From 34433c0575bf66e3fc7f9afd664ee72d0aec4def Mon Sep 17 00:00:00 2001 From: Pete Matsyburka Date: Sun, 11 May 2025 16:11:02 +0300 Subject: [PATCH] adjust conditions --- .../api/templates_clone_controller.rb | 2 +- .../submissions_archived_controller.rb | 4 +--- .../submissions_dashboard_controller.rb | 4 +--- app/controllers/templates_controller.rb | 4 +--- .../templates_dashboard_controller.rb | 12 +++++++----- app/javascript/elements/dashboard_dropzone.js | 1 + app/javascript/elements/toggle_visible.js | 2 +- app/models/submitter.rb | 2 +- app/views/icons/_lock_access.html.erb | 8 +------- config/locales/i18n.yml | 6 ++++++ lib/abilities/template_conditions.rb | 19 ++++++++++++------- lib/ability.rb | 6 ++---- 12 files changed, 35 insertions(+), 35 deletions(-) diff --git a/app/controllers/api/templates_clone_controller.rb b/app/controllers/api/templates_clone_controller.rb index e7e1db7e..7879abfd 100644 --- a/app/controllers/api/templates_clone_controller.rb +++ b/app/controllers/api/templates_clone_controller.rb @@ -5,7 +5,7 @@ module Api load_and_authorize_resource :template def create - authorize!(:manage, @template) + authorize!(:create, @template) ActiveRecord::Associations::Preloader.new( records: [@template], diff --git a/app/controllers/submissions_archived_controller.rb b/app/controllers/submissions_archived_controller.rb index 3c3f49b6..f71638c7 100644 --- a/app/controllers/submissions_archived_controller.rb +++ b/app/controllers/submissions_archived_controller.rb 
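Review bot: The `authorize!(:create, @template)` in `create` asks whether the caller may create the source template, whereas the action reads that template and creates a copy; it works only because the new Ability grants `read`, `create` and `update` under one shared condition. A comment would keep the next reader from "fixing" it back to `:manage`, which no longer matches any Template rule once `can :manage, Template` is removed: `# :create is granted by the same own-or-shared condition as :read; :manage no longer applies to Template`. Note also that under the new rules a template shared from another account with `manage` ability appears to become cloneable through this endpoint, which the old `:manage` check refused — confirm that is intended. The rest of `create` continues outside the hunk.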
@@ -7,9 +7,7 @@ class SubmissionsArchivedController < ApplicationController @submissions = @submissions.joins(:template) @submissions = @submissions.where.not(archived_at: nil) .or(@submissions.where.not(templates: { archived_at: nil })) - .preload(:created_by_user, template: :author) - - @submissions = @submissions.preload(:template_accesses) unless current_user.role.in?(%w[admin superadmin]) + .preload(:template_accesses, :created_by_user, template: :author) @submissions = Submissions.search(@submissions, params[:q], search_template: true) @submissions = Submissions::Filter.call(@submissions, current_user, params) diff --git a/app/controllers/submissions_dashboard_controller.rb b/app/controllers/submissions_dashboard_controller.rb index 3403d22c..3386edd8 100644 --- a/app/controllers/submissions_dashboard_controller.rb +++ b/app/controllers/submissions_dashboard_controller.rb @@ -8,9 +8,7 @@ class SubmissionsDashboardController < ApplicationController @submissions = @submissions.where(archived_at: nil) .where(templates: { archived_at: nil }) - .preload(:created_by_user, template: :author) - - @submissions = @submissions.preload(:template_accesses) unless current_user.role.in?(%w[admin superadmin]) + .preload(:template_accesses, :created_by_user, template: :author) @submissions = Submissions.search(@submissions, params[:q], search_template: true) @submissions = Submissions::Filter.call(@submissions, current_user, params) diff --git a/app/controllers/templates_controller.rb b/app/controllers/templates_controller.rb index 3010d4ab..6eb91ed8 100644 --- a/app/controllers/templates_controller.rb +++ b/app/controllers/templates_controller.rb 
@@ -21,9 +21,7 @@ class TemplatesController < ApplicationController submissions.order(id: :desc) end - submissions = submissions.preload(:template_accesses) unless current_user.role.in?(%w[admin superadmin]) - - @pagy, @submissions = pagy(submissions.preload(submitters: :start_form_submission_events)) + @pagy, @submissions = pagy(submissions.preload(:template_accesses, submitters: :start_form_submission_events)) rescue ActiveRecord::RecordNotFound redirect_to root_path end diff --git a/app/controllers/templates_dashboard_controller.rb b/app/controllers/templates_dashboard_controller.rb index 0bd9a2be..319b0297 100644 --- a/app/controllers/templates_dashboard_controller.rb +++ b/app/controllers/templates_dashboard_controller.rb @@ -45,13 +45,15 @@ class TemplatesDashboardController < ApplicationController rel = templates.active.preload(:author, :template_accesses) if params[:q].blank? - if Docuseal.multitenant? && !current_account.testing? - rel = rel.where(folder_id: current_account.default_template_folder.id) - else - shared_template_ids = - TemplateSharing.where(account_id: [current_account.id, TemplateSharing::ALL_ID]).select(:template_id) + if Docuseal.multitenant? ? current_account.testing? : current_account.linked_account_account + shared_account_ids = [current_user.account_id] + shared_account_ids << TemplateSharing::ALL_ID if !Docuseal.multitenant? && !current_account.testing? + + shared_template_ids = TemplateSharing.where(account_id: shared_account_ids).select(:template_id) rel = rel.where(folder_id: current_account.default_template_folder.id).or(rel.where(id: shared_template_ids)) + else + rel = rel.where(folder_id: current_account.default_template_folder.id) end end diff --git a/app/javascript/elements/dashboard_dropzone.js b/app/javascript/elements/dashboard_dropzone.js index 8112735f..b99c00ff 100644 --- a/app/javascript/elements/dashboard_dropzone.js +++ b/app/javascript/elements/dashboard_dropzone.js 
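Review bot: The new branch in `TemplatesDashboardController` mixes `current_user.account_id` (seeding `shared_account_ids`) with `current_account` (the `testing?`/`linked_account_account` gate and the folder lookup); if those two can ever differ, the sharing lookup and the folder filter are evaluated against different accounts. Keying the whole branch on one account, `shared_account_ids = [current_account.id]`, avoids that, assuming they are meant to be the same. The guard `Docuseal.multitenant? ? current_account.testing? : current_account.linked_account_account` is also hard to read as an `if` condition; extracting a predicate or adding a comment such as `# multitenant: only testing accounts see shared templates; self-hosted: only linked accounts do` would document the intent. The enclosing method starts before the hunk.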
@@ -60,6 +60,7 @@ export default targetable(class extends HTMLElement { dragPreview.style.width = `${rect.width}px` dragPreview.style.height = `${height}px` dragPreview.style.position = 'absolute' + dragPreview.style.top = '-1000px' dragPreview.style.pointerEvents = 'none' dragPreview.style.opacity = '0.9' diff --git a/app/javascript/elements/toggle_visible.js b/app/javascript/elements/toggle_visible.js index b7d29a9c..d93fdaf5 100644 --- a/app/javascript/elements/toggle_visible.js +++ b/app/javascript/elements/toggle_visible.js @@ -5,7 +5,7 @@ export default actionable(class extends HTMLElement { const elementIds = JSON.parse(this.dataset.elementIds) elementIds.forEach((elementId) => { - document.getElementById(elementId).classList.toggle('hidden', event.target.value !== elementId) + document.getElementById(elementId).classList.toggle('hidden', (event.target.dataset.toggleId || event.target.value) !== elementId) }) } }) diff --git a/app/models/submitter.rb b/app/models/submitter.rb index 45e38292..91322f96 100644 --- a/app/models/submitter.rb +++ b/app/models/submitter.rb @@ -54,7 +54,7 @@ class Submitter < ApplicationRecord has_many_attached :documents has_many_attached :attachments has_many_attached :preview_documents - has_many :template_accesses, through: :template + has_many :template_accesses, through: :submission has_many :email_events, as: :emailable, dependent: (Docuseal.multitenant? ? nil : :destroy) has_many :document_generation_events, dependent: :destroy diff --git a/app/views/icons/_lock_access.html.erb b/app/views/icons/_lock_access.html.erb index 7915748a..2ea5bebc 100644 --- a/app/views/icons/_lock_access.html.erb +++ b/app/views/icons/_lock_access.html.erb @@ -1,9 +1,3 @@ - - - - - - - + diff --git a/config/locales/i18n.yml b/config/locales/i18n.yml index d1d18c69..893fe39c 100644 --- a/config/locales/i18n.yml +++ b/config/locales/i18n.yml 
@@ -21,6 +21,7 @@ en: &en language_ja: 日本語 hi_there: Hi there thanks: Thanks + private: Private bcc_recipients: BCC recipients resend_pending: Re-send pending always_enforce_signing_order: Always enforce the signing order @@ -823,6 +824,7 @@ en: &en read: Read your data es: &es + private: Privado resend_pending: Reenviar pendiente ensure_unique_recipients: Asegurar destinatarios únicos require_phone_2fa_to_open: Requiere 2FA por teléfono para abrir @@ -1627,6 +1629,7 @@ es: &es read: Leer tus datos it: &it + private: Privato resend_pending: Reinvia in sospeso ensure_unique_recipients: Assicurarsi destinatari unici require_phone_2fa_to_open: Richiedi l'autenticazione a due fattori tramite telefono per aprire @@ -2430,6 +2433,7 @@ it: &it read: Leggi i tuoi dati fr: &fr + private: Privé resend_pending: Renvoyer en attente ensure_unique_recipients: Assurer l'unicité des destinataires require_phone_2fa_to_open: Requiert une 2FA par téléphone pour ouvrir @@ -3235,6 +3239,7 @@ fr: &fr read: Lire vos données pt: &pt + private: Privado resend_pending: Re-enviar pendente ensure_unique_recipients: Garantir destinatários únicos require_phone_2fa_to_open: Necessário autenticação de dois fatores via telefone para abrir @@ -4040,6 +4045,7 @@ pt: &pt read: Ler seus dados de: &de + private: Privat resend_pending: Ausstehende erneut senden ensure_unique_recipients: Stellen Sie einzigartige Empfänger sicher require_phone_2fa_to_open: Telefon-2FA zum Öffnen erforderlich diff --git a/lib/abilities/template_conditions.rb b/lib/abilities/template_conditions.rb index 4a7ebf04..e39019b2 100644 --- a/lib/abilities/template_conditions.rb +++ b/lib/abilities/template_conditions.rb 
@@ -5,26 +5,31 @@ module Abilities module_function def collection(user, ability: nil) - template_ids = Template.where(account_id: user.account_id).select(:id) + templates = Template.where(account_id: user.account_id) + + return templates unless user.account.testing? shared_ids = - TemplateSharing.where({ ability:, - account_id: [user.account_id, TemplateSharing::ALL_ID] }.compact) + TemplateSharing.where({ ability:, account_id: [user.account_id, TemplateSharing::ALL_ID] }.compact) .select(:template_id) - join_query = Template.arel_table - .join(Arel::Nodes::TableAlias.new(template_ids.arel.union(shared_ids.arel), 'union_ids')) - .on(Template.arel_table[:id].eq(Arel::Table.new(:union_ids)[:id])) + join_query = + Template.arel_table + .join(Arel::Nodes::TableAlias.new(templates.select(:id).arel.union(shared_ids.arel), 'union_ids')) + .on(Template.arel_table[:id].eq(Arel::Table.new(:union_ids)[:id])) Template.joins(join_query.join_sources.first) end def entity(template, user:, ability: nil) + return true if template.account_id.blank? return true if template.account_id == user.account_id + return false unless user.account.linked_account_account + return false if template.template_sharings.to_a.blank? account_ids = [user.account_id, TemplateSharing::ALL_ID] - template.template_sharings.any? do |e| + template.template_sharings.to_a.any? do |e| e.account_id.in?(account_ids) && (ability.nil? || e.ability == 'manage' || e.ability == ability) end end diff --git a/lib/ability.rb b/lib/ability.rb index 960a8beb..a721e089 100644 --- a/lib/ability.rb +++ b/lib/ability.rb 
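Review bot: `collection` and `entity` now gate shared-template access on different predicates — `collection` returns early unless `user.account.testing?`, while `entity` returns false unless `user.account.linked_account_account` — and `Ability` uses the former as the rule scope and the latter as the instance check. If the two predicates can diverge, a testing account without a linked account lists shared templates it is then denied on, and a linked non-testing account can be authorized on a template the index never shows; unless they are equivalent by construction, both methods should call one shared predicate (for example a `shared_templates?(user)` helper) so listing and authorization cannot drift apart. Separately, `return true if template.account_id.blank?` grants any user access to any template whose `account_id` is nil; if that is only meant for unsaved records, `return true if template.new_record?` (or a comment stating the assumption) makes the intent explicit and narrower. `collection` also still includes `TemplateSharing::ALL_ID` shares unconditionally, whereas `TemplatesDashboardController` in this same commit excludes `ALL_ID` on multitenant installs, so it is worth confirming the authorization scope is not wider than what the dashboard lists.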
@@ -4,13 +4,11 @@ class Ability include CanCan::Ability def initialize(user) - can :manage, Template, account_id: user.account_id - - can %i[read update create], Template, - Abilities::TemplateConditions.collection(user) do |template| + can %i[read create update], Template, Abilities::TemplateConditions.collection(user) do |template| Abilities::TemplateConditions.entity(template, user:, ability: 'manage') end + can :destroy, Template, account_id: user.account_id can :manage, TemplateFolder, account_id: user.account_id can :manage, TemplateSharing, template: { account_id: user.account_id } can :manage, Submission, account_id: user.account_id
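Review bot: Dropping `can :manage, Template, account_id: user.account_id` means a `can?(:manage, template)` or `authorize!(:manage, template)` query no longer succeeds even for the user's own templates, since, as far as I know, CanCan only matches a `:manage` query against rules that themselves grant `:manage`; the API clone controller was adjusted in this commit, but any other call site still checking `:manage` on a Template would now be denied. Own-account templates are now reachable only through `Abilities::TemplateConditions.collection(user)` and `entity`, so the rule set deserves a comment spelling out the split, e.g. `# read/create/update: own account plus shared templates (see TemplateConditions); destroy: own account only`. `initialize` continues past the end of the hunk.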