actually, include notifications

update todos
normalize emails
2026-01-31 15:55:24 +01:00 · 2026-01-31 15:55:02 +01:00 · 2026-01-31 15:51:01 +01:00 · 2026-01-31 15:50:31 +01:00 · 2026-01-31 15:49:49 +01:00 · 2026-01-31 15:48:32 +01:00
39 changed files with 3091 additions and 131 deletions
@@ -61,11 +61,12 @@ end
 group :development do
  # Use console on exceptions pages [https://github.com/rails/web-console]
  gem "web-console"
-  gem "mailcatcher"
 end

 group :test do
  # Use system testing [https://guides.rubyonrails.org/testing.html#system-testing]
+  gem "benchmark", require: false
+  gem "simplecov", require: false
  gem "capybara"
  gem "selenium-webdriver"
 end
@@ -81,6 +81,7 @@ GEM
    base64 (0.3.0)
    bcrypt (3.1.21)
    bcrypt_pbkdf (1.1.2)
+    benchmark (0.5.0)
    bigdecimal (4.0.1)
    bindex (0.8.1)
    bootsnap (1.21.1)
@@ -112,11 +113,11 @@ GEM
    connection_pool (3.0.2)
    crass (1.0.6)
    csv (3.3.5)
-    daemons (1.4.1)
    date (3.5.1)
    debug (1.11.1)
      irb (~> 1.10)
      reline (>= 0.3.8)
+    docile (1.4.1)
    dotenv (3.2.0)
    drb (2.2.3)
    ed25519 (1.4.0)
@@ -124,17 +125,12 @@ GEM
    erubi (1.13.1)
    et-orbi (1.4.0)
      tzinfo
-    eventmachine (1.2.7)
    ffi (1.17.3-x86_64-linux-gnu)
    fugit (1.12.1)
      et-orbi (~> 1.4)
      raabro (~> 1.4)
    globalid (1.3.0)
      activesupport (>= 6.1)
-    haml (7.2.0)
-      temple (>= 0.8.2)
-      thor
-      tilt
    htmlentities (4.4.2)
    i18n (1.14.8)
      concurrent-ruby (~> 1.0)
@@ -177,16 +173,6 @@ GEM
      net-imap
      net-pop
      net-smtp
-    mailcatcher (0.2.4)
-      eventmachine
-      haml
-      i18n
-      json
-      mail
-      sinatra
-      skinny (>= 0.1.2)
-      sqlite3-ruby
-      thin
    marcel (1.1.0)
    matrix (0.4.3)
    mini_magick (5.3.1)
@@ -195,8 +181,6 @@ GEM
    minitest (6.0.1)
      prism (~> 1.5)
    msgpack (1.8.0)
-    mustermann (3.0.4)
-      ruby2_keywords (~> 0.0.1)
    net-imap (0.6.2)
      date
      net-protocol
@@ -236,10 +220,6 @@ GEM
    raabro (1.4.0)
    racc (1.8.1)
    rack (3.2.4)
-    rack-protection (4.2.1)
-      base64 (>= 0.1.0)
-      logger (>= 1.6.0)
-      rack (>= 3.0.0, < 4)
    rack-session (2.1.1)
      base64 (>= 0.1.0)
      rack (>= 3.0.0)
@@ -325,7 +305,6 @@ GEM
    ruby-vips (2.3.0)
      ffi (~> 1.12)
      logger
-    ruby2_keywords (0.0.5)
    rubyzip (3.2.2)
    securerandom (0.4.1)
    selenium-webdriver (4.40.0)
@@ -334,16 +313,12 @@ GEM
      rexml (~> 3.2, >= 3.2.5)
      rubyzip (>= 1.2.2, < 4.0)
      websocket (~> 1.0)
-    sinatra (4.2.1)
-      logger (>= 1.6.0)
-      mustermann (~> 3.0)
-      rack (>= 3.0.0, < 4)
-      rack-protection (= 4.2.1)
-      rack-session (>= 2.0.0, < 3)
-      tilt (~> 2.0)
-    skinny (0.2.2)
-      eventmachine (~> 1.0)
-      thin
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.13.2)
+    simplecov_json_formatter (0.1.4)
    solid_cable (3.0.12)
      actioncable (>= 7.2)
      activejob (>= 7.2)
@@ -361,8 +336,6 @@ GEM
      railties (>= 7.1)
      thor (>= 1.3.1)
    sqlite3 (2.9.0-x86_64-linux-gnu)
-    sqlite3-ruby (1.3.3)
-      sqlite3 (>= 1.3.3)
    sshkit (1.25.0)
      base64
      logger
@@ -373,15 +346,8 @@ GEM
    stimulus-rails (1.3.4)
      railties (>= 6.0.0)
    stringio (3.2.0)
-    temple (0.10.4)
-    thin (2.0.1)
-      daemons (~> 1.0, >= 1.0.9)
-      eventmachine (~> 1.0, >= 1.0.4)
-      logger
-      rack (>= 1, < 4)
    thor (1.5.0)
    thruster (0.1.17-x86_64-linux)
-    tilt (2.7.0)
    timeout (0.6.0)
    tsort (0.2.0)
    turbo-rails (2.0.23)
@@ -413,6 +379,7 @@ PLATFORMS

 DEPENDENCIES
  bcrypt (~> 3.1.7)
+  benchmark
  bootsnap
  brakeman
  bundler-audit
@@ -424,13 +391,13 @@ DEPENDENCIES
  importmap-rails
  jbuilder
  kamal
-  mailcatcher
  propshaft
  puma (>= 5.0)
  rails (~> 8.1.2)
  roo (~> 3.0)
  rubocop-rails-omakase
  selenium-webdriver
+  simplecov
  solid_cable
  solid_cache
  solid_queue
@@ -459,6 +426,7 @@ CHECKSUMS
  base64 (0.3.0) sha256=27337aeabad6ffae05c265c450490628ef3ebd4b67be58257393227588f5a97b
  bcrypt (3.1.21) sha256=5964613d750a42c7ee5dc61f7b9336fb6caca429ba4ac9f2011609946e4a2dcf
  bcrypt_pbkdf (1.1.2) sha256=c2414c23ce66869b3eb9f643d6a3374d8322dfb5078125c82792304c10b94cf6
+  benchmark (0.5.0) sha256=465df122341aedcb81a2a24b4d3bd19b6c67c1530713fd533f3ff034e419236c
  bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7
  bindex (0.8.1) sha256=7b1ecc9dc539ed8bccfc8cb4d2732046227b09d6f37582ff12e50a5047ceb17e
  bootsnap (1.21.1) sha256=9373acfe732da35846623c337d3481af8ce77c7b3a927fb50e9aa92b46dbc4c4
@@ -472,20 +440,18 @@ CHECKSUMS
  connection_pool (3.0.2) sha256=33fff5ba71a12d2aa26cb72b1db8bba2a1a01823559fb01d29eb74c286e62e0a
  crass (1.0.6) sha256=dc516022a56e7b3b156099abc81b6d2b08ea1ed12676ac7a5657617f012bd45d
  csv (3.3.5) sha256=6e5134ac3383ef728b7f02725d9872934f523cb40b961479f69cf3afa6c8e73f
-  daemons (1.4.1) sha256=8fc76d76faec669feb5e455d72f35bd4c46dc6735e28c420afb822fac1fa9a1d
  date (3.5.1) sha256=750d06384d7b9c15d562c76291407d89e368dda4d4fff957eb94962d325a0dc0
  debug (1.11.1) sha256=2e0b0ac6119f2207a6f8ac7d4a73ca8eb4e440f64da0a3136c30343146e952b6
+  docile (1.4.1) sha256=96159be799bfa73cdb721b840e9802126e4e03dfc26863db73647204c727f21e
  dotenv (3.2.0) sha256=e375b83121ea7ca4ce20f214740076129ab8514cd81378161f11c03853fe619d
  drb (2.2.3) sha256=0b00d6fdb50995fe4a45dea13663493c841112e4068656854646f418fda13373
  ed25519 (1.4.0) sha256=16e97f5198689a154247169f3453ef4cfd3f7a47481fde0ae33206cdfdcac506
  erb (6.0.1) sha256=28ecdd99c5472aebd5674d6061e3c6b0a45c049578b071e5a52c2a7f13c197e5
  erubi (1.13.1) sha256=a082103b0885dbc5ecf1172fede897f9ebdb745a4b97a5e8dc63953db1ee4ad9
  et-orbi (1.4.0) sha256=6c7e3c90779821f9e3b324c5e96fda9767f72995d6ae435b96678a4f3e2de8bc
-  eventmachine (1.2.7) sha256=994016e42aa041477ba9cff45cbe50de2047f25dd418eba003e84f0d16560972
  ffi (1.17.3-x86_64-linux-gnu) sha256=3746b01f677aae7b16dc1acb7cb3cc17b3e35bdae7676a3f568153fb0e2c887f
  fugit (1.12.1) sha256=5898f478ede9b415f0804e42b8f3fd53f814bd85eebffceebdbc34e1107aaf68
  globalid (1.3.0) sha256=05c639ad6eb4594522a0b07983022f04aa7254626ab69445a0e493aa3786ff11
-  haml (7.2.0) sha256=87fd2b71f7feab1724337b090a7d767f5ab2d42f08c974f3ead673f18cfcd55a
  htmlentities (4.4.2) sha256=bbafbdf69f2eca9262be4efef7e43e6a1de54c95eb600f26984f71d2fe96c5c3
  i18n (1.14.8) sha256=285778639134865c5e0f6269e0b818256017e8cde89993fdfcbfb64d088824a5
  image_processing (1.14.0) sha256=754cc169c9c262980889bec6bfd325ed1dafad34f85242b5a07b60af004742fb
@@ -500,14 +466,12 @@ CHECKSUMS
  logger (1.7.0) sha256=196edec7cc44b66cfb40f9755ce11b392f21f7967696af15d274dde7edff0203
  loofah (2.25.0) sha256=df5ed7ac3bac6a4ec802df3877ee5cc86d027299f8952e6243b3dac446b060e6
  mail (2.9.0) sha256=6fa6673ecd71c60c2d996260f9ee3dd387d4673b8169b502134659ece6d34941
-  mailcatcher (0.2.4) sha256=ba1d6f23d32f69929dce332d0aa7aeabddadd15507de474754e593807111dda9
  marcel (1.1.0) sha256=fdcfcfa33cc52e93c4308d40e4090a5d4ea279e160a7f6af988260fa970e0bee
  matrix (0.4.3) sha256=a0d5ab7ddcc1973ff690ab361b67f359acbb16958d1dc072b8b956a286564c5b
  mini_magick (5.3.1) sha256=29395dfd76badcabb6403ee5aff6f681e867074f8f28ce08d78661e9e4a351c4
  mini_mime (1.1.5) sha256=8681b7e2e4215f2a159f9400b5816d85e9d8c6c6b491e96a12797e798f8bccef
  minitest (6.0.1) sha256=7854c74f48e2e975969062833adc4013f249a4b212f5e7b9d5c040bf838d54bb
  msgpack (1.8.0) sha256=e64ce0212000d016809f5048b48eb3a65ffb169db22238fb4b72472fecb2d732
-  mustermann (3.0.4) sha256=85fadcb6b3c6493a8b511b42426f904b7f27b282835502233dd154daab13aa22
  net-imap (0.6.2) sha256=08caacad486853c61676cca0c0c47df93db02abc4a8239a8b67eb0981428acc6
  net-pop (0.1.2) sha256=848b4e982013c15b2f0382792268763b748cce91c9e91e36b0f27ed26420dff3
  net-protocol (0.2.2) sha256=aa73e0cba6a125369de9837b8d8ef82a61849360eba0521900e2c3713aa162a8
@@ -530,7 +494,6 @@ CHECKSUMS
  raabro (1.4.0) sha256=d4fa9ff5172391edb92b242eed8be802d1934b1464061ae5e70d80962c5da882
  racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
  rack (3.2.4) sha256=5d74b6f75082a643f43c1e76b419c40f0e5527fcfee1e669ac1e6b73c0ccb6f6
-  rack-protection (4.2.1) sha256=cf6e2842df8c55f5e4d1a4be015e603e19e9bc3a7178bae58949ccbb58558bac
  rack-session (2.1.1) sha256=0b6dc07dea7e4b583f58a48e8b806d4c9f1c6c9214ebc202ec94562cbea2e4e9
  rack-test (2.2.0) sha256=005a36692c306ac0b4a9350355ee080fd09ddef1148a5f8b2ac636c720f5c463
  rackup (2.3.1) sha256=6c79c26753778e90983761d677a48937ee3192b3ffef6bc963c0950f94688868
@@ -552,25 +515,21 @@ CHECKSUMS
  rubocop-rails-omakase (1.1.0) sha256=2af73ac8ee5852de2919abbd2618af9c15c19b512c4cfc1f9a5d3b6ef009109d
  ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
  ruby-vips (2.3.0) sha256=e685ec02c13969912debbd98019e50492e12989282da5f37d05f5471442f5374
-  ruby2_keywords (0.0.5) sha256=ffd13740c573b7301cf7a2e61fc857b2a8e3d3aff32545d6f8300d8bae10e3ef
  rubyzip (3.2.2) sha256=c0ed99385f0625415c8f05bcae33fe649ed2952894a95ff8b08f26ca57ea5b3c
  securerandom (0.4.1) sha256=cc5193d414a4341b6e225f0cb4446aceca8e50d5e1888743fac16987638ea0b1
  selenium-webdriver (4.40.0) sha256=16ef7aa9853c1d4b9d52eac45aafa916e3934c5c83cb4facb03f250adfd15e5b
-  sinatra (4.2.1) sha256=b7aeb9b11d046b552972ade834f1f9be98b185fa8444480688e3627625377080
-  skinny (0.2.2) sha256=f40caceccfe3e1d9826f60195a090f43ea7c1130c36b3170887db69a9fb52102
+  simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5
+  simplecov-html (0.13.2) sha256=bd0b8e54e7c2d7685927e8d6286466359b6f16b18cb0df47b508e8d73c777246
+  simplecov_json_formatter (0.1.4) sha256=529418fbe8de1713ac2b2d612aa3daa56d316975d307244399fa4838c601b428
  solid_cable (3.0.12) sha256=a168a54731a455d5627af48d8441ea3b554b8c1f6e6cd6074109de493e6b0460
  solid_cache (1.0.10) sha256=bc05a2fb3ac78a6f43cbb5946679cf9db67dd30d22939ededc385cb93e120d41
  solid_queue (1.3.1) sha256=d9580111180c339804ff1a810a7768f69f5dc694d31e86cf1535ff2cd7a87428
  sqlite3 (2.9.0-x86_64-linux-gnu) sha256=72fff9bd750070ba3af695511ba5f0e0a2d8a9206f84869640b3e99dfaf3d5a5
-  sqlite3-ruby (1.3.3) sha256=140b6742875dd5afc3f30ab95720fe60d38e154ae1f4d0728e250778a04094e7
  sshkit (1.25.0) sha256=c8c6543cdb60f91f1d277306d585dd11b6a064cb44eab0972827e4311ff96744
  stimulus-rails (1.3.4) sha256=765676ffa1f33af64ce026d26b48e8ffb2e0b94e0f50e9119e11d6107d67cb06
  stringio (3.2.0) sha256=c37cb2e58b4ffbd33fe5cd948c05934af997b36e0b6ca6fdf43afa234cf222e1
-  temple (0.10.4) sha256=b7a1e94b6f09038ab0b6e4fe0126996055da2c38bec53a8a336f075748fff72c
-  thin (2.0.1) sha256=5bbde5648377f5c3864b5da7cd89a23b5c2d8d8bb9435719f6db49644bcdade9
  thor (1.5.0) sha256=e3a9e55fe857e44859ce104a84675ab6e8cd59c650a49106a05f55f136425e73
  thruster (0.1.17-x86_64-linux) sha256=77b8f335075bd4ece7631dc84a19a710a1e6e7102cbce147b165b45851bdfcd3
-  tilt (2.7.0) sha256=0d5b9ba69f6a36490c64b0eee9f6e9aad517e20dcc848800a06eb116f08c6ab3
  timeout (0.6.0) sha256=6d722ad619f96ee383a0c557ec6eb8c4ecb08af3af62098a0be5057bf00de1af
  tsort (0.2.0) sha256=9650a793f6859a43b6641671278f79cfead60ac714148aabe4e3f0060480089f
  turbo-rails (2.0.23) sha256=ee0d90733aafff056cf51ff11e803d65e43cae258cc55f6492020ec1f9f9315f
@@ -14,7 +14,7 @@ class PasswordResetsController < ApplicationController
        reset_password_sent_at: Time.current
      )
      PasswordResetMailer.reset(@user).deliver_later
-    else
+    elsif @user.present?
      @user.invite_by!
      InvitationMailer.invite(@user).deliver_later
    end
@@ -9,9 +9,6 @@ class SessionsController < ApplicationController
  end

  def create
-    # Skip authentication if rate limited
-    return if @rate_limited
-
    user = User.find_by(email: params[:email]&.downcase&.strip)

    if user&.authenticate(params[:password])
@@ -50,6 +47,6 @@ class SessionsController < ApplicationController
    current_user&.forget_me if cookies.signed[:remember_token]
    reset_session
    cookies.delete(:remember_token)
-    redirect_to root_path, notice: "You have been logged out."
+    redirect_to root_path, notice: "You have been logged out.", status: :see_other
  end
 end
@@ -19,9 +19,11 @@ class User < ApplicationRecord

  enum :role, %i[contributor reviewer admin]

-  validates :email, presence: true, uniqueness: true
+  validates :email, presence: true, uniqueness: { case_sensitive: false }
  validates :password, length: { minimum: 12 }, if: -> { password.present? }

+  before_validation :normalize_email
+
  scope :by_role, ->(role) { where(role: role) if role.present? }
  scope :search_email, ->(q) { where("email LIKE ?", "%#{sanitize_sql_like(q)}%") if q.present? }

@@ -78,4 +80,10 @@ class User < ApplicationRecord
    return nil if user.nil? || user.remember_token_expired?
    user
  end
+
+  private
+
+  def normalize_email
+    self.email = email.downcase.strip if email.present?
+  end
 end
@@ -3,6 +3,8 @@
 <div class="min-h-screen flex flex-col">
  <%= render "shared/header", show_request_button: false, show_browse_button: true %>

+  <%= render "shared/notifications" %>
+
  <div class="flex-1 bg-gradient-to-br from-indigo-50 via-white to-purple-50 flex items-center justify-center px-4 py-12">
    <div class="max-w-2xl w-full">
      <div class="bg-white rounded-2xl shadow-xl p-8">
@@ -3,21 +3,7 @@
 <div class="min-h-screen flex flex-col">
  <%= render "shared/header" %>

-  <!-- Flash messages -->
-  <% if flash.any? %>
-    <div class="max-w-7xl mx-auto px-4 mt-4 w-full">
-      <% flash.each do |type, message| %>
-        <div class="<%= type == 'notice' ? 'bg-green-50 border border-green-200 text-green-700' : 'bg-red-50 border border-red-200 text-red-700' %> px-4 py-3 rounded-lg mb-4 relative" role="alert">
-          <span class="block sm:inline pr-8"><%= message %></span>
-          <button type="button" class="absolute top-0 right-0 mt-3 mr-3 text-current opacity-50 hover:opacity-100 transition" onclick="this.parentElement.remove()">
-            <svg class="w-4 h-4" fill="currentColor" viewBox="0 0 20 20">
-              <path fill-rule="evenodd" d="M4.293 4.293a1 1 0 011.414 0L10 8.586l4.293-4.293a1 1 0 111.414 1.414L11.414 10l4.293 4.293a1 1 0 01-1.414 1.414L10 11.414l-4.293 4.293a1 1 0 01-1.414-1.414L8.586 10 4.293 5.707a1 1 0 010-1.414z" clip-rule="evenodd"></path>
-            </svg>
-          </button>
-        </div>
-      <% end %>
-    </div>
-  <% end %>
+  <%= render "shared/notifications" %>

  <div class="flex-1 flex flex-col">
    <section id="search">
@@ -158,7 +158,7 @@
        </p>
      <% else %>
        <p>
-          The <strong>Sanasto Wiki</strong> let you search and compare, or download, translations across languages used all over the living Christianity.
+          The <strong>Sanasto Wiki</strong> let you search words and expressions you might need for interpretation work in the living Christianity.
        </p>

        <p>With a login account, you can contribute to this work.</p>
@@ -118,21 +118,7 @@
        document.addEventListener('turbo:load', setupAdminMobileMenu);
      </script>

-      <!-- Flash messages -->
-      <% if flash.any? %>
-        <div class="max-w-7xl mx-auto px-4 mt-4">
-          <% flash.each do |type, message| %>
-            <div class="<%= type == 'notice' ? 'bg-green-50 border border-green-200 text-green-700' : 'bg-red-50 border border-red-200 text-red-700' %> px-4 py-3 rounded-lg mb-4 relative" role="alert">
-              <span class="block sm:inline pr-8"><%= message %></span>
-              <button type="button" class="absolute top-0 right-0 mt-3 mr-3 text-current opacity-50 hover:opacity-100 transition" onclick="this.parentElement.remove()">
-                <svg class="w-4 h-4" fill="currentColor" viewBox="0 0 20 20">
-                  <path fill-rule="evenodd" d="M4.293 4.293a1 1 0 011.414 0L10 8.586l4.293-4.293a1 1 0 111.414 1.414L11.414 10l4.293 4.293a1 1 0 01-1.414 1.414L10 11.414l-4.293 4.293a1 1 0 01-1.414-1.414L8.586 10 4.293 5.707a1 1 0 010-1.414z" clip-rule="evenodd"></path>
-                </svg>
-              </button>
-            </div>
-          <% end %>
-        </div>
-      <% end %>
+      <%= render "shared/notifications" %>

      <!-- Main content -->
      <main class="flex-1 max-w-7xl w-full mx-auto px-4 py-8">
@@ -12,6 +12,8 @@
    </div>
  </header>

+  <%= render "shared/notifications" %>
+
  <div class="flex-1 flex items-center justify-center px-4 py-12 bg-slate-50">
    <div class="w-full max-w-md">
      <div class="bg-white rounded-2xl shadow-sm border border-slate-200 p-8">
@@ -20,11 +22,6 @@
          <p class="text-sm text-slate-600">Enter your new password below.</p>
        </div>

-        <% if flash[:alert] %>
-          <div class="bg-red-50 border border-red-200 text-red-700 px-4 py-3 rounded-lg mb-6" role="alert">
-            <%= flash[:alert] %>
-          </div>
-        <% end %>

        <%= form_with url: password_reset_path(params[:token]), method: :patch, local: true, data: { turbo: false }, class: "space-y-5" do |form| %>
          <div>
@@ -12,6 +12,8 @@
    </div>
  </header>

+  <%= render "shared/notifications" %>
+
  <div class="flex-1 flex items-center justify-center px-4 py-12 bg-slate-50">
    <div class="w-full max-w-md">
      <div class="bg-white rounded-2xl shadow-sm border border-slate-200 p-8">
@@ -20,11 +22,6 @@
          <p class="text-sm text-slate-600">Enter your email address and we'll send you a link to reset your password.</p>
        </div>

-        <% if flash[:alert] %>
-          <div class="bg-red-50 border border-red-200 text-red-700 px-4 py-3 rounded-lg mb-6" role="alert">
-            <%= flash[:alert] %>
-          </div>
-        <% end %>

        <%= form_with url: password_resets_path, method: :post, local: true, data: { turbo: false }, class: "space-y-5" do |form| %>
          <div>
@@ -3,6 +3,8 @@
 <div class="min-h-screen flex flex-col">
  <%= render "shared/header", show_request_button: false %>

+  <%= render "shared/notifications" %>
+
  <div class="flex-1 bg-gradient-to-br from-indigo-50 via-white to-purple-50 flex items-center justify-center px-4 py-12">
    <div class="max-w-2xl w-full">
      <div class="bg-white rounded-2xl shadow-xl p-8">
@@ -11,11 +13,6 @@
          <p class="text-gray-600">Is there a word you would like to see in this glossary?</p>
        </div>

-      <% if flash[:alert] %>
-        <div class="mb-6 p-4 bg-red-50 border border-red-200 rounded-lg text-red-800">
-          <%= flash[:alert] %>
-        </div>
-      <% end %>

      <% if @pending_count && @pending_count > 0 %>
        <div class="mb-6 p-4 bg-blue-50 border border-blue-200 rounded-lg text-blue-800">
@@ -12,6 +12,8 @@
    </div>
  </header>

+  <%= render "shared/notifications" %>
+
  <div class="flex-1 flex items-center justify-center px-4 py-12 bg-slate-50">
    <div class="w-full max-w-md">
      <div class="bg-white rounded-2xl shadow-sm border border-slate-200 p-8">
@@ -20,11 +22,6 @@
          <p class="text-sm text-slate-600">Enter your credentials to continue</p>
        </div>

-        <% if flash[:alert] %>
-          <div class="bg-red-50 border border-red-200 text-red-700 px-4 py-3 rounded-lg mb-6" role="alert">
-            <%= flash[:alert] %>
-          </div>
-        <% end %>

        <%= form_with url: login_path, method: :post, local: true, data: { turbo: false }, class: "space-y-5" do |form| %>
          <div>
@@ -28,7 +28,7 @@
            <% if admin? %>
              <%= link_to "Admin", admin_root_path, class: "bg-indigo-600 text-white px-4 py-2 rounded-lg text-sm font-semibold hover:bg-indigo-700 transition" %>
            <% end %>
-            <%= link_to "Sign Out", logout_path, data: { turbo_method: :delete, turbo: false },
+            <%= link_to "Sign Out", logout_path, data: { turbo_method: :delete },
                        class: "text-sm font-medium text-slate-600 hover:text-red-600 transition" %>
          </div>
        <% else %>
@@ -74,8 +74,8 @@
          <% if admin? %>
            <%= link_to "Admin", admin_root_path, class: "px-2 py-2 text-sm font-medium text-indigo-700 hover:bg-indigo-50 rounded transition" %>
          <% end %>
-          <%= link_to "Sign Out", logout_path, data: { turbo_method: :delete, turbo: false },
-                      class: "px-2 py-2 text-sm font-medium text-red-600 hover:bg-red-50 rounded transition" %>
+          <%= link_to "Sign Out", logout_path, data: { turbo_method: :delete },
+                      class: "block px-2 py-2 text-sm font-medium text-red-600 hover:bg-red-50 rounded transition" %>
        <% else %>
          <%= link_to "Sign In", login_path, class: "px-2 py-2 text-sm font-medium text-indigo-700 hover:bg-indigo-50 rounded transition" %>
        <% end %>
@@ -0,0 +1,16 @@
+<% if flash.any? %>
+  <div class="flex justify-center px-4 mt-4">
+    <div class="space-y-2">
+      <% flash.each do |type, message| %>
+        <div class="<%= type == 'notice' ? 'bg-green-50 border border-green-200 text-green-700' : 'bg-red-50 border border-red-200 text-red-700' %> px-6 py-3 rounded-lg relative shadow-sm" role="alert">
+          <span class="block pr-8 text-sm font-medium"><%= message %></span>
+          <button type="button" class="absolute top-0 right-0 mt-2.5 mr-2 text-current opacity-50 hover:opacity-100 transition" onclick="this.parentElement.remove()">
+            <svg class="w-4 h-4" fill="currentColor" viewBox="0 0 20 20">
+              <path fill-rule="evenodd" d="M4.293 4.293a1 1 0 011.414 0L10 8.586l4.293-4.293a1 1 0 111.414 1.414L11.414 10l4.293 4.293a1 1 0 01-1.414 1.414L10 11.414l-4.293 4.293a1 1 0 01-1.414-1.414L8.586 10 4.293 5.707a1 1 0 010-1.414z" clip-rule="evenodd"></path>
+            </svg>
+          </button>
+        </div>
+      <% end %>
+    </div>
+  </div>
+<% end %>
@@ -20,7 +20,7 @@ Rails.application.configure do

  # Show full error reports.
  config.consider_all_requests_local = true
-  config.cache_store = :null_store
+  config.cache_store = :memory_store

  # Render exception templates for rescuable exceptions and raise for other exceptions.
  config.action_dispatch.show_exceptions = :rescuable
@@ -19,7 +19,7 @@ Rails.application.routes.draw do
  # Authentication routes
  get "login", to: "sessions#new", as: :login
  post "login", to: "sessions#create"
-  get "logout", to: "sessions#destroy", as: :logout
+  delete "logout", to: "sessions#destroy", as: :logout

  # Password reset routes
  resources :password_resets, only: [ :new, :create ]
@@ -194,3 +194,40 @@ for i in range(10):
  ```
 ```
 </markdown_spec>
+
+<test_coverage>
+## Test Coverage Tracking
+
+The project uses SimpleCov to track test coverage. Coverage data is stored in `coverage/.resultset.json` after each test run.
+
+### Coverage Information
+- **Location**: `coverage/.resultset.json`
+- **Format**: JSON file with line-by-line coverage data for each Ruby file
+- **Generated by**: SimpleCov gem (runs automatically with tests)
+- **HTML Report**: `coverage/index.html` (open in browser for detailed report)
+
+### Reading Coverage Data
+
+When checking test coverage:
+1. Run tests: `bin/rails test`
+2. Check overall coverage in console output (e.g., "Line Coverage: 85.7% (707 / 825)")
+3. For detailed per-file coverage: open `coverage/index.html` in a browser
+4. The `.resultset.json` file contains raw coverage data if programmatic access is needed
+
+### Coverage Goals
+- Aim for **80%+ line coverage** for all models and helpers
+- Controllers should have **all actions tested** (both success and error paths)
+- Critical business logic should have **100% coverage**
+
+### Files Excluded from Coverage
+- `config/` - Configuration files
+- `db/` - Database migrations and schema
+- `test/` - Test files themselves
+- `vendor/` - Third-party code
+
+### Coverage Notes for Agents
+- Always run tests after making changes to verify coverage isn't decreasing
+- If adding new methods/classes, add corresponding tests
+- Coverage report shows which lines are NOT covered (highlighted in red in HTML report)
+- Missing coverage often indicates edge cases or error paths not tested
+</test_coverage>
@@ -109,14 +109,29 @@

 ## Testing

- [ ] **Controller tests** for all actions
- [ ] **System tests** for critical user flows
-  - [ ] Public browsing and search
-  - [ ] Contributor creates/edits entry
-  - [ ] Reviewer workflow
-  - [ ] Admin user management
- [ ] **Integration tests** for authentication flows
- [ ] **Performance tests** for search queries
+- [x] **Controller tests** for all actions
+  - [x] EntriesController (index, show, edit, update, download, filters, search)
+  - [x] PasswordResetsController (new, create, edit, update, token validation)
+  - [x] Existing tests: Sessions, Invitations, Setup, Admin controllers, Comments, Requests
+- [x] **System tests** for critical user flows
+  - [x] Public browsing and search
+  - [x] Contributor creates/edits entry
+  - [ ] Reviewer workflow (pending feature implementation)
+  - [x] Admin user management
+- [x] **Integration tests** for authentication flows
+  - [x] Sign in/sign out flows
+  - [x] Remember me functionality
+  - [x] Session timeout
+  - [x] Rate limiting
+  - [x] Password reset flow
+  - [x] Invitation acceptance flow
+- [x] **Performance tests** for search queries
+  - [x] Full text search benchmarks
+  - [x] Language-specific search
+  - [x] Alphabetical browsing
+  - [x] Category filtering
+  - [x] Combined filters
+  - [x] XLSX download performance

 ## Deployment

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Pre-commit hook that runs rubocop on staged Ruby files
+
+echo "Running rubocop on staged files..."
+
+# Get list of staged Ruby files
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.rb$|\.rake$')
+
+# If no Ruby files are staged, exit successfully
+if [ -z "$STAGED_FILES" ]; then
+  echo "No Ruby files staged, skipping rubocop."
+  exit 0
+fi
+
+# Run rubocop on staged files
+echo "$STAGED_FILES" | xargs bundle exec rubocop --force-exclusion
+
+RUBOCOP_EXIT=$?
+
+# If rubocop failed, prevent commit
+if [ $RUBOCOP_EXIT -ne 0 ]; then
+  echo ""
+  echo "❌ Rubocop found issues. Please fix them before committing."
+  echo "   You can run 'bundle exec rubocop -A' to auto-fix some issues."
+  echo "   To skip this hook, use 'git commit --no-verify'"
+  exit 1
+fi
+
+echo "✅ Rubocop passed!"
+exit 0
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Pre-push hook that runs security scans (brakeman + bundler-audit)
+
+echo "Running security scans..."
+echo ""
+
+# Run brakeman
+echo "🔍 Running brakeman..."
+bundle exec brakeman --no-pager --quiet
+
+BRAKEMAN_EXIT=$?
+
+if [ $BRAKEMAN_EXIT -ne 0 ]; then
+  echo ""
+  echo "❌ Brakeman found security issues."
+  echo "   Run 'bundle exec brakeman' for detailed output."
+  echo ""
+fi
+
+# Run bundler-audit
+echo "🔍 Running bundler-audit..."
+bundle exec bundler-audit check --update
+
+BUNDLER_AUDIT_EXIT=$?
+
+if [ $BUNDLER_AUDIT_EXIT -ne 0 ]; then
+  echo ""
+  echo "❌ Bundler-audit found vulnerable dependencies."
+  echo "   Run 'bundle exec bundler-audit check' for detailed output."
+  echo ""
+fi
+
+# If either scan failed, prevent push
+if [ $BRAKEMAN_EXIT -ne 0 ] || [ $BUNDLER_AUDIT_EXIT -ne 0 ]; then
+  echo "❌ Security scans failed. Please fix the issues before pushing."
+  echo "   To skip this hook, use 'git push --no-verify'"
+  exit 1
+fi
+
+echo ""
+echo "✅ All security scans passed!"
+exit 0
@@ -0,0 +1,16 @@
+#!/bin/bash
+# Setup script to install git hooks via symlinks
+
+echo "Installing git hooks..."
+
+# Create symlinks from .git/hooks to docs/hooks
+ln -sf ../../docs/hooks/pre-commit .git/hooks/pre-commit
+ln -sf ../../docs/hooks/pre-push .git/hooks/pre-push
+
+echo "✅ Git hooks installed successfully!"
+echo ""
+echo "Installed hooks (via symlinks):"
+echo "  • pre-commit: Runs rubocop on staged files"
+echo "  • pre-push: Runs brakeman + bundler-audit security scans"
+echo ""
+echo "See docs/GIT_HOOKS.md for more information."
@@ -0,0 +1,15 @@
+require "test_helper"
+require "capybara/rails"
+require "capybara/minitest"
+
+class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
+  driven_by :selenium, using: :headless_chrome, screen_size: [ 1400, 1400 ]
+
+  # Helper to login as a user
+  def login_as(user)
+    visit login_path
+    fill_in "Email", with: user.email
+    fill_in "Password", with: "password123456"
+    click_button "Sign In"
+  end
+end
@@ -140,4 +140,404 @@ class Admin::InvitationsControllerTest < ActionDispatch::IntegrationTest

    assert_redirected_to root_path
  end
+
+  # Resend action tests
+  test "should resend invitation for pending invitation" do
+    login_as(users(:admin_user))
+    pending_user = users(:pending_invitation)
+    original_token = pending_user.invitation_token
+    original_sent_at = pending_user.invitation_sent_at
+
+    assert_enqueued_emails 1 do
+      put resend_admin_invitation_path(pending_user)
+    end
+
+    assert_redirected_to admin_invitations_path
+    assert_match /Invitation resent to #{pending_user.email}/, flash[:notice]
+
+    pending_user.reload
+    assert_not_equal original_token, pending_user.invitation_token
+    assert_operator pending_user.invitation_sent_at, :>, original_sent_at
+  end
+
+  test "should not resend accepted invitation" do
+    login_as(users(:admin_user))
+    accepted_user = users(:contributor_user)
+
+    assert_enqueued_emails 0 do
+      put resend_admin_invitation_path(accepted_user)
+    end
+
+    assert_redirected_to admin_invitations_path
+    assert_equal "Cannot resend an accepted invitation.", flash[:alert]
+  end
+
+  test "should update invitation_sent_at when resending" do
+    login_as(users(:admin_user))
+    pending_user = users(:pending_invitation)
+
+    freeze_time do
+      put resend_admin_invitation_path(pending_user)
+
+      pending_user.reload
+      assert_in_delta Time.current.to_i, pending_user.invitation_sent_at.to_i, 2
+    end
+  end
+
+  test "should generate new token when resending" do
+    login_as(users(:admin_user))
+    pending_user = users(:pending_invitation)
+    original_token = pending_user.invitation_token
+
+    put resend_admin_invitation_path(pending_user)
+
+    pending_user.reload
+    assert_not_nil pending_user.invitation_token
+    assert_not_equal original_token, pending_user.invitation_token
+    assert pending_user.invitation_token.length >= 32
+  end
+
+  test "should not allow non-admin to resend invitation" do
+    login_as(users(:contributor_user))
+
+    put resend_admin_invitation_path(users(:pending_invitation))
+
+    assert_redirected_to root_path
+  end
+
+  test "should require authentication to resend invitation" do
+    put resend_admin_invitation_path(users(:pending_invitation))
+
+    assert_redirected_to login_path
+  end
+
+  # Index action tests
+  test "should list pending invitations in descending order by sent date" do
+    login_as(users(:admin_user))
+
+    # Create multiple pending invitations
+    user1 = User.create!(email: "user1@example.com", name: "User 1", password: "temp123456789")
+    user1.invite_by!(users(:admin_user))
+
+    user2 = User.create!(email: "user2@example.com", name: "User 2", password: "temp123456789")
+    user2.update_columns(invitation_token: "token2", invitation_sent_at: 1.hour.ago)
+
+    get admin_invitations_path
+
+    assert_response :success
+    assert_select "h3", /Pending Invitations/i
+    # Check both emails appear in the page
+    assert_select "td", text: "user1@example.com"
+    assert_select "td", text: "user2@example.com"
+  end
+
+  test "should display accepted invitations section" do
+    login_as(users(:admin_user))
+
+    get admin_invitations_path
+
+    assert_response :success
+    assert_select "h3", /Recently Accepted/i
+  end
+
+  test "should show pending invitation count badge" do
+    login_as(users(:admin_user))
+
+    get admin_invitations_path
+
+    assert_response :success
+    assert_select "span.bg-yellow-100"
+  end
+
+  test "should display pending invitations table when invitations exist" do
+    login_as(users(:admin_user))
+
+    get admin_invitations_path
+
+    assert_select "table"
+    assert_select "th", text: "Email"
+    assert_select "th", text: "Role"
+    assert_select "th", text: "Sent"
+  end
+
+  # Create action - additional tests
+  test "should create invitation with reviewer role" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "reviewer@example.com",
+        name: "New Reviewer",
+        role: "reviewer",
+        primary_language: "en"
+      }
+    }
+
+    new_user = User.find_by(email: "reviewer@example.com")
+    assert_equal "reviewer", new_user.role
+  end
+
+  test "should create invitation with admin role" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "admin@example.com",
+        name: "New Admin",
+        role: "admin",
+        primary_language: "en"
+      }
+    }
+
+    new_user = User.find_by(email: "admin@example.com")
+    assert_equal "admin", new_user.role
+  end
+
+  test "should ignore invalid role parameter" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "newuser@example.com",
+        name: "New User",
+        role: "superadmin",
+        primary_language: "en"
+      }
+    }
+
+    new_user = User.find_by(email: "newuser@example.com")
+    assert_equal "contributor", new_user.role
+  end
+
+  test "should set invited_by to current admin" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "newuser@example.com",
+        name: "New User",
+        role: "contributor",
+        primary_language: "en"
+      }
+    }
+
+    new_user = User.find_by(email: "newuser@example.com")
+    assert_equal users(:admin_user).id, new_user.invited_by_id
+  end
+
+  test "should generate random password for new invitation" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "newuser@example.com",
+        name: "New User",
+        role: "contributor",
+        primary_language: "en"
+      }
+    }
+
+    new_user = User.find_by(email: "newuser@example.com")
+    assert new_user.password_digest.present?
+  end
+
+  test "should not create invitation with duplicate email" do
+    login_as(users(:admin_user))
+    existing_user = users(:admin_user)
+
+    assert_no_difference("User.count") do
+      post admin_invitations_path, params: {
+        user: {
+          email: existing_user.email,
+          name: "Duplicate User",
+          role: "contributor",
+          primary_language: "en"
+        }
+      }
+    end
+
+    assert_response :unprocessable_entity
+    assert_select "div.text-red-700", text: /already been taken/i
+  end
+
+  test "should create invitation even with blank name" do
+    login_as(users(:admin_user))
+
+    assert_difference("User.count", 1) do
+      post admin_invitations_path, params: {
+        user: {
+          email: "newuser@example.com",
+          name: "",
+          role: "contributor",
+          primary_language: "en"
+        }
+      }
+    end
+
+    assert_redirected_to admin_invitations_path
+    new_user = User.find_by(email: "newuser@example.com")
+    assert_not_nil new_user
+  end
+
+  test "should show success message with email after creating invitation" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "newuser@example.com",
+        name: "New User",
+        role: "contributor",
+        primary_language: "en"
+      }
+    }
+
+    assert_redirected_to admin_invitations_path
+    assert_match /Invitation sent to newuser@example\.com/, flash[:notice]
+  end
+
+  # Destroy action - additional tests
+  test "should show success message after cancelling invitation" do
+    login_as(users(:admin_user))
+
+    delete admin_invitation_path(users(:pending_invitation))
+
+    assert_redirected_to admin_invitations_path
+    assert_equal "Invitation cancelled.", flash[:notice]
+  end
+
+  test "should delete user record when cancelling invitation" do
+    login_as(users(:admin_user))
+    pending_user = users(:pending_invitation)
+    user_id = pending_user.id
+
+    delete admin_invitation_path(pending_user)
+
+    assert_nil User.find_by(id: user_id)
+  end
+
+  test "should not allow destroying user with entries" do
+    login_as(users(:admin_user))
+    user_with_entries = users(:contributor_user)
+
+    # This user has accepted invitation and potentially has entries
+    assert_no_difference("User.count") do
+      delete admin_invitation_path(user_with_entries)
+    end
+
+    assert_redirected_to admin_invitations_path
+    assert_equal "Cannot cancel an accepted invitation.", flash[:alert]
+  end
+
+  # Security tests
+  test "should only permit email, name, primary_language, and role params" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "newuser@example.com",
+        name: "New User",
+        role: "contributor",
+        primary_language: "en",
+        password: "hackedpassword123",
+        invitation_token: "hacked_token",
+        invitation_accepted_at: Time.current
+      }
+    }
+
+    new_user = User.find_by(email: "newuser@example.com")
+    assert_not_nil new_user
+    # Password should be randomly generated, not from params
+    assert_not new_user.authenticate("hackedpassword123")
+    # Invitation token should be generated by invite_by, not from params
+    assert_not_equal "hacked_token", new_user.invitation_token
+    # Invitation should not be pre-accepted
+    assert_nil new_user.invitation_accepted_at
+  end
+
+  test "should require admin role for all actions" do
+    login_as(users(:reviewer_user))
+
+    # Index
+    get admin_invitations_path
+    assert_redirected_to root_path
+
+    # New
+    get new_admin_invitation_path
+    assert_redirected_to root_path
+
+    # Create
+    post admin_invitations_path, params: { user: { email: "test@example.com", name: "Test" } }
+    assert_redirected_to root_path
+
+    # Resend
+    put resend_admin_invitation_path(users(:pending_invitation))
+    assert_redirected_to root_path
+
+    # Destroy
+    delete admin_invitation_path(users(:pending_invitation))
+    assert_redirected_to root_path
+  end
+
+  # Edge cases
+  test "should handle resending expired invitation" do
+    login_as(users(:admin_user))
+    pending_user = users(:pending_invitation)
+    pending_user.update_columns(invitation_sent_at: 20.days.ago)
+
+    put resend_admin_invitation_path(pending_user)
+
+    assert_redirected_to admin_invitations_path
+    pending_user.reload
+    assert pending_user.invitation_sent_at > 1.hour.ago
+  end
+
+  test "should normalize email to lowercase when creating invitation" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "NewUser@Example.COM",
+        name: "New User",
+        role: "contributor",
+        primary_language: "en"
+      }
+    }
+
+    new_user = User.find_by(email: "newuser@example.com")
+    assert_not_nil new_user
+    assert_equal "newuser@example.com", new_user.email
+  end
+
+  test "should handle missing role parameter gracefully" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "newuser@example.com",
+        name: "New User",
+        primary_language: "en"
+      }
+    }
+
+    new_user = User.find_by(email: "newuser@example.com")
+    assert_not_nil new_user
+    assert_equal "contributor", new_user.role
+  end
+
+  test "should handle blank role parameter" do
+    login_as(users(:admin_user))
+
+    post admin_invitations_path, params: {
+      user: {
+        email: "newuser@example.com",
+        name: "New User",
+        role: "",
+        primary_language: "en"
+      }
+    }
+
+    new_user = User.find_by(email: "newuser@example.com")
+    assert_not_nil new_user
+    assert_equal "contributor", new_user.role
+  end
 end
@@ -43,9 +43,9 @@ class Admin::RequestsControllerTest < ActionDispatch::IntegrationTest

    assert_response :success
    assert_select "h1", "Entry Request Details"
-    assert_match @requested_entry.fi, response.body
-    assert_match @requested_entry.en, response.body
-    assert_match @requested_entry.requested_by.name, response.body
+    assert_select "div", text: @requested_entry.fi
+    assert_select "div", text: @requested_entry.en
+    assert_select "span", text: @requested_entry.requested_by.name
  end

  test "should show edit form for requested entry" do
@@ -18,6 +18,26 @@ class Admin::UsersControllerTest < ActionDispatch::IntegrationTest
    assert_response :success
  end

+  test "should filter users by role" do
+    login_as(users(:admin_user))
+
+    get admin_users_path, params: { role: "reviewer" }
+
+    assert_response :success
+    assert_select "td", text: /#{Regexp.escape(users(:reviewer_user).email)}/
+    assert_select "td", text: /#{Regexp.escape(users(:contributor_user).email)}/, count: 0
+  end
+
+  test "should filter users by email query" do
+    login_as(users(:admin_user))
+
+    get admin_users_path, params: { q: "admin" }
+
+    assert_response :success
+    assert_select "td", text: /#{Regexp.escape(users(:admin_user).email)}/
+    assert_select "td", text: /#{Regexp.escape(users(:contributor_user).email)}/, count: 0
+  end
+
  test "should get edit page for user when logged in as admin" do
    login_as(users(:admin_user))
    get edit_admin_user_path(users(:contributor_user))
@@ -35,6 +55,45 @@ class Admin::UsersControllerTest < ActionDispatch::IntegrationTest
    assert_equal "reviewer", users(:contributor_user).reload.role
  end

+  test "should not allow admin to update own role" do
+    admin_user = users(:admin_user)
+    login_as(admin_user)
+
+    patch admin_user_path(admin_user), params: {
+      user: { role: "reviewer" }
+    }
+
+    assert_redirected_to admin_users_path
+    assert_equal "You cannot modify your own role.", flash[:alert]
+    assert_equal "admin", admin_user.reload.role
+  end
+
+  test "should ignore invalid role updates" do
+    login_as(users(:admin_user))
+    contributor = users(:contributor_user)
+
+    patch admin_user_path(contributor), params: {
+      user: { role: "invalid_role", name: "Updated Name" }
+    }
+
+    assert_redirected_to admin_users_path
+    contributor.reload
+    assert_equal "contributor", contributor.role
+    assert_equal "Updated Name", contributor.name
+  end
+
+  test "should render edit when update is invalid" do
+    login_as(users(:admin_user))
+    contributor = users(:contributor_user)
+
+    patch admin_user_path(contributor), params: {
+      user: { email: "" }
+    }
+
+    assert_response :unprocessable_entity
+    assert_select "li", text: "Email can't be blank"
+  end
+
  test "should delete user when logged in as admin" do
    login_as(users(:admin_user))

@@ -46,6 +105,37 @@ class Admin::UsersControllerTest < ActionDispatch::IntegrationTest
    assert_redirected_to admin_users_path
  end

+  test "should not allow admin to delete own account" do
+    admin_user = users(:admin_user)
+    login_as(admin_user)
+
+    assert_no_difference("User.count") do
+      delete admin_user_path(admin_user)
+    end
+
+    assert_redirected_to admin_users_path
+    assert_equal "You cannot delete your own account.", flash[:alert]
+  end
+
+  test "should not allow deleting first admin user" do
+    other_admin = User.create!(
+      email: "other-admin@example.com",
+      name: "Other Admin",
+      role: :admin,
+      primary_language: "en",
+      password: "password123456",
+      invitation_accepted_at: Time.current
+    )
+    login_as(other_admin)
+
+    assert_no_difference("User.count") do
+      delete admin_user_path(User.first)
+    end
+
+    assert_redirected_to admin_users_path
+    assert_equal "Cannot delete the first admin user (system default contact).", flash[:alert]
+  end
+
  test "should not allow non-admin to update user" do
    login_as(users(:contributor_user))

@@ -0,0 +1,176 @@
+require "test_helper"
+require "roo"
+require "tempfile"
+
+class EntriesControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @entry = entries(:one)
+    @user = users(:admin_user)
+  end
+
+  # INDEX tests
+  test "should get index" do
+    get entries_url
+    assert_response :success
+  end
+
+  test "should filter by language" do
+    get entries_url, params: { language: "fi" }
+    assert_response :success
+    assert_select "input[type=hidden][name='language'][value='fi']"
+  end
+
+  test "should filter by category" do
+    get entries_url, params: { category: "word" }
+    assert_response :success
+    assert_select "input[type=hidden][name='category'][value='word']"
+  end
+
+  test "should search with query" do
+    get entries_url, params: { q: "test" }
+    assert_response :success
+    assert_select "input[name='q'][value='test']"
+  end
+
+  test "should filter by starts_with" do
+    get entries_url, params: { starts_with: "a" }
+    assert_response :success
+    assert_select "input[type=hidden][name='starts_with'][value='a']"
+  end
+
+  test "should paginate results" do
+    get entries_url, params: { page: 2 }
+    assert_response :success
+    assert_select "div", text: /Page 2 of/i
+  end
+
+  test "should handle invalid language code" do
+    get entries_url, params: { language: "invalid" }
+    assert_response :success
+    assert_select "input[name='language']", count: 0
+  end
+
+  test "should respond to turbo_stream" do
+    get entries_url, as: :turbo_stream
+    assert_response :success
+  end
+
+  test "should only show active entries in index" do
+    # Create a requested entry that should not appear
+    requested_entry = Entry.create!(
+      fi: "Requested",
+      category: :word,
+      status: :requested,
+      requested_by: @user
+    )
+
+    get entries_url
+    assert_response :success
+    assert_select "td", text: requested_entry.fi, count: 0
+  end
+
+  # SHOW tests
+  test "should show entry" do
+    get entry_url(@entry)
+    assert_response :success
+  end
+
+  test "should show entry with comments" do
+    get entry_url(@entry)
+    assert_response :success
+    assert_select "p", text: @entry.fi
+  end
+
+  # EDIT tests
+  test "should get edit" do
+    get edit_entry_url(@entry)
+    assert_response :success
+  end
+
+  # UPDATE tests
+  test "should update entry" do
+    patch entry_url(@entry), params: {
+      entry: {
+        fi: "Updated Finnish",
+        en: "Updated English",
+        category: "word"
+      }
+    }
+    assert_redirected_to entry_url(@entry)
+    @entry.reload
+    assert_equal "Updated Finnish", @entry.fi
+  end
+
+  test "should not update entry with invalid data" do
+    patch entry_url(@entry), params: {
+      entry: {
+        fi: "",
+        en: "",
+        sv: "",
+        no: "",
+        ru: "",
+        de: ""
+      }
+    }
+    assert_response :unprocessable_entity
+  end
+
+  test "should update entry category" do
+    patch entry_url(@entry), params: {
+      entry: { category: "phrase" }
+    }
+    assert_redirected_to entry_url(@entry)
+    @entry.reload
+    assert_equal "phrase", @entry.category
+  end
+
+  # DOWNLOAD tests
+  test "should download xlsx" do
+    get download_entries_url(format: :xlsx)
+    assert_response :success
+    assert_equal "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+                 response.media_type
+  end
+
+  test "should include active entries in xlsx" do
+    unique_entry = Entry.create!(
+      fi: "UniqueActiveEntry123",
+      category: :word,
+      status: :active
+    )
+
+    get download_entries_url(format: :xlsx)
+    assert_response :success
+
+    Tempfile.create([ "entries", ".xlsx" ]) do |file|
+      file.binmode
+      file.write(response.body)
+      file.flush
+
+      sheet = Roo::Excelx.new(file.path).sheet(0)
+      cell_values = sheet.to_a.flatten.compact
+      assert_includes cell_values, unique_entry.fi
+    end
+  end
+
+  # Statistics tests
+  test "should calculate entry statistics" do
+    get entries_url
+    assert_response :success
+    assert_select "div", text: /entries/i
+    assert_select "div", text: /% complete/i
+  end
+
+  test "should calculate language completion" do
+    get entries_url
+    assert_response :success
+    assert_select "div", text: /% complete/i
+  end
+
+  # Language ordering tests
+  test "should prioritize selected language in display" do
+    get entries_url, params: { language: "fi" }
+    assert_response :success
+    assert_select "th span", text: "FI", count: 1
+  end
+end
@@ -90,4 +90,306 @@ class InvitationsControllerTest < ActionDispatch::IntegrationTest
    assert_redirected_to root_path
    assert_equal "Invalid or expired invitation link.", flash[:alert]
  end
+
+  test "should redirect admin to dashboard after accepting invitation" do
+    inviter = users(:admin_user)
+    pending_admin = User.create!(
+      email: "pending-admin@example.com",
+      name: "Pending Admin",
+      role: :admin,
+      primary_language: "en",
+      invitation_token: "pending_admin_token",
+      invitation_sent_at: 1.day.ago,
+      invited_by: inviter,
+      password: "password123456"
+    )
+
+    patch accept_invitation_path(pending_admin.invitation_token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123"
+      }
+    }
+
+    pending_admin.reload
+    assert_not_nil pending_admin.invitation_accepted_at
+    assert_nil pending_admin.invitation_token
+    assert_equal pending_admin.id, session[:user_id]
+    assert_redirected_to admin_root_path
+  end
+
+  # Entry activation tests
+  test "should activate approved entries on invitation acceptance" do
+    user = users(:pending_invitation)
+
+    # Create approved entry for this user
+    approved_entry = Entry.create!(
+      category: :word,
+      fi: "Test word",
+      status: :approved,
+      requested_by: user
+    )
+
+    # Create requested entry (should not be activated)
+    requested_entry = Entry.create!(
+      category: :word,
+      fi: "Requested word",
+      status: :requested,
+      requested_by: user
+    )
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123"
+      }
+    }
+
+    approved_entry.reload
+    requested_entry.reload
+
+    assert_equal "active", approved_entry.status
+    assert_equal "requested", requested_entry.status
+  end
+
+  test "should activate multiple approved entries on invitation acceptance" do
+    user = users(:pending_invitation)
+
+    # Create multiple approved entries
+    entries = 3.times.map do |i|
+      Entry.create!(
+        category: :word,
+        fi: "Word #{i}",
+        status: :approved,
+        requested_by: user
+      )
+    end
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123"
+      }
+    }
+
+    entries.each do |entry|
+      entry.reload
+      assert_equal "active", entry.status
+    end
+  end
+
+  test "should not activate entries for other users" do
+    user = users(:pending_invitation)
+    other_user = users(:admin_user)
+
+    # Create approved entry for another user
+    other_entry = Entry.create!(
+      category: :word,
+      fi: "Other user word",
+      status: :approved,
+      requested_by: other_user
+    )
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123"
+      }
+    }
+
+    other_entry.reload
+    assert_equal "approved", other_entry.status
+  end
+
+  test "should handle invitation acceptance with no entries" do
+    user = users(:pending_invitation)
+
+    # Ensure the user has no entries
+    Entry.where(requested_by: user).delete_all
+    assert_equal 0, Entry.where(requested_by: user).count
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123"
+      }
+    }
+
+    assert_redirected_to root_path
+    user.reload
+    assert_not_nil user.invitation_accepted_at
+  end
+
+  # Security tests
+  test "should only permit password parameters" do
+    user = users(:pending_invitation)
+    original_email = user.email
+    original_name = user.name
+    original_role = user.role
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123",
+        email: "hacker@example.com",
+        name: "Hacker Name",
+        role: "admin"
+      }
+    }
+
+    user.reload
+    assert_equal original_email, user.email
+    assert_equal original_name, user.name
+    assert_equal original_role, user.role
+  end
+
+  test "should not log in user when password validation fails" do
+    user = users(:pending_invitation)
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "short",
+        password_confirmation: "short"
+      }
+    }
+
+    assert_nil session[:user_id]
+  end
+
+  # Edge cases
+  test "should handle already accepted invitation" do
+    user = users(:pending_invitation)
+    user.update!(invitation_accepted_at: Time.current, invitation_token: nil)
+
+    patch accept_invitation_path("some_token"), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123"
+      }
+    }
+
+    assert_redirected_to root_path
+    assert_equal "Invalid or expired invitation link.", flash[:alert]
+  end
+
+  test "should set invitation_accepted_at timestamp" do
+    user = users(:pending_invitation)
+    assert_nil user.invitation_accepted_at
+
+    freeze_time do
+      patch accept_invitation_path(user.invitation_token), params: {
+        user: {
+          password: "securepassword123",
+          password_confirmation: "securepassword123"
+        }
+      }
+
+      user.reload
+      assert_in_delta Time.current.to_i, user.invitation_accepted_at.to_i, 2
+    end
+  end
+
+  test "should clear invitation token after acceptance" do
+    user = users(:pending_invitation)
+    token = user.invitation_token
+    assert_not_nil token
+
+    patch accept_invitation_path(token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123"
+      }
+    }
+
+    user.reload
+    assert_nil user.invitation_token
+  end
+
+  test "should require password to be present" do
+    user = users(:pending_invitation)
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: nil,
+        password_confirmation: nil
+      }
+    }
+
+    # has_secure_password validates password presence when setting password
+    user.reload
+    assert_nil user.invitation_accepted_at
+  end
+
+  test "should show validation errors for short password" do
+    user = users(:pending_invitation)
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "short",
+        password_confirmation: "short"
+      }
+    }
+
+    assert_response :unprocessable_entity
+    assert_select "div.text-red-700", text: /too short/i
+  end
+
+  test "should show validation errors for mismatched passwords" do
+    user = users(:pending_invitation)
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "differentpassword"
+      }
+    }
+
+    assert_response :unprocessable_entity
+    assert_select "div.text-red-700", text: /confirmation/i
+  end
+
+  test "should authenticate with new password after acceptance" do
+    user = users(:pending_invitation)
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "mynewpassword123",
+        password_confirmation: "mynewpassword123"
+      }
+    }
+
+    user.reload
+    assert user.authenticate("mynewpassword123")
+    assert_not user.authenticate("oldpassword")
+  end
+
+  test "should log in user immediately after acceptance" do
+    user = users(:pending_invitation)
+
+    # First visit the invitation page to establish session
+    get invitation_path(user.invitation_token)
+    assert_nil session[:user_id]
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123"
+      }
+    }
+
+    assert_equal user.id, session[:user_id]
+  end
+
+  test "should show welcome message with user name" do
+    user = users(:pending_invitation)
+
+    patch accept_invitation_path(user.invitation_token), params: {
+      user: {
+        password: "securepassword123",
+        password_confirmation: "securepassword123"
+      }
+    }
+
+    assert_match /Welcome to Sanasto Wiki, #{user.name}!/, flash[:notice]
+  end
 end
@@ -0,0 +1,196 @@
+require "test_helper"
+
+class PasswordResetsControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = users(:admin_user)
+    @user.update!(invitation_accepted_at: Time.current)
+  end
+
+  # NEW tests
+  test "should get new" do
+    get new_password_reset_url
+    assert_response :success
+  end
+
+  test "should show password reset form" do
+    get new_password_reset_url
+    assert_select "form"
+    assert_select "input[type=email]"
+  end
+
+  # CREATE tests
+  test "should send reset email for existing user" do
+    assert_enqueued_emails 1 do
+      post password_resets_url, params: { email: @user.email }
+    end
+    assert_redirected_to login_url
+    assert_match /password reset instructions/i, flash[:notice]
+  end
+
+  test "should generate reset token for existing user" do
+    post password_resets_url, params: { email: @user.email }
+    @user.reload
+    assert_not_nil @user.reset_password_token
+    assert_not_nil @user.reset_password_sent_at
+  end
+
+  test "should handle non-existent email gracefully" do
+    post password_resets_url, params: { email: "nonexistent@example.com" }
+    assert_redirected_to login_url
+    assert_match /if that email address is in our system/i, flash[:notice]
+  end
+
+  test "should send invitation for user without accepted invitation" do
+    pending_user = users(:pending_invitation)
+    assert_nil pending_user.invitation_accepted_at
+
+    assert_enqueued_emails 1 do
+      post password_resets_url, params: { email: pending_user.email }
+    end
+    assert_redirected_to login_url
+  end
+
+  test "should handle blank email" do
+    post password_resets_url, params: { email: "" }
+    assert_redirected_to login_url
+  end
+
+  test "should handle email with whitespace" do
+    post password_resets_url, params: { email: "  #{@user.email}  " }
+    @user.reload
+    assert_not_nil @user.reset_password_token
+  end
+
+  # EDIT tests
+  test "should show reset password form with valid token" do
+    @user.update!(
+      reset_password_token: SecureRandom.urlsafe_base64(32),
+      reset_password_sent_at: Time.current
+    )
+    get edit_password_reset_url(@user.reset_password_token)
+    assert_response :success
+    assert_select "form"
+    assert_select "input[type=password]", count: 2
+  end
+
+  test "should reject invalid token" do
+    get edit_password_reset_url("invalid_token")
+    assert_redirected_to login_url
+    assert_match /invalid/i, flash[:alert]
+  end
+
+  test "should reject expired token" do
+    @user.update!(
+      reset_password_token: SecureRandom.urlsafe_base64(32),
+      reset_password_sent_at: 2.hours.ago
+    )
+    get edit_password_reset_url(@user.reset_password_token)
+    assert_redirected_to new_password_reset_url
+    assert_match /expired/i, flash[:alert]
+  end
+
+  # UPDATE tests
+  test "should reset password with valid token" do
+    @user.update!(
+      reset_password_token: SecureRandom.urlsafe_base64(32),
+      reset_password_sent_at: Time.current
+    )
+
+    patch password_reset_url(@user.reset_password_token), params: {
+      password: "newpassword12345",
+      password_confirmation: "newpassword12345"
+    }
+
+    assert_redirected_to root_url
+    assert_match /password has been reset/i, flash[:notice]
+
+    @user.reload
+    assert_nil @user.reset_password_token
+    assert_nil @user.reset_password_sent_at
+    assert @user.authenticate("newpassword12345")
+  end
+
+  test "should auto-login after successful password reset" do
+    @user.update!(
+      reset_password_token: SecureRandom.urlsafe_base64(32),
+      reset_password_sent_at: Time.current
+    )
+
+    patch password_reset_url(@user.reset_password_token), params: {
+      password: "newpassword12345",
+      password_confirmation: "newpassword12345"
+    }
+
+    assert_equal @user.id, session[:user_id]
+  end
+
+  test "should reject mismatched passwords" do
+    @user.update!(
+      reset_password_token: SecureRandom.urlsafe_base64(32),
+      reset_password_sent_at: Time.current
+    )
+
+    patch password_reset_url(@user.reset_password_token), params: {
+      password: "newpassword12345",
+      password_confirmation: "differentpassword"
+    }
+
+    assert_response :unprocessable_entity
+    assert_match /doesn't match/i, flash[:alert]
+  end
+
+  test "should reject blank password" do
+    @user.update!(
+      reset_password_token: SecureRandom.urlsafe_base64(32),
+      reset_password_sent_at: Time.current
+    )
+
+    patch password_reset_url(@user.reset_password_token), params: {
+      password: "",
+      password_confirmation: ""
+    }
+
+    assert_response :unprocessable_entity
+    assert_match /cannot be blank/i, flash[:alert]
+  end
+
+  test "should reject expired token on update" do
+    @user.update!(
+      reset_password_token: SecureRandom.urlsafe_base64(32),
+      reset_password_sent_at: 2.hours.ago
+    )
+
+    patch password_reset_url(@user.reset_password_token), params: {
+      password: "newpassword12345",
+      password_confirmation: "newpassword12345"
+    }
+
+    assert_redirected_to new_password_reset_url
+    assert_match /expired/i, flash[:alert]
+  end
+
+  test "should reject invalid token on update" do
+    patch password_reset_url("invalid_token"), params: {
+      password: "newpassword12345",
+      password_confirmation: "newpassword12345"
+    }
+
+    assert_redirected_to login_url
+    assert_match /invalid/i, flash[:alert]
+  end
+
+  test "should enforce password validations" do
+    @user.update!(
+      reset_password_token: SecureRandom.urlsafe_base64(32),
+      reset_password_sent_at: Time.current
+    )
+
+    # Password too short (less than 12 characters)
+    patch password_reset_url(@user.reset_password_token), params: {
+      password: "short",
+      password_confirmation: "short"
+    }
+
+    assert_response :unprocessable_entity
+  end
+end
@@ -0,0 +1,210 @@
+require "test_helper"
+
+class EntriesHelperTest < ActionView::TestCase
+  setup do
+    @entry = entries(:one)
+  end
+
+  # alphabet_letters tests
+  test "alphabet_letters returns A-Z for blank language code" do
+    result = alphabet_letters(nil)
+    assert_equal ("A".."Z").to_a, result
+    assert_equal 26, result.length
+  end
+
+  test "alphabet_letters returns A-Z for empty string" do
+    result = alphabet_letters("")
+    assert_equal ("A".."Z").to_a, result
+  end
+
+  test "alphabet_letters returns A-Z for unknown language" do
+    result = alphabet_letters("unknown")
+    assert_equal ("A".."Z").to_a, result
+  end
+
+  test "alphabet_letters returns A-Z for English" do
+    result = alphabet_letters("en")
+    assert_equal ("A".."Z").to_a, result
+    assert_equal 26, result.length
+  end
+
+  test "alphabet_letters returns A-Z for German" do
+    result = alphabet_letters("de")
+    assert_equal ("A".."Z").to_a, result
+  end
+
+  test "alphabet_letters returns Cyrillic alphabet for Russian" do
+    result = alphabet_letters("ru")
+    assert_equal 33, result.length
+    assert_includes result, "А"
+    assert_includes result, "Я"
+    assert_includes result, "Ё"
+    assert_not_includes result, "A"
+    assert_not_includes result, "Z"
+  end
+
+  test "alphabet_letters returns A-Z plus Æ Ø Å for Norwegian" do
+    result = alphabet_letters("no")
+    assert_equal 29, result.length
+    assert_includes result, "A"
+    assert_includes result, "Z"
+    assert_includes result, "Æ"
+    assert_includes result, "Ø"
+    assert_includes result, "Å"
+    assert_equal [ "Æ", "Ø", "Å" ], result.last(3)
+  end
+
+  test "alphabet_letters returns A-Z plus Å Ä Ö for Swedish" do
+    result = alphabet_letters("sv")
+    assert_equal 29, result.length
+    assert_includes result, "A"
+    assert_includes result, "Z"
+    assert_includes result, "Å"
+    assert_includes result, "Ä"
+    assert_includes result, "Ö"
+    assert_equal [ "Å", "Ä", "Ö" ], result.last(3)
+  end
+
+  test "alphabet_letters returns A-Z plus Å Ä Ö for Finnish" do
+    result = alphabet_letters("fi")
+    assert_equal 29, result.length
+    assert_includes result, "A"
+    assert_includes result, "Z"
+    assert_includes result, "Å"
+    assert_includes result, "Ä"
+    assert_includes result, "Ö"
+    assert_equal [ "Å", "Ä", "Ö" ], result.last(3)
+  end
+
+  # entry_translation_for tests
+  test "entry_translation_for returns Finnish translation" do
+    @entry.fi = "Suomalainen sana"
+    result = entry_translation_for(@entry, "fi")
+    assert_equal "Suomalainen sana", result
+  end
+
+  test "entry_translation_for returns English translation" do
+    @entry.en = "English word"
+    result = entry_translation_for(@entry, "en")
+    assert_equal "English word", result
+  end
+
+  test "entry_translation_for returns Swedish translation" do
+    @entry.sv = "Svenskt ord"
+    result = entry_translation_for(@entry, "sv")
+    assert_equal "Svenskt ord", result
+  end
+
+  test "entry_translation_for returns Norwegian translation" do
+    @entry.no = "Norsk ord"
+    result = entry_translation_for(@entry, "no")
+    assert_equal "Norsk ord", result
+  end
+
+  test "entry_translation_for returns Russian translation" do
+    @entry.ru = "Русское слово"
+    result = entry_translation_for(@entry, "ru")
+    assert_equal "Русское слово", result
+  end
+
+  test "entry_translation_for returns German translation" do
+    @entry.de = "Deutsches Wort"
+    result = entry_translation_for(@entry, "de")
+    assert_equal "Deutsches Wort", result
+  end
+
+  test "entry_translation_for returns nil for invalid language code" do
+    result = entry_translation_for(@entry, "invalid")
+    assert_nil result
+  end
+
+  test "entry_translation_for returns nil for non-existent attribute" do
+    result = entry_translation_for(@entry, "zz")
+    assert_nil result
+  end
+
+  test "entry_translation_for returns nil for blank translation" do
+    @entry.fi = nil
+    result = entry_translation_for(@entry, "fi")
+    assert_nil result
+  end
+
+  test "entry_translation_for handles symbol language code" do
+    @entry.fi = "Test"
+    result = entry_translation_for(@entry, :fi)
+    assert_equal "Test", result
+  end
+
+  # format_entry_category tests
+  test "format_entry_category formats word category" do
+    @entry.category = "word"
+    result = format_entry_category(@entry)
+    assert_equal "Word", result
+  end
+
+  test "format_entry_category formats phrase category" do
+    @entry.category = "phrase"
+    result = format_entry_category(@entry)
+    assert_equal "Phrase", result
+  end
+
+  test "format_entry_category formats proper_name category" do
+    @entry.category = "proper_name"
+    result = format_entry_category(@entry)
+    assert_equal "Proper name", result
+  end
+
+  test "format_entry_category formats title category" do
+    @entry.category = "title"
+    result = format_entry_category(@entry)
+    assert_equal "Title", result
+  end
+
+  test "format_entry_category formats reference category" do
+    @entry.category = "reference"
+    result = format_entry_category(@entry)
+    assert_equal "Reference", result
+  end
+
+  test "format_entry_category formats other category" do
+    @entry.category = "other"
+    result = format_entry_category(@entry)
+    assert_equal "Other", result
+  end
+
+  # format_entry_status tests
+  test "format_entry_status returns requested badge" do
+    @entry.status = :requested
+    result = format_entry_status(@entry)
+    assert_match /Requested/, result
+    assert_match /bg-yellow-100/, result
+    assert_match /text-yellow-800/, result
+  end
+
+  test "format_entry_status returns approved badge" do
+    @entry.status = :approved
+    result = format_entry_status(@entry)
+    assert_match /Approved/, result
+    assert_match /bg-blue-100/, result
+    assert_match /text-blue-800/, result
+  end
+
+  test "format_entry_status returns active badge" do
+    @entry.status = :active
+    result = format_entry_status(@entry)
+    assert_match /Active/, result
+    assert_match /bg-green-100/, result
+    assert_match /text-green-800/, result
+  end
+
+  test "format_entry_status badge contains proper HTML structure" do
+    @entry.status = :active
+    result = format_entry_status(@entry)
+    assert_match /<span/, result
+    assert_match /class=/, result
+    assert_match /px-2 py-1/, result
+    assert_match /text-xs/, result
+    assert_match /font-semibold/, result
+    assert_match /rounded-full/, result
+  end
+end
@@ -0,0 +1,317 @@
+require "test_helper"
+
+class AuthenticationFlowTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = users(:admin_user)
+    @user.update!(invitation_accepted_at: Time.current)
+    Rails.cache.clear
+  end
+
+  test "user can sign in with valid credentials" do
+    get login_path
+    assert_response :success
+
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456"
+    }
+
+    assert_redirected_to admin_root_path
+    follow_redirect!
+    assert_response :success
+    assert_equal @user.id, session[:user_id]
+  end
+
+  test "user cannot sign in with invalid password" do
+    post login_path, params: {
+      email: @user.email,
+      password: "wrongpassword"
+    }
+
+    assert_response :unprocessable_entity
+    assert_nil session[:user_id]
+    assert_select "div[role='alert']", text: /invalid email or password/i
+  end
+
+  test "user cannot sign in with non-existent email" do
+    post login_path, params: {
+      email: "nonexistent@example.com",
+      password: "password123456"
+    }
+
+    assert_response :unprocessable_entity
+    assert_nil session[:user_id]
+  end
+
+  test "pending user cannot sign in" do
+    pending_user = users(:pending_invitation)
+
+    post login_path, params: {
+      email: pending_user.email,
+      password: "password123456"
+    }
+
+    assert_response :unprocessable_entity
+    assert_nil session[:user_id]
+    assert_select "div[role='alert']", text: /pending/i
+  end
+
+  test "user can sign out" do
+    # Sign in first
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456"
+    }
+    assert_equal @user.id, session[:user_id]
+
+    # Sign out
+    delete logout_path
+
+    assert_redirected_to root_path
+    assert_nil session[:user_id]
+  end
+
+  test "session persists across requests" do
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456"
+    }
+
+    assert_equal @user.id, session[:user_id]
+
+    get root_path
+    assert_equal @user.id, session[:user_id]
+
+    get entries_path
+    assert_equal @user.id, session[:user_id]
+  end
+
+  test "remember me creates cookie" do
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456",
+      remember_me: "1"
+    }
+
+    assert_not_nil cookies[:remember_token]
+    @user.reload
+    assert_not_nil @user.remember_token
+    assert_not_nil @user.remember_created_at
+  end
+
+  test "remember me cookie logs user in automatically" do
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456",
+      remember_me: "1"
+    }
+    remember_cookie = cookies[:remember_token]
+    assert_not_nil remember_cookie
+
+    # Clear session
+    reset!
+
+    # Make request with remember cookie
+    cookies[:remember_token] = remember_cookie
+    get root_path
+
+    assert_equal @user.id, session[:user_id]
+  end
+
+  test "logout clears remember me cookie" do
+    # Sign in with remember me
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456",
+      remember_me: "1"
+    }
+
+    assert_not_nil cookies[:remember_token]
+
+    # Sign out
+    delete logout_path
+
+    remember_cookie = cookies[:remember_token]
+    assert remember_cookie.nil? || remember_cookie.empty?
+    @user.reload
+    assert_nil @user.remember_token
+  end
+
+  test "rate limiting prevents brute force" do
+    max_attempts = 5
+    responses = []
+
+    (max_attempts + 1).times do
+      post login_path, params: {
+        email: @user.email,
+        password: "wrongpassword"
+      }
+      responses << response.status
+    end
+
+    assert responses.first(max_attempts).all? { |status| status == 422 },
+           "Expected first #{max_attempts} responses to be 422, got #{responses.first(max_attempts)}"
+
+    if Rails.cache.is_a?(ActiveSupport::Cache::NullStore)
+      assert responses.last == 422,
+             "Expected last response to be 422 with null cache store, got #{responses.last}"
+    else
+      assert responses.last == 429, "Expected last response to be 429, got #{responses.last}"
+    end
+    assert_select "div[role='alert']", text: /too many/i
+  end
+
+  test "successful login resets rate limit" do
+    # Fail a few times
+    3.times do
+      post login_path, params: {
+        email: @user.email,
+        password: "wrongpassword"
+      }
+    end
+
+    # Then succeed
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456"
+    }
+
+    assert_redirected_to admin_root_path
+
+    # Should be able to login again immediately
+    delete logout_path
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456"
+    }
+
+    assert_redirected_to admin_root_path
+  end
+
+  test "session timeout logs user out after inactivity" do
+    # Sign in
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456"
+    }
+    assert_equal @user.id, session[:user_id]
+
+    # Simulate time passing
+    travel 4.days do
+      get root_path
+      assert_redirected_to login_path
+      assert_match /expired/i, flash[:alert]
+      assert_nil session[:user_id]
+    end
+  end
+
+  test "remember me prevents session timeout" do
+    # Sign in with remember me
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456",
+      remember_me: "1"
+    }
+
+    remember_cookie = cookies[:remember_token]
+
+    # Simulate time passing (but within remember me period)
+    travel 5.days do
+      cookies[:remember_token] = remember_cookie
+      get root_path
+      assert_response :success
+      assert_equal @user.id, session[:user_id]
+    end
+  end
+
+  test "password reset flow completes successfully" do
+    # Request reset
+    post password_resets_path, params: { email: @user.email }
+    assert_redirected_to login_path
+
+    @user.reload
+    assert_not_nil @user.reset_password_token
+
+    # Visit reset form
+    get edit_password_reset_path(@user.reset_password_token)
+    assert_response :success
+
+    # Submit new password
+    patch password_reset_path(@user.reset_password_token), params: {
+      password: "newpassword12345",
+      password_confirmation: "newpassword12345"
+    }
+
+    assert_redirected_to root_path
+    assert_equal @user.id, session[:user_id]
+
+    @user.reload
+    assert @user.authenticate("newpassword12345")
+    assert_nil @user.reset_password_token
+  end
+
+  test "invitation acceptance flow" do
+    pending_user = users(:pending_invitation)
+
+    # Visit invitation
+    get invitation_path(pending_user.invitation_token)
+    assert_response :success
+
+    # Accept invitation
+    patch accept_invitation_path(pending_user.invitation_token), params: {
+      user: {
+        password: "newpassword12345",
+        password_confirmation: "newpassword12345"
+      }
+    }
+
+    assert_redirected_to root_path
+    assert_equal pending_user.id, session[:user_id]
+
+    pending_user.reload
+    assert_not_nil pending_user.invitation_accepted_at
+    assert pending_user.authenticate("newpassword12345")
+  end
+
+  test "expired invitation cannot be accepted" do
+    pending_user = users(:pending_invitation)
+    pending_user.update!(invitation_sent_at: 15.days.ago)
+
+    get invitation_path(pending_user.invitation_token)
+    assert_redirected_to root_path
+    assert_match /expired/i, flash[:alert]
+  end
+
+  test "admin user redirects to admin dashboard after login" do
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456"
+    }
+
+    assert_redirected_to admin_root_path
+  end
+
+  test "contributor redirects to root after login" do
+    contributor = users(:contributor_user)
+    contributor.update!(invitation_accepted_at: Time.current)
+
+    post login_path, params: {
+      email: contributor.email,
+      password: "password123456"
+    }
+
+    assert_redirected_to root_path
+  end
+
+  test "already logged in user redirects from login page" do
+    # Sign in first
+    post login_path, params: {
+      email: @user.email,
+      password: "password123456"
+    }
+
+    # Try to visit login page again
+    get login_path
+    assert_redirected_to admin_root_path
+  end
+end
@@ -127,7 +127,7 @@ class EntryRequestFlowTest < ActionDispatch::IntegrationTest
    assert_response :success

    # Active entry should be counted
-    assert_match /#{Entry.active_entries.count}/, response.body
+    assert_select "div", text: "#{Entry.active_entries.count} entries"

    # Verify counts exclude requested/approved entries
    total_entries = Entry.count
@@ -0,0 +1,129 @@
+require "test_helper"
+require "benchmark"
+
+class SearchPerformanceTest < ActionDispatch::IntegrationTest
+  setup do
+    # Create a substantial number of test entries for performance testing
+    @test_entries = []
+    50.times do |i|
+      @test_entries << Entry.create!(
+        fi: "Testi sana #{i}",
+        en: "Test word #{i}",
+        sv: "Test ord #{i}",
+        category: :word,
+        status: :active
+      )
+    end
+  end
+
+  teardown do
+    # Clean up test entries
+    Entry.where(id: @test_entries.map(&:id)).delete_all
+  end
+
+  test "full text search completes in reasonable time" do
+    measure_time("Full text search") do
+      get entries_path, params: { q: "test" }
+      assert_response :success
+    end
+  end
+
+  test "language-specific search is performant" do
+    measure_time("Language-specific search") do
+      get entries_path, params: { q: "test", language: "en" }
+      assert_response :success
+    end
+  end
+
+  test "alphabetical browsing is performant" do
+    measure_time("Alphabetical browsing") do
+      get entries_path, params: { language: "fi", starts_with: "t" }
+      assert_response :success
+    end
+  end
+
+  test "category filtering is performant" do
+    measure_time("Category filtering") do
+      get entries_path, params: { category: "word" }
+      assert_response :success
+    end
+  end
+
+  test "combined filters are performant" do
+    measure_time("Combined filters") do
+      get entries_path, params: { q: "test", language: "fi", category: "word" }
+      assert_response :success
+    end
+  end
+
+  test "pagination does not degrade performance" do
+    measure_time("Pagination") do
+      get entries_path, params: { page: 2 }
+      assert_response :success
+    end
+  end
+
+  test "entry show page loads quickly" do
+    entry = @test_entries.first
+
+    measure_time("Entry show page") do
+      get entry_path(entry)
+      assert_response :success
+    end
+  end
+
+  test "XLSX download handles large datasets" do
+    measure_time("XLSX download") do
+      get download_entries_path(format: :xlsx)
+      assert_response :success
+    end
+  end
+
+  test "statistics calculation is performant" do
+    measure_time("Statistics calculation") do
+      get entries_path
+      assert_response :success
+      assert_select "div", text: /entries/i
+      assert_select "div", text: /% complete/i
+    end
+  end
+
+  test "search with no results is fast" do
+    measure_time("No results search") do
+      get entries_path, params: { q: "nonexistentword12345xyz" }
+      assert_response :success
+    end
+  end
+
+  test "multiple sequential searches maintain performance" do
+    searches = [ "test", "sana", "word", "ord" ]
+
+    total_time = Benchmark.measure do
+      searches.each do |query|
+        get entries_path, params: { q: query }
+        assert_response :success
+      end
+    end
+
+    assert total_time.real < 2.0, "Multiple searches took too long: #{total_time.real}s"
+  end
+
+  test "turbo stream responses are performant" do
+    measure_time("Turbo stream response") do
+      get entries_path, as: :turbo_stream, params: { q: "test" }
+      assert_response :success
+    end
+  end
+
+  private
+
+  def measure_time(description, max_time_ms: 500)
+    time = Benchmark.measure do
+      yield
+    end
+
+    time_ms = (time.real * 1000).round(2)
+    assert time_ms < max_time_ms,
+           "#{description} took too long: #{time_ms}ms (max: #{max_time_ms}ms)"
+  end
+end
@@ -0,0 +1,23 @@
+require "test_helper"
+
+class PasswordResetMailerTest < ActionMailer::TestCase
+  test "reset email contains token and expiry" do
+    user = users(:admin_user)
+    user.update!(
+      reset_password_token: "reset_token_123",
+      reset_password_sent_at: Time.current
+    )
+
+    email = PasswordResetMailer.reset(user)
+    assert_emails 1 do
+      email.deliver_now
+    end
+
+    assert_equal [ user.email ], email.to
+    assert_equal "Reset your Sanasto Wiki password", email.subject
+    assert_includes email.content_type, "text/html"
+    assert_includes email.body.encoded, "reset_token_123"
+    assert_includes email.body.encoded, "Password Reset Request"
+    assert_includes email.body.encoded, "will expire on"
+  end
+end
@@ -37,4 +37,422 @@ class UserTest < ActiveSupport::TestCase
    assert_not user.valid?
    assert_includes user.errors[:password], "is too short (minimum is 12 characters)"
  end
+
+  # Association tests
+  test "can have invited_by association" do
+    inviter = users(:admin_user)
+    user = User.create!(email: "invited@example.com", password: "password123456", invited_by: inviter)
+    assert_equal inviter, user.invited_by
+  end
+
+  test "can have invited_users" do
+    inviter = users(:admin_user)
+    user = User.create!(email: "invited@example.com", password: "password123456", invited_by: inviter)
+    assert_includes inviter.invited_users, user
+  end
+
+  test "has many created_entries" do
+    user = users(:admin_user)
+    assert_respond_to user, :created_entries
+  end
+
+  test "has many updated_entries" do
+    user = users(:admin_user)
+    assert_respond_to user, :updated_entries
+  end
+
+  test "has many requested_entries" do
+    user = users(:admin_user)
+    assert_respond_to user, :requested_entries
+  end
+
+  test "has many submitted_suggested_meanings" do
+    user = users(:admin_user)
+    assert_respond_to user, :submitted_suggested_meanings
+  end
+
+  test "has many reviewed_suggested_meanings" do
+    user = users(:admin_user)
+    assert_respond_to user, :reviewed_suggested_meanings
+  end
+
+  test "has many comments" do
+    user = users(:admin_user)
+    assert_respond_to user, :comments
+  end
+
+  # Scope tests
+  test "by_role scope filters contributors" do
+    contributor_user = users(:contributor_user)
+    results = User.by_role(:contributor)
+    assert_includes results, contributor_user
+  end
+
+  test "by_role scope filters reviewers" do
+    reviewer_user = users(:reviewer_user)
+    results = User.by_role(:reviewer)
+    assert_includes results, reviewer_user
+  end
+
+  test "by_role scope filters admins" do
+    admin_user = users(:admin_user)
+    results = User.by_role(:admin)
+    assert_includes results, admin_user
+  end
+
+  test "by_role scope returns all when role is blank" do
+    results = User.by_role(nil)
+    assert_equal User.all, results
+  end
+
+  test "search_email scope finds users by email" do
+    admin_user = users(:admin_user)
+    results = User.search_email("admin")
+    assert_includes results, admin_user
+  end
+
+  test "search_email scope returns all when query is blank" do
+    results = User.search_email(nil)
+    assert_equal User.all, results
+  end
+
+  test "search_email scope finds partial matches" do
+    admin_user = users(:admin_user)
+    results = User.search_email("exam")
+    assert_includes results, admin_user
+  end
+
+  # invitation_expired? tests
+  test "invitation_expired? returns false when invitation_sent_at is nil" do
+    user = User.new(email: "test@example.com", password: "password123456")
+    assert_not user.invitation_expired?
+  end
+
+  test "invitation_expired? returns false for recent invitation" do
+    user = User.new(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_sent_at: 1.day.ago
+    )
+    assert_not user.invitation_expired?
+  end
+
+  test "invitation_expired? returns true for expired invitation" do
+    user = User.new(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_sent_at: 15.days.ago
+    )
+    assert user.invitation_expired?
+  end
+
+  test "invitation_expired? returns false exactly at expiry boundary" do
+    user = User.new(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_sent_at: 13.days.ago
+    )
+    assert_not user.invitation_expired?
+  end
+
+  # invitation_pending? tests
+  test "invitation_pending? returns true for valid pending invitation" do
+    user = User.new(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_token: "valid_token",
+      invitation_sent_at: 1.day.ago,
+      invitation_accepted_at: nil
+    )
+    assert user.invitation_pending?
+  end
+
+  test "invitation_pending? returns false when invitation is accepted" do
+    user = User.new(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_token: "valid_token",
+      invitation_sent_at: 1.day.ago,
+      invitation_accepted_at: Time.current
+    )
+    assert_not user.invitation_pending?
+  end
+
+  test "invitation_pending? returns false when invitation is expired" do
+    user = User.new(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_token: "valid_token",
+      invitation_sent_at: 15.days.ago,
+      invitation_accepted_at: nil
+    )
+    assert_not user.invitation_pending?
+  end
+
+  test "invitation_pending? returns false when no invitation token" do
+    user = User.new(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_token: nil,
+      invitation_sent_at: 1.day.ago,
+      invitation_accepted_at: nil
+    )
+    assert_not user.invitation_pending?
+  end
+
+  # invite_by tests
+  test "invite_by sets invited_by and generates token" do
+    inviter = users(:admin_user)
+    user = User.new(email: "test@example.com", password: "password123456")
+    user.invite_by(inviter)
+
+    assert_equal inviter, user.invited_by
+    assert_not_nil user.invitation_token
+    assert_not_nil user.invitation_sent_at
+  end
+
+  test "invite_by does not override existing invited_by" do
+    original_inviter = users(:admin_user)
+    new_inviter = users(:reviewer_user)
+    user = User.new(email: "test@example.com", password: "password123456", invited_by: original_inviter)
+    user.invite_by(new_inviter)
+
+    assert_equal original_inviter, user.invited_by
+  end
+
+  test "invite_by handles nil invitee" do
+    user = User.new(email: "test@example.com", password: "password123456")
+    user.invite_by(nil)
+
+    assert_nil user.invited_by
+    assert_not_nil user.invitation_token
+    assert_not_nil user.invitation_sent_at
+  end
+
+  test "invite_by generates 32-character token" do
+    inviter = users(:admin_user)
+    user = User.new(email: "test@example.com", password: "password123456")
+    user.invite_by(inviter)
+
+    assert user.invitation_token.length >= 32
+  end
+
+  # invite_by! tests
+  test "invite_by! saves the user" do
+    inviter = users(:admin_user)
+    user = User.new(email: "test@example.com", password: "password123456")
+    user.invite_by!(inviter)
+
+    assert_not_nil user.id
+    assert user.persisted?
+  end
+
+  test "invite_by! works without invitee parameter" do
+    user = User.new(email: "test@example.com", password: "password123456")
+    user.invite_by!
+
+    assert_not_nil user.id
+    assert_not_nil user.invitation_token
+  end
+
+  # find_by_valid_invitation_token tests
+  test "find_by_valid_invitation_token finds user with valid token" do
+    user = User.create!(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_token: "valid_token_12345",
+      invitation_sent_at: 1.day.ago,
+      invitation_accepted_at: nil
+    )
+
+    found_user = User.find_by_valid_invitation_token("valid_token_12345")
+    assert_equal user, found_user
+  end
+
+  test "find_by_valid_invitation_token returns nil for expired token" do
+    User.create!(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_token: "expired_token",
+      invitation_sent_at: 15.days.ago,
+      invitation_accepted_at: nil
+    )
+
+    found_user = User.find_by_valid_invitation_token("expired_token")
+    assert_nil found_user
+  end
+
+  test "find_by_valid_invitation_token returns nil for accepted invitation" do
+    User.create!(
+      email: "test@example.com",
+      password: "password123456",
+      invitation_token: "accepted_token",
+      invitation_sent_at: 1.day.ago,
+      invitation_accepted_at: Time.current
+    )
+
+    found_user = User.find_by_valid_invitation_token("accepted_token")
+    assert_nil found_user
+  end
+
+  test "find_by_valid_invitation_token returns nil for non-existent token" do
+    found_user = User.find_by_valid_invitation_token("nonexistent_token")
+    assert_nil found_user
+  end
+
+  # remember_me tests
+  test "remember_me generates token and saves" do
+    user = users(:admin_user)
+    token = user.remember_me
+
+    assert_not_nil token
+    assert_not_nil user.remember_token
+    assert_not_nil user.remember_created_at
+    assert_equal token, user.remember_token
+  end
+
+  test "remember_me returns the generated token" do
+    user = users(:admin_user)
+    token = user.remember_me
+
+    assert_kind_of String, token
+    assert token.length >= 32
+  end
+
+  test "remember_me updates database immediately" do
+    user = users(:admin_user)
+    user.remember_me
+
+    user.reload
+    assert_not_nil user.remember_token
+    assert_not_nil user.remember_created_at
+  end
+
+  test "remember_me saves without validation" do
+    user = users(:admin_user)
+    # Make user invalid (email already taken by changing to duplicate)
+    user.email = ""
+    token = user.remember_me
+
+    assert_not_nil token
+    user.reload
+    assert_not_nil user.remember_token
+  end
+
+  # forget_me tests
+  test "forget_me clears remember token and timestamp" do
+    user = users(:admin_user)
+    user.remember_me
+    assert_not_nil user.remember_token
+
+    user.forget_me
+    user.reload
+
+    assert_nil user.remember_token
+    assert_nil user.remember_created_at
+  end
+
+  test "forget_me works when no remember token exists" do
+    user = users(:admin_user)
+    user.forget_me
+
+    assert_nil user.remember_token
+    assert_nil user.remember_created_at
+  end
+
+  # remember_token_expired? tests
+  test "remember_token_expired? returns true when remember_created_at is nil" do
+    user = users(:admin_user)
+    assert user.remember_token_expired?
+  end
+
+  test "remember_token_expired? returns false for recent token" do
+    user = users(:admin_user)
+    user.remember_token = "token"
+    user.remember_created_at = 1.day.ago
+    user.save(validate: false)
+
+    assert_not user.remember_token_expired?
+  end
+
+  test "remember_token_expired? returns true for expired token" do
+    user = users(:admin_user)
+    user.remember_token = "token"
+    user.remember_created_at = 3.weeks.ago
+    user.save(validate: false)
+
+    assert user.remember_token_expired?
+  end
+
+  test "remember_token_expired? boundary at 2 weeks" do
+    user = users(:admin_user)
+    user.remember_token = "token"
+    user.remember_created_at = 13.days.ago
+    user.save(validate: false)
+
+    assert_not user.remember_token_expired?
+  end
+
+  # find_by_valid_remember_token tests
+  test "find_by_valid_remember_token finds user with valid token" do
+    user = users(:admin_user)
+    token = user.remember_me
+
+    found_user = User.find_by_valid_remember_token(token)
+    assert_equal user, found_user
+  end
+
+  test "find_by_valid_remember_token returns nil for expired token" do
+    user = users(:admin_user)
+    user.remember_token = "expired_token"
+    user.remember_created_at = 3.weeks.ago
+    user.save(validate: false)
+
+    found_user = User.find_by_valid_remember_token("expired_token")
+    assert_nil found_user
+  end
+
+  test "find_by_valid_remember_token returns nil for non-existent token" do
+    found_user = User.find_by_valid_remember_token("nonexistent_token")
+    assert_nil found_user
+  end
+
+  test "find_by_valid_remember_token returns nil when user has no remember_created_at" do
+    user = users(:admin_user)
+    user.remember_token = "token_without_timestamp"
+    user.remember_created_at = nil
+    user.save(validate: false)
+
+    found_user = User.find_by_valid_remember_token("token_without_timestamp")
+    assert_nil found_user
+  end
+
+  # Password authentication tests
+  test "authenticate returns user for correct password" do
+    user = User.create!(email: "test@example.com", password: "password123456")
+    assert_equal user, user.authenticate("password123456")
+  end
+
+  test "authenticate returns false for incorrect password" do
+    user = User.create!(email: "test@example.com", password: "password123456")
+    assert_not user.authenticate("wrongpassword")
+  end
+
+  # Email normalization tests
+  test "email uniqueness is case-insensitive" do
+    User.create!(email: "Test@Example.com", password: "password123456")
+    duplicate_user = User.new(email: "test@example.com", password: "password123456")
+
+    # Note: This depends on database collation, but should be tested
+    assert_not duplicate_user.valid?
+  end
+
+  # Constants tests
+  test "INVITATION_TOKEN_EXPIRY is 14 days" do
+    assert_equal 14.days, User::INVITATION_TOKEN_EXPIRY
+  end
+
+  test "REMEMBER_TOKEN_EXPIRY is 2 weeks" do
+    assert_equal 2.weeks, User::REMEMBER_TOKEN_EXPIRY
+  end
 end
@@ -0,0 +1,299 @@
+require "application_system_test_case"
+
+class AdminWorkflowTest < ApplicationSystemTestCase
+  setup do
+    @admin = users(:admin_user)
+    @admin.update!(invitation_accepted_at: Time.current)
+  end
+
+  test "admin can access dashboard" do
+    login_as(@admin)
+
+    visit admin_root_path
+
+    assert_text "Dashboard"
+    assert_text "Total Users"
+    assert_text "Total Entries"
+  end
+
+  test "admin sees admin button in header" do
+    login_as(@admin)
+    visit root_path
+
+    within "header" do
+      assert_link "Admin"
+    end
+  end
+
+  test "admin can send invitation" do
+    login_as(@admin)
+
+    visit admin_invitations_path
+    click_link "Send New Invitation"
+
+    assert_current_path new_admin_invitation_path
+
+    fill_in "Name", with: "New User"
+    fill_in "Email", with: "newuser@example.com"
+    select "Contributor", from: "Role"
+
+    click_button "Send Invitation"
+
+    assert_current_path admin_invitations_path
+    assert_text "Invitation sent"
+    assert_text "newuser@example.com"
+  end
+
+  test "admin can view users list" do
+    login_as(@admin)
+
+    visit admin_users_path
+
+    assert_text "Users"
+    assert_selector "table"
+    assert_text @admin.email
+  end
+
+  test "admin can edit user role" do
+    user = users(:contributor_user)
+    login_as(@admin)
+
+    visit admin_users_path
+    within "#user_#{user.id}" do
+      click_link "Edit"
+    end
+
+    assert_current_path edit_admin_user_path(user)
+
+    select "Reviewer", from: "Role"
+    click_button "Update User"
+
+    assert_current_path admin_users_path
+    assert_text "User updated"
+
+    user.reload
+    assert_equal "reviewer", user.role
+  end
+
+  test "admin can delete user" do
+    user = users(:contributor_user)
+    login_as(@admin)
+
+    visit admin_users_path
+
+    within "#user_#{user.id}" do
+      click_button "Delete"
+    end
+
+    assert_current_path admin_users_path
+    assert_text "User deleted"
+    assert_no_text user.email
+  end
+
+  test "admin can view entry requests" do
+    requested_entry = Entry.create!(
+      fi: "Requested Entry",
+      category: :word,
+      status: :requested,
+      requested_by: users(:contributor_user)
+    )
+
+    login_as(@admin)
+
+    visit admin_requests_path
+
+    assert_text "Requested Entry"
+    assert_link "View"
+    assert_link "Edit"
+    assert_button "Approve"
+  end
+
+  test "admin can approve entry request" do
+    requester = users(:contributor_user)
+    requested_entry = Entry.create!(
+      fi: "Requested Entry",
+      category: :word,
+      status: :requested,
+      requested_by: requester
+    )
+
+    login_as(@admin)
+
+    visit admin_requests_path
+
+    within "#entry_#{requested_entry.id}" do
+      click_button "Approve"
+    end
+
+    assert_current_path admin_requests_path
+    assert_text "approved"
+
+    requested_entry.reload
+    assert_equal "approved", requested_entry.status
+  end
+
+  test "admin can edit entry request before approval" do
+    requested_entry = Entry.create!(
+      fi: "Requested Entry",
+      category: :word,
+      status: :requested,
+      requested_by: users(:contributor_user)
+    )
+
+    login_as(@admin)
+
+    visit edit_admin_request_path(requested_entry)
+
+    fill_in "Finnish", with: "Edited Finnish"
+    fill_in "English", with: "Added English"
+    click_button "Save Changes"
+
+    assert_current_path admin_requests_path
+    requested_entry.reload
+    assert_equal "Edited Finnish", requested_entry.fi
+    assert_equal "Added English", requested_entry.en
+  end
+
+  test "admin can reject entry request" do
+    requested_entry = Entry.create!(
+      fi: "Requested Entry",
+      category: :word,
+      status: :requested,
+      requested_by: users(:contributor_user)
+    )
+
+    login_as(@admin)
+
+    visit admin_requests_path
+
+    within "#entry_#{requested_entry.id}" do
+      click_button "Reject"
+    end
+
+    assert_current_path admin_requests_path
+    assert_text "rejected"
+    assert_nil Entry.find_by(id: requested_entry.id)
+  end
+
+  test "admin can resend invitation" do
+    pending_user = users(:pending_invitation)
+    login_as(@admin)
+
+    visit admin_invitations_path
+
+    within "#invitation_#{pending_user.id}" do
+      click_button "Resend"
+    end
+
+    assert_current_path admin_invitations_path
+    assert_text "Invitation resent"
+  end
+
+  test "admin can cancel invitation" do
+    pending_user = users(:pending_invitation)
+    login_as(@admin)
+
+    visit admin_invitations_path
+
+    within "#invitation_#{pending_user.id}" do
+      click_button "Cancel"
+    end
+
+    assert_current_path admin_invitations_path
+    assert_text "deleted"
+    assert_nil User.find_by(id: pending_user.id)
+  end
+
+  test "admin sees request count badge" do
+    Entry.create!(
+      fi: "Requested Entry 1",
+      category: :word,
+      status: :requested,
+      requested_by: users(:contributor_user)
+    )
+    Entry.create!(
+      fi: "Requested Entry 2",
+      category: :word,
+      status: :requested,
+      requested_by: users(:contributor_user)
+    )
+
+    login_as(@admin)
+    visit admin_root_path
+
+    within "header" do
+      assert_text "2"
+    end
+  end
+
+  test "admin navigation is responsive" do
+    login_as(@admin)
+    visit admin_root_path
+
+    # Test mobile menu if visible
+    if page.has_selector?("#admin-mobile-menu-button", visible: true)
+      click_button id: "admin-mobile-menu-button"
+      assert_selector "#admin-mobile-menu", visible: true
+      assert_link "Dashboard"
+      assert_link "Users"
+      assert_link "Invitations"
+    end
+  end
+
+  test "admin cannot delete themselves" do
+    login_as(@admin)
+
+    visit admin_users_path
+
+    within "#user_#{@admin.id}" do
+      click_button "Delete"
+    end
+
+    assert_text "cannot delete yourself"
+    assert User.exists?(@admin.id)
+  end
+
+  test "admin can view dashboard statistics" do
+    login_as(@admin)
+
+    visit admin_dashboard_path
+
+    assert_text "Total Users"
+    assert_text "Total Entries"
+    assert_text "Pending Invitations"
+    assert_text "Entry Requests"
+  end
+
+  test "admin can navigate between admin sections" do
+    login_as(@admin)
+
+    visit admin_root_path
+
+    click_link "Users"
+    assert_current_path admin_users_path
+
+    click_link "Invitations"
+    assert_current_path admin_invitations_path
+
+    click_link "Requests"
+    assert_current_path admin_requests_path
+
+    click_link "Dashboard"
+    assert_current_path admin_dashboard_path
+  end
+
+  test "admin can return to main site from admin" do
+    login_as(@admin)
+
+    visit admin_root_path
+
+    # On mobile, click hamburger menu first
+    if page.has_selector?("#admin-mobile-menu-button", visible: true)
+      click_button id: "admin-mobile-menu-button"
+    end
+
+    click_link "Back to Site"
+
+    assert_current_path root_path
+  end
+end
@@ -0,0 +1,185 @@
+require "application_system_test_case"
+
+class ContributorWorkflowTest < ApplicationSystemTestCase
+  setup do
+    @contributor = users(:contributor_user)
+    @contributor.update!(invitation_accepted_at: Time.current)
+  end
+
+  test "contributor can sign in" do
+    visit login_path
+
+    fill_in "Email", with: @contributor.email
+    fill_in "Password", with: "password123456"
+    click_button "Sign In"
+
+    assert_text "Welcome back"
+    within "header" do
+      assert_text @contributor.name.split.first
+    end
+  end
+
+  test "contributor can edit entry" do
+    entry = entries(:one)
+    login_as(@contributor)
+
+    visit entry_path(entry)
+    click_link "Edit"
+
+    assert_current_path edit_entry_path(entry)
+
+    fill_in "Finnish", with: "Updated Finnish Text"
+    fill_in "English", with: "Updated English Text"
+    select "Phrase", from: "Category"
+    fill_in "Additional Notes", with: "Updated notes"
+
+    click_button "Save Changes"
+
+    assert_current_path entry_path(entry)
+    assert_text "Entry updated"
+    assert_text "Updated Finnish Text"
+    assert_text "Updated English Text"
+  end
+
+  test "contributor can add comment to entry" do
+    entry = entries(:one)
+    login_as(@contributor)
+
+    visit entry_path(entry)
+
+    click_button "Add Comment"
+
+    within "#comment_form_modal" do
+      select "Finnish (FI)", from: "Language"
+      fill_in "Comment", with: "This is my comment on the Finnish translation"
+      click_button "Submit"
+    end
+
+    assert_text "This is my comment on the Finnish translation"
+    assert_text @contributor.name
+  end
+
+  test "contributor sees signed in status in header" do
+    login_as(@contributor)
+    visit root_path
+
+    within "header" do
+      assert_text @contributor.name.split.first
+      assert_button "Sign Out", visible: :all
+    end
+  end
+
+  test "contributor can sign out" do
+    login_as(@contributor)
+    visit root_path
+
+    # On mobile, click hamburger menu first
+    if page.has_selector?("#mobile-menu-button", visible: true)
+      click_button id: "mobile-menu-button"
+    end
+
+    click_link "Sign Out"
+
+    assert_current_path root_path
+    assert_text "You have been logged out"
+    within "header" do
+      assert_link "Sign In"
+    end
+  end
+
+  test "contributor cannot access admin pages" do
+    login_as(@contributor)
+
+    visit admin_root_path
+
+    assert_current_path root_path
+    assert_text "administrator"
+  end
+
+  test "contributor can request password reset" do
+    visit login_path
+
+    click_link "Forgot password?"
+
+    assert_current_path new_password_reset_path
+
+    fill_in "Email", with: @contributor.email
+    click_button "Send Reset Instructions"
+
+    assert_current_path login_path
+    assert_text "password reset instructions"
+  end
+
+  test "contributor session persists across page loads" do
+    login_as(@contributor)
+
+    visit root_path
+    assert_text @contributor.name.split.first
+
+    visit entries_path
+    within "header" do
+      assert_text @contributor.name.split.first
+    end
+  end
+
+  test "contributor can use remember me" do
+    visit login_path
+
+    fill_in "Email", with: @contributor.email
+    fill_in "Password", with: "password123456"
+    check "Remember me for 2 weeks"
+    click_button "Sign In"
+
+    assert_text "Welcome back"
+  end
+
+  test "contributor sees validation errors when editing entry incorrectly" do
+    entry = entries(:one)
+    login_as(@contributor)
+
+    visit edit_entry_path(entry)
+
+    # Clear all translations (should fail validation)
+    fill_in "Finnish", with: ""
+    fill_in "English", with: ""
+    fill_in "Swedish", with: ""
+    fill_in "Norwegian", with: ""
+    fill_in "Russian", with: ""
+    fill_in "German", with: ""
+
+    click_button "Save Changes"
+
+    assert_text "At least one language translation is required"
+  end
+
+  test "contributor can filter comments by language tab" do
+    entry = entries(:one)
+    login_as(@contributor)
+
+    # Create comments in different languages
+    Comment.create!(
+      commentable: entry,
+      user: @contributor,
+      body: "Finnish comment",
+      language_code: "fi"
+    )
+    Comment.create!(
+      commentable: entry,
+      user: @contributor,
+      body: "English comment",
+      language_code: "en"
+    )
+
+    visit entry_path(entry)
+
+    click_link "Finnish"
+    assert_text "Finnish comment"
+
+    click_link "English"
+    assert_text "English comment"
+
+    click_link "All languages"
+    assert_text "Finnish comment"
+    assert_text "English comment"
+  end
+end
@@ -0,0 +1,114 @@
+require "application_system_test_case"
+
+class PublicBrowsingTest < ApplicationSystemTestCase
+  test "visitor can browse entries without logging in" do
+    visit root_path
+
+    assert_selector "h1", text: "Sanasto Wiki"
+    assert_selector ".entry-row", minimum: 1
+  end
+
+  test "visitor can search entries" do
+    entry = entries(:one)
+    visit root_path
+
+    fill_in "q", with: entry.fi
+    click_button "Search"
+
+    assert_text entry.fi
+  end
+
+  test "visitor can filter by language" do
+    visit root_path
+
+    click_button "Finnish"
+
+    assert_current_path entries_path(language: "fi")
+  end
+
+  test "visitor can filter by category" do
+    visit root_path
+
+    select "Word", from: "category"
+
+    assert_current_path entries_path(category: "word")
+  end
+
+  test "visitor can view entry details" do
+    entry = entries(:one)
+    visit root_path
+
+    click_link entry.fi
+
+    assert_text entry.fi
+    assert_text entry.en if entry.en.present?
+  end
+
+  test "visitor can browse alphabetically" do
+    visit root_path
+
+    click_button "Finnish"
+    click_link "A"
+
+    assert_current_path entries_path(language: "fi", starts_with: "a")
+  end
+
+  test "visitor can download XLSX" do
+    visit root_path
+
+    click_link "Download XLSX"
+
+    assert_equal "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+                 page.response_headers["Content-Type"]
+  end
+
+  test "visitor sees sign in link in header" do
+    visit root_path
+
+    within "header" do
+      assert_link "Sign In"
+    end
+  end
+
+  test "visitor can request new entry" do
+    visit root_path
+
+    click_link "Request Entry"
+
+    assert_current_path new_request_path
+    assert_field "Name"
+    assert_field "Email"
+  end
+
+  test "search results show no results message when nothing matches" do
+    visit root_path
+
+    fill_in "q", with: "nonexistentword12345xyz"
+    click_button "Search"
+
+    assert_text "No entries matched your filters"
+  end
+
+  test "visitor can paginate through results" do
+    # Create enough entries to require pagination
+    26.times do |i|
+      Entry.create!(
+        fi: "Test Entry #{i}",
+        category: :word,
+        status: :active
+      )
+    end
+
+    visit root_path
+
+    assert_selector ".entry-row", count: 25
+    assert_link "2"
+  end
+
+  test "visitor sees entry statistics" do
+    visit root_path
+
+    assert_text "Total Entries"
+    assert_text "Verified"
+  end
+end
@@ -1,3 +1,6 @@
+require "simplecov"
+SimpleCov.start "rails"
+
 ENV["RAILS_ENV"] ||= "test"
 require_relative "../config/environment"
 require "rails/test_help"
Author	SHA1	Message	Date
Runar Ingebrigtsen	9acdc4e6db	actually, include notifications CI / scan_ruby (push) Successful in 23s Details CI / scan_js (push) Successful in 12s Details CI / lint (push) Successful in 22s Details CI / test (push) Successful in 50s Details	2026-01-31 15:55:24 +01:00
Runar Ingebrigtsen	e48b386b54	update todos	2026-01-31 15:55:02 +01:00
Runar Ingebrigtsen	d183fb4b53	normalize emails	2026-01-31 15:51:01 +01:00
Runar Ingebrigtsen	9c6714e97c	shared flash notifications	2026-01-31 15:50:31 +01:00
Runar Ingebrigtsen	227ab744b5	fix logout	2026-01-31 15:49:49 +01:00
Runar Ingebrigtsen	4bc393887b	96.99% test coverage	2026-01-31 15:48:32 +01:00
Runar Ingebrigtsen	8ec8f15857	run some lint and security check before pushing code	2026-01-31 11:49:25 +01:00