* add named signing order values and defer to template signing order
* the enum changes and the default in submission.rb don't REALLY matter since almost all of our changes in future commits defer to templates.
* add template methods to know how many actual submitters there are and add complex default logic based on when fields are added or removed.
For example: If only 1 employee field it's single sided. If we add a manager field it automatically changes to employee_then_manager unless manually changed to a different dual sided. If either field is removed, it automatically switches back to single_sided
* enforce new signing order logic
- replace submitters_order_preserved? with signing_order_enforced? in send_signature_requests
- add manager_then_employee branch to send_signature_requests to send to second submitter first, while we don't send out emails with Docuseal, there are changes further down the line required
- skip submitters without fields for single_sided in create_from_submitters, this is mostly necessary for single_sided manager forms
- refactor current_submitter_order? to reverse submitter_items for manager_then_employee instead of special-casing index
* wire up named signing order through controllers
* when saving a template, check if preferences have changed, if it has changed, fire webhook event.
* changes in templates_controller.rb are for automatic updates based on field types. So if only 1 field type (employee fields only) this automatically updates
* template_preferences_controller.rb handles manual updates to signing order from user
* add signing order UI
- add SigningOrderModal component for selecting signing order from within the template builder
- show signing order button in builder toolbar only when template has 2+ submitter fields
* add template.preferences_updated webhook job
* add template.preferences_updated webhook support
- add template.preferences_updated to account default webhook events
- guard account create_careerplug_webhook against missing CAREERPLUG_WEBHOOK_URL env var
- create partnership-scoped webhook for template.preferences_updated on partnership creation
- add template.preferences_updated to WebhookUrl::EVENTS
- update PARTNERSHIP_EVENTS to only include template.preferences_updated
- return WebhookUrl.none instead of raising for templates with neither account nor partnership
- extend webhooks:setup_development rake task to create partnership webhooks
* rubocop and rspec fixes
* erb_lint violation fixes
* harden webhooks with account_id and partnership_id in payload
* we're requiring two points of contact in the db for multitenancy
* use external account id to match correctly in webhook payload
* PR comments
* handle submitter UUID not matching correctly with flash alert that surfaces to user
* add more testing for simultaneous and single sided orders
* add comment for skipping Devise auth for Iframe auth
* refactor template webhook enqueue to a shared concern
* use safe navigation for first_party name
* make default submitters_order value consistent between `lib/submissions.rb` and `submission.rb`
* more descriptive error message for signing order error
* update to non-predicate method for rubocop
we used to just return true or false, but we are using nil to signify that the submitter uuid is not found for the controller so the error can be surfaced to the user.
* erb_lint formatting fix
* PR comment changes
* change current_submitter_order to validate_submitter_order for clarity
* add translations
This pull request enhances the audit logging capabilities within DocuSeal to granularly track user actions and data changes.
Key Changes:
* User Attribution: Added user_id to SubmissionEvent to identify exactly who performed an action.
* Granular Change Tracking: Implemented a new form_update event type that records specific field changes, capturing both previous and new values (from -> to).
* Enhanced Exports & Webhooks: Updated ExportSubmissionService and SendFormCompletedWebhookRequestJob to include detailed form values and the full submission event history in their outputs.
* Refactoring: Updated controllers and services to propagate the current_user context for accurate tracking.
* Testing: Added specs to verify the correct recording of form field updates and data integrity in exports.
- Extract complex ATS prefill logic from PrefillFieldsHelper into dedicated AtsPrefill service
- Create modular service objects: FieldExtractor, FieldMapper, ValueMerger, and CacheManager
- Implement proper caching strategy with Rails.cache for performance optimization
- Add comprehensive test coverage for all new service components
- Maintain backward compatibility through facade methods in PrefillFieldsHelper
- Improve security by validating field name patterns and sanitizing inputs
- Enhance performance with optimized field lookup caching
BREAKING CHANGE: PrefillFieldsHelper now delegates to AtsPrefill service layer. Direct usage of helper methods remains unchanged, but internal implementation has been refactored.
* Add external_id fields to accounts and users tables
Adds external_account_id and external_user_id fields to support
integration with external ATS systems. These fields will map
DocuSeal accounts/users to their corresponding ATS entities.
* Add external ID support to Account and User models
Implements find_or_create_by_external_id methods for both Account
and User models to support automatic provisioning from external
ATS systems. Users now have access tokens for authentication.
* Add external authentication API endpoint
Creates /api/external_auth/get_user_token endpoint for external API systems
to authenticate users and receive access tokens.
* Refactor authentication to support token-based login
Replaces demo user authentication and setup redirect logic with token-based authentication via params, session, or X-Auth-Token header.
Users do not login, they are just authenticated via token.
* Replace authenticate_user! with authenticate_via_token!
Refactored controllers to use authenticate_via_token! instead of authenticate_user! for authentication. Added authenticate_via_token! method to ApiBaseController.
* Update controller authentication and authorization logic
Removed and replaced several before_action and authorization checks in ExportController, SetupController, and TemplateDocumentsController.
* Add external authentication API endpoint
* Add IframeAuthentication concern for AJAX requests in iframe context
* Create shared concern to handle authentication from HTTP referer
* Extracts auth token from referer URL when AJAX requests don't include token
* Supports Vue component requests within iframes
* Remove old user authentication from dashboard controller
* Quick fix for request changes
Now that we have scoped users, we're changing this to compare to the template authot
* rubocop fixes
* Add and update authentication and model specs
Introduces new specs for iframe authentication, account, user, application controller, and external auth API.
* add safe navigation and remove dead method
- Replace present? check with blank? for better nil handling
- Add input size validation to prevent DoS attacks (64KB limit)
- Fix string formatting and indentation in audit logging
- Optimize caching with proper error handling for Redis failures
- Simplify conditional logic in field value merging
- Add frozen string literal comments for Ruby 3.4 compatibility
- Improve test coverage with better mocking and assertions
Security improvements include input validation and audit logging for ATS prefill usage tracking.
- Add input size limits (64KB for encoded, 32KB for decoded JSON) to prevent DoS attacks
- Implement audit logging for ATS prefill usage tracking
- Add caching layer for field UUID lookups with 30-minute TTL
- Optimize field resolution with O(1) lookup cache instead of O(n) search
- Add comprehensive error handling and logging throughout prefill pipeline
- Validate ATS field names against allowed patterns with security checks
- Add Base64-encoded JSON parameter support for ATS prefill values
- Implement field mapping between ATS field names and template field UUIDs
- Enhance merge logic to preserve existing submitter values while adding ATS prefill data
- Add comprehensive error handling for invalid Base64 and JSON parsing
- Update form rendering to use merged ATS values for prefill functionality
- Add integration tests for complete ATS prefill workflow
Add support for fetching prefill values from ATS system when task_assignment_id parameter is provided. This includes:
- New ATS API integration in PrefillFieldsHelper to fetch prefill values
- Cache layer for ATS prefill values with 30-minute TTL
- Merge logic to respect existing submitter values over ATS prefill values
- Error handling and logging for ATS API failures
- Integration with SubmitFormController to fetch values before form rendering
The feature allows forms to be pre-populated with candidate data from the ATS system while preserving any values already entered by submitters.
Ryan Arakawa
Bernardo Anderson
Bernardo Anderson
Pete Matsyburka
Pete Matsyburka
Oleksandr Turchyn
DocuSeal
Alex Turchyn