Refactor authentication token for new study-group-based authorization

app/controllers/application_controller.rb

@@ -48,7 +48,15 @@ class ApplicationController < ActionController::Base
 
     if token.expire_at.future?
       token.update(expire_at: Time.zone.now)
-      auto_login(token.user)
+      session[:study_group_id] = token.study_group_id
+
+      # Sorcery Login only works for InternalUsers
+      return auto_login(token.user) if token.user.is_a? InternalUser
+
+      # All external users are logged in "manually"
+      session[:external_user_id] = token.user.id
+      session.delete(:lti_parameters_id)
+      token.user
     end
   end
 

app/controllers/subscriptions_controller.rb

@@ -55,9 +55,10 @@ class SubscriptionsController < ApplicationController
   def subscription_params
     current_user_id = current_user.try(:id)
     current_user_class_name = current_user.try(:class).try(:name)
+    study_group_id = current_user.try(:current_study_group_id)
     if params[:subscription].present?
       params[:subscription].permit(:request_for_comment_id, :subscription_type).merge(user_id: current_user_id,
-        user_type: current_user_class_name, deleted: false)
+        user_type: current_user_class_name, study_group_id: study_group_id, deleted: false)
     end
   end
   private :subscription_params

app/mailers/user_mailer.rb

@@ -20,7 +20,7 @@ class UserMailer < ApplicationMailer
 
   def got_new_comment(comment, request_for_comment, commenting_user)
     # TODO: check whether we can take the last known locale of the receiver?
-    token = AuthenticationToken.generate!(request_for_comment.user)
+    token = AuthenticationToken.generate!(request_for_comment.user, request_for_comment.submission.study_group)
     @receiver_displayname = request_for_comment.user.displayname
     @commenting_user_displayname = commenting_user.displayname
     @comment_text = ERB::Util.html_escape comment.text
@@ -32,7 +32,7 @@ class UserMailer < ApplicationMailer
   end
 
   def got_new_comment_for_subscription(comment, subscription, from_user)
-    token = AuthenticationToken.generate!(subscription.user)
+    token = AuthenticationToken.generate!(subscription.user, subscription.study_group)
     @receiver_displayname = subscription.user.displayname
     @author_displayname = from_user.displayname
     @comment_text = ERB::Util.html_escape comment.text
@@ -45,7 +45,7 @@ class UserMailer < ApplicationMailer
   end
 
   def send_thank_you_note(request_for_comment, receiver)
-    token = AuthenticationToken.generate!(receiver)
+    token = AuthenticationToken.generate!(receiver, request_for_comment.submission.study_group)
     @receiver_displayname = receiver.displayname
     @author = request_for_comment.user.displayname
     @thank_you_note = ERB::Util.html_escape request_for_comment.thank_you_note

app/models/authentication_token.rb

@@ -6,11 +6,12 @@ class AuthenticationToken < ApplicationRecord
   include Creation
   belongs_to :study_group, optional: true
 
-  def self.generate!(user)
+  def self.generate!(user, study_group)
     create!(
       shared_secret: SecureRandom.hex(32),
       user: user,
-      expire_at: 7.days.from_now
+      expire_at: 7.days.from_now,
+      study_group: study_group
     )
   end
 end