Fix SMS settings JS: add CSP nonce to inline script, update tests for toggle-hidden behavior

The inline script lacked a nonce and was blocked by the enforced CSP (application_controller#set_csp uses a nonce'd script-src), so the toggle and provider-switching handlers never ran. Add the standard content_security_policy_nonce attribute, matching other inline scripts (e.g. scripts/_autosize_field). Update the two original tests that assumed the provider section is always visible, since it is now correctly hidden when SMS is disabled.
2 weeks ago · 921f0c6d4b
parent d4c7a22fa2
commit 921f0c6d4b
2 changed files with 12 additions and 2 deletions
--- a/app/views/sms_settings/index.html.erb
+++ b/app/views/sms_settings/index.html.erb
@ -198,7 +198,7 @@
  <div class="w-0 md:w-52"></div>
 </div>

-<script>
+<script nonce="<%= content_security_policy_nonce %>">
 (function() {
  function ready(fn) {
    if (document.readyState !== 'loading') {
--- a/spec/system/sms_settings_spec.rb
+++ b/spec/system/sms_settings_spec.rb
@ -9,6 +9,16 @@ RSpec.describe 'SMS Settings' do
  end

  it 'shows the SMS settings page with provider form and all provider blocks' do
+    create(:encrypted_config,
+           account:,
+           key: EncryptedConfig::SMS_CONFIGS_KEY,
+           value: {
+             'enabled' => true,
+             'provider' => 'bulkvs',
+             'basic_auth_token' => 'tok',
+             'from_number' => '15551234567'
+           })
+
    visit settings_sms_path

    expect(page).to have_content('SMS')
@ -21,7 +31,7 @@ RSpec.describe 'SMS Settings' do
    visit settings_sms_path

    expect(page).to have_css("input[type='checkbox'].toggle")
-    expect(page).to have_css('select.base-select')
+    expect(page).to have_css('select.base-select', visible: :all)
  end

  it 'shows the save button' do