Fix quantity ordered scope for SQLite: use pathname column instead of recursive CTE

SQLite's Arel visitor wraps CTE branches in extra parentheses, making
the UNION ALL inside recursive CTEs invalid. Also SQLite lacks LPAD()
and CAST(... AS BINARY). Fix by using the existing pathname column for
ordering on SQLite, which already encodes the hierarchical path.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/assets/stylesheets/application.css

@@ -113,6 +113,12 @@ textarea {
   border: solid 1px var(--color-gray);
   border-radius: 0.25em;
 }
+[name=cancel],
+.auxiliary {
+  border-color: var(--color-border-gray);
+  color: var(--color-nav-gray);
+  fill: var(--color-nav-gray);
+}
 input[type=checkbox],
 svg,
 textarea {
@@ -131,6 +137,7 @@ input[type=checkbox]:checked {
   -webkit-appearance: checkbox;
 }
 /* Hide spin buttons in input number fields */
+/* TODO: add spin buttons inside input[number]: before (-) and after (+) input */
 input[type=number] {
   appearance: textfield;
   -moz-appearance: textfield;
@@ -340,6 +347,7 @@ header {
   opacity: 1;
 }
 
+
 /* TODO: Hover over invalid should work like in measurements (thin vs thick border) */
 .labeled-form {
   align-items: center;
@@ -371,9 +379,17 @@ header {
 }
 .labeled-form input[type=submit] {
   font-size: 1rem;
-  margin: 1.5em auto 0 auto;
+  margin: 1em auto 0 auto;
   padding: 0.75em;
 }
+.labeled-form .auxiliary {
+  grid-column: 3;
+  /* If more buttons are needed, `grid-row` can be replaced with
+   * `reading-flow: grid-columns` to ensure proper tabindex order */
+  grid-row: 1;
+  height: 100%;
+  padding-block: 0;
+}
 
 
 /* TODO: remove .items class (?) and make 'form table' work properly */
@@ -532,11 +548,6 @@ table.items select:focus-within,
 table.items select:focus-visible {
   color: black;
 }
-form a[name=cancel] {
-  border-color: var(--color-border-gray);
-  color: var(--color-nav-gray);
-  fill: var(--color-nav-gray);
-}
 form table.items {
   border: none;
 }

app/controllers/application_controller.rb

@@ -25,6 +25,18 @@ class ApplicationController < ActionController::Base
   #   Turbo will reload 2nd time with HTML format and flashes will be lost.
   rescue_from *ActionDispatch::ExceptionWrapper.rescue_responses.keys, with: :rescue_turbo
 
+  # Required by #respond_with (gem `responders`) used by Devise controllers.
+  respond_to :html, :turbo_stream
+
+  def after_sign_in_path_for(resource)
+    # TODO: allow setting path per-user or save last path in session and restore
+    units_path
+  end
+
+  def after_sign_out_path_for(resource)
+    new_user_session_path
+  end
+
   protected
 
   def current_user_disguised?

app/controllers/measurements_controller.rb

@@ -1,7 +1,13 @@
 class MeasurementsController < ApplicationController
+  before_action except: :index do
+    raise AccessForbidden unless current_user.at_least(:active)
+  end
+
   def index
-    @measurements = []
-    #@measurements = current_user.units.ordered.includes(:base, :subunits)
+    readouts = current_user.readouts.includes(:quantity, :unit).order(created_at: :desc)
+    @measurements = readouts.group_by(&:created_at).map do |created_at, grouped|
+      Measurement.new(created_at: created_at, readouts: grouped)
+    end
   end
 
   def new
@@ -9,8 +15,33 @@ class MeasurementsController < ApplicationController
   end
 
   def create
+    timestamp = Time.current
+    @readouts = readout_params.map do |rp|
+      r = current_user.readouts.new(rp)
+      r.created_at = timestamp
+      r
+    end
+
+    if @readouts.all?(&:valid?)
+      Readout.transaction { @readouts.each(&:save!) }
+      @measurement = Measurement.new(readouts: @readouts, created_at: timestamp)
+      flash.now[:notice] = t('.success')
+    else
+      render :new, status: :unprocessable_entity
+    end
   end
 
   def destroy
+    @measurement = Measurement.new(id: params[:id].to_i,
+                                   created_at: Time.at(params[:id].to_i))
+    current_user.readouts.where(created_at: @measurement.created_at).delete_all
+    @measurements_empty = current_user.readouts.empty?
+    flash.now[:notice] = t('.success')
+  end
+
+  private
+
+  def readout_params
+    params.require(:readouts).map { |r| r.permit(:quantity_id, :value, :unit_id) }
   end
 end

app/controllers/user/profiles_controller.rb

@@ -1,6 +1,4 @@
-class RegistrationsController < Devise::RegistrationsController
-  before_action :authenticate_user!, only: [:edit, :update, :destroy]
-
+class User::ProfilesController < Devise::RegistrationsController
   def destroy
     # TODO: Disallow/disable deletion for last admin account; update :edit view
     super

app/controllers/users_controller.rb

@@ -37,7 +37,7 @@ class UsersController < ApplicationController
   end
 
   # NOTE: limited actions availabe to :admin by design. Users are meant to
-  # manage their accounts by themselves through registrations. :admin
+  # manage their accounts by themselves through profiles. :admin
   # is allowed to sign-in (disguise) as user and make changes from there.
 
   protected

app/helpers/application_helper.rb

@@ -72,13 +72,8 @@ module ApplicationHelper
   end
 
   def labeled_form_for(record, options = {}, &block)
-    extra_options = {builder: LabeledFormBuilder,
-                     data: {turbo: false},
-                     html: {class: 'labeled-form'}}
-    options = options.deep_merge(extra_options) do |key, left, right|
-      key == :class ? class_names(left, right) : right
-    end
-    form_for(record, **options, &block)
+    extra_options = {builder: LabeledFormBuilder, html: {class: 'labeled-form'}}
+    form_for(record, **merge_attributes(options, extra_options), &block)
   end
 
   class TabularFormBuilder < ActionView::Helpers::FormBuilder
@@ -135,16 +130,16 @@ module ApplicationHelper
     # [autofocus].  Otherwise IDs are not unique when multiple forms are open
     # and the first input gets focus.
     record_object, options = nil, record_object if record_object.is_a?(Hash)
-    options.merge!(builder: TabularFormBuilder, skip_default_ids: true)
+    extra_options = {builder: TabularFormBuilder, skip_default_ids: true}
+    options = merge_attributes(options, extra_options)
     # TODO: set error message with setCustomValidity instead of rendering to flash?
     render_errors(record_object || record_name)
     fields_for(record_name, record_object, **options, &block)
   end
 
   def tabular_form_with(**options, &block)
-    options = options.deep_merge(builder: TabularFormBuilder,
-                                 html: {autocomplete: 'off'})
-    form_with(**options, &block)
+    extra_options = {builder: TabularFormBuilder, html: {autocomplete: 'off'}}
+    form_with(**merge_attributes(options, extra_options), &block)
   end
 
   def svg_tag(source, label = nil, options = {})
@@ -159,6 +154,7 @@ module ApplicationHelper
       ['measurements', 'scale-bathroom', :restricted],
       ['quantities', 'axis-arrow', :restricted, 'right'],
       ['units', 'weight-gram', :restricted],
+      # TODO: display users tab only if >1 user present; sole_user?/sole_admin?
       ['users', 'account-multiple-outline', :admin],
     ]
 
@@ -206,6 +202,7 @@ module ApplicationHelper
 
   def render_errors(records)
     # Conversion of flash to Array only required because of Devise
+    # TODO: override Devise message setting to Array()?
     flash[:alert] = Array(flash[:alert])
     Array(records).each { |record| flash[:alert] += record.errors.full_messages }
   end
@@ -215,6 +212,7 @@ module ApplicationHelper
       # Conversion of flash to Array only required because of Devise
       Array(messages).map do |message|
         tag.div class: "flash #{entry}" do
+          # TODO: change button text to svg to make it aligned vertically
           tag.div(sanitize(message)) + tag.button(sanitize("&times;"), tabindex: -1,
                                                   onclick: "this.parentElement.remove();")
         end
@@ -252,4 +250,11 @@ module ApplicationHelper
 
     [name, html_options]
   end
+
+  # Like Hash#deep_merge, but aware of HTML attributes.
+  def merge_attributes(left, right)
+    left.deep_merge(right) do |key, lvalue, rvalue|
+      key == :class ? class_names(lvalue, rvalue) : rvalue
+    end
+  end
 end

app/javascript/application.js

@@ -37,6 +37,18 @@ window.detailsObserver = new MutationObserver((mutations) => {
   mutations[0].target.dispatchEvent(new Event('change', {bubbles: true}))
 });
 
+function formValidate(event) {
+  var id = event.submitter.getAttribute("data-validate")
+  if (!id) return;
+
+  var input = document.getElementById(id)
+  if (!input.checkValidity()) {
+    input.reportValidity()
+    event.preventDefault()
+  }
+}
+window.formValidate = formValidate
+
 
 /* Turbo stream actions */
 Turbo.StreamElement.prototype.disableElement = function(element) {

app/models/measurement.rb

@@ -1,3 +1,17 @@
 class Measurement
   include ActiveModel::Model
+
+  attr_accessor :readouts, :created_at
+
+  def id
+    created_at.to_i
+  end
+
+  def to_param
+    id.to_s
+  end
+
+  def persisted?
+    true
+  end
 end

app/models/quantity.rb

@@ -15,8 +15,8 @@ class Quantity < ApplicationRecord
     errors.add(:parent, :descendant_reference) if ancestor_of?(parent)
   end
   validates :name, presence: true, uniqueness: {scope: [:user_id, :parent_id]},
-    length: {maximum: type_for_attribute(:name).limit}
-  validates :description, length: {maximum: type_for_attribute(:description).limit}
+    length: {maximum: type_for_attribute(:name).limit || Float::INFINITY}
+  validates :description, length: {maximum: type_for_attribute(:description).limit || Float::INFINITY}
 
   # Update :depths of progenies after parent change
   before_save if: :parent_changed? do
@@ -61,18 +61,26 @@ class Quantity < ApplicationRecord
 
   # Return: ordered [sub]hierarchy
   scope :ordered, ->(root: nil, include_root: true) {
-    numbered = Arel::Table.new('numbered')
-
-    self.model.with(numbered: numbered(:parent_id, :name)).with_recursive(arel_table.name => [
-      numbered.project(
-        numbered[Arel.star],
-        numbered.cast(numbered[:child_number], 'BINARY').as('path')
-      ).where(numbered[root && include_root ? :id : :parent_id].eq(root)),
-      numbered.project(
-        numbered[Arel.star],
-        arel_table[:path].concat(numbered[:child_number])
-      ).join(arel_table).on(numbered[:parent_id].eq(arel_table[:id]))
-    ]).order(arel_table[:path])
+    if connection.adapter_name =~ /mysql/i
+      numbered = Arel::Table.new('numbered')
+      self.model.with(numbered: numbered(:parent_id, :name)).with_recursive(arel_table.name => [
+        numbered.project(
+          numbered[Arel.star],
+          numbered.cast(numbered[:child_number], 'BINARY').as('path')
+        ).where(numbered[root && include_root ? :id : :parent_id].eq(root)),
+        numbered.project(
+          numbered[Arel.star],
+          arel_table[:path].concat(numbered[:child_number])
+        ).join(arel_table).on(numbered[:parent_id].eq(arel_table[:id]))
+      ]).order(arel_table[:path])
+    elsif root.nil?
+      # SQLite: pathname column already stores the full hierarchical path
+      order(:pathname)
+    else
+      root_pathname = unscoped.where(id: root).pick(:pathname)
+      scope = order(:pathname).where("pathname LIKE ?", "#{root_pathname}#{PATHNAME_DELIMITER}%")
+      include_root ? scope.or(where(id: root)) : scope
+    end
   }
 
   # TODO: extract named functions to custom Arel extension

app/views/measurements/_measurement.html.erb

@@ -0,0 +1,14 @@
+<%= tag.tr id: dom_id(measurement) do %>
+  <td><%= l measurement.created_at, format: :short %></td>
+  <td>
+    <% measurement.readouts.each do |readout| %>
+      <span><%= readout.quantity.name %>: <%= readout.value %> <%= readout.unit %></span>
+    <% end %>
+  </td>
+  <% if current_user.at_least(:active) %>
+    <td class="actions">
+      <%= image_button_to t('.destroy'), 'delete-outline', measurement_path(measurement),
+        method: :delete %>
+    </td>
+  <% end %>
+<% end %>

app/views/measurements/create.turbo_stream.erb

@@ -0,0 +1,5 @@
+<%= turbo_stream.update :flashes %>
+<%= turbo_stream.remove :measurement_form %>
+<%= turbo_stream.remove :no_items %>
+<%= turbo_stream.enable :new_measurement_link %>
+<%= turbo_stream.prepend :measurements, @measurement %>

app/views/measurements/destroy.turbo_stream.erb

@@ -0,0 +1,3 @@
+<%= turbo_stream.update :flashes %>
+<%= turbo_stream.remove @measurement %>
+<%= turbo_stream.append(:measurements, render_no_items) if @measurements_empty %>

app/views/users/confirmations/create.turbo_stream.erb

@@ -0,0 +1 @@
+<% flash.discard %>

app/views/users/confirmations/new.html.erb

@@ -1,9 +0,0 @@
-<%= labeled_form_for resource, url: user_confirmation_path,
-  html: {class: 'main-area'} do |f| %>
-
-  <%= f.email_field :email, required: true, size: 30, autofocus: true,
-    autocomplete: 'email', value:
-    resource.pending_reconfirmation? ? resource.unconfirmed_email : resource.email %>
-
-  <%= f.submit t(:resend_confirmation) %>
-<% end %>

app/views/users/passwords/create.turbo_stream.erb

@@ -0,0 +1,2 @@
+<%# For some reason flash messages are duplicated in bot flash and flash.now %>
+<% flash.discard %>

app/views/users/passwords/edit.html.erb

@@ -1,5 +1,5 @@
 <%= labeled_form_for resource, url: user_password_path,
-  html: {method: :put, class: 'main-area'} do |f| %>
+  html: {method: :put, class: 'main-area', data: {turbo: false}} do |f| %>
 
   <%= f.hidden_field :reset_password_token %>
 

app/views/users/passwords/new.html.erb

@@ -1,8 +0,0 @@
-<%= labeled_form_for resource, url: user_password_path,
-  html: {class: 'main-area'} do |f| %>
-
-  <%= f.email_field :email, required: true, size: 30, autofocus: true,
-    autocomplete: 'email' %>
-
-  <%= f.submit t(:recover_password) %>
-<% end %>

app/views/users/profiles/new.html.erb

@@ -0,0 +1,17 @@
+<%= labeled_form_for resource, url: user_registration_path,
+  html: {class: 'main-area', onsubmit: 'formValidate(event)'} do |f| %>
+
+  <%= f.email_field :email, required: true, size: 30, autofocus: true,
+    autocomplete: 'email' %>
+  <%= f.password_field :password, required: true, size: 30,
+    minlength: @minimum_password_length, autocomplete: 'new-password' %>
+  <%= f.password_field :password_confirmation, required: true, size: 30,
+    minlength: @minimum_password_length, autocomplete: 'off' %>
+
+  <%= f.submit t(:register), data: {turbo: false} %>
+
+  <%# TODO: fix button text color after change link -> button %>
+  <%= image_button_tag t(:resend_confirmation), 'email-sync-outline',
+    class: 'auxiliary', formaction: user_confirmation_path, formnovalidate: true,
+    data: {validate: f.field_id(:email)} %>
+<% end %>

app/views/users/registrations/new.html.erb

@@ -1,16 +0,0 @@
-<div class="main-area">
-  <%= labeled_form_for resource, url: user_registration_path do |f| %>
-    <%= f.email_field :email, required: true, size: 30, autofocus: true,
-      autocomplete: 'email' %>
-    <%= f.password_field :password, required: true, size: 30,
-      minlength: @minimum_password_length, autocomplete: 'new-password' %>
-    <%= f.password_field :password_confirmation, required: true, size: 30,
-      minlength: @minimum_password_length, autocomplete: 'off' %>
-
-    <%= f.submit t(:register) %>
-  <% end %>
-
-  <%= content_tag :p, t(:or), style: 'text-align: center;' %>
-  <%= image_link_to t(:resend_confirmation), 'email-sync-outline',
-    new_user_confirmation_path, class: 'centered' %>
-</div>

app/views/users/sessions/new.html.erb

@@ -1,18 +1,19 @@
-<div class="main-area">
-  <%= labeled_form_for resource, url: user_session_path do |f| %>
-    <%= f.email_field :email, required: true, size: 30, autofocus: true,
-      autocomplete: 'email' %>
-    <%= f.password_field :password, required: true, size: 30,
-      minlength: @minimum_password_length, autocomplete: 'current-password' %>
+<%= labeled_form_for resource, url: user_session_path,
+  html: {class: 'main-area', onsubmit: 'formValidate(event)'} do |f| %>
 
-    <% if devise_mapping.rememberable? %>
-      <%= f.check_box :remember_me %>
-    <% end %>
+  <%= f.email_field :email, required: true, size: 30, autofocus: true,
+    autocomplete: 'email' %>
+  <%= f.password_field :password, required: true, size: 30,
+    autocomplete: 'current-password' %>
 
-    <%= f.submit t(:sign_in) %>
+  <% if devise_mapping.rememberable? %>
+    <%= f.check_box :remember_me %>
   <% end %>
 
-  <%= content_tag :p, t(:or), style: 'text-align: center;' %>
-  <%= image_link_to t(:recover_password), 'lock-reset', new_user_password_path,
-    class: 'centered' %>
-</div>
+  <%# /sign_in as HTML; /password as TURBO_STREAM %>
+  <%= f.submit t(:sign_in), data: {turbo: false} %>
+
+  <%= image_button_tag t(:recover_password), 'lock-reset', class: 'auxiliary',
+    formaction: user_password_path, formnovalidate: true,
+    data: {validate: f.field_id(:email)} %>
+<% end %>

config/initializers/devise.rb

@@ -91,7 +91,7 @@ Devise.setup do |config|
   # It will change confirmation, password recovery and other workflows
   # to behave the same regardless if the e-mail provided was right or wrong.
   # Does not affect registerable.
-  # config.paranoid = true
+  config.paranoid = true
 
   # By default Devise will store the user in session. You can skip storage for
   # particular strategies by setting this option.

config/locales/devise.en.yml

@@ -4,15 +4,15 @@ en:
   devise:
     confirmations:
       confirmed: "Your email address has been successfully confirmed."
-      send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes."
-      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
+      send_paranoid_instructions: >
+        If your email address is in our database, a message with instructions on how
+        to confirm your email address has been sent to you.
     failure:
       already_authenticated: "You are already signed in."
       inactive: "Your account is not activated yet."
-      invalid: "Invalid %{authentication_keys} or password."
+      invalid: "Invalid <b>%{authentication_keys}</b> or <b>password</b>."
       locked: "Your account is locked."
       last_attempt: "You have one more attempt before your account is locked."
-      not_found_in_database: "Invalid %{authentication_keys} or password."
       timeout: "Your session expired. Please sign in again to continue."
       unauthenticated: "You need to sign in or sign up before continuing."
       unconfirmed: "You have to confirm your email address before continuing."
@@ -32,8 +32,9 @@ en:
       success: "Successfully authenticated from %{kind} account."
     passwords:
       no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
-      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
-      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      send_paranoid_instructions: >
+        If your email address is in our database, the password recovery link has been
+        sent to you.
       updated: "Your password has been changed successfully. You are now signed in."
       updated_not_active: "Your password has been changed successfully."
     registrations:
@@ -50,7 +51,6 @@ en:
       signed_out: "Signed out successfully."
       already_signed_out: "Signed out successfully."
     unlocks:
-      send_instructions: "You will receive an email with instructions for how to unlock your account in a few minutes."
       send_paranoid_instructions: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
       unlocked: "Your account has been unlocked successfully. Please sign in to continue."
   errors:

config/locales/en.yml

@@ -88,6 +88,12 @@ en:
       select_quantity: select the measured quantities...
     index:
       new_measurement: Add measurement
+    create:
+      success: Measurement saved.
+    destroy:
+      success: Measurement deleted.
+    measurement:
+      destroy: Delete
   readouts:
     form:
       select_unit: ...
@@ -150,7 +156,7 @@ en:
       edit:
         password_html: 'New password:%{password_length_hint_html}'
         update_password: Update password
-    registrations:
+    profiles:
       new:
         password_html: 'Password:%{password_length_hint_html}'
         password_confirmation: 'Retype password:'
@@ -169,7 +175,6 @@ en:
   cancel: Cancel
   delete: Delete
   :no: 'no'
-  or: or
   register: Register
   sign_in: Sign in
   recover_password: Recover password

config/routes.rb

@@ -24,8 +24,9 @@ Rails.application.routes.draw do
   # https://github.com/heartcombo/devise/issues/5786
   connection = ActiveRecord::Base.connection
   if connection.schema_version && connection.table_exists?(:users)
+    # NOTE: change helper prefix from *_registration to *_profile once possible
     devise_for :users, path: '', path_names: {registration: 'profile'},
-      controllers: {registrations: :registrations}
+      controllers: {registrations: 'user/profiles'}
   end
 
   resources :users, only: [:index, :show, :update] do
@@ -34,9 +35,7 @@ Rails.application.routes.draw do
   end
 
   unauthenticated do
-    as :user do
-      root to: redirect('/sign_in')
-    end
+    root to: redirect('/sign_in')
   end
   root to: redirect('/units'), as: :user_root
 

test/application_system_test_case.rb

@@ -1,6 +1,7 @@
 require "test_helper"
 
 class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
+  include ActionView::Helpers::SanitizeHelper
   include ActionView::Helpers::UrlHelper
 
   # NOTE: geckodriver installed with Firefox, ignore incompatibility warning
@@ -32,7 +33,8 @@ class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
   # Allow skipping interpolations when translating for testing purposes
   INTERPOLATION_PATTERNS = Regexp.union(I18n.config.interpolation_patterns)
   def translate(key, **options)
-    options.empty? ? super.split(INTERPOLATION_PATTERNS, 2).first : super
+    translation = options.empty? ? super.split(INTERPOLATION_PATTERNS, 2).first : super
+    sanitize(translation, tags: [])
   end
   alias :t :translate
 

test/system/users_test.rb

@@ -5,8 +5,8 @@ class UsersTest < ApplicationSystemTestCase
     @admin = users(:admin)
   end
 
-  test "sign in" do
-    visit new_user_session_path
+  test 'sign in' do
+    visit root_url
     assert find_link(href: new_user_session_path)[:disabled]
 
     sign_in
@@ -14,16 +14,23 @@ class UsersTest < ApplicationSystemTestCase
     assert_text t('devise.sessions.signed_in')
   end
 
-  test 'sign in fails with invalid password' do
-    sign_in password: random_password
+  test 'sign in fails with invalid credentials' do
+    label = User.human_attribute_name(:email)
+    # Both: valid and invalid emails should give the same (paranoid) error message.
+    email = [users.sample.email, random_email].sample
+
+    visit root_url
+    fill_in label, with: email
+    fill_in User.human_attribute_name(:password), with: random_password
+    click_on t(:sign_in)
+
     assert_current_path new_user_session_path
-    assert_text t('devise.failure.not_found_in_database',
-                  authentication_keys: User.human_attribute_name(:email))
+    assert_text t('devise.failure.invalid', authentication_keys: label.downcase_first)
     assert find_link(href: new_user_session_path)[:disabled]
-    assert_not_empty find_field(User.human_attribute_name(:email)).value
+    assert has_field?(label, with: email)
   end
 
-  test "sign out" do
+  test 'sign out' do
     sign_in
     visit root_url
     click_on t("layouts.application.sign_out")
@@ -31,79 +38,106 @@ class UsersTest < ApplicationSystemTestCase
     assert_text t("devise.sessions.signed_out")
   end
 
-  test "recover password" do
-    visit new_user_session_url
-    click_on t(:recover_password)
+  test 'recover password' do
+    label = User.human_attribute_name(:email)
+    email = users.select(&:confirmed?).sample.email
+
+    visit root_url
+    fill_in label, with: email
+    # Form validations should allow empty password.
+    assert has_field?(User.human_attribute_name(:password), with: nil)
 
-    fill_in User.human_attribute_name(:email),
-      with: users.select(&:confirmed?).sample.email
     assert_emails 1 do
       click_on t(:recover_password)
-      # Wait until redirected to make sure async request has been processed
       assert_current_path new_user_session_path
+      # Wait for flash message to make sure async request has been processed.
+      assert_text t("devise.passwords.send_paranoid_instructions")
     end
-    assert_text t("devise.passwords.send_instructions")
+    assert has_field?(label, with: email)
 
     with_last_email do |mail|
       visit Capybara.string(mail.body.to_s).find_link("Change my password")[:href]
+      assert_current_path edit_user_password_path, ignore_query: true
+      # Make sure flash message is not displayed twice.
+      assert_no_text t("devise.passwords.send_paranoid_instructions")
     end
     new_password = random_password
     fill_in t("users.passwords.edit.password_html"), with: new_password
     fill_in t("helpers.label.user.password_confirmation"), with: new_password
     assert_emails 1 do
       click_on t("users.passwords.edit.update_password")
-      # Wait until redirected to make sure async request has been processed
       assert_current_path units_path
+      assert_text t("devise.passwords.updated")
     end
-    assert_text t("devise.passwords.updated")
   end
 
-  test "register" do
-    visit new_user_session_url
+  test 'recover password for nonexistent user' do
+    label = User.human_attribute_name(:email)
+    email = random_email
+
+    visit root_url
+    fill_in label, with: email
+
+    assert_no_emails do
+      click_on t(:recover_password)
+      assert_current_path new_user_session_path
+      assert_text t("devise.passwords.send_paranoid_instructions")
+    end
+  end
+
+  test 'register' do
+    visit root_url
     click_on t(:register)
+    assert find_link(href: new_user_registration_path)[:disabled]
 
     fill_in User.human_attribute_name(:email), with: random_email
     password = random_password
     fill_in User.human_attribute_name(:password), with: password
-    fill_in t("users.registrations.new.password_confirmation"), with: password
-    assert_difference ->{User.count}, 1 do
+    fill_in t("users.profiles.new.password_confirmation"), with: password
+    assert_difference ->{ User.count }, 1 do
       assert_emails 1 do
         click_on t(:register)
-        # Wait until redirected to make sure async request has been processed
         assert_current_path new_user_session_path
+        assert_text t("devise.registrations.signed_up_but_unconfirmed")
       end
     end
-    assert_text t("devise.registrations.signed_up_but_unconfirmed")
 
-    with_last_email do |mail|
-      visit Capybara.string(mail.body.to_s).find_link("Confirm my account")[:href]
+    assert_changes ->{ User.last.confirmed? }, from: false, to: true do
+      with_last_email do |mail|
+        visit Capybara.string(mail.body.to_s).find_link("Confirm my account")[:href]
+        assert_current_path new_user_session_path
+        assert_text t("devise.confirmations.confirmed")
+      end
     end
-    assert_current_path new_user_session_path
-    assert_text t("devise.confirmations.confirmed")
-    assert User.last.confirmed?
   end
 
-  test "resend confirmation" do
-    visit new_user_session_url
-    click_on t(:register)
-    click_on t(:resend_confirmation)
+  test 'resend confirmation' do
+    label = User.human_attribute_name(:email)
+    user = users.reject(&:confirmed?).sample
+
+    visit root_url
+    click_on t(:register)
+    fill_in label, with: user.email
+    assert has_field?(User.human_attribute_name(:password), with: nil)
 
-    fill_in User.human_attribute_name(:email),
-      with: users.reject(&:confirmed?).sample.email
     assert_emails 1 do
       click_on t(:resend_confirmation)
-      # Wait until redirected to make sure async request has been processed
-      assert_current_path new_user_session_path
+      assert_current_path new_user_registration_path
+      assert_text t("devise.confirmations.send_paranoid_instructions")
     end
-    assert_current_path new_user_session_path
-    assert_text t("devise.confirmations.send_instructions")
+    assert has_field?(label, with: user.email)
 
-    with_last_email do |mail|
-      visit Capybara.string(mail.body.to_s).find_link("Confirm my account")[:href]
+    assert_changes ->{ user.reload.confirmed? }, from: false, to: true do
+      with_last_email do |mail|
+        visit Capybara.string(mail.body.to_s).find_link("Confirm my account")[:href]
+        assert_current_path new_user_session_path
+        assert_no_text t("devise.confirmations.send_paranoid_instructions")
+        assert_text t("devise.confirmations.confirmed")
+      end
     end
   end
 
-  test "show profile" do
+  test 'show profile' do
     sign_in user: users.select(&:admin?).select(&:confirmed?).sample
     click_on t("users.navigation")
     within all('tr').drop(1).sample do |tr|
@@ -113,7 +147,7 @@ class UsersTest < ApplicationSystemTestCase
     end
   end
 
-  test "disguise" do
+  test 'disguise' do
     user = users.select(&:admin?).select(&:confirmed?).sample
     sign_in user: user
 
@@ -129,7 +163,7 @@ class UsersTest < ApplicationSystemTestCase
     assert_link user.email
   end
 
-  test "disguise fails for admin when disallowed" do
+  test 'disguise fails for admin when disallowed' do
     user = users.select(&:admin?).select(&:confirmed?).sample
     sign_in user: user
 
@@ -142,13 +176,13 @@ class UsersTest < ApplicationSystemTestCase
     assert_title 'The change you wanted was rejected (422)'
   end
 
-  test "disguise forbidden for non admin" do
+  test 'disguise forbidden for non admin' do
     sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
     visit disguise_user_path(User.all.sample)
     assert_title 'Access is forbidden to this page (403)'
   end
 
-  test "delete profile" do
+  test 'delete profile' do
     user = sign_in
     # TODO: remove condition after root_url changed to different path than
     # profile in routes.rb
@@ -156,23 +190,23 @@ class UsersTest < ApplicationSystemTestCase
       first(:link_or_button, user.email).click
     end
     assert_difference ->{ User.count }, -1 do
-      accept_confirm { click_on t("users.registrations.edit.delete") }
+      accept_confirm { click_on t("users.profiles.edit.delete") }
       assert_current_path new_user_session_path
     end
     assert_text t("devise.registrations.destroyed")
   end
 
-  test "index forbidden for non admin" do
+  test 'index forbidden for non admin' do
     sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
     visit users_path
     assert_title "Access is forbidden to this page (403)"
   end
 
-  test "update profile" do
+  test 'update profile' do
     # TODO
   end
 
-  test "update status" do
+  test 'update status' do
     sign_in user: users.select(&:admin?).select(&:confirmed?).sample
     visit users_path
 
@@ -187,7 +221,7 @@ class UsersTest < ApplicationSystemTestCase
     assert_current_path users_path
   end
 
-  test "update status fails for admin when disallowed" do
+  test 'update status fails for admin when disallowed' do
     sign_in user: users.select(&:admin?).select(&:confirmed?).sample
     visit users_path
 
@@ -200,7 +234,7 @@ class UsersTest < ApplicationSystemTestCase
     assert_title 'The change you wanted was rejected (422)'
   end
 
-  test "update status forbidden for non admin" do
+  test 'update status forbidden for non admin' do
     sign_in user: users.reject(&:admin?).select(&:confirmed?).sample
     visit units_path
     inject_button_to find('body'), "update status", user_path(User.all.sample), method: :patch,