From f848f073aab88b542a9b5688c741a93d46979b12 Mon Sep 17 00:00:00 2001
From: Wabo <admin@wabo.cc>
Date: Tue, 2 Jun 2026 08:18:44 -0400
Subject: [PATCH] Fix CI failures: omniauth config, users#index auth, missing
 logo partials

- Add Google OAuth2 provider config to devise initializer (was lost in upstream sync)
- Add explicit admin authorization check for UsersController#index
- Create _wabosign_logo partials for start_form and submit_form (were renamed by rebrand-sync but files never created)
---
 app/controllers/users_controller.rb           |  2 ++
 app/views/start_form/_wabosign_logo.html.erb  |  6 ++++++
 app/views/submit_form/_wabosign_logo.html.erb |  4 ++++
 config/initializers/devise.rb                 | 19 +++++++++++++++++++
 4 files changed, 31 insertions(+)
 create mode 100644 app/views/start_form/_wabosign_logo.html.erb
 create mode 100644 app/views/submit_form/_wabosign_logo.html.erb

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 69b20db5..e95b6364 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -7,6 +7,8 @@ class UsersController < ApplicationController
   authorize_resource :user, only: %i[new create]
 
   def index
+    authorize!(:manage, current_account)
+
     @users =
       if params[:status] == 'archived'
         @users.archived.where.not(role: 'integration')
diff --git a/app/views/start_form/_wabosign_logo.html.erb b/app/views/start_form/_wabosign_logo.html.erb
new file mode 100644
index 00000000..f65f6686
--- /dev/null
+++ b/app/views/start_form/_wabosign_logo.html.erb
@@ -0,0 +1,6 @@
+<a href="/" class="flex justify-center items-center">
+  <span class="mr-3">
+    <%= render 'shared/logo', width: '50px', height: '50px' %>
+  </span>
+  <h1 class="text-5xl font-bold text-center">WaboSign</h1>
+</a>
diff --git a/app/views/submit_form/_wabosign_logo.html.erb b/app/views/submit_form/_wabosign_logo.html.erb
new file mode 100644
index 00000000..c633f860
--- /dev/null
+++ b/app/views/submit_form/_wabosign_logo.html.erb
@@ -0,0 +1,4 @@
+<a href="<%= root_path %>" class="mx-auto text-2xl md:text-3xl font-bold items-center flex space-x-3">
+  <%= render 'shared/logo', class: 'w-9 h-9 md:w-12 md:h-12' %>
+  <span><%= Wabosign.product_name %></span>
+</a>
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index efa97448..c51bee29 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -334,6 +334,25 @@ Devise.setup do |config|
   # changed. Defaults to true, so a user is signed in automatically after changing a password.
   # config.sign_in_after_change_password = true
 
+  # NB: Wabosign-the-module relies on Rails.root, which isn't available yet
+  # when this initializer runs. Read ENV directly here so the omniauth strategy
+  # can be registered at boot. Controllers/models access the same values via
+  # Wabosign::GOOGLE_* once Rails is fully initialized.
+  google_client_id = ENV.fetch('GOOGLE_CLIENT_ID', nil)
+  google_client_secret = ENV.fetch('GOOGLE_CLIENT_SECRET', nil)
+  if google_client_id.present? && google_client_secret.present?
+    config.omniauth :google_oauth2,
+                    google_client_id,
+                    google_client_secret,
+                    {
+                      scope: 'email,profile',
+                      prompt: 'select_account',
+                      access_type: 'online',
+                      hd: ENV.fetch('GOOGLE_ALLOWED_DOMAINS', '')
+                              .split(',').map(&:strip).reject(&:empty?).presence
+                    }
+  end
+
   ActiveSupport.run_load_hooks(:devise_config, config)
 end
 # rubocop:enable Metrics/BlockLength