fixed merge conflict related to bump to ruby 2.3.4

.ruby-version

@@ -1 +1,3 @@
-2.3.1
+
+2.3.4
+

DOCKER.md

@@ -1,6 +1,23 @@
 # Running Klaxon with Docker
 
-*This guide is a work in progress.*
+## Development Quickstart
+
+1. Run the following commands:
+
+```
+docker-compose up -d database
+docker-compose build app
+docker-compose run app rake db:create db:migrate
+docker-compose run app rake users:create_admin
+docker-compose up app
+open http://localhost:3000
+```
+
+2. Enter '[email protected]' in the email window. It should redirect you to a page that says: "Email Sent".
+
+3. In the console find where it says "Go to Dashboard ( ... )" and copy and paste the link into the browser.
+
+4. You'll now be logged in. The page should say "Watch Your First Item".
 
 ## Expected environmental variables
 
@@ -20,10 +37,10 @@ If you would like to use [Amazon SES](https://aws.amazon.com/ses/) instead to se
 DATABASE_URL=
 SECRET_KEY_BASE=
 ADMIN_EMAILS=
-SMTP_PROVIDER=AMAZON_SES
-AMAZON_SES_ADDRESS=
-AMAZON_SES_USERNAME=
-AMAZON_SES_PASSWORD=
-AMAZON_SES_DOMAIN=
-EMAIL_FROM_ADDRESS=
+SMTP_PROVIDER=SES
+SES_ADDRESS=
+SES_USERNAME=
+SES_PASSWORD=
+SES_DOMAIN=
+MAILER_FROM_ADDRESS=
 ```

Dockerfile

@@ -1,4 +1,6 @@
-FROM ruby:2.3.1
+
+FROM ruby:2.3.4
+
 
 # throw errors if Gemfile has been modified since Gemfile.lock
 RUN bundle config --global frozen 1
@@ -19,9 +21,6 @@ RUN bundle install
 
 COPY . /usr/src/app
 
-ENV RACK_ENV "production"
-ENV RAILS_ENV "production"
-
 EXPOSE 3000
 ENTRYPOINT ["kubernetes-secret-env"]
 CMD ["bundle", "exec", "puma", "-C", "config/puma.rb"]

Gemfile

@@ -1,5 +1,6 @@
 source 'https://rubygems.org'
-ruby '~> 2.3.0'
+
+ruby '2.3.4'
 
 gem 'rails', '4.2.5.1'
 gem 'pg', '~> 0.15'

Gemfile.lock

@@ -309,7 +309,9 @@ DEPENDENCIES
   webmock
 
 RUBY VERSION
-   ruby 2.3.2p217
+
+   ruby 2.3.4p301
+
 
 BUNDLED WITH
-   1.13.6
+   1.14.6

NEWSROOMS.md

@@ -0,0 +1,24 @@
+# News organizations using Klaxon
+
+* Associated Press
+* Austin American-Statesman
+* Axios
+* Dallas Morning News
+* FiveThirtyEight
+* Fusion
+* Gizmodo
+* KBIA, in Columbia, Mo.
+* The Marshall Project
+* NBC Los Angeles
+* The New York Times
+* Omaha World-Herald
+* ProPublica
+* Reveal from the Center for Investigative Reporting
+* SBS News, Australia
+* Seattle Times
+* Texas Tribune
+* Verdens Gang AS in Oslo, Norway
+* Vermont Public Radio
+* Washington Post
+
+If you know of others who are finding Klaxon useful, please let us know with an email to klaxon-reports[at]themarshallproject[dot]org

README.md

@@ -12,7 +12,7 @@ Read more below, or say hello to the humans behind the project at the [Google Gr
 
 ## Alerting journalists to changes on the web
 
-Built and refined in the newsroom of [The Marshall Project](https://www.themarshallproject.org/), Klaxon has provided our journalists with many news tips, giving us early warnings and valuable time to pursue stories. Klaxon has been used and tested by journalists at The Marshall Project, The New York Times, the Texas Tribune, the Associated Press and elsewhere. The public release of this free and open source software was supported by Knight-Mozilla [OpenNews](https://opennews.org/). [If you need help using Klaxon once it's already been set up, [you can find it here.](https://github.com/themarshallproject/klaxon/blob/master/data/help.md)]
+Built and refined in the newsroom of [The Marshall Project](https://www.themarshallproject.org/), Klaxon has provided our journalists with many news tips, giving us early warnings and valuable time to pursue stories. Klaxon has been used and tested by journalists at The Marshall Project, The New York Times, the Texas Tribune, the Associated Press [and elsewhere](NEWSROOMS.md). The public release of this free and open source software was supported by Knight-Mozilla [OpenNews](https://opennews.org/). [If you need help using Klaxon once it's already been set up, [you can find it here.](https://github.com/themarshallproject/klaxon/blob/master/data/help.md)]
 
 [![Circle CI](https://circleci.com/gh/themarshallproject/klaxon.svg?style=svg)](https://circleci.com/gh/themarshallproject/klaxon)
 
@@ -74,6 +74,10 @@ Once you’re logged in, you should see the main page that will fill up in the c
 
 On the right side of the page, click the “Create New User” button. Add the reporter’s first and last name and email address, and she will get an email allowing her into the Klaxon. Now, finally, you and your users can start adding web pages you want Klaxon to watch.
 
+#### Limit new users to only those on specific email domain(s)
+
+By default, people with any email address can be added as new users. If you'd like to allow only users with *specific* email domains, set the `APPROVED_USER_DOMAINS` environment variable (or "Config Variable" in Heroku's lingo). That variable should be a comma-separated list of domains, e.g., `themarshallproject.org,nsa.gov`.
+
 ### Notify a Slack channel
 
 You’re all set for email notifications. If you’d like to also receive alerts through Slack, you can set that up now too. (If you want alerts from other services, [we welcome pull requests](CONTRIBUTING.md)) Click on the “Settings” button in the upper right corner of the page and choose “Integrations” from the menu. On the Integrations page, click the “Create Slack Integration” button. You can add an integration for any number of channels in your newsroom’s Slack. For each one, you just have to set up an Incoming Webhook. In Slack, click on the dropdown arrow in the upper left corner and choose “Apps & Integrations” from the menu. This will open a new window in your browser for you to search the Slack app directory. In the search box, type “Incoming Webhooks” and choose that option when it pops up. If you already have webhooks, you’ll see a button next to your Slack organization’s name that says “Configure.” Otherwise, click the green button that says “Install”.
@@ -111,12 +115,14 @@ The core contributors to Klaxon have been Ivar Vong, Andy Rossback, Tom Meagher
 
 We've been grateful for additional contributions to the project from:
 
-* Ryan Murphy
-* Jeremy Merrill
+* Jackson Gothe-Snape, SBS News
 * Emily Hopkins
-* Ari Shapell
 * Yolanda Martinez
-* Jackson Gothe-Snape, SBS News
+* Jeremy Merrill
+* Ryan Murphy
+* Justin Myers
+* Ari Shapell
+* Jeremy Singer-Vine
 * Mike Stucka
 * Bob Weston
 

app/assets/stylesheets/static.scss

@@ -12,7 +12,7 @@ a {
   border-bottom: 2px solid #ff0b3a;
 }
 
-a:hover, a:focus {
+a:not(.btn):hover, a:focus {
   color: #ff0b3a;
   text-decoration: none;
   border-bottom: 2px solid #ff0b3a;
@@ -86,6 +86,10 @@ table tbody tr td:last-child, table thead tr td:last-child  {
   color: #ff0b3a;
 }
 
+.form-check-box {
+  margin-bottom: 10px !important;
+}
+
 .btn {
   border-radius: 0 !important;
   border: 1px solid #ff0b3a;

app/controllers/sessions_controller.rb

@@ -5,7 +5,7 @@ def new
   end
 
   def create
-    user = User.find_by(email: params[:email])
+    user = User.find_by("LOWER(email) = ?", params[:email].downcase)
     if user.nil?
       redirect_to unknown_user_path and return false
     end
@@ -17,14 +17,24 @@ def create
 
   def token
     user = LoginToken.decode(token: params[:token])
-
     if user.present?
-      cookies.signed[:user_id] = { value: user.id, expires: 7.days.from_now, httponly: true }
-      redirect_to root_path
+      if user[:expired]
+        redirect_to expired_token_path(user[:user].id)
+      else
+        cookies.signed[:user_id] = { value: user.id, expires: 7.days.from_now, httponly: true }
+        redirect_to root_path
+      end
     else
       redirect_to unknown_user_path
     end
   end
+
+  def unknown_user
+  end
+
+  def expired_token
+    @user = User.find(params[:user_id].to_i)
+  end
 
   def destroy
     cookies.delete(:user_id)

app/controllers/static_controller.rb

@@ -1,15 +1,11 @@
 class StaticController < ApplicationController
-  before_filter :authorize, except: [:unknown_user]
 
   def help
     path = File.join(Rails.root, 'data', 'help.md')
     markdown = File.read(path)
     @html = Kramdown::Document.new(markdown).to_html
   end
 
-  def unknown_user
-  end
-
   def feed
   end
 

app/controllers/users_controller.rb

@@ -16,10 +16,12 @@ def show
   # GET /users/new
   def new
     @user = User.new
+    @current_user = current_user
   end
 
   # GET /users/1/edit
   def edit
+    @current_user = current_user
   end
 
   # POST /users
@@ -37,6 +39,11 @@ def create
 
   # PATCH/PUT /users/1
   def update
+    if user_params[:is_admin] && !@user.is_admin && !current_user.is_admin
+      redirect_to edit_user_url(@user), notice: 'You must be an admin to promote users.'
+      return false
+    end
+
     if @user.update(user_params)
       redirect_to users_url, notice: 'User was successfully updated.'
     else
@@ -46,6 +53,12 @@ def update
 
   # DELETE /users/1
   def destroy
+    unless current_user.is_admin
+      redirect_to edit_user_url(@user), notice: 'You must be an admin to delete users.'
+      return false
+    end
+
+    @user.subscriptions.destroy_all
     @user.destroy
     redirect_to users_url, notice: 'User was successfully deleted.'
   end
@@ -58,6 +71,6 @@ def set_user
 
     # Only allow a trusted parameter "white list" through.
     def user_params
-      params.require(:user).permit(:first_name, :last_name, :email)
+      params.require(:user).permit(:first_name, :last_name, :email, :is_admin)
     end
 end

app/lib/login_token.rb

@@ -18,9 +18,24 @@ def self.decode(token: nil)
     end
 
     begin
-      payload, _config = JWT.decode(token, self.secret_key, 'HS256')
+      payload, _config = JWT.decode(token, self.secret_key, true, { algorithm: 'HS256' })
     rescue JWT::ExpiredSignature
-      return false
+      # If the token has expired, try again to decode it, but with expiration
+      # checking turned off, so we can tell who tried to log in.
+      begin
+        payload, _config = JWT.decode(token, self.secret_key, true, { algorithm: 'HS256', verify_expiration: false })
+
+        user_id = payload['data']['user_id']
+        user = User.find_by(id: user_id)
+
+        if user.blank?
+          return false
+        else
+          return { user: user, expired: true }
+        end
+      rescue JWT::DecodeError
+        return false
+      end
     end
 
     user_id = payload['data']['user_id']

app/models/user.rb

@@ -1,5 +1,6 @@
 class User < ActiveRecord::Base
   validates :email, length: { minimum: 3 }, uniqueness: { case_sensitive: false }
+  validate :email_domain_is_approved, on: [ :create, :update ]
   has_many :pages
 
   def full_name
@@ -15,7 +16,7 @@ def subscriptions
   end
 
   def watching
-    subscriptions.map(&:watching)
+    subscriptions.map(&:watching).compact
   end
 
   def subscribe(watchable)
@@ -37,4 +38,22 @@ def send_notification(change)
     ChangeMailer.page(change: change, user: self).deliver_later
   end
 
+  def email_domain_is_approved
+    if not (email || '').include?('@')
+      errors.add(:email, 'Email address is invalid.')
+      return false
+    end
+
+    user_domain = email.strip.split('@')[-1].downcase
+    approved_domains = (ENV['APPROVED_USER_DOMAINS'] || '').strip.downcase.split(',')
+
+    approve_any_domain = approved_domains.length == 0
+    domain_is_approved = approved_domains.include?(user_domain)
+
+    if not (approve_any_domain or domain_is_approved)
+      errors.add(:email, 'Email address belongs to a non-approved domain.')
+      return false
+    end
+  end
+
 end

app/views/sessions/_login_form.html.erb

@@ -0,0 +1,26 @@
+  <div class="klax-section klax-spacer-lg">
+    <div class="container">
+      <div class="row">
+        <div class="col-md-12">
+          <form class="form-horizontal" method="POST" action="<%= create_session_path(return_to: params[:return_to]) %>">
+            <input name="authenticity_token" value="<%= form_authenticity_token %>" type="hidden">
+            <div class="form-group form-group-lg">
+              <div class="col-md-3">
+              </div>
+              <label class="col-sm-1">Email</label>
+              <div class="col-md-5">
+                <div class="input-group">
+                  <input name="email" class="form-control" value="<% if @user != nil %><%= @user.email %><% end %>" type="text" id="formGroupInputLarge">
+                  <span class="input-group-btn">
+                    <button class="btn btn-default btn-lg" type="submit">Login</button>
+                  </span>
+                </div>
+              </div>
+              <div class="col-md-3">
+              </div>
+            </div>
+          </form>
+        </div>
+      </div>
+    </div>
+  </div>

app/views/sessions/expired_token.html.erb

@@ -0,0 +1,17 @@
+<style>
+  #navbar { display: none !important; }
+</style>
+
+  <div class="klax-section klax-topper">
+    <div class="container">
+      <div class="row">
+        <div class="col-md-12">
+          <h1>Klaxon Login Expired</h1>
+        </div>
+      </div>
+      <div class="col-md-12">
+        <p class="lead">The login or invitation for <%= @user.email %> has expired. Please request a new invitation below.</p>
+      </div>
+      <%= render 'sessions/login_form.html.erb' %>
+    </div><!-- /.container -->
+  </div>