From 921f0c6d4ba54c90b5458a418596c3a592da2cf0 Mon Sep 17 00:00:00 2001
From: Wabo <admin@wabo.cc>
Date: Wed, 3 Jun 2026 17:59:03 -0400
Subject: [PATCH] Fix SMS settings JS: add CSP nonce to inline script, update
 tests for toggle-hidden behavior

The inline script lacked a nonce and was blocked by the enforced CSP
(application_controller#set_csp uses a nonce'd script-src), so the toggle
and provider-switching handlers never ran. Add the standard
content_security_policy_nonce attribute, matching other inline scripts
(e.g. scripts/_autosize_field). Update the two original tests that assumed
the provider section is always visible, since it is now correctly hidden
when SMS is disabled.
---
 app/views/sms_settings/index.html.erb |  2 +-
 spec/system/sms_settings_spec.rb      | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/app/views/sms_settings/index.html.erb b/app/views/sms_settings/index.html.erb
index 806d700d..0913f91e 100644
--- a/app/views/sms_settings/index.html.erb
+++ b/app/views/sms_settings/index.html.erb
@@ -198,7 +198,7 @@
   <div class="w-0 md:w-52"></div>
 </div>
 
-<script>
+<script nonce="<%= content_security_policy_nonce %>">
 (function() {
   function ready(fn) {
     if (document.readyState !== 'loading') {
diff --git a/spec/system/sms_settings_spec.rb b/spec/system/sms_settings_spec.rb
index 2e418160..171aaf61 100644
--- a/spec/system/sms_settings_spec.rb
+++ b/spec/system/sms_settings_spec.rb
@@ -9,6 +9,16 @@ RSpec.describe 'SMS Settings' do
   end
 
   it 'shows the SMS settings page with provider form and all provider blocks' do
+    create(:encrypted_config,
+           account:,
+           key: EncryptedConfig::SMS_CONFIGS_KEY,
+           value: {
+             'enabled' => true,
+             'provider' => 'bulkvs',
+             'basic_auth_token' => 'tok',
+             'from_number' => '15551234567'
+           })
+
     visit settings_sms_path
 
     expect(page).to have_content('SMS')
@@ -21,7 +31,7 @@ RSpec.describe 'SMS Settings' do
     visit settings_sms_path
 
     expect(page).to have_css("input[type='checkbox'].toggle")
-    expect(page).to have_css('select.base-select')
+    expect(page).to have_css('select.base-select', visible: :all)
   end
 
   it 'shows the save button' do