Merge upstream/final-form into master

Incorporates WIP alternative measurement form (single select form with
multiple select actions) and readouts controller.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/assets/stylesheets/application.css

@@ -57,16 +57,7 @@
 :focus-visible {
   outline: none;
 }
-/* NOTE: move to higher priority layer instead of using !important? */
+
-[disabled] {
-  border-color: var(--color-border-gray) !important;
-  color: var(--color-border-gray) !important;
-  /* NOTE: cannot set cursor with `pointer-events: none`; can be fixed by setting
-   * `cursor` on wrapping element.
-  cursor: not-allowed; */
-  fill: var(--color-border-gray) !important;
-  pointer-events: none !important;
-}
 /* [hidden] submit elements cannot have `display` set as it makes them visible. */
 [hidden] {
   display: none !important;
@@ -99,6 +90,13 @@ textarea {
   border-radius: 0.25em;
   padding: 0.2em 0.4em;
 }
+[name=cancel],
+.auxiliary {
+  border-color: var(--color-border-gray);
+  color: var(--color-nav-gray);
+  fill: var(--color-nav-gray);
+}
+input[type=checkbox],
 svg,
 textarea {
   margin: 0;
@@ -117,8 +115,8 @@ input[type=checkbox]:checked {
   appearance: checkbox;
   -webkit-appearance: checkbox;
 }
-/* Hide spin buttons of <input type=number>. */
+/* Hide spin buttons in input number fields */
-/* TODO: add spin buttons inside <input type=number>: before (-) and after (+) input. */
+/* TODO: add spin buttons inside input[number]: before (-) and after (+) input */
 input[type=number] {
   appearance: textfield;
   -moz-appearance: textfield;
@@ -348,6 +346,7 @@ header {
 }
 
 
+/* TODO: Hover over invalid should work like in measurements (thin vs thick border) */
 .labeled-form {
   align-items: center;
   display: grid;
@@ -384,7 +383,7 @@ header {
 .labeled-form .auxiliary {
   grid-column: 3;
   /* If more buttons are needed, `grid-row` can be replaced with
-   * `reading-flow: grid-columns` to ensure proper [tabindex] order. */
+   * `reading-flow: grid-columns` to ensure proper tabindex order */
   grid-row: 1;
   height: 100%;
   padding-block: 0;
@@ -546,6 +545,7 @@ table .button {
   color: var(--color-table-gray);
 }
 
+
 form table.items {
   border: none;
 }
@@ -575,17 +575,11 @@ form table select {
   display: flex;
   gap: 0.8em;
 }
-.hflex.reverse {
-  flex-direction: row-reverse;
-}
 .hflex.centered {
   justify-content: center;
 }
-.hint {
+.vexpand {
-  color: var(--color-table-gray);
+  width: 100%;
-  font-style: italic;
-  font-size: 0.9rem;
-  text-align: center;
 }
 .vflex {
   display: flex;

app/controllers/application_controller.rb

@@ -26,6 +26,18 @@ class ApplicationController < ActionController::Base
   #   Turbo will reload 2nd time with HTML format and flashes will be lost.
   rescue_from *ActionDispatch::ExceptionWrapper.rescue_responses.keys, with: :rescue_turbo
 
+  # Required by #respond_with (gem `responders`) used by Devise controllers.
+  respond_to :html, :turbo_stream
+
+  def after_sign_in_path_for(resource)
+    # TODO: allow setting path per-user or save last path in session and restore
+    units_path
+  end
+
+  def after_sign_out_path_for(resource)
+    new_user_session_path
+  end
+
   protected
 
   def current_user_disguised?

app/controllers/readouts_controller.rb

@@ -1,16 +1,23 @@
 class ReadoutsController < ApplicationController
-  before_action :find_quantities, only: [:new]
+  before_action :find_quantity, only: [:new, :discard]
-  before_action :find_quantity, only: [:discard]
   before_action :find_prev_quantities, only: [:new, :discard]
 
   def new
-    @quantities -= @prev_quantities
+    new_quantities =
-    # TODO: raise ParameterInvalid if new_quantities.empty?
+      case params[:button]
-    @readouts = current_user.readouts.build(@quantities.map { |q| {quantity: q} })
+      when 'children'
+        @quantity.subquantities
+      when 'subtree'
+        @quantity.progenies
+      else
+        [@quantity]
+      end
+    new_quantities -= @prev_quantities
+    @readouts = current_user.readouts.build(new_quantities.map { |q| {quantity: q} })
 
     @user_units = current_user.units.ordered
 
-    quantities = @prev_quantities + @quantities
+    quantities = @prev_quantities + new_quantities
     @superquantity = current_user.quantities
       .common_ancestors(quantities.map(&:parent_id)).first
   end
@@ -24,9 +31,6 @@ class ReadoutsController < ApplicationController
 
   private
 
-  def find_quantities
-    @quantities = current_user.quantities.find(params[:quantity])
-  end
 
   def find_quantity
     @quantity = current_user.quantities.find_by!(id: params[:id])

app/controllers/user/profiles_controller.rb

@@ -1,6 +1,4 @@
-class RegistrationsController < Devise::RegistrationsController
+class User::ProfilesController < Devise::RegistrationsController
-  before_action :authenticate_user!, only: [:edit, :update, :destroy]
-
   def destroy
     if current_user.sole_admin?
       redirect_back fallback_location: edit_user_registration_path,

app/controllers/users_controller.rb

@@ -37,7 +37,7 @@ class UsersController < ApplicationController
   end
 
   # NOTE: limited actions availabe to :admin by design. Users are meant to
-  # manage their accounts by themselves through registrations. :admin
+  # manage their accounts by themselves through profiles. :admin
   # is allowed to sign-in (disguise) as user and make changes from there.
 
   protected

app/javascript/application.js

@@ -37,6 +37,18 @@ window.detailsObserver = new MutationObserver((mutations) => {
   mutations[0].target.dispatchEvent(new Event('change', {bubbles: true}))
 });
 
+function formValidate(event) {
+  var id = event.submitter.getAttribute("data-validate")
+  if (!id) return;
+
+  var input = document.getElementById(id)
+  if (!input.checkValidity()) {
+    input.reportValidity()
+    event.preventDefault()
+  }
+}
+window.formValidate = formValidate
+
 
 /* Turbo stream actions */
 Turbo.StreamElement.prototype.disableElement = function(element) {

app/views/measurements/_form.html.erb

@@ -1,28 +1,23 @@
-<%= tabular_form_with model: Measurement.new, id: :measurement_form,
+<%= tabular_form_with model: Measurement.new do |form| %>
-  class: 'topside-area vflex', html: {onkeydown: 'formProcessKey(event)'} do |form| %>
+  <fieldset>
     <table class="items centered">
-    <tbody id="readouts"></tbody>
+      <tbody id="readouts">
-  </table>
+        <tr id="readouts_form">
-
+          <td colspan="4">
-  <div class="hflex">
+            <%= collection_select :quantity, :id, @quantities, :id, :to_s_with_depth,
-    <%# TODO: right-click selection %>
+              {prompt: t('.select_quantity'), disabled: '', selected: ''},
-    <details id="quantity_select" class="hexpand" open
+              {name: :id, class: 'quantity vexpand',
-             onkeydown="detailsProcessKey(event)">
+               onchange: "this.form.requestSubmit(new_readout_submit);"} %>
-      <summary autofocus>
+            <%= form.submit id: :new_readout_submit, name: nil, value: nil,
-        <!-- TODO: Set content with CSS when span empty to avoid duplication -->
-        <span data-prompt="<%= t('.select_quantity') %>">
-          <%= t('.select_quantity') %>
-        </span>
-        <%= image_button_tag t(:apply), "update", name: nil, disabled: true,
               formaction: new_readout_path, formmethod: :get, formnovalidate: true,
-          data: {turbo_stream: true} %>
+              hidden: true, data: {turbo_stream: true} %>
-      </summary>
+          </td>
-      <ul><%= quantities_check_boxes %></ul>
+        </tr>
-    </details>
+      </tbody>
-    <%= form.button id: :create_measurement_button, disabled: true -%>
+    </table>
-  </div>
+  </fieldset>
-
+  <div class="hflex centered">
-  <div class="hflex reverse">
+    <%= form.button -%>
     <%= image_link_to t(:cancel), "close-outline", measurements_path, name: :cancel,
       class: 'dangerous', onclick: render_turbo_stream('form_close') %>
   </div>

app/views/measurements/_form_close.html.erb

@@ -1,3 +1,4 @@
+<%= turbo_stream.update :measurement_form %>
 <%= turbo_stream.update :flashes %>
 <%= turbo_stream.remove :measurement_form %>
 <%= turbo_stream.show :no_items -%>

app/views/measurements/index.html.erb

@@ -1,5 +1,5 @@
 <%# TODO: show hint when no quantities/units defined %>
-<div class="rightside-area buttongrid">
+<div class="rightside buttongrid">
   <% if current_user.at_least(:active) %>
     <%= image_link_to t('.new_measurement'), 'plus-outline', new_measurement_path,
       id: :new_measurement_link, onclick: 'this.blur();',
@@ -7,7 +7,9 @@
   <% end %>
 </div>
 
-<table class="main-area">
+<%= tag.div class: 'topside', id: :measurement_form %>
+
+<table class="main">
   <tbody id="measurements">
     <%= render(@measurements) || render_no_items %>
   </tbody>

app/views/measurements/new.turbo_stream.erb

@@ -1,5 +1,4 @@
 <%= turbo_stream.disable :new_measurement_link -%>
-<%= turbo_stream.hide :no_items -%>
+<%= turbo_stream.update :measurement_form do %>
-<%= turbo_stream.append_all 'body' do %>
   <%= render partial: 'form' %>
 <% end %>

app/views/readouts/_form.html.erb

@@ -1,25 +1,22 @@
 <%# TODO: add readout reordering by dragging %>
 <%= tabular_fields_for 'readouts[]', readout do |form| %>
-  <%- tag.tr id: dom_id(readout.quantity, :new, :readout) do %>
+  <%- tag.tr id: dom_id(readout.quantity, :new, :readout),
-    <td class="actions">
+             onkeydown: 'processKey(event)' do %>
-      <%# TODO: change to _link_ after giving up displaying relative paths %>
-      <%= image_button_tag '', 'delete-outline', class: 'dangerous', name: nil,
-        formaction: discard_readouts_path(readout.quantity),
-        formmethod: :get, formnovalidate: true, data: {turbo_stream: true} %>
-    </td>
     <td>
       <%= readout.quantity.relative_pathname(@superquantity) %>
     </td>
     <td>
-      <%= form.number_field :value, required: true,
+      <%= form.number_field :value, required: true, autofocus: true, size: 10 %>
-        size: readout.type_for_attribute(:value).precision / 2,
-        autofocus: readout_counter == 0 %>
     </td>
     <td>
       <%= form.hidden_field :quantity_id %>
       <%= form.collection_select :unit_id, @user_units, :id,
-        ->(u){ sanitize('&emsp;' * (u.base_id ? 1 : 0) + u.symbol) },
+        ->(u){ sanitize('&emsp;' * (u.base_id ? 1 : 0) + u.symbol) } %>
-        {prompt: t('.select_unit'), disabled: '', selected: ''}, required: true %>
+    </td>
+    <td class="actions">
+      <%= image_button_tag '', 'delete-outline', class: 'dangerous', name: :discard,
+        formaction: discard_readouts_path(readout.quantity),
+        formmethod: :get, formnovalidate: true, data: {turbo_stream: true} %>
     </td>
   <% end %>
 <% end %>

app/views/readouts/discard.turbo_stream.erb

@@ -1,4 +1,4 @@
-<%= turbo_stream.disable :create_measurement_button if @prev_quantities.one? %>
 <%= turbo_stream.remove dom_id(@quantity, :new, :readout) %>
+<%= turbo_stream.disable_all 'button[name="discard"]' if @prev_quantities.one? %>
+<%= turbo_stream.enable_all "select.quantity option[value='#{@quantity.id}']" %>
 <%= render partial: 'form_repath' %>
-<%= turbo_stream.unselect dom_id(@quantity) %>

app/views/readouts/new.turbo_stream.erb

@@ -1,8 +1,9 @@
-<% @readouts.each do |r| %>
-  <%= turbo_stream.disable dom_id(r.quantity) %>
-<% end %>
 <%= render partial: 'form_repath' %>
-<%= turbo_stream.append :readouts do %>
+<%# is .one? proper condition? can @readouts be empty? %>
+<%= turbo_stream.enable_all 'button[name="discard"]' if @prev_quantities.one? %>
+<% @readouts.each do |r| %>
+  <%= turbo_stream.disable_all "select.quantity option[value='#{r.quantity_id}']" %>
+<% end %>
+<%= turbo_stream.before :readouts_form do %>
   <%= render partial: 'form', collection: @readouts, as: :readout %>
 <% end %>
-<%= turbo_stream.enable :create_measurement_button if @prev_quantities.empty? %>

app/views/users/confirmations/create.turbo_stream.erb

@@ -0,0 +1 @@
+<% flash.discard %>

app/views/users/confirmations/new.html.erb

@@ -1,9 +0,0 @@
-<%= labeled_form_for resource, url: user_confirmation_path,
-  html: {class: 'main-area'} do |f| %>
-
-  <%= f.email_field :email, required: true, size: 30, autofocus: true,
-    autocomplete: 'email', value:
-    resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email %>
-
-  <%= f.submit t(:resend_confirmation) %>
-<% end %>

app/views/users/passwords/create.turbo_stream.erb

@@ -0,0 +1,2 @@
+<%# For some reason flash messages are duplicated in bot flash and flash.now %>
+<% flash.discard %>

app/views/users/passwords/edit.html.erb

@@ -1,5 +1,5 @@
 <%= labeled_form_for resource, url: user_password_path,
-  html: {method: :put, class: 'main-area'} do |f| %>
+  html: {method: :put, class: 'main-area', data: {turbo: false}} do |f| %>
 
   <%= f.hidden_field :reset_password_token %>
 

app/views/users/passwords/new.html.erb

@@ -1,8 +0,0 @@
-<%= labeled_form_for resource, url: user_password_path,
-  html: {class: 'main-area'} do |f| %>
-
-  <%= f.email_field :email, required: true, size: 30, autofocus: true,
-    autocomplete: 'email' %>
-
-  <%= f.submit t(:recover_password) %>
-<% end %>

app/views/users/profiles/new.html.erb

@@ -0,0 +1,17 @@
+<%= labeled_form_for resource, url: user_registration_path,
+  html: {class: 'main-area', onsubmit: 'formValidate(event)'} do |f| %>
+
+  <%= f.email_field :email, required: true, size: 30, autofocus: true,
+    autocomplete: 'email' %>
+  <%= f.password_field :password, required: true, size: 30,
+    minlength: @minimum_password_length, autocomplete: 'new-password' %>
+  <%= f.password_field :password_confirmation, required: true, size: 30,
+    minlength: @minimum_password_length, autocomplete: 'off' %>
+
+  <%= f.submit t(:register), data: {turbo: false} %>
+
+  <%# TODO: fix button text color after change link -> button %>
+  <%= image_button_tag t(:resend_confirmation), 'email-sync-outline',
+    class: 'auxiliary', formaction: user_confirmation_path, formnovalidate: true,
+    data: {validate: f.field_id(:email)} %>
+<% end %>

app/views/users/registrations/new.html.erb

@@ -1,16 +0,0 @@
-<div class="main-area">
-  <%= labeled_form_for resource, url: user_registration_path do |f| %>
-    <%= f.email_field :email, required: true, size: 30, autofocus: true,
-      autocomplete: 'email' %>
-    <%= f.password_field :password, required: true, size: 30,
-      minlength: @minimum_password_length, autocomplete: 'new-password' %>
-    <%= f.password_field :password_confirmation, required: true, size: 30,
-      minlength: @minimum_password_length, autocomplete: 'off' %>
-
-    <%= f.submit t(:register) %>
-  <% end %>
-
-  <%= content_tag :p, t(:or), style: 'text-align: center;' %>
-  <%= image_link_to t(:resend_confirmation), 'email-sync-outline',
-    new_user_confirmation_path, class: 'centered' %>
-</div>

app/views/users/sessions/new.html.erb

@@ -1,18 +1,19 @@
-<div class="main-area">
+<%= labeled_form_for resource, url: user_session_path,
-  <%= labeled_form_for resource, url: user_session_path do |f| %>
+  html: {class: 'main-area', onsubmit: 'formValidate(event)'} do |f| %>
+
   <%= f.email_field :email, required: true, size: 30, autofocus: true,
     autocomplete: 'email' %>
   <%= f.password_field :password, required: true, size: 30,
-      minlength: @minimum_password_length, autocomplete: 'current-password' %>
+    autocomplete: 'current-password' %>
 
   <% if devise_mapping.rememberable? %>
     <%= f.check_box :remember_me %>
   <% end %>
 
-    <%= f.submit t(:sign_in) %>
+  <%# /sign_in as HTML; /password as TURBO_STREAM %>
-  <% end %>
+  <%= f.submit t(:sign_in), data: {turbo: false} %>
 
-  <%= content_tag :p, t(:or), style: 'text-align: center;' %>
+  <%= image_button_tag t(:recover_password), 'lock-reset', class: 'auxiliary',
-  <%= image_link_to t(:recover_password), 'lock-reset', new_user_password_path,
+    formaction: user_password_path, formnovalidate: true,
-    class: 'centered' %>
+    data: {validate: f.field_id(:email)} %>
-</div>
+<% end %>

config/initializers/devise.rb

@@ -91,7 +91,7 @@ Devise.setup do |config|
   # It will change confirmation, password recovery and other workflows
   # to behave the same regardless if the e-mail provided was right or wrong.
   # Does not affect registerable.
-  # config.paranoid = true
+  config.paranoid = true
 
   # By default Devise will store the user in session. You can skip storage for
   # particular strategies by setting this option.

config/locales/devise.en.yml

@@ -4,15 +4,15 @@ en:
   devise:
     confirmations:
       confirmed: "Your email address has been successfully confirmed."
-      send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes."
+      send_paranoid_instructions: >
-      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
+        If your email address is in our database, a message with instructions on how
+        to confirm your email address has been sent to you.
     failure:
       already_authenticated: "You are already signed in."
       inactive: "Your account is not activated yet."
-      invalid: "Invalid %{authentication_keys} or password."
+      invalid: "Invalid <b>%{authentication_keys}</b> or <b>password</b>."
       locked: "Your account is locked."
       last_attempt: "You have one more attempt before your account is locked."
-      not_found_in_database: "Invalid %{authentication_keys} or password."
       timeout: "Your session expired. Please sign in again to continue."
       unauthenticated: "You need to sign in or sign up before continuing."
       unconfirmed: "You have to confirm your email address before continuing."
@@ -32,8 +32,9 @@ en:
       success: "Successfully authenticated from %{kind} account."
     passwords:
       no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
-      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
+      send_paranoid_instructions: >
-      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+        If your email address is in our database, the password recovery link has been
+        sent to you.
       updated: "Your password has been changed successfully. You are now signed in."
       updated_not_active: "Your password has been changed successfully."
     registrations:
@@ -50,7 +51,6 @@ en:
       signed_out: "Signed out successfully."
       already_signed_out: "Signed out successfully."
     unlocks:
-      send_instructions: "You will receive an email with instructions for how to unlock your account in a few minutes."
       send_paranoid_instructions: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
       unlocked: "Your account has been unlocked successfully. Please sign in to continue."
   errors:

config/locales/en.yml

@@ -85,7 +85,7 @@ en:
     navigation: Measurements
     no_items: There are no measurements taken. You can Add some now.
     form:
-      select_quantity: select the measured quantities...
+      select_quantity: select the measured quantity...
     index:
       new_measurement: Add measurement
     create:
@@ -97,6 +97,7 @@ en:
   readouts:
     form:
       select_unit: ...
+      new_children: Children
   quantities:
     navigation: Quantities
     no_items: There are no configured quantities. You can Add some or Import from defaults.
@@ -156,7 +157,7 @@ en:
       edit:
         password_html: 'New password:%{password_length_hint_html}'
         update_password: Update password
-    registrations:
+    profiles:
       new:
         password_html: 'Password:%{password_length_hint_html}'
         password_confirmation: 'Retype password:'
@@ -195,7 +196,6 @@ en:
   cancel: Cancel
   delete: Delete
   :no: 'no'
-  or: or
   register: Register
   sign_in: Sign in
   recover_password: Recover password

config/routes.rb

@@ -4,6 +4,7 @@ Rails.application.routes.draw do
 
   resources :measurements
 
+
   resources :readouts, only: [:new] do
     collection {get 'new/:id/discard', action: :discard, as: :discard}
   end
@@ -27,8 +28,9 @@ Rails.application.routes.draw do
   # https://github.com/heartcombo/devise/issues/5786
   connection = ActiveRecord::Base.connection
   if connection.schema_version && connection.table_exists?(:users)
+    # NOTE: change helper prefix from *_registration to *_profile once possible
     devise_for :users, path: '', path_names: {registration: 'profile'},
-      controllers: {registrations: :registrations}
+      controllers: {registrations: 'user/profiles'}
   end
 
   resources :users, only: [:index, :show, :update] do
@@ -37,10 +39,8 @@ Rails.application.routes.draw do
   end
 
   unauthenticated do
-    as :user do
     root to: redirect('/sign_in')
   end
-  end
   root to: redirect('/units'), as: :user_root
 
   direct(:source_code) { 'https://gitea.michalczyk.pro/fixin.me/fixin.me' }

test/application_system_test_case.rb

@@ -1,6 +1,7 @@
 require "test_helper"
 
 class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
+  include ActionView::Helpers::SanitizeHelper
   include ActionView::Helpers::UrlHelper
 
   # NOTE: geckodriver installed with Firefox, ignore incompatibility warning
@@ -32,7 +33,8 @@ class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
   # Allow skipping interpolations when translating for testing purposes
   INTERPOLATION_PATTERNS = Regexp.union(I18n.config.interpolation_patterns)
   def translate(key, **options)
-    options.empty? ? super.split(INTERPOLATION_PATTERNS, 2).first : super
+    translation = options.empty? ? super.split(INTERPOLATION_PATTERNS, 2).first : super
+    sanitize(translation, tags: [])
   end
   alias :t :translate
 

test/system/users_test.rb

@@ -5,8 +5,8 @@ class UsersTest < ApplicationSystemTestCase
     @admin = users(:admin)
   end
 
-  test "sign in" do
+  test 'sign in' do
-    visit new_user_session_path
+    visit root_url
     assert find_link(href: new_user_session_path)[:disabled]
 
     sign_in
@@ -14,16 +14,23 @@ class UsersTest < ApplicationSystemTestCase
     assert_text t('devise.sessions.signed_in')
   end
 
-  test 'sign in fails with invalid password' do
+  test 'sign in fails with invalid credentials' do
-    sign_in password: random_password
+    label = User.human_attribute_name(:email)
+    # Both: valid and invalid emails should give the same (paranoid) error message.
+    email = [users.sample.email, random_email].sample
+
+    visit root_url
+    fill_in label, with: email
+    fill_in User.human_attribute_name(:password), with: random_password
+    click_on t(:sign_in)
+
     assert_current_path new_user_session_path
-    assert_text t('devise.failure.not_found_in_database',
+    assert_text t('devise.failure.invalid', authentication_keys: label.downcase_first)
-                  authentication_keys: User.human_attribute_name(:email))
     assert find_link(href: new_user_session_path)[:disabled]
-    assert_not_empty find_field(User.human_attribute_name(:email)).value
+    assert has_field?(label, with: email)
   end
 
-  test "sign out" do
+  test 'sign out' do
     sign_in
     visit root_url
     click_on t("layouts.application.sign_out")
@@ -31,79 +38,106 @@ class UsersTest < ApplicationSystemTestCase
     assert_text t("devise.sessions.signed_out")
   end
 
-  test "recover password" do
+  test 'recover password' do
-    visit new_user_session_url
+    label = User.human_attribute_name(:email)
-    click_on t(:recover_password)
+    email = users.select(&:confirmed?).sample.email
+
+    visit root_url
+    fill_in label, with: email
+    # Form validations should allow empty password.
+    assert has_field?(User.human_attribute_name(:password), with: nil)
 
-    fill_in User.human_attribute_name(:email),
-      with: users.select(&:confirmed?).sample.email
     assert_emails 1 do
       click_on t(:recover_password)
-      # Wait until redirected to make sure async request has been processed
       assert_current_path new_user_session_path
+      # Wait for flash message to make sure async request has been processed.
+      assert_text t("devise.passwords.send_paranoid_instructions")
     end
-    assert_text t("devise.passwords.send_instructions")
+    assert has_field?(label, with: email)
 
     with_last_email do |mail|
       visit Capybara.string(mail.body.to_s).find_link("Change my password")[:href]
+      assert_current_path edit_user_password_path, ignore_query: true
+      # Make sure flash message is not displayed twice.
+      assert_no_text t("devise.passwords.send_paranoid_instructions")
     end
     new_password = random_password
     fill_in t("users.passwords.edit.password_html"), with: new_password
     fill_in t("helpers.label.user.password_confirmation"), with: new_password
     assert_emails 1 do
       click_on t("users.passwords.edit.update_password")
-      # Wait until redirected to make sure async request has been processed
       assert_current_path units_path
-    end
       assert_text t("devise.passwords.updated")
     end
+  end
 
-  test "register" do
+  test 'recover password for nonexistent user' do
-    visit new_user_session_url
+    label = User.human_attribute_name(:email)
+    email = random_email
+
+    visit root_url
+    fill_in label, with: email
+
+    assert_no_emails do
+      click_on t(:recover_password)
+      assert_current_path new_user_session_path
+      assert_text t("devise.passwords.send_paranoid_instructions")
+    end
+  end
+
+  test 'register' do
+    visit root_url
     click_on t(:register)
+    assert find_link(href: new_user_registration_path)[:disabled]
 
     fill_in User.human_attribute_name(:email), with: random_email
     password = random_password
     fill_in User.human_attribute_name(:password), with: password
-    fill_in t("users.registrations.new.password_confirmation"), with: password
+    fill_in t("users.profiles.new.password_confirmation"), with: password
-    assert_difference ->{User.count}, 1 do
+    assert_difference ->{ User.count }, 1 do
       assert_emails 1 do
         click_on t(:register)
-        # Wait until redirected to make sure async request has been processed
         assert_current_path new_user_session_path
-      end
-    end
         assert_text t("devise.registrations.signed_up_but_unconfirmed")
+      end
+    end
 
+    assert_changes ->{ User.last.confirmed? }, from: false, to: true do
       with_last_email do |mail|
         visit Capybara.string(mail.body.to_s).find_link("Confirm my account")[:href]
-    end
         assert_current_path new_user_session_path
         assert_text t("devise.confirmations.confirmed")
-    assert User.last.confirmed?
+      end
+    end
   end
 
-  test "resend confirmation" do
+  test 'resend confirmation' do
-    visit new_user_session_url
+    label = User.human_attribute_name(:email)
-    click_on t(:register)
+    user = users.reject(&:confirmed?).sample
-    click_on t(:resend_confirmation)
+
+    visit root_url
+    click_on t(:register)
+    fill_in label, with: user.email
+    assert has_field?(User.human_attribute_name(:password), with: nil)
 
-    fill_in User.human_attribute_name(:email),
-      with: users.reject(&:confirmed?).sample.email
     assert_emails 1 do
       click_on t(:resend_confirmation)
-      # Wait until redirected to make sure async request has been processed
+      assert_current_path new_user_registration_path
-      assert_current_path new_user_session_path
+      assert_text t("devise.confirmations.send_paranoid_instructions")
     end
-    assert_current_path new_user_session_path
+    assert has_field?(label, with: user.email)
-    assert_text t("devise.confirmations.send_instructions")
 
+    assert_changes ->{ user.reload.confirmed? }, from: false, to: true do
       with_last_email do |mail|
         visit Capybara.string(mail.body.to_s).find_link("Confirm my account")[:href]
+        assert_current_path new_user_session_path
+        assert_no_text t("devise.confirmations.send_paranoid_instructions")
+        assert_text t("devise.confirmations.confirmed")
+      end
     end
   end
 
-  test "show profile" do
+  test 'show profile' do
     sign_in user: users.select(&:admin?).select(&:confirmed?).sample
     click_on t("users.navigation")
     within all('tr').drop(1).sample do |tr|
@@ -113,7 +147,7 @@ class UsersTest < ApplicationSystemTestCase
     end
   end
 
-  test "disguise" do
+  test 'disguise' do
     user = users.select(&:admin?).select(&:confirmed?).sample
     sign_in user: user
 
@@ -129,7 +163,7 @@ class UsersTest < ApplicationSystemTestCase
     assert_link user.email
   end
 
-  test "disguise fails for admin when disallowed" do
+  test 'disguise fails for admin when disallowed' do
     user = users.select(&:admin?).select(&:confirmed?).sample
     sign_in user: user
 
@@ -142,13 +176,13 @@ class UsersTest < ApplicationSystemTestCase
     assert_title 'The change you wanted was rejected (422)'
   end
 
-  test "disguise forbidden for non admin" do
+  test 'disguise forbidden for non admin' do
     sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
     visit disguise_user_path(User.all.sample)
     assert_title 'Access is forbidden to this page (403)'
   end
 
-  test "delete profile" do
+  test 'delete profile' do
     user = sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
     # TODO: remove condition after root_url changed to different path than
     # profile in routes.rb
@@ -156,13 +190,13 @@ class UsersTest < ApplicationSystemTestCase
       first(:link_or_button, user.email).click
     end
     assert_difference ->{ User.count }, -1 do
-      accept_confirm { click_on t("users.registrations.edit.delete") }
+      accept_confirm { click_on t("users.profiles.edit.delete") }
       assert_current_path new_user_session_path
     end
     assert_text t("devise.registrations.destroyed")
   end
 
-  test "sole admin cannot delete profile" do
+  test 'sole admin cannot delete profile' do
     sign_in user: users(:admin)
     unless has_current_path?(edit_user_registration_path)
       first(:link_or_button, users(:admin).email).click
@@ -170,17 +204,17 @@ class UsersTest < ApplicationSystemTestCase
     assert find(:button, t("users.registrations.edit.delete"))[:disabled]
   end
 
-  test "index forbidden for non admin" do
+  test 'index forbidden for non admin' do
     sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
     visit users_path
     assert_title "Access is forbidden to this page (403)"
   end
 
-  test "update profile" do
+  test 'update profile' do
     # TODO
   end
 
-  test "update status" do
+  test 'update status' do
     sign_in user: users.select(&:admin?).select(&:confirmed?).sample
     visit users_path
 
@@ -195,7 +229,7 @@ class UsersTest < ApplicationSystemTestCase
     assert_current_path users_path
   end
 
-  test "update status fails for admin when disallowed" do
+  test 'update status fails for admin when disallowed' do
     sign_in user: users.select(&:admin?).select(&:confirmed?).sample
     visit users_path
 
@@ -208,7 +242,7 @@ class UsersTest < ApplicationSystemTestCase
     assert_title 'The change you wanted was rejected (422)'
   end
 
-  test "update status forbidden for non admin" do
+  test 'update status forbidden for non admin' do
     sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
     visit units_path
     inject_button_to find('body'), "update status", user_path(User.all.sample), method: :patch,