Fix quantity ordered scope for SQLite: use pathname column instead of recursive CTE

SQLite's Arel visitor wraps CTE branches in extra parentheses, making the UNION ALL inside recursive CTEs invalid. Also SQLite lacks LPAD() and CAST(... AS BINARY). Fix by using the existing pathname column for ordering on SQLite, which already encodes the hierarchical path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implement measurements create/destroy and index listing
2026-03-10 18:41:03 +00:00 · 2026-03-10 18:24:27 +00:00 · 2026-03-01 20:04:42 +01:00
37 changed files with 321 additions and 405 deletions
--- a/app/assets/stylesheets/application.css
+++ b/app/assets/stylesheets/application.css
@@ -113,6 +113,12 @@ textarea {
  border: solid 1px var(--color-gray);
  border-radius: 0.25em;
 }
 [name=cancel],
 .auxiliary {
  border-color: var(--color-border-gray);
  color: var(--color-nav-gray);
  fill: var(--color-nav-gray);
 }
 input[type=checkbox],
 svg,
 textarea {
@@ -131,6 +137,7 @@ input[type=checkbox]:checked {
  -webkit-appearance: checkbox;
 }
 /* Hide spin buttons in input number fields */
 /* TODO: add spin buttons inside input[number]: before (-) and after (+) input */
 input[type=number] {
  appearance: textfield;
  -moz-appearance: textfield;
@@ -340,6 +347,7 @@ header {
  opacity: 1;
 }
 /* TODO: Hover over invalid should work like in measurements (thin vs thick border) */
 .labeled-form {
  align-items: center;
@@ -371,9 +379,17 @@ header {
 }
 .labeled-form input[type=submit] {
  font-size: 1rem;
-  margin: 1.5em auto 0 auto;
+  margin: 1em auto 0 auto;
  padding: 0.75em;
 }
 .labeled-form .auxiliary {
  grid-column: 3;
  /* If more buttons are needed, `grid-row` can be replaced with
   * `reading-flow: grid-columns` to ensure proper tabindex order */
  grid-row: 1;
  height: 100%;
  padding-block: 0;
 }
 /* TODO: remove .items class (?) and make 'form table' work properly */
@@ -532,11 +548,6 @@ table.items select:focus-within,
 table.items select:focus-visible {
  color: black;
 }
 form a[name=cancel] {
  border-color: var(--color-border-gray);
  color: var(--color-nav-gray);
  fill: var(--color-nav-gray);
 }
 form table.items {
  border: none;
 }
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,7 +9,6 @@ class ApplicationController < ActionController::Base
  helper_method :current_user_disguised?
  helper_method :current_tab
  before_action :redirect_to_setup_if_needed
  before_action :authenticate_user!
  class AccessForbidden < StandardError; end
@@ -26,6 +25,18 @@ class ApplicationController < ActionController::Base
  #   Turbo will reload 2nd time with HTML format and flashes will be lost.
  rescue_from *ActionDispatch::ExceptionWrapper.rescue_responses.keys, with: :rescue_turbo
  # Required by #respond_with (gem `responders`) used by Devise controllers.
  respond_to :html, :turbo_stream
  def after_sign_in_path_for(resource)
    # TODO: allow setting path per-user or save last path in session and restore
    units_path
  end
  def after_sign_out_path_for(resource)
    new_user_session_path
  end
  protected
  def current_user_disguised?
@@ -44,16 +55,6 @@ class ApplicationController < ActionController::Base
  private
  # Redirect to the web setup wizard when the application has not yet been
  # initialised (i.e. no admin account exists in the database).
  def redirect_to_setup_if_needed
    return if User.exists?(status: :admin)
    redirect_to new_setup_path
  rescue ActiveRecord::StatementInvalid
    # Tables may not exist yet (migrations not run). Fall through and let the
    # normal request handling surface a meaningful error.
  end
  def render_no_content(record)
    helpers.render_errors(record)
    render html: nil, layout: true
--- a/app/controllers/measurements_controller.rb
+++ b/app/controllers/measurements_controller.rb
@@ -1,7 +1,13 @@
 class MeasurementsController < ApplicationController
  before_action except: :index do
    raise AccessForbidden unless current_user.at_least(:active)
  end
  def index
-    @measurements = []
+    readouts = current_user.readouts.includes(:quantity, :unit).order(created_at: :desc)
-    #@measurements = current_user.units.ordered.includes(:base, :subunits)
+    @measurements = readouts.group_by(&:created_at).map do |created_at, grouped|
      Measurement.new(created_at: created_at, readouts: grouped)
    end
  end
  def new
@@ -9,8 +15,33 @@ class MeasurementsController < ApplicationController
  end
  def create
    timestamp = Time.current
    @readouts = readout_params.map do |rp|
      r = current_user.readouts.new(rp)
      r.created_at = timestamp
      r
    end
    if @readouts.all?(&:valid?)
      Readout.transaction { @readouts.each(&:save!) }
      @measurement = Measurement.new(readouts: @readouts, created_at: timestamp)
      flash.now[:notice] = t('.success')
    else
      render :new, status: :unprocessable_entity
    end
  end
  def destroy
    @measurement = Measurement.new(id: params[:id].to_i,
                                   created_at: Time.at(params[:id].to_i))
    current_user.readouts.where(created_at: @measurement.created_at).delete_all
    @measurements_empty = current_user.readouts.empty?
    flash.now[:notice] = t('.success')
  end
  private
  def readout_params
    params.require(:readouts).map { |r| r.permit(:quantity_id, :value, :unit_id) }
  end
 end
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -1,39 +0,0 @@
 class RegistrationsController < Devise::RegistrationsController
  before_action :authenticate_user!, only: [:edit, :update, :destroy]
  def destroy
    if current_user.sole_admin?
      redirect_back fallback_location: edit_user_registration_path,
        alert: t(".sole_admin")
      return
    end
    super
  end
  protected
  def build_resource(hash = {})
    super
    # Skip the email confirmation step when the admin has enabled this option
    # via the web setup wizard (stored as the "skip_email_confirmation" Setting).
    # The account becomes active immediately so the user can sign in right after
    # registering.
    resource.skip_confirmation! if Setting.get("skip_email_confirmation") == "true"
  end
  def update_resource(resource, params)
    # Based on update_with_password()
    if params[:password].blank?
      params.delete(:password)
      params.delete(:password_confirmation) if params[:password_confirmation].blank?
    end
    result = resource.update(params)
    resource.clean_up_passwords
    result
  end
  def after_inactive_sign_up_path_for(resource)
    new_user_session_path
  end
 end
--- a/app/controllers/setup_controller.rb
+++ b/app/controllers/setup_controller.rb
@@ -1,59 +0,0 @@
 # Handles the one-time web-based installation wizard.
 #
 # The wizard is only accessible when no admin account exists yet.  Once an
 # admin has been created the controller redirects every request to the root
 # path, so it can never be used to overwrite an existing installation.
 class SetupController < ActionController::Base
  # Use the full application layout (header, flash, etc.) so the page looks
  # consistent with the rest of the site.
  layout "application"
  before_action :redirect_if_installed
  def new
  end
  def create
    email    = params[:admin_email].to_s.strip
    password = params[:admin_password].to_s
    confirm  = params[:admin_password_confirmation].to_s
    errors = []
    errors << t(".email_blank")    if email.blank?
    errors << t(".password_blank") if password.blank?
    errors << t(".password_mismatch") if password != confirm
    if errors.any?
      flash.now[:alert] = errors.join("  ")
      return render :new, status: :unprocessable_entity
    end
    user = User.new(email: email, password: password, status: :admin)
    user.skip_confirmation!
    unless user.save
      flash.now[:alert] = user.errors.full_messages.join("  ")
      return render :new, status: :unprocessable_entity
    end
    # Persist runtime settings chosen during setup.
    Setting.set("skip_email_confirmation",
                params[:skip_email_confirmation] == "1")
    # Optionally seed the built-in default units.
    if params[:seed_units] == "1"
      load Rails.root.join("db/seeds/units.rb")
    end
    redirect_to new_user_session_path, notice: t(".success")
  end
  private
  def redirect_if_installed
    redirect_to root_path if User.exists?(status: :admin)
  rescue ActiveRecord::StatementInvalid
    # Tables are not yet migrated — stay on the setup page so the user sees a
    # meaningful error rather than a crash.
  end
 end
--- a/app/controllers/user/profiles_controller.rb
+++ b/app/controllers/user/profiles_controller.rb
@@ -0,0 +1,24 @@
 class User::ProfilesController < Devise::RegistrationsController
  def destroy
    # TODO: Disallow/disable deletion for last admin account; update :edit view
    super
  end
  protected
  def update_resource(resource, params)
    # Based on update_with_password()
    if params[:password].blank?
      params.delete(:password)
      params.delete(:password_confirmation) if params[:password_confirmation].blank?
    end
    result = resource.update(params)
    resource.clean_up_passwords
    result
  end
  def after_inactive_sign_up_path_for(resource)
    new_user_session_path
  end
 end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -37,7 +37,7 @@ class UsersController < ApplicationController
  end
  # NOTE: limited actions availabe to :admin by design. Users are meant to
-  # manage their accounts by themselves through registrations. :admin
+  # manage their accounts by themselves through profiles. :admin
  # is allowed to sign-in (disguise) as user and make changes from there.
  protected
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -72,13 +72,8 @@ module ApplicationHelper
  end
  def labeled_form_for(record, options = {}, &block)
-    extra_options = {builder: LabeledFormBuilder,
+    extra_options = {builder: LabeledFormBuilder, html: {class: 'labeled-form'}}
-                     data: {turbo: false},
+    form_for(record, **merge_attributes(options, extra_options), &block)
                     html: {class: 'labeled-form'}}
    options = options.deep_merge(extra_options) do |key, left, right|
      key == :class ? class_names(left, right) : right
    end
    form_for(record, **options, &block)
  end
  class TabularFormBuilder < ActionView::Helpers::FormBuilder
@@ -135,16 +130,16 @@ module ApplicationHelper
    # [autofocus].  Otherwise IDs are not unique when multiple forms are open
    # and the first input gets focus.
    record_object, options = nil, record_object if record_object.is_a?(Hash)
-    options.merge!(builder: TabularFormBuilder, skip_default_ids: true)
+    extra_options = {builder: TabularFormBuilder, skip_default_ids: true}
    options = merge_attributes(options, extra_options)
    # TODO: set error message with setCustomValidity instead of rendering to flash?
    render_errors(record_object || record_name)
    fields_for(record_name, record_object, **options, &block)
  end
  def tabular_form_with(**options, &block)
-    options = options.deep_merge(builder: TabularFormBuilder,
+    extra_options = {builder: TabularFormBuilder, html: {autocomplete: 'off'}}
-                                 html: {autocomplete: 'off'})
+    form_with(**merge_attributes(options, extra_options), &block)
    form_with(**options, &block)
  end
  def svg_tag(source, label = nil, options = {})
@@ -159,6 +154,7 @@ module ApplicationHelper
      ['measurements', 'scale-bathroom', :restricted],
      ['quantities', 'axis-arrow', :restricted, 'right'],
      ['units', 'weight-gram', :restricted],
      # TODO: display users tab only if >1 user present; sole_user?/sole_admin?
      ['users', 'account-multiple-outline', :admin],
    ]
@@ -206,6 +202,7 @@ module ApplicationHelper
  def render_errors(records)
    # Conversion of flash to Array only required because of Devise
    # TODO: override Devise message setting to Array()?
    flash[:alert] = Array(flash[:alert])
    Array(records).each { |record| flash[:alert] += record.errors.full_messages }
  end
@@ -215,6 +212,7 @@ module ApplicationHelper
      # Conversion of flash to Array only required because of Devise
      Array(messages).map do |message|
        tag.div class: "flash #{entry}" do
          # TODO: change button text to svg to make it aligned vertically
          tag.div(sanitize(message)) + tag.button(sanitize("&times;"), tabindex: -1,
                                                  onclick: "this.parentElement.remove();")
        end
@@ -252,4 +250,11 @@ module ApplicationHelper
    [name, html_options]
  end
  # Like Hash#deep_merge, but aware of HTML attributes.
  def merge_attributes(left, right)
    left.deep_merge(right) do |key, lvalue, rvalue|
      key == :class ? class_names(lvalue, rvalue) : rvalue
    end
  end
 end
--- a/app/javascript/application.js
+++ b/app/javascript/application.js
@@ -37,6 +37,18 @@ window.detailsObserver = new MutationObserver((mutations) => {
  mutations[0].target.dispatchEvent(new Event('change', {bubbles: true}))
 });
 function formValidate(event) {
  var id = event.submitter.getAttribute("data-validate")
  if (!id) return;
  var input = document.getElementById(id)
  if (!input.checkValidity()) {
    input.reportValidity()
    event.preventDefault()
  }
 }
 window.formValidate = formValidate
 /* Turbo stream actions */
 Turbo.StreamElement.prototype.disableElement = function(element) {
--- a/app/models/measurement.rb
+++ b/app/models/measurement.rb
@@ -1,3 +1,17 @@
 class Measurement
  include ActiveModel::Model
  attr_accessor :readouts, :created_at
  def id
    created_at.to_i
  end
  def to_param
    id.to_s
  end
  def persisted?
    true
  end
 end
--- a/app/models/quantity.rb
+++ b/app/models/quantity.rb
@@ -61,8 +61,8 @@ class Quantity < ApplicationRecord
  # Return: ordered [sub]hierarchy
  scope :ordered, ->(root: nil, include_root: true) {
    if connection.adapter_name =~ /mysql/i
      numbered = Arel::Table.new('numbered')
      self.model.with(numbered: numbered(:parent_id, :name)).with_recursive(arel_table.name => [
        numbered.project(
          numbered[Arel.star],
@@ -73,6 +73,14 @@ class Quantity < ApplicationRecord
          arel_table[:path].concat(numbered[:child_number])
        ).join(arel_table).on(numbered[:parent_id].eq(arel_table[:id]))
      ]).order(arel_table[:path])
    elsif root.nil?
      # SQLite: pathname column already stores the full hierarchical path
      order(:pathname)
    else
      root_pathname = unscoped.where(id: root).pick(:pathname)
      scope = order(:pathname).where("pathname LIKE ?", "#{root_pathname}#{PATHNAME_DELIMITER}%")
      include_root ? scope.or(where(id: root)) : scope
    end
  }
  # TODO: extract named functions to custom Arel extension
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -1,20 +0,0 @@
 # Key-value store for runtime application settings that are configured through
 # the web setup wizard (or updated by an administrator) rather than hard-coded
 # in application.rb.
 #
 # Known keys:
 #   skip_email_confirmation  – "true"/"false", mirrors the homonymous option
 #                              that was previously in application.rb.
 class Setting < ApplicationRecord
  validates :key, presence: true, uniqueness: true
  # Return the string value stored for +key+, or +default+ when absent.
  def self.get(key, default: nil)
    find_by(key: key)&.value || default
  end
  # Persist +value+ for +key+, creating the record if it does not yet exist.
  def self.set(key, value)
    find_or_initialize_by(key: key).update!(value: value.to_s)
  end
 end
--- a/app/models/unit.rb
+++ b/app/models/unit.rb
@@ -12,8 +12,8 @@ class Unit < ApplicationRecord
    errors.add(:base, :multilevel_nesting) if base.base_id?
  end
  validates :symbol, presence: true, uniqueness: {scope: :user_id},
-    length: {maximum: type_for_attribute(:symbol).limit || Float::INFINITY}
+    length: {maximum: type_for_attribute(:symbol).limit}
-  validates :description, length: {maximum: type_for_attribute(:description).limit || Float::INFINITY}
+  validates :description, length: {maximum: type_for_attribute(:description).limit}
  validates :multiplier, numericality: {equal_to: 1}, unless: :base
  validates :multiplier, numericality: {greater_than: 0, precision: true, scale: true}, if: :base
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -29,11 +29,4 @@ class User < ApplicationRecord
  def at_least(status)
    User.statuses[self.status] >= User.statuses[status]
  end
  # Returns true when this user is the only admin account in the system.
  # Used to block actions that would leave the application without an admin
  # (account deletion, status demotion).
  def sole_admin?
    admin? && !User.admin.where.not(id: id).exists?
  end
 end
--- a/app/views/measurements/_measurement.html.erb
+++ b/app/views/measurements/_measurement.html.erb
@@ -0,0 +1,14 @@
 <%= tag.tr id: dom_id(measurement) do %>
  <td><%= l measurement.created_at, format: :short %></td>
  <td>
    <% measurement.readouts.each do |readout| %>
      <span><%= readout.quantity.name %>: <%= readout.value %> <%= readout.unit %></span>
    <% end %>
  </td>
  <% if current_user.at_least(:active) %>
    <td class="actions">
      <%= image_button_to t('.destroy'), 'delete-outline', measurement_path(measurement),
        method: :delete %>
    </td>
  <% end %>
 <% end %>
--- a/app/views/measurements/create.turbo_stream.erb
+++ b/app/views/measurements/create.turbo_stream.erb
@@ -0,0 +1,5 @@
 <%= turbo_stream.update :flashes %>
 <%= turbo_stream.remove :measurement_form %>
 <%= turbo_stream.remove :no_items %>
 <%= turbo_stream.enable :new_measurement_link %>
 <%= turbo_stream.prepend :measurements, @measurement %>
--- a/app/views/measurements/destroy.turbo_stream.erb
+++ b/app/views/measurements/destroy.turbo_stream.erb
@@ -0,0 +1,3 @@
 <%= turbo_stream.update :flashes %>
 <%= turbo_stream.remove @measurement %>
 <%= turbo_stream.append(:measurements, render_no_items) if @measurements_empty %>
--- a/app/views/setup/new.html.erb
+++ b/app/views/setup/new.html.erb
@@ -1,39 +0,0 @@
 <%= form_with url: setup_path, method: :post, class: "labeled-form main-area" do %>
  <h3 style="grid-column: 1 / -1; text-align: left; margin: 0;">
    <%= t(".admin_account") %>
  </h3>
  <label for="admin_email"><%= t(".admin_email") %></label>
  <%= email_field_tag :admin_email, params[:admin_email],
        id: "admin_email", required: true, size: 30, autofocus: true,
        autocomplete: "email" %>
  <label for="admin_password"><%= t(".admin_password") %></label>
  <%= password_field_tag :admin_password, nil,
        id: "admin_password", required: true, size: 30,
        autocomplete: "new-password" %>
  <label for="admin_password_confirmation"><%= t(".admin_password_confirmation") %></label>
  <%= password_field_tag :admin_password_confirmation, nil,
        id: "admin_password_confirmation", required: true, size: 30,
        autocomplete: "off" %>
  <h3 style="grid-column: 1 / -1; text-align: left; margin: 0.5em 0 0 0;">
    <%= t(".options") %>
  </h3>
  <label for="skip_email_confirmation" style="grid-column: 1 / 3; text-align: left;">
    <%= check_box_tag :skip_email_confirmation, "1",
          params[:skip_email_confirmation] == "1",
          id: "skip_email_confirmation" %>
    <%= t(".skip_email_confirmation") %>
  </label>
  <label for="seed_units" style="grid-column: 1 / 3; text-align: left;">
    <%= check_box_tag :seed_units, "1", true, id: "seed_units" %>
    <%= t(".seed_units") %>
  </label>
  <%= submit_tag t(".submit") %>
 <% end %>
--- a/app/views/users/confirmations/create.turbo_stream.erb
+++ b/app/views/users/confirmations/create.turbo_stream.erb
@@ -0,0 +1 @@
 <% flash.discard %>
--- a/app/views/users/confirmations/new.html.erb
+++ b/app/views/users/confirmations/new.html.erb
@@ -1,9 +0,0 @@
 <%= labeled_form_for resource, url: user_confirmation_path,
  html: {class: 'main-area'} do |f| %>
  <%= f.email_field :email, required: true, size: 30, autofocus: true,
    autocomplete: 'email', value:
    resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email %>
  <%= f.submit t(:resend_confirmation) %>
 <% end %>
--- a/app/views/users/passwords/create.turbo_stream.erb
+++ b/app/views/users/passwords/create.turbo_stream.erb
@@ -0,0 +1,2 @@
 <%# For some reason flash messages are duplicated in bot flash and flash.now %>
 <% flash.discard %>
--- a/app/views/users/passwords/edit.html.erb
+++ b/app/views/users/passwords/edit.html.erb
@@ -1,5 +1,5 @@
 <%= labeled_form_for resource, url: user_password_path,
-  html: {method: :put, class: 'main-area'} do |f| %>
+  html: {method: :put, class: 'main-area', data: {turbo: false}} do |f| %>
  <%= f.hidden_field :reset_password_token %>
--- a/app/views/users/passwords/new.html.erb
+++ b/app/views/users/passwords/new.html.erb
@@ -1,8 +0,0 @@
 <%= labeled_form_for resource, url: user_password_path,
  html: {class: 'main-area'} do |f| %>
  <%= f.email_field :email, required: true, size: 30, autofocus: true,
    autocomplete: 'email' %>
  <%= f.submit t(:recover_password) %>
 <% end %>
--- a/app/views/users/registrations/edit.html.erb
+++ b/app/views/users/registrations/edit.html.erb
@@ -4,8 +4,9 @@
 <% end %>
 <div class="rightside-area buttongrid">
-  <%= image_button_to_if !current_user.sole_admin?, t('.delete'), 'account-remove-outline',
+  <%#= TODO: Disallow/disable deletion for last admin account, image_button_to_if %>
-    user_registration_path, form_class: 'tools-area', method: :delete, data: {turbo: false},
+  <%= image_button_to t('.delete'), 'account-remove-outline', user_registration_path,
    form_class: 'tools-area', method: :delete, data: {turbo: false},
    onclick: {confirm: t('.confirm_delete')} %>
 </div>
--- a/app/views/users/profiles/new.html.erb
+++ b/app/views/users/profiles/new.html.erb
@@ -0,0 +1,17 @@
 <%= labeled_form_for resource, url: user_registration_path,
  html: {class: 'main-area', onsubmit: 'formValidate(event)'} do |f| %>
  <%= f.email_field :email, required: true, size: 30, autofocus: true,
    autocomplete: 'email' %>
  <%= f.password_field :password, required: true, size: 30,
    minlength: @minimum_password_length, autocomplete: 'new-password' %>
  <%= f.password_field :password_confirmation, required: true, size: 30,
    minlength: @minimum_password_length, autocomplete: 'off' %>
  <%= f.submit t(:register), data: {turbo: false} %>
  <%# TODO: fix button text color after change link -> button %>
  <%= image_button_tag t(:resend_confirmation), 'email-sync-outline',
    class: 'auxiliary', formaction: user_confirmation_path, formnovalidate: true,
    data: {validate: f.field_id(:email)} %>
 <% end %>
--- a/app/views/users/registrations/new.html.erb
+++ b/app/views/users/registrations/new.html.erb
@@ -1,16 +0,0 @@
 <div class="main-area">
  <%= labeled_form_for resource, url: user_registration_path do |f| %>
    <%= f.email_field :email, required: true, size: 30, autofocus: true,
      autocomplete: 'email' %>
    <%= f.password_field :password, required: true, size: 30,
      minlength: @minimum_password_length, autocomplete: 'new-password' %>
    <%= f.password_field :password_confirmation, required: true, size: 30,
      minlength: @minimum_password_length, autocomplete: 'off' %>
    <%= f.submit t(:register) %>
  <% end %>
  <%= content_tag :p, t(:or), style: 'text-align: center;' %>
  <%= image_link_to t(:resend_confirmation), 'email-sync-outline',
    new_user_confirmation_path, class: 'centered' %>
 </div>
--- a/app/views/users/sessions/new.html.erb
+++ b/app/views/users/sessions/new.html.erb
@@ -1,18 +1,19 @@
-<div class="main-area">
+<%= labeled_form_for resource, url: user_session_path,
-  <%= labeled_form_for resource, url: user_session_path do |f| %>
+  html: {class: 'main-area', onsubmit: 'formValidate(event)'} do |f| %>
  <%= f.email_field :email, required: true, size: 30, autofocus: true,
    autocomplete: 'email' %>
  <%= f.password_field :password, required: true, size: 30,
-      minlength: @minimum_password_length, autocomplete: 'current-password' %>
+    autocomplete: 'current-password' %>
  <% if devise_mapping.rememberable? %>
    <%= f.check_box :remember_me %>
  <% end %>
-    <%= f.submit t(:sign_in) %>
+  <%# /sign_in as HTML; /password as TURBO_STREAM %>
-  <% end %>
+  <%= f.submit t(:sign_in), data: {turbo: false} %>
-  <%= content_tag :p, t(:or), style: 'text-align: center;' %>
+  <%= image_button_tag t(:recover_password), 'lock-reset', class: 'auxiliary',
-  <%= image_link_to t(:recover_password), 'lock-reset', new_user_password_path,
+    formaction: user_password_path, formnovalidate: true,
-    class: 'centered' %>
+    data: {validate: f.field_id(:email)} %>
-</div>
+<% end %>
--- a/config/application.rb.dist
+++ b/config/application.rb.dist
@@ -54,9 +54,5 @@ module FixinMe
    # Sender address of account registration-related messages
    Devise.mailer_sender = 'noreply@localhost'
    # Whether to skip e-mail confirmation for new registrations is configured
    # through the web setup wizard and stored in the database (Setting model),
    # so it does not need to be set here.
  end
 end
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -91,7 +91,7 @@ Devise.setup do |config|
  # It will change confirmation, password recovery and other workflows
  # to behave the same regardless if the e-mail provided was right or wrong.
  # Does not affect registerable.
-  # config.paranoid = true
+  config.paranoid = true
  # By default Devise will store the user in session. You can skip storage for
  # particular strategies by setting this option.
--- a/config/locales/devise.en.yml
+++ b/config/locales/devise.en.yml
@@ -4,15 +4,15 @@ en:
  devise:
    confirmations:
      confirmed: "Your email address has been successfully confirmed."
-      send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes."
+      send_paranoid_instructions: >
-      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
+        If your email address is in our database, a message with instructions on how
        to confirm your email address has been sent to you.
    failure:
      already_authenticated: "You are already signed in."
      inactive: "Your account is not activated yet."
-      invalid: "Invalid %{authentication_keys} or password."
+      invalid: "Invalid <b>%{authentication_keys}</b> or <b>password</b>."
      locked: "Your account is locked."
      last_attempt: "You have one more attempt before your account is locked."
      not_found_in_database: "Invalid %{authentication_keys} or password."
      timeout: "Your session expired. Please sign in again to continue."
      unauthenticated: "You need to sign in or sign up before continuing."
      unconfirmed: "You have to confirm your email address before continuing."
@@ -32,8 +32,9 @@ en:
      success: "Successfully authenticated from %{kind} account."
    passwords:
      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
-      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
+      send_paranoid_instructions: >
-      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+        If your email address is in our database, the password recovery link has been
        sent to you.
      updated: "Your password has been changed successfully. You are now signed in."
      updated_not_active: "Your password has been changed successfully."
    registrations:
@@ -50,7 +51,6 @@ en:
      signed_out: "Signed out successfully."
      already_signed_out: "Signed out successfully."
    unlocks:
      send_instructions: "You will receive an email with instructions for how to unlock your account in a few minutes."
      send_paranoid_instructions: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
      unlocked: "Your account has been unlocked successfully. Please sign in to continue."
  errors:
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -88,6 +88,12 @@ en:
      select_quantity: select the measured quantities...
    index:
      new_measurement: Add measurement
    create:
      success: Measurement saved.
    destroy:
      success: Measurement deleted.
    measurement:
      destroy: Delete
  readouts:
    form:
      select_unit: ...
@@ -150,7 +156,7 @@ en:
      edit:
        password_html: 'New password:%{password_length_hint_html}'
        update_password: Update password
-    registrations:
+    profiles:
      new:
        password_html: 'Password:%{password_length_hint_html}'
        password_confirmation: 'Retype password:'
@@ -162,34 +168,13 @@ en:
          New password:
          <br><em>leave blank to keep unchanged</em>
          %{password_length_hint_html}
  registrations:
    destroy:
      sole_admin: You cannot delete the only admin account.
  actions: Actions
  setup:
    new:
      admin_account: Admin account
      admin_email: 'E-mail:'
      admin_password: 'Password:'
      admin_password_confirmation: 'Retype password:'
      options: Options
      skip_email_confirmation: Skip e-mail confirmation for new registrations
      seed_units: Seed built-in default units
      submit: Set up
    create:
      email_blank: E-mail cannot be blank.
      password_blank: Password cannot be blank.
      password_mismatch: Passwords do not match.
      success: >
        Installation complete. You can now sign in with the admin account you
        just created.
  add: Add
  apply: Apply
  back: Back
  cancel: Cancel
  delete: Delete
  :no: 'no'
  or: or
  register: Register
  sign_in: Sign in
  recover_password: Recover password
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,7 +1,4 @@
 Rails.application.routes.draw do
  # Web-based installation wizard — only reachable when no admin exists yet.
  resource :setup, only: [:new, :create], controller: :setup
  resources :measurements
  resources :readouts, only: [:new] do
@@ -27,8 +24,9 @@ Rails.application.routes.draw do
  # https://github.com/heartcombo/devise/issues/5786
  connection = ActiveRecord::Base.connection
  if connection.schema_version && connection.table_exists?(:users)
    # NOTE: change helper prefix from *_registration to *_profile once possible
    devise_for :users, path: '', path_names: {registration: 'profile'},
-      controllers: {registrations: :registrations}
+      controllers: {registrations: 'user/profiles'}
  end
  resources :users, only: [:index, :show, :update] do
@@ -37,10 +35,8 @@ Rails.application.routes.draw do
  end
  unauthenticated do
    as :user do
    root to: redirect('/sign_in')
  end
  end
  root to: redirect('/units'), as: :user_root
  direct(:source_code) { 'https://gitea.michalczyk.pro/fixin.me/fixin.me' }
--- a/db/migrate/20260228171524_create_settings.rb
+++ b/db/migrate/20260228171524_create_settings.rb
@@ -1,12 +0,0 @@
 class CreateSettings < ActiveRecord::Migration[7.2]
  def change
    create_table :settings do |t|
      t.string :key, null: false
      t.string :value
      t.timestamps
    end
    add_index :settings, :key, unique: true
  end
 end
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -3,25 +3,13 @@
 #   bin/rails db:seed
 # command (or created alongside the database with db:setup).
 # Seeding process should be idempotent.
 #
 # Admin account setup
 # -------------------
 # The preferred way to create the first admin account is through the web setup
 # wizard, which is shown automatically on the first visit when no admin exists.
 # The wizard also lets you configure runtime options (e.g. skip e-mail
 # confirmation) and seed the default units without using the command line.
 #
 # The block below provides an alternative CLI path for headless / automated
 # deployments.  It is skipped when an admin account already exists (e.g. after
 # the web wizard has run).
 User.transaction do
  break if User.find_by status: :admin
-  password = SecureRandom.alphanumeric(12)
+  User.create! email: Rails.configuration.admin, password: 'admin', status: :admin do |user|
  User.create! email: Rails.configuration.admin, password: password, status: :admin do |user|
    user.skip_confirmation!
-    print "Creating #{user.status} account '#{user.email}' with password '#{password}'..."
+    print "Creating #{user.status} account '#{user.email}' with password '#{user.password}'..."
  end
  puts "done."
--- a/test/application_system_test_case.rb
+++ b/test/application_system_test_case.rb
@@ -1,6 +1,7 @@
 require "test_helper"
 class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
  include ActionView::Helpers::SanitizeHelper
  include ActionView::Helpers::UrlHelper
  # NOTE: geckodriver installed with Firefox, ignore incompatibility warning
@@ -32,7 +33,8 @@ class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
  # Allow skipping interpolations when translating for testing purposes
  INTERPOLATION_PATTERNS = Regexp.union(I18n.config.interpolation_patterns)
  def translate(key, **options)
-    options.empty? ? super.split(INTERPOLATION_PATTERNS, 2).first : super
+    translation = options.empty? ? super.split(INTERPOLATION_PATTERNS, 2).first : super
    sanitize(translation, tags: [])
  end
  alias :t :translate
--- a/test/controllers/registrations_controller_test.rb
+++ b/test/controllers/registrations_controller_test.rb
@@ -1,18 +0,0 @@
 require "test_helper"
 class RegistrationsControllerTest < ActionDispatch::IntegrationTest
  test "sole admin cannot delete account" do
    sign_in users(:admin)
    delete user_registration_path
    assert_redirected_to edit_user_registration_path
    assert_equal t("registrations.destroy.sole_admin"), flash[:alert]
    assert User.exists?(users(:admin).id)
  end
  test "non-admin can delete account" do
    sign_in users(:alice)
    assert_difference ->{ User.count }, -1 do
      delete user_registration_path
    end
  end
 end
--- a/test/system/users_test.rb
+++ b/test/system/users_test.rb
@@ -5,8 +5,8 @@ class UsersTest < ApplicationSystemTestCase
    @admin = users(:admin)
  end
-  test "sign in" do
+  test 'sign in' do
-    visit new_user_session_path
+    visit root_url
    assert find_link(href: new_user_session_path)[:disabled]
    sign_in
@@ -14,16 +14,23 @@ class UsersTest < ApplicationSystemTestCase
    assert_text t('devise.sessions.signed_in')
  end
-  test 'sign in fails with invalid password' do
+  test 'sign in fails with invalid credentials' do
-    sign_in password: random_password
+    label = User.human_attribute_name(:email)
    # Both: valid and invalid emails should give the same (paranoid) error message.
    email = [users.sample.email, random_email].sample
    visit root_url
    fill_in label, with: email
    fill_in User.human_attribute_name(:password), with: random_password
    click_on t(:sign_in)
    assert_current_path new_user_session_path
-    assert_text t('devise.failure.not_found_in_database',
+    assert_text t('devise.failure.invalid', authentication_keys: label.downcase_first)
                  authentication_keys: User.human_attribute_name(:email))
    assert find_link(href: new_user_session_path)[:disabled]
-    assert_not_empty find_field(User.human_attribute_name(:email)).value
+    assert has_field?(label, with: email)
  end
-  test "sign out" do
+  test 'sign out' do
    sign_in
    visit root_url
    click_on t("layouts.application.sign_out")
@@ -31,79 +38,106 @@ class UsersTest < ApplicationSystemTestCase
    assert_text t("devise.sessions.signed_out")
  end
-  test "recover password" do
+  test 'recover password' do
-    visit new_user_session_url
+    label = User.human_attribute_name(:email)
-    click_on t(:recover_password)
+    email = users.select(&:confirmed?).sample.email
    visit root_url
    fill_in label, with: email
    # Form validations should allow empty password.
    assert has_field?(User.human_attribute_name(:password), with: nil)
    fill_in User.human_attribute_name(:email),
      with: users.select(&:confirmed?).sample.email
    assert_emails 1 do
      click_on t(:recover_password)
      # Wait until redirected to make sure async request has been processed
      assert_current_path new_user_session_path
      # Wait for flash message to make sure async request has been processed.
      assert_text t("devise.passwords.send_paranoid_instructions")
    end
-    assert_text t("devise.passwords.send_instructions")
+    assert has_field?(label, with: email)
    with_last_email do |mail|
      visit Capybara.string(mail.body.to_s).find_link("Change my password")[:href]
      assert_current_path edit_user_password_path, ignore_query: true
      # Make sure flash message is not displayed twice.
      assert_no_text t("devise.passwords.send_paranoid_instructions")
    end
    new_password = random_password
    fill_in t("users.passwords.edit.password_html"), with: new_password
    fill_in t("helpers.label.user.password_confirmation"), with: new_password
    assert_emails 1 do
      click_on t("users.passwords.edit.update_password")
      # Wait until redirected to make sure async request has been processed
      assert_current_path units_path
    end
      assert_text t("devise.passwords.updated")
    end
  end
-  test "register" do
+  test 'recover password for nonexistent user' do
-    visit new_user_session_url
+    label = User.human_attribute_name(:email)
    email = random_email
    visit root_url
    fill_in label, with: email
    assert_no_emails do
      click_on t(:recover_password)
      assert_current_path new_user_session_path
      assert_text t("devise.passwords.send_paranoid_instructions")
    end
  end
  test 'register' do
    visit root_url
    click_on t(:register)
    assert find_link(href: new_user_registration_path)[:disabled]
    fill_in User.human_attribute_name(:email), with: random_email
    password = random_password
    fill_in User.human_attribute_name(:password), with: password
-    fill_in t("users.registrations.new.password_confirmation"), with: password
+    fill_in t("users.profiles.new.password_confirmation"), with: password
-    assert_difference ->{User.count}, 1 do
+    assert_difference ->{ User.count }, 1 do
      assert_emails 1 do
        click_on t(:register)
        # Wait until redirected to make sure async request has been processed
        assert_current_path new_user_session_path
      end
    end
        assert_text t("devise.registrations.signed_up_but_unconfirmed")
      end
    end
    assert_changes ->{ User.last.confirmed? }, from: false, to: true do
      with_last_email do |mail|
        visit Capybara.string(mail.body.to_s).find_link("Confirm my account")[:href]
    end
        assert_current_path new_user_session_path
        assert_text t("devise.confirmations.confirmed")
-    assert User.last.confirmed?
+      end
    end
  end
-  test "resend confirmation" do
+  test 'resend confirmation' do
-    visit new_user_session_url
+    label = User.human_attribute_name(:email)
-    click_on t(:register)
+    user = users.reject(&:confirmed?).sample
-    click_on t(:resend_confirmation)
+
    visit root_url
    click_on t(:register)
    fill_in label, with: user.email
    assert has_field?(User.human_attribute_name(:password), with: nil)
    fill_in User.human_attribute_name(:email),
      with: users.reject(&:confirmed?).sample.email
    assert_emails 1 do
      click_on t(:resend_confirmation)
-      # Wait until redirected to make sure async request has been processed
+      assert_current_path new_user_registration_path
-      assert_current_path new_user_session_path
+      assert_text t("devise.confirmations.send_paranoid_instructions")
    end
-    assert_current_path new_user_session_path
+    assert has_field?(label, with: user.email)
    assert_text t("devise.confirmations.send_instructions")
    assert_changes ->{ user.reload.confirmed? }, from: false, to: true do
      with_last_email do |mail|
        visit Capybara.string(mail.body.to_s).find_link("Confirm my account")[:href]
        assert_current_path new_user_session_path
        assert_no_text t("devise.confirmations.send_paranoid_instructions")
        assert_text t("devise.confirmations.confirmed")
      end
    end
  end
-  test "show profile" do
+  test 'show profile' do
    sign_in user: users.select(&:admin?).select(&:confirmed?).sample
    click_on t("users.navigation")
    within all('tr').drop(1).sample do |tr|
@@ -113,7 +147,7 @@ class UsersTest < ApplicationSystemTestCase
    end
  end
-  test "disguise" do
+  test 'disguise' do
    user = users.select(&:admin?).select(&:confirmed?).sample
    sign_in user: user
@@ -129,7 +163,7 @@ class UsersTest < ApplicationSystemTestCase
    assert_link user.email
  end
-  test "disguise fails for admin when disallowed" do
+  test 'disguise fails for admin when disallowed' do
    user = users.select(&:admin?).select(&:confirmed?).sample
    sign_in user: user
@@ -142,45 +176,37 @@ class UsersTest < ApplicationSystemTestCase
    assert_title 'The change you wanted was rejected (422)'
  end
-  test "disguise forbidden for non admin" do
+  test 'disguise forbidden for non admin' do
    sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
    visit disguise_user_path(User.all.sample)
    assert_title 'Access is forbidden to this page (403)'
  end
-  test "delete profile" do
+  test 'delete profile' do
-    user = sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
+    user = sign_in
    # TODO: remove condition after root_url changed to different path than
    # profile in routes.rb
    unless has_current_path?(edit_user_registration_path)
      first(:link_or_button, user.email).click
    end
    assert_difference ->{ User.count }, -1 do
-      accept_confirm { click_on t("users.registrations.edit.delete") }
+      accept_confirm { click_on t("users.profiles.edit.delete") }
      assert_current_path new_user_session_path
    end
    assert_text t("devise.registrations.destroyed")
  end
-  test "sole admin cannot delete profile" do
+  test 'index forbidden for non admin' do
    sign_in user: users(:admin)
    unless has_current_path?(edit_user_registration_path)
      first(:link_or_button, users(:admin).email).click
    end
    assert find(:button, t("users.registrations.edit.delete"))[:disabled]
  end
  test "index forbidden for non admin" do
    sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
    visit users_path
    assert_title "Access is forbidden to this page (403)"
  end
-  test "update profile" do
+  test 'update profile' do
    # TODO
  end
-  test "update status" do
+  test 'update status' do
    sign_in user: users.select(&:admin?).select(&:confirmed?).sample
    visit users_path
@@ -195,7 +221,7 @@ class UsersTest < ApplicationSystemTestCase
    assert_current_path users_path
  end
-  test "update status fails for admin when disallowed" do
+  test 'update status fails for admin when disallowed' do
    sign_in user: users.select(&:admin?).select(&:confirmed?).sample
    visit users_path
@@ -208,7 +234,7 @@ class UsersTest < ApplicationSystemTestCase
    assert_title 'The change you wanted was rejected (422)'
  end
-  test "update status forbidden for non admin" do
+  test 'update status forbidden for non admin' do
    sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
    visit units_path
    inject_button_to find('body'), "update status", user_path(User.all.sample), method: :patch,
		`@@ -0,0 +1,2 @@`
							`<%# For some reason flash messages are duplicated in bot flash and flash.now %>`
							`<% flash.discard %>`