Allow Capybara test server host in HostAuthorization

Capybara starts a Puma server on 127.0.0.1:<random_port> for system tests. Rails HostAuthorization was blocking all requests from that host since it was not in the config.hosts allowlist, causing every page to return a blank 403 response and all system tests to fail. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-02 19:10:23 +00:00
16 changed files with 7 additions and 189 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -1,84 +0,0 @@
 # CLAUDE.md
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 ## Project Overview
 Fixin.me is a "quantified self" Rails 7.2.3 application for personal data tracking. Users define hierarchical **quantities** (metrics to track), **units** (with optional conversion hierarchies), and **readouts** (individual measurements). There is also a non-persistent **measurement** model used as a form wrapper.
 ## Setup
 Configuration files are distributed as `.dist` templates — copy and customize before use:
 ```bash
 cp config/application.rb.dist config/application.rb
 cp config/database.yml.dist config/database.yml
 cp config/puma.rb.dist config/puma.rb
 ```
 ```bash
 bundle config --local frozen true
 bundle config --local path .gem
 bundle config --local with mysql development test   # or: pg, sqlite
 bundle install
 RAILS_ENV=development bundle exec rails db:create db:migrate db:seed
 ```
 ## Common Commands
 ```bash
 bundle exec rails s                                          # start server
 bundle exec rails test                                       # all unit/model/controller tests
 bundle exec rails test:system                                # all system tests (Capybara + Selenium)
 bundle exec rails test test/system/units_test.rb            # single test file
 bundle exec rails test --seed 64690 --name test_add_unit    # single test by name
 bundle exec rails db:seed:export                             # export default settings as seed file
 ```
 ## Architecture
 ### Data Model
 - **Quantity** — hierarchical tree (self-referential `parent_id`). Cached `depth` and `pathname` fields are recomputed via recursive CTEs on write. Direct assignment to cached fields is blocked.
 - **Unit** — optional hierarchy via `base_id` and `multiplier` for unit conversion. Multiplier precision/scale is validated by a custom validator.
 - **Readout** — single measurement: `value` (IEEE 754 float), `quantity`, `unit`, `category`.
 - **Measurement** — `ActiveModel::Model` form wrapper (not database-backed); bridges the readout creation form.
 - **User** — Devise-managed with a status enum: `admin`, `active`, `restricted`, `locked`, `disabled`. Admins can disguise as other users.
 ### Hierarchical Queries
 Both `Quantity` and `Unit` use recursive CTEs for tree traversal (ordered traversal, ancestors, progenies, common ancestors). `lib/core_ext/arel/` patches Arel to support CTE with `UPDATE`/`DELETE` statements, working around Rails issue #54658.
 ### Custom Extensions (`lib/core_ext/`)
 - **arel/** — CTE support for UPDATE/DELETE
 - **active_model/** — precision/scale validator used by `Unit#multiplier`
 - **active_record/** — `attr_cached` mechanism (see `ApplicationRecord`)
 - **action_view/** — record identifier suffixes
 - Miscellaneous: `Array#delete_bang`, `BigDecimal` scientific notation
 ### Response Handling
 Controllers respond to both HTML and Turbo Stream formats. Errors during Turbo Stream requests trigger a redirect with flash rather than rendering inline, handled in `ApplicationController`.
 ### Numeric Precision
 Readout values are stored as IEEE 754 double-precision floats (not fixed-point decimals). Rationale in `DESIGN.md`: biological values span many orders of magnitude; 15-digit float precision is sufficient and avoids conversion overhead.
 ### Routes
 ```
 measurements   GET/POST /measurements
 readouts       GET/POST /readouts, DELETE /readouts/:id/discard
 quantities     CRUD + POST /quantities/:id/reparent
 units          CRUD + POST /units/:id/rebase
 users          CRUD + POST /users/:id/disguise, POST /users/revert
 default/       namespace for default units import/export and admin panel
 root           → /units (authenticated), /sign_in (unauthenticated)
 ```
 ## Database Requirements
 The database must support:
 - Recursive CTEs with `UPDATE`/`DELETE` (MySQL ≥ 8.0, PostgreSQL, or SQLite3)
 - Decimal precision of 30+ digits
--- a/app/controllers/quantities_controller.rb
+++ b/app/controllers/quantities_controller.rb
@@ -8,10 +8,6 @@ class QuantitiesController < ApplicationController
    raise AccessForbidden unless current_user.at_least(:active)
  end
  before_action only: [:new, :edit, :create, :update] do
    @user_units = current_user.units.ordered
  end
  def index
    @quantities = current_user.quantities.ordered.includes(:parent, :subquantities)
  end
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -86,7 +86,6 @@ module ApplicationHelper
    def initialize(...)
      super(...)
      @default_options.merge!(@options.slice(:form))
      @default_html_options.merge!(@options.slice(:form))
    end
    [:text_field, :password_field, :text_area].each do |selector|
--- a/app/models/quantity.rb
+++ b/app/models/quantity.rb
@@ -1,10 +1,9 @@
 class Quantity < ApplicationRecord
-  ATTRIBUTES = [:name, :description, :parent_id, :default_unit_id]
+  ATTRIBUTES = [:name, :description, :parent_id]
  attr_cached :depth, :pathname
  belongs_to :user, optional: true
  belongs_to :parent, optional: true, class_name: "Quantity"
  belongs_to :default_unit, optional: true, class_name: "Unit"
  has_many :subquantities, ->{ order(:name) }, class_name: "Quantity",
    inverse_of: :parent, dependent: :restrict_with_error
--- a/app/models/readout.rb
+++ b/app/models/readout.rb
@@ -1,5 +1,5 @@
 class Readout < ApplicationRecord
-  ATTRIBUTES = [:quantity_id, :value, :unit_id, :taken_at]
+  ATTRIBUTES = [:quantity_id, :value, :unit_id]
  belongs_to :user
  belongs_to :quantity
--- a/app/views/measurements/_form.html.erb
+++ b/app/views/measurements/_form.html.erb
@@ -8,7 +8,7 @@
        <tr class="italic">
          <td class="hexpand hmin50"><%= t '.taken_at_html' %></td>
          <td colspan="3" class="ralign">
-            <%= form.datetime_field :taken_at, required: true, value: Time.current.strftime('%Y-%m-%dT%H:%M') %>
+            <%= form.datetime_field :taken_at, required: true %>
          </td>
        </tr>
      <% end %>
--- a/app/views/quantities/_form.html.erb
+++ b/app/views/quantities/_form.html.erb
@@ -8,11 +8,6 @@
    <td>
      <%= form.text_area :description, cols: 30, rows: 1, escape: false %>
    </td>
    <td>
      <%= form.collection_select :default_unit_id, @user_units, :id,
        ->(u){ sanitize('&emsp;' * (u.base_id? ? 1 : 0) + u.symbol) },
        {include_blank: true}, onchange: "this.dataset.changed = ''" %>
    </td>
    <td class="flex">
      <%= form.button %>
--- a/app/views/quantities/_quantity.html.erb
+++ b/app/views/quantities/_quantity.html.erb
@@ -10,7 +10,6 @@
      onclick: 'this.blur();', data: {turbo_stream: true} %>
  </td>
  <td><%= quantity.description %></td>
  <td><%= quantity.default_unit&.symbol %></td>
  <% if current_user.at_least(:active) %>
    <td class="flex">
--- a/app/views/quantities/index.html.erb
+++ b/app/views/quantities/index.html.erb
@@ -16,7 +16,6 @@
    <tr>
      <th><%= Quantity.human_attribute_name(:name) %></th>
      <th class="hexpand"><%= Quantity.human_attribute_name(:description) %></th>
      <th><%= Quantity.human_attribute_name(:default_unit) %></th>
      <% if current_user.at_least(:active) %>
        <th><%= t :actions %></th>
        <th></th>
@@ -26,7 +25,7 @@
               ondragover: "dragOver(event)", ondrop: "drop(event)",
               ondragenter: "dragEnter(event)", ondragleave: "dragLeave(event)",
               data: {drop_id: "quantity_", drop_id_param: "quantity[parent_id]"} do %>
-      <th colspan="5"><%= t '.top_level_drop' %></th>
+      <th colspan="4"><%= t '.top_level_drop' %></th>
    <% end %>
  </thead>
  <tbody id="quantities">
--- a/app/views/readouts/_form.html.erb
+++ b/app/views/readouts/_form.html.erb
@@ -12,17 +12,10 @@
    <td>
      <%= form.collection_select :unit_id, @user_units, :id,
        ->(u){ sanitize('&emsp;' * (u.base_id ? 1 : 0) + u.symbol) },
-        {prompt: '', disabled: '', selected: readout.quantity.default_unit_id || ''}, required: true,
+        {prompt: '', disabled: '', selected: ''}, required: true %>
        data: {default_unit_id: readout.quantity.default_unit_id || ''},
        onchange: "readoutUnitChanged(this)" %>
    </td>
    <td class="flex">
      <%# TODO: change to _link_ after giving up displaying relative paths %>
      <%= image_button_tag '', 'check-circle-outline',
        class: 'set-default-unit', name: nil, type: 'button', disabled: true,
        title: t('readouts.form.set_default_unit'),
        data: {path: quantity_path(readout.quantity)},
        onclick: 'setDefaultUnit(this)' %>
      <%= image_button_tag '', 'delete-outline', class: 'dangerous', name: nil,
        formaction: discard_readouts_path(readout.quantity),
        formmethod: :get, formnovalidate: true, data: {turbo_stream: true} %>
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -11,13 +11,8 @@ en:
  activerecord:
    attributes:
      quantity:
        default_unit: Default unit
        description: Description
        name: Name
      readout:
        created_at: Recorded at
        taken_at: Taken at
        value: Value
      unit:
        base: Base unit
        description: Description
@@ -86,9 +81,6 @@ en:
      revert: Revert
      sign_out: Sign out
      source_code: Get code
  readouts:
    form:
      set_default_unit: Set as default unit
  measurements:
    navigation: Measurements
    no_items: There are no measurements taken. You can Add some now.
@@ -97,15 +89,6 @@ en:
      taken_at_html: Measurement taken at&emsp;
    index:
      new_measurement: Add measurement
    readout:
      destroy: Delete
    create:
      success:
        one: Recorded 1 measurement.
        other: Recorded %{count} measurements.
      no_readouts: No readouts selected.
    destroy:
      success: Measurement deleted.
  quantities:
    navigation: Quantities
    no_items: There are no configured quantities. You can Add some or Import from defaults.
--- a/db/migrate/20260402000000_add_taken_at_to_readouts.rb
+++ b/db/migrate/20260402000000_add_taken_at_to_readouts.rb
@@ -1,6 +0,0 @@
 class AddTakenAtToReadouts < ActiveRecord::Migration[7.2]
  def change
    add_column :readouts, :taken_at, :datetime
    add_index :readouts, [:user_id, :taken_at]
  end
 end
--- a/db/migrate/20260403000000_add_default_unit_to_quantities.rb
+++ b/db/migrate/20260403000000_add_default_unit_to_quantities.rb
@@ -1,5 +0,0 @@
 class AddDefaultUnitToQuantities < ActiveRecord::Migration[7.2]
  def change
    add_reference :quantities, :default_unit, foreign_key: {to_table: :units}, null: true
  end
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema[7.2].define(version: 2026_04_03_000000) do
+ActiveRecord::Schema[7.2].define(version: 2025_01_21_230456) do
  create_table "quantities", charset: "utf8mb4", collation: "utf8mb4_0900_as_ci", force: :cascade do |t|
    t.bigint "user_id"
    t.string "name", limit: 31, null: false
@@ -20,8 +20,6 @@ ActiveRecord::Schema[7.2].define(version: 2026_04_03_000000) do
    t.datetime "updated_at", null: false
    t.integer "depth", default: 0, null: false
    t.string "pathname", limit: 511, null: false
    t.bigint "default_unit_id"
    t.index ["default_unit_id"], name: "index_quantities_on_default_unit_id"
    t.index ["parent_id"], name: "index_quantities_on_parent_id"
    t.index ["user_id", "parent_id", "name"], name: "index_quantities_on_user_id_and_parent_id_and_name", unique: true
    t.index ["user_id"], name: "index_quantities_on_user_id"
@@ -34,12 +32,10 @@ ActiveRecord::Schema[7.2].define(version: 2026_04_03_000000) do
    t.decimal "value", precision: 30, scale: 15, null: false
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
    t.datetime "taken_at"
    t.index ["quantity_id", "created_at"], name: "index_readouts_on_quantity_id_and_created_at", unique: true
    t.index ["quantity_id"], name: "index_readouts_on_quantity_id"
    t.index ["unit_id"], name: "index_readouts_on_unit_id"
    t.index ["user_id"], name: "index_readouts_on_user_id"
    t.index ["user_id", "taken_at"], name: "index_readouts_on_user_id_and_taken_at"
  end
  create_table "units", charset: "utf8mb4", collation: "utf8mb4_0900_as_ci", force: :cascade do |t|
@@ -74,7 +70,6 @@ ActiveRecord::Schema[7.2].define(version: 2026_04_03_000000) do
  end
  add_foreign_key "quantities", "quantities", column: "parent_id", on_delete: :cascade
  add_foreign_key "quantities", "units", column: "default_unit_id"
  add_foreign_key "quantities", "users"
  add_foreign_key "readouts", "quantities"
  add_foreign_key "readouts", "units"
--- a/test/system/quantities_test.rb
+++ b/test/system/quantities_test.rb
@@ -1,45 +0,0 @@
 require "application_system_test_case"
 class QuantitiesTest < ApplicationSystemTestCase
  setup do
    @user = sign_in(user: users(:alice))
    @unit = @user.units.create!(symbol: 'kg')
    @quantity = @user.quantities.create!(name: 'Weight')
    visit quantities_path
  end
  test "update button turns red when default unit changes" do
    click_on 'Weight'
    button = find('button[name=button]')
    initial_color = evaluate_script("getComputedStyle(arguments[0]).backgroundColor", button)
    select 'kg', from: 'quantity[default_unit_id]'
    changed_color = evaluate_script("getComputedStyle(arguments[0]).backgroundColor", button)
    refute_equal initial_color, changed_color, "Button color should change when default unit is altered"
  end
  test "saving default unit pre-selects it in measurements form" do
    click_on 'Weight'
    select 'kg', from: 'quantity[default_unit_id]'
    click_on t('helpers.submit.update')
    assert_selector '.flash.notice'
    @quantity.reload
    assert_equal @unit.id, @quantity.default_unit_id
    visit measurements_path
    find(:link_or_button, t('measurements.index.new_measurement')).click
    assert_selector '#measurement_form'
    within '#quantity_select' do
      check 'Weight'
    end
    find('button[formaction]').click
    within 'tbody#readouts' do
      assert_selector "option[value='#{@unit.id}'][selected]"
    end
  end
 end
--- a/test/system/users_test.rb
+++ b/test/system/users_test.rb
@@ -229,7 +229,7 @@ class UsersTest < ApplicationSystemTestCase
      user = User.find_by_email!(first(:link).text)
      inject_button_to first('td:not(.link)'), "update status", user_path(user), method: :patch,
        params: {user: {status: User.statuses.keys.sample}}, data: {turbo: false}
-      execute_script("arguments[0].click()", find_button("update status"))
+      click_on "update status"
    end
    assert_title 'The change you wanted was rejected (422)'
  end