Update action in InvitationsController ignores conditions and triggers inappropriate validations on User model

[thibaudclement]

I am building a Rails 7 application, with Devise to manage authentication, and Devise Invitable to manage invitations (on the User model).

When a user receives an invite and clicks on the invitation link, they are redirected to the invitations/edit view, where they are able to sign up, by creating a password (their email address is auto-populated in the email field).

Because I have implemented a multi-step signup process, users are not required to provide a name and select a role until after they have confirmed their email address (i.e. confirmed? is true), or in the case of users who sign up from an invite, after they have accepted their invite (which confirms their account automatically behind the scenes).

Therefore, in the User model, I have the following validation:

validates :name, presence: true, if: :confirmed?
validates :role, presence: true, if: :confirmed?

This works as expected for users who sign up on their own (i.e. users who do not sign up from an invite), since Devise's registrations/new (i.e. the create action of the RegistrationsController) successfully ignores validation on the :name and :roleattributes until the user is confirmed?.

However, this does not work as expected for users who sign up from an invite, since Devise Invitable's invitations/edit (i.e. the update action of the InvitationsController) seem to enforce the validation on the :name and :role of the user even when the user is not confirmed?, which results in the following error:

Errors: ["Name can't be blank", "Role can't be blank"]
Completed 422 Unprocessable Entity

As a consequence, the form in invitations/edit is served again to the user, with the password field cleared, and the user is not updated, and the user has no way of providing a name or a role, since those are (again) not required until after they have confirmed their email address (or accepted an invitation, when signing up from an invite, which confirms their email address behind the scenes).

Here is what I have tried to avoid this issue so far, to no avail:

• Experiment with many variations of the conditions of the validations (checking for the value of invitation_token, invitation_accepted_at, persisted, etc.) to try and ignore those validations, but no matter what I do, it seems that the validations are triggered anyway, only and always in the case of a user who signs up from an invite, i.e. in invitations/edit.
• Implement a custom context in the controller that manages the step-by-step signup flow to only trigger validations on the step that requires the user to provide their name and role, but that did work out either.

Here are some approaches I refrained from employing:

• Using @user.assign_attributes(user_params) instead of @user.update(user_params) in the update action of the controller that handles the step-by-step signup flow: I am concerned about unforeseen ramifications of such a solution.
• Bypassing the validations in the update action of the InvitationsController by using the update_columns method, as again, I am concerned about unforeseen ramifications of skipping all validations and callbacks.

Am I missing something obvious, is this an known issue, or is there a bug somewhere? I am ears for suggestions to fix or work around this.

[scambra]

I think the good way is your first attempt, adding conditions to validations. There are some methods on invitable: accepting_invitation?, invitation_accepted?, accepted_or_not_invited?.

I can think 2 ways, although I haven't tested:

• adding :accepted_or_not_invited?, which will return true after invitation is accepted, but not while invitation is being accepted. It will probably return true for registered users before they confirm, so you should keep :confirmed? too: if: [:confirmed?, :accepted_or_not_invited?]
• adding unless: :accepting_invitation? so it will skip those validations while invitation is being accepted.

[thibaudclement]

@scambra thank you very much for your response : I did not even have to try your second suggestion, because the first worked right away, like a charm.

So, if it's any helpful for anyone else, to solve this issue, in the User model, I replaced:

validates :name, presence: true, if: :confirmed?
validates :role, presence: true, if: :confirmed?

with:

validates :name, presence: true, if: [:confirmed?, :accepted_or_not_invited?]
validates :role, presence: true, if: [:confirmed?, :accepted_or_not_invited?]