Mention and team visibility improvements

dutow · dutow · commit 449a82b0714c · 2026-01-18T14:04:03.000+01:00
Add settings both for user mentions (anybody, only team members) and
teams (private, visible, public) so people can have better
visibility/spam control.
diff --git a/app/assets/stylesheets/components/settings.css b/app/assets/stylesheets/components/settings.css
@@ -329,3 +329,56 @@
   margin-left: var(--spacing-2);
   font-style: italic;
 }
+
+/* Radio button groups */
+.settings-page .radio-group {
+  display: flex;
+  flex-direction: column;
+  gap: var(--spacing-3);
+}
+
+.settings-page .radio-group label {
+  display: flex;
+  align-items: flex-start;
+  gap: var(--spacing-3);
+  cursor: pointer;
+  padding: var(--spacing-3) var(--spacing-4);
+  border: var(--border-width) solid var(--color-border);
+  border-radius: var(--border-radius-md);
+  background: var(--color-bg-card);
+  transition: border-color var(--transition-fast), background-color var(--transition-fast);
+}
+
+.settings-page .radio-group label:hover {
+  border-color: var(--color-primary-300);
+  background: var(--color-bg-hover);
+}
+
+.settings-page .radio-group label:has(input:checked) {
+  border-color: var(--color-primary-500);
+  background: var(--color-primary-50);
+}
+
+.settings-page .radio-group input[type="radio"] {
+  width: auto;
+  margin: var(--spacing-1) 0 0 0;
+  padding: 0;
+  flex-shrink: 0;
+}
+
+.settings-page .radio-group .radio-text {
+  flex: 1;
+}
+
+.settings-page .radio-group .radio-text strong {
+  display: block;
+  color: var(--color-text-primary);
+  font-weight: var(--font-weight-semibold);
+}
+
+.settings-page .radio-group .radio-description {
+  display: block;
+  color: var(--color-text-secondary);
+  font-size: var(--font-size-sm);
+  margin-top: var(--spacing-1);
+}
diff --git a/app/controllers/settings/preferences_controller.rb b/app/controllers/settings/preferences_controller.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Settings
+  class PreferencesController < Settings::BaseController
+    def update
+      if current_user.update(preferences_params)
+        redirect_to settings_profile_path, notice: "Preferences updated"
+      else
+        redirect_to settings_profile_path, alert: current_user.errors.full_messages.to_sentence
+      end
+    end
+
+    private
+
+    def preferences_params
+      params.require(:user).permit(:mention_restriction)
+    end
+  end
+end
diff --git a/app/controllers/settings/teams_controller.rb b/app/controllers/settings/teams_controller.rb
@@ -2,10 +2,10 @@
 
 module Settings
   class TeamsController < Settings::BaseController
-    before_action :set_team, only: [:show, :destroy]
-    before_action :require_team_member!, only: [:show]
-    before_action :require_team_admin!, only: [:destroy]
-    skip_before_action :require_authentication, only: [:index]
+    before_action :set_team, only: [:show, :update, :destroy]
+    before_action :require_team_accessible!, only: [:show]
+    before_action :require_team_admin!, only: [:update, :destroy]
+    skip_before_action :require_authentication, only: [:index, :show]
 
     def index
       @your_teams = user_signed_in? ? current_user.teams.includes(team_members: :user) : []
@@ -14,8 +14,9 @@ def index
 
     def show
       @team_members = @team.team_members.includes(:user)
+      @is_member = user_signed_in? && @team.member?(current_user)
       @can_manage = user_signed_in? && @team.admin?(current_user)
-      @can_invite = user_signed_in? && @team.admin?(current_user)
+      @can_invite = @can_manage
     end
 
     def create
@@ -29,6 +30,14 @@ def create
       redirect_to settings_teams_path, alert: e.record.errors.full_messages.to_sentence
     end
 
+    def update
+      if @team.update(team_update_params)
+        redirect_to settings_team_path(@team), notice: "Team settings updated"
+      else
+        redirect_to settings_team_path(@team), alert: @team.errors.full_messages.to_sentence
+      end
+    end
+
     def destroy
       @team.destroy
       redirect_to settings_teams_path, notice: "Team deleted"
@@ -48,19 +57,24 @@ def team_params
       params.require(:team).permit(:name)
     end
 
+    def team_update_params
+      params.require(:team).permit(:visibility)
+    end
+
     def require_team_admin!
       unless user_signed_in? && @team.admin?(current_user)
         redirect_to settings_team_path(@team), alert: "Admins only" and return
       end
     end
 
-    def require_team_member!
-      unless user_signed_in?
+    def require_team_accessible!
+      return if @team.accessible_to?(current_user)
+
+      if user_signed_in?
+        render_404
+      else
         redirect_to new_session_path, alert: "Please sign in"
-        return
       end
-
-      render_404 unless @team.member?(current_user)
     end
   end
 end
diff --git a/app/models/team.rb b/app/models/team.rb
@@ -4,6 +4,12 @@ class Team < ApplicationRecord
   has_many :team_members, dependent: :destroy
   has_many :users, through: :team_members
 
+  # Visibility levels:
+  # - private: only members can see/access the team, only members can mention
+  # - visible: anyone can see/access the team, only members can mention
+  # - open: anyone can see/access the team, anyone can mention
+  enum :visibility, { private: "private", visible: "visible", open: "open" }, default: :private, prefix: true
+
   validates :name, presence: true
   validates :name, format: { with: /\A[a-zA-Z0-9_\-\.]+\z/ }
 
@@ -25,6 +31,16 @@ def last_admin?(team_member)
     team_members.role_admin.count == 1
   end
 
+  def accessible_to?(user)
+    return true if visibility_visible? || visibility_open?
+    member?(user)
+  end
+
+  def mentionable_by?(user)
+    return true if visibility_open?
+    member?(user)
+  end
+
   private
 
   def reserve_name
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -14,12 +14,25 @@ class User < ApplicationRecord
   has_many :topic_stars, dependent: :destroy
   has_many :starred_topics, through: :topic_stars, source: :topic
 
+  enum :mention_restriction, { anyone: "anyone", teammates_only: "teammates_only" }, default: :anyone
+
   scope :active, -> { where(deleted_at: nil) }
 
   def primary_alias
     person&.default_alias
   end
 
+  def mentionable_by?(mentioner)
+    return false unless mentioner
+    return true if anyone?
+    shares_team_with?(mentioner)
+  end
+
+  def shares_team_with?(other_user)
+    return false unless other_user
+    team_ids.intersect?(other_user.team_ids)
+  end
+
   validates :username, format: { with: /\A[a-zA-Z0-9_\-\.]+\z/, allow_blank: true }
   validates :username, presence: true, on: :registration
 
diff --git a/app/services/note_builder.rb b/app/services/note_builder.rb
@@ -103,12 +103,26 @@ def resolve_mentions(names)
                when "Team" then teams[reservation.owner_id]
                end
       raise Error, "Unknown mention: @#{name}" unless record
+      validate_mention_permission!(record, name)
       record
     end
 
     mentionables.compact.uniq
   end
 
+  def validate_mention_permission!(mentionable, name)
+    case mentionable
+    when User
+      unless mentionable.mentionable_by?(author)
+        raise Error, "You cannot mention @#{name} (only their teammates can mention them)"
+      end
+    when Team
+      unless mentionable.mentionable_by?(author)
+        raise Error, "You cannot mention @#{name} (only team members can mention this team)"
+      end
+    end
+  end
+
   def fan_out!(note:, mentionables:, mark_author_read:)
     recipient_ids = recipients_for(note, mentionables:)
     payload = {
diff --git a/app/views/settings/profiles/show.html.slim b/app/views/settings/profiles/show.html.slim
@@ -10,3 +10,21 @@
         = f.label :username
         = f.text_field :username, placeholder: "your_name", value: current_user.username
       = f.submit "Save username", class: "button-primary"
+
+  .settings-section
+    h2 Mention Settings
+    p.settings-hint Control who can @mention you in notes.
+    = form_with model: current_user, url: settings_preferences_path, method: :patch, local: true do |f|
+      .form-group
+        .radio-group
+          label
+            = f.radio_button :mention_restriction, "anyone"
+            span.radio-text
+              strong Anyone
+              span.radio-description Any user can @mention you in notes
+          label
+            = f.radio_button :mention_restriction, "teammates_only"
+            span.radio-text
+              strong Teammates only
+              span.radio-description Only users who share a team with you can @mention you
+      = f.submit "Save", class: "button-primary"
diff --git a/app/views/settings/teams/show.html.slim b/app/views/settings/teams/show.html.slim
@@ -5,6 +5,43 @@
     .team-actions
       = button_to "Delete team", settings_team_path(@team), method: :delete, data: { turbo_confirm: "Delete this team?" }, class: "button-danger"
 
+  .team-settings
+    h2 Team Settings
+    .visibility-setting
+      h3 Visibility
+      - if @can_manage
+        = form_with model: @team, url: settings_team_path(@team), method: :patch, local: true do |f|
+          .form-group
+            .radio-group
+              label
+                = f.radio_button :visibility, "private"
+                span.radio-text
+                  strong Private
+                  span.radio-description Only team members can see this team and mention @#{@team.name}
+              label
+                = f.radio_button :visibility, "visible"
+                span.radio-text
+                  strong Visible
+                  span.radio-description Anyone can see this team, but only members can mention @#{@team.name}
+              label
+                = f.radio_button :visibility, "open"
+                span.radio-text
+                  strong Open
+                  span.radio-description Anyone can see this team and mention @#{@team.name}
+          = f.submit "Save", class: "button-primary"
+      - elsif @is_member
+        p.settings-hint
+          - case @team.visibility
+          - when "private"
+            | This team is <strong>private</strong>. Only members can see it and mention @#{@team.name}.
+          - when "visible"
+            | This team is <strong>visible</strong>. Anyone can see it, but only members can mention @#{@team.name}.
+          - when "open"
+            | This team is <strong>open</strong>. Anyone can see it and mention @#{@team.name}.
+          - unless @can_manage
+            br
+            | Only admins can change this setting.
+
   .team-members
     h2 Members
     - if @team_members.any?
@@ -21,13 +58,14 @@
     - else
       p No members yet.
 
-  .invite-section
-    h2 Add member
-    - unless @can_invite
-      p.settings-hint Only team admins can add members.
-    = form_with url: settings_team_team_members_path(@team), method: :post, local: true do |f|
-      fieldset disabled=(!@can_invite)
-        .form-group
-          = label_tag :username, "Username"
-          = text_field_tag :username, nil, required: true, placeholder: "existing_username"
-        = f.submit "Add", class: "button-primary"
+  - if @is_member
+    .invite-section
+      h2 Add member
+      - unless @can_invite
+        p.settings-hint Only team admins can add members.
+      = form_with url: settings_team_team_members_path(@team), method: :post, local: true do |f|
+        fieldset disabled=(!@can_invite)
+          .form-group
+            = label_tag :username, "Username"
+            = text_field_tag :username, nil, required: true, placeholder: "existing_username"
+          = f.submit "Add", class: "button-primary"
diff --git a/config/routes.rb b/config/routes.rb
@@ -28,11 +28,12 @@
     resource :import, only: [:show, :create]
     resource :deletion, only: [:show, :create]
 
-    resources :teams, only: [:index, :show, :create, :destroy] do
+    resources :teams, only: [:index, :show, :create, :update, :destroy] do
       resources :team_members, only: [:create, :destroy]
     end
 
     resource :username, only: [:update]
+    resource :preferences, only: [:update]
     patch "password/current", to: "passwords#update_current", as: :update_current_password
     resources :emails, only: [:create, :destroy] do
       post :primary, on: :member
diff --git a/db/migrate/20260118124706_add_visibility_to_teams.rb b/db/migrate/20260118124706_add_visibility_to_teams.rb
@@ -0,0 +1,6 @@
+class AddVisibilityToTeams < ActiveRecord::Migration[8.0]
+  def change
+    create_enum :team_visibility, %w[private visible open]
+    add_column :teams, :visibility, :enum, enum_type: :team_visibility, default: "private", null: false
+  end
+end
diff --git a/db/migrate/20260118124707_add_mention_restriction_to_users.rb b/db/migrate/20260118124707_add_mention_restriction_to_users.rb
@@ -0,0 +1,6 @@
+class AddMentionRestrictionToUsers < ActiveRecord::Migration[8.0]
+  def change
+    create_enum :user_mention_restriction, %w[anyone teammates_only]
+    add_column :users, :mention_restriction, :enum, enum_type: :user_mention_restriction, default: "anyone", null: false
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
diff --git a/spec/models/team_spec.rb b/spec/models/team_spec.rb
diff --git a/spec/models/user_mention_spec.rb b/spec/models/user_mention_spec.rb
diff --git a/spec/requests/teams_spec.rb b/spec/requests/teams_spec.rb
diff --git a/spec/services/note_builder_spec.rb b/spec/services/note_builder_spec.rb
