Safer reviewer tokens

lmrodriguezr · lmrodriguezr · commit 615ef111e533 · 2025-05-21T01:54:18.000+02:00
diff --git a/app/controllers/genomes_controller.rb b/app/controllers/genomes_controller.rb
@@ -23,7 +23,6 @@ def index
 
   # GET /genomes/1 or /genomes/1.json
   def show
-    @register ||= @genome.names.first&.register
     @crumbs = [['Genomes', genomes_path], @genome.title('')]
   end
 
@@ -93,10 +92,9 @@ def set_genome
     def set_name
       @name = params[:name].present? ?
                 Name.find(params[:name]) : @genome.names.first
-      if @name.can_view?(current_user) || cookies[:reviewer_token].present?
+
+      if @name&.can_view?(current_user, cookies[:reviewer_token])
         @register = @name.try(:register)
-        @register.current_reviewer_token = cookies[:reviewer_token] if @register
-        @register = nil unless @name.can_view?(current_user)
       end
     end
 
diff --git a/app/controllers/names_controller.rb b/app/controllers/names_controller.rb
@@ -515,13 +515,8 @@ def unobserve
     def set_name
       @name = Name.find(params[:id])
 
-      if @name.can_view?(current_user) || cookies[:reviewer_token].present?
+      if @name&.can_view?(current_user, cookies[:reviewer_token])
         @register = @name.try(:register)
-        @register.current_reviewer_token = cookies[:reviewer_token] if @register
-        @register = nil unless @name.can_view?(current_user)
-      end
-
-      if @name.can_view?(current_user)
         current_user
           &.unseen_notifications
           &.where(notifiable: @name)
diff --git a/app/controllers/registers_controller.rb b/app/controllers/registers_controller.rb
@@ -448,14 +448,15 @@ def reviewer_token_delete
     def set_register
       @no_register_sentinel = true
       @register = Register.find_by(accession: params[:accession])
+
       if params[:token]
         if params[:token] == 'no'
           cookies[:reviewer_token] = nil
         elsif @register.reviewer_token == params[:token]
           cookies[:reviewer_token] = params[:token]
         end
       end
-      @register.current_reviewer_token = cookies[:reviewer_token]
+
       current_user
         &.unseen_notifications
         &.where(notifiable: @register)
@@ -494,7 +495,7 @@ def register_notify_params
     end
 
     def authenticate_can_view!
-      unless @register&.can_view?(current_user)
+      unless @register&.can_view?(current_user, cookies[:reviewer_token])
         flash[:alert] = 'User cannot access register list'
         redirect_to(root_path)
       end
diff --git a/app/controllers/strains_controller.rb b/app/controllers/strains_controller.rb
@@ -74,10 +74,9 @@ def set_strain
   def set_name
     @name = params[:name].present? ?
               Name.find(params[:name]) : @strain.names.first
-    if @name.can_view?(current_user) || cookies[:reviewer_token].present?
+
+    if @name&.can_view?(current_user, cookies[:reviewer_token])
       @register = @name.try(:register)
-      @register.current_reviewer_token = cookies[:reviewer_token] if @register
-      @register = nil unless @name.can_view?(current_user)
     end
   end
 
diff --git a/app/models/name.rb b/app/models/name.rb
@@ -670,9 +670,9 @@ def not_validly_proposed_in?(publication)
 
   # ============ --- USERS --- ============
 
-  def can_view?(user)
+  def can_view?(user, token = nil)
     return true if public?
-    return true if register.try(:current_reviewer_token?)
+    return true if token.present? && token == register.try(:reviewer_token)
 
     (!user.nil?) && (user.curator? || user?(user))
   end
diff --git a/app/models/register.rb b/app/models/register.rb
@@ -53,7 +53,6 @@ class Register < ApplicationRecord
   include Register::SampleSet
 
   attr_accessor :modal_form_id
-  attr_accessor :current_reviewer_token
 
   def to_param
     accession
@@ -122,15 +121,15 @@ def last_submission_date
     [notified_at, submitted_at].compact.max || names.pluck(:submitted_at).max
   end
 
+  def correct_reviewer_token?(token)
+    token.present? && token == reviewer_token
+  end
+
   def user?(user)
     user && user_id == user.id
   end
   alias :created_by? :user?
 
-  def current_reviewer_token?
-    current_reviewer_token.present? && current_reviewer_token == reviewer_token
-  end
-
   def can_edit?(user)
     return false if validated?
     return false unless user
@@ -139,9 +138,9 @@ def can_edit?(user)
     user?(user) # && !submitted
   end
 
-  def can_view?(user)
+  def can_view?(user, token = nil)
     return true if submitted? || validated? || notified?
-    return true if current_reviewer_token?
+    return true if correct_reviewer_token?(token)
     return false unless user
 
     user.curator? || user?(user)
diff --git a/app/models/register/status.rb b/app/models/register/status.rb
@@ -50,7 +50,7 @@ def draft?
   end
 
   def public?
-    can_view? nil
+    can_view?(nil)
   end
 
   def all_endorsed?
diff --git a/app/views/layouts/_sentinel_bar.html.erb b/app/views/layouts/_sentinel_bar.html.erb
@@ -12,8 +12,8 @@
     sentinel_bar[:register] = @register
   end
 
-  if !@no_reviewer_sentinel && @register.present? &&
-      @register.current_reviewer_token?
+  if !@no_reviewer_sentinel &&
+      @register&.correct_reviewer_token?(cookies[:reviewer_token])
     sentinel_bar[:reviewer] = reviewer_token_register_url(@register)
   end
 %>
diff --git a/app/views/names/_citation.html.erb b/app/views/names/_citation.html.erb
@@ -129,7 +129,7 @@
     <%= help_message(@name.status_name) { @name.status_help } %>
   </dd>
 
-  <% if @name.register&.can_view?(current_user) %>
+  <% if @name.register&.can_view?(current_user, cookies[:reviewer_token]) %>
     <dt><%= fa_icon('clipboard-list') %> Register List</dt>
     <dd>
       <%= link_to(@name.register.acc_url, @name.register) %>
