token] = SecureRandom.hex
  154.     @invite_code  = invite_code
  155. 

  156.     set_locale { render :rules }
  157.   end
  158. 

  159.   def set_cache_headers
  160.     response.headers['Cache-Control'] = 'private, no-store'
  161.   end
  162. end