active_scaffold_san 3.0.18

data/lib/active_scaffold/actions/search.rb

@@ -0,0 +1,47 @@
+module ActiveScaffold::Actions
+  module Search
+    include ActiveScaffold::Actions::CommonSearch
+    def self.included(base)
+      base.before_filter :search_authorized_filter, :only => :show_search
+      base.before_filter :store_search_params_into_session, :only => [:index]
+      base.before_filter :do_search, :only => [:index]
+      base.helper_method :search_params
+    end
+
+    def show_search
+      respond_to_action(:search)
+    end
+
+    protected
+    def search_respond_to_html
+      render(:action => "search")
+    end
+    def search_respond_to_js
+      render(:partial => "search")
+    end
+    def do_search
+      query = search_params.to_s.strip rescue ''
+      unless query.empty?
+        columns = active_scaffold_config.search.columns
+        text_search = active_scaffold_config.search.text_search
+        search_conditions = self.class.create_conditions_for_columns(query.split(' '), columns, text_search)
+        self.active_scaffold_conditions = merge_conditions(self.active_scaffold_conditions, search_conditions)
+        @filtered = !search_conditions.blank?
+
+        includes_for_search_columns = columns.collect{ |column| column.includes}.flatten.uniq.compact
+        self.active_scaffold_includes.concat includes_for_search_columns
+
+        active_scaffold_config.list.user.page = nil
+      end
+    end
+
+    private
+    def search_authorized_filter
+      link = active_scaffold_config.search.link || active_scaffold_config.search.class.link
+      raise ActiveScaffold::ActionNotAllowed unless self.send(link.security_method)
+    end
+    def search_formats
+      (default_formats + active_scaffold_config.formats + active_scaffold_config.search.formats).uniq
+    end
+  end
+end

data/lib/active_scaffold/actions/show.rb

@@ -0,0 +1,61 @@
+module ActiveScaffold::Actions
+  module Show
+    def self.included(base)
+      base.before_filter :show_authorized_filter, :only => :show
+    end
+
+    def show
+      # rest destroy falls back to rest show in case of disabled javascript
+      # just render action_confirmation message for destroy
+      unless params.delete :destroy_action
+        do_show
+        successful?
+        respond_to_action(:show)
+      else
+        @record = find_if_allowed(params[:id], :read) if params[:id] && params[:id] && params[:id].to_i > 0
+        action_confirmation_respond_to_html(:destroy)
+      end
+    end
+
+    protected
+    
+    def show_respond_to_json
+      render :text => response_object.to_json(:only => active_scaffold_config.show.columns.names), :content_type => Mime::JSON, :status => response_status
+    end
+
+    def show_respond_to_yaml
+      render :text => Hash.from_xml(response_object.to_xml(:only => active_scaffold_config.show.columns.names)).to_yaml, :content_type => Mime::YAML, :status => response_status
+    end
+
+    def show_respond_to_xml
+      render :xml => response_object.to_xml(:only => active_scaffold_config.show.columns.names), :content_type => Mime::XML, :status => response_status
+    end
+
+    def show_respond_to_js
+      render :partial => 'show'
+    end
+
+    def show_respond_to_html
+      render :action => 'show'
+    end
+    # A simple method to retrieve and prepare a record for showing.
+    # May be overridden to customize show routine
+    def do_show
+      @record = find_if_allowed(params[:id], :read)
+    end
+
+    # The default security delegates to ActiveRecordPermissions.
+    # You may override the method to customize.
+    def show_authorized?(record = nil)
+      authorized_for?(:crud_type => :read)
+    end
+    private 
+    def show_authorized_filter
+      link = active_scaffold_config.show.link || active_scaffold_config.show.class.link
+      raise ActiveScaffold::ActionNotAllowed unless self.send(link.security_method)
+    end
+    def show_formats
+      (default_formats + active_scaffold_config.formats + active_scaffold_config.show.formats).uniq
+    end
+  end
+end

data/lib/active_scaffold/actions/subform.rb

@@ -0,0 +1,27 @@
+module ActiveScaffold::Actions
+  module Subform
+    def edit_associated
+      do_edit_associated
+      render :action => 'edit_associated'
+    end
+
+    protected
+
+    def do_edit_associated
+      @parent_record = params[:id].nil? ? new_model : find_if_allowed(params[:id], :update)
+      @column = active_scaffold_config.columns[params[:association]]
+
+      # NOTE: we don't check whether the user is allowed to update this record, because if not, we'll still let them associate the record. we'll just refuse to do more than associate, is all.
+      @record = @column.association.klass.find(params[:associated_id]) if params[:associated_id]
+      @record ||= if @column.singular_association?
+        @parent_record.send("build_#{@column.name}".to_sym)
+      else
+        @parent_record.send(@column.name).build
+      end
+
+      @scope = "[#{@column.name}]"
+      @scope += (@record.new_record?) ? "[#{(Time.now.to_f*1000).to_i.to_s}]" : "[#{@record.id}]" if @column.plural_association?
+    end
+
+  end
+end

data/lib/active_scaffold/actions/update.rb

@@ -0,0 +1,151 @@
+module ActiveScaffold::Actions
+  module Update
+    def self.included(base)
+      base.before_filter :update_authorized_filter, :only => [:edit, :update]
+      base.verify :method => [:post, :put],
+                  :only => :update,
+                  :redirect_to => { :action => :index }
+      base.helper_method :update_refresh_list?
+    end
+
+    def edit
+      do_edit
+      respond_to_action(:edit)
+    end
+
+    def update
+      do_update
+      respond_to_action(:update)
+    end
+
+    # for inline (inlist) editing
+    def update_column
+      do_update_column
+      render :action => 'update_column', :locals => {:column_span_id => params[:editor_id] || params[:editorId]}
+    end
+
+    protected
+    def edit_respond_to_html
+      if successful?
+        render(:action => 'update')
+      else
+        return_to_main
+      end
+    end
+    def edit_respond_to_js
+      render(:partial => 'update_form')
+    end
+    def update_respond_to_html  
+      if params[:iframe]=='true' # was this an iframe post ?
+        responds_to_parent do
+          render :action => 'on_update.js', :layout => false
+        end
+      else # just a regular post
+        if successful?
+          flash[:info] = as_(:updated_model, :model => @record.to_label)
+          return_to_main
+        else
+          render(:action => 'update')
+        end
+      end
+    end
+    def update_respond_to_js
+      if successful? && update_refresh_list? && !render_parent?
+        do_search if respond_to? :do_search
+        do_list
+      end
+      render :action => 'on_update'
+    end
+    def update_respond_to_xml
+      render :xml => response_object.to_xml(:only => active_scaffold_config.update.columns.names), :content_type => Mime::XML, :status => response_status
+    end
+    def update_respond_to_json
+      render :text => response_object.to_json(:only => active_scaffold_config.update.columns.names), :content_type => Mime::JSON, :status => response_status
+    end
+    def update_respond_to_yaml
+      render :text => Hash.from_xml(response_object.to_xml(:only => active_scaffold_config.update.columns.names)).to_yaml, :content_type => Mime::YAML, :status => response_status
+    end
+    # A simple method to find and prepare a record for editing
+    # May be overridden to customize the record (set default values, etc.)
+    def do_edit
+      register_constraints_with_action_columns(nested.constrained_fields, active_scaffold_config.update.hide_nested_column ? [] : [:update]) if nested?
+      @record = find_if_allowed(params[:id], :update)
+    end
+
+    # A complex method to update a record. The complexity comes from the support for subforms, and saving associated records.
+    # If you want to customize this algorithm, consider using the +before_update_save+ callback
+    def do_update
+      do_edit
+      update_save
+    end
+
+    def update_save(options = {})
+      begin
+        active_scaffold_config.model.transaction do
+          @record = update_record_from_params(@record, active_scaffold_config.update.columns, params[:record]) unless options[:no_record_param_update]
+          before_update_save(@record)
+          self.successful = [@record.valid?, @record.associated_valid?].all? {|v| v == true} # this syntax avoids a short-circuit
+          if successful?
+            @record.save! and @record.save_associated!
+            after_update_save(@record)
+          else
+            # some associations such as habtm are saved before saved is called on parent object
+            # we have to revert these changes if validation fails
+            raise ActiveRecord::Rollback, "don't save habtm associations unless record is valid"
+          end
+        end
+      rescue ActiveRecord::RecordInvalid
+      rescue ActiveRecord::StaleObjectError
+        @record.errors.add(:base, as_(:version_inconsistency))
+        self.successful=false
+      rescue ActiveRecord::RecordNotSaved
+        @record.errors.add(:base, as_(:record_not_saved)) if @record.errors.empty?
+        self.successful = false
+      end
+    end
+
+    def do_update_column
+      @record = active_scaffold_config.model.find(params[:id])
+      if @record.authorized_for?(:crud_type => :update, :column => params[:column])
+        column = active_scaffold_config.columns[params[:column].to_sym]
+        params[:value] ||= @record.column_for_attribute(params[:column]).default unless @record.column_for_attribute(params[:column]).nil? || @record.column_for_attribute(params[:column]).null
+        unless column.nil?
+          params[:value] = column_value_from_param_value(@record, column, params[:value])
+          params[:value] = [] if params[:value].nil? && column.form_ui && column.plural_association?
+        end
+        @record.send("#{params[:column]}=", params[:value])
+        before_update_save(@record)
+        @record.save
+        after_update_save(@record)
+      end
+    end
+
+    # override this method if you want to inject data in the record (or its associated objects) before the save
+    def before_update_save(record); end
+
+    # override this method if you want to do something after the save
+    def after_update_save(record); end
+
+    # should we refresh whole list after update operation
+    def update_refresh_list?
+      active_scaffold_config.update.refresh_list
+    end
+
+    # The default security delegates to ActiveRecordPermissions.
+    # You may override the method to customize.
+    def update_authorized?(record = nil)
+      (!nested? || !nested.readonly?) && authorized_for?(:crud_type => :update)
+    end
+    private
+    def update_authorized_filter
+      link = active_scaffold_config.update.link || active_scaffold_config.update.class.link
+      raise ActiveScaffold::ActionNotAllowed unless self.send(link.security_method)
+    end
+    def edit_formats
+      (default_formats + active_scaffold_config.formats).uniq
+    end
+    def update_formats
+      (default_formats + active_scaffold_config.formats + active_scaffold_config.update.formats).uniq
+    end
+  end
+end

data/lib/active_scaffold/active_record_permissions.rb

@@ -0,0 +1,134 @@
+# This module attempts to create permissions conventions for your ActiveRecord models. It supports english-based
+# methods that let you restrict access per-model, per-record, per-column, per-action, and per-user. All at once.
+#
+# You may define instance methods in the following formats:
+#  def #{column}_authorized_for_#{action}?
+#  def #{column}_authorized?
+#  def authorized_for_#{action}?
+#
+# Your methods should allow for the following special cases:
+#   * cron scripts
+#   * guest users (or nil current_user objects)
+module ActiveRecordPermissions
+  # ActiveRecordPermissions needs to know what method on your ApplicationController will return the current user,
+  # if available. This defaults to the :current_user method. You may configure this in your environment.rb if you
+  # have a different setup.
+  def self.current_user_method=(v); @@current_user_method = v; end
+  def self.current_user_method; @@current_user_method; end
+  @@current_user_method = :current_user
+
+  # Whether the default permission is permissive or not
+  # If set to true, then everything's allowed until configured otherwise
+  def self.default_permission=(v); @@default_permission = v; end
+  def self.default_permission; @@default_permission; end
+  @@default_permission = true
+
+  # This is a module aimed at making the current_user available to ActiveRecord models for permissions.
+  module ModelUserAccess
+    module Controller
+      def self.included(base)
+        base.prepend_before_filter :assign_current_user_to_models
+      end
+
+      # We need to give the ActiveRecord classes a handle to the current user. We don't want to just pass the object,
+      # because the object may change (someone may log in or out). So we give ActiveRecord a proc that ties to the
+      # current_user_method on this ApplicationController.
+      def assign_current_user_to_models
+        ActiveRecord::Base.current_user_proc = proc {send(ActiveRecordPermissions.current_user_method)}
+      end
+    end
+
+    module Model
+      def self.included(base)
+        base.extend ClassMethods
+      end
+
+      module ClassMethods
+        # The proc to call that retrieves the current_user from the ApplicationController.
+        attr_accessor :current_user_proc
+
+        # Class-level access to the current user
+        def current_user
+          ActiveRecord::Base.current_user_proc.call if ActiveRecord::Base.current_user_proc
+        end
+      end
+
+      # Instance-level access to the current user
+      def current_user
+        self.class.current_user
+      end
+    end
+  end
+
+  module Permissions
+    def self.included(base)
+      base.extend SecurityMethods
+      base.send :include, SecurityMethods
+    end
+
+    # Because any class-level queries get delegated to the instance level via a new record,
+    # it's useful to know when the authorization query is meant for a specific record or not.
+    # But using new_record? is confusing, even though accurate. So this is basically just a wrapper.
+    def existing_record_check?
+      !new_record?
+    end
+
+    module SecurityMethods
+      # A generic authorization query. This is what will be called programatically, since
+      # the actual permission methods can't be guaranteed to exist. And because we want to
+      # intelligently combine multiple applicable methods.
+      #
+      # options[:crud_type] should be a CRUD verb (:create, :read, :update, :destroy)
+      # options[:column] should be the name of a model attribute
+      # options[:action] is the name of a method
+      def authorized_for?(options = {})
+        raise ArgumentError, "unknown crud type #{options[:crud_type]}" if options[:crud_type] and ![:create, :read, :update, :delete].include?(options[:crud_type])
+
+        # column_authorized_for_crud_type? has the highest priority over other methods,
+        # you can disable a crud verb and enable that verb for a column
+        # (for example, disable update and enable inplace_edit in a column)
+        method = column_and_crud_type_security_method(options[:column], options[:crud_type])
+        return send(method) if method and respond_to?(method)
+
+        # authorized_for_action? has higher priority than other methods,
+        # you can disable a crud verb and enable an action with that crud verb
+        # (for example, disable update and enable an action with update as crud type)
+        method = action_security_method(options[:action])
+        return send(method) if method and respond_to?(method)
+
+        # collect other possibly-related methods that actually exist
+        methods = [
+          column_security_method(options[:column]),
+          crud_type_security_method(options[:crud_type]),
+        ].compact.select {|m| respond_to?(m)}
+
+        # if any method returns false, then return false
+        return false if methods.any? {|m| !send(m)}
+
+        # if any method actually exists then it must've returned true, so return true
+        return true unless methods.empty?
+
+        # if no method exists, return the default permission
+        return ActiveRecordPermissions.default_permission
+      end
+
+      private
+
+      def column_security_method(column)
+        "#{column}_authorized?" if column
+      end
+
+      def crud_type_security_method(crud_type)
+        "authorized_for_#{crud_type}?" if crud_type
+      end
+
+      def action_security_method(action)
+        "authorized_for_#{action}?" if action
+      end
+
+      def column_and_crud_type_security_method(column, crud_type)
+        "#{column}_authorized_for_#{crud_type}?" if column and crud_type
+      end
+    end
+  end
+end

data/lib/active_scaffold/attribute_params.rb

@@ -0,0 +1,211 @@
+module ActiveScaffold
+  # Provides support for param hashes assumed to be model attributes.
+  # Support is primarily needed for creating/editing associated records using a nested hash structure.
+  #
+  # Paradigm Params Hash (should write unit tests on this):
+  #   params[:record] = {
+  #     # a simple record attribute
+  #     'name' => 'John',
+  #     # a plural association hash
+  #     'roles' => {
+  #       # associate with an existing role
+  #       '5' => {'id' => 5}
+  #       # associate with an existing role and edit it
+  #       '6' => {'id' => 6, 'name' => 'designer'}
+  #       # create and associate a new role
+  #       '124521' => {'name' => 'marketer'}
+  #     }
+  #     # a singular association hash
+  #     'location' => {'id' => 12, 'city' => 'New York'}
+  #   }
+  #
+  # Simpler association structures are also supported, like:
+  #   params[:record] = {
+  #     # a simple record attribute
+  #     'name' => 'John',
+  #     # a plural association ... all ids refer to existing records
+  #     'roles' => ['5', '6'],
+  #     # a singular association ... all ids refer to existing records
+  #     'location' => '12'
+  # }
+  module AttributeParams
+    protected
+    # Takes attributes (as from params[:record]) and applies them to the parent_record. Also looks for
+    # association attributes and attempts to instantiate them as associated objects.
+    #
+    # This is a secure way to apply params to a record, because it's based on a loop over the columns
+    # set. The columns set will not yield unauthorized columns, and it will not yield unregistered columns.
+    def update_record_from_params(parent_record, columns, attributes)
+      crud_type = parent_record.new_record? ? :create : :update
+      return parent_record unless parent_record.authorized_for?(:crud_type => crud_type)
+
+      multi_parameter_attributes = {}
+      attributes.each do |k, v|
+        next unless k.include? '('
+        column_name = k.split('(').first.to_sym
+        multi_parameter_attributes[column_name] ||= []
+        multi_parameter_attributes[column_name] << [k, v]
+      end
+
+      columns.each :for => parent_record, :crud_type => crud_type, :flatten => true do |column|
+        # Set any passthrough parameters that may be associated with this column (ie, file column "keep" and "temp" attributes)
+        unless column.params.empty?
+          column.params.each{|p| parent_record.send("#{p}=", attributes[p]) if attributes.has_key? p}
+        end
+
+        if multi_parameter_attributes.has_key? column.name
+          parent_record.send(:assign_multiparameter_attributes, multi_parameter_attributes[column.name])
+        elsif attributes.has_key? column.name
+          value = column_value_from_param_value(parent_record, column, attributes[column.name]) 
+
+          # we avoid assigning a value that already exists because otherwise has_one associations will break (AR bug in has_one_association.rb#replace)
+          parent_record.send("#{column.name}=", value) unless parent_record.send(column.name) == value
+          
+        # plural associations may not actually appear in the params if all of the options have been unselected or cleared away.
+        # the "form_ui" check is necessary, becuase without it we have problems
+        # with subforms. the UI cuts out deep associations, which means they're not present in the
+        # params even though they're in the columns list. the result is that associations were being
+        # emptied out way too often.
+        elsif column.form_ui and column.plural_association?
+          parent_record.send("#{column.name}=", [])
+        end
+      end
+
+      if parent_record.new_record?
+        parent_record.class.reflect_on_all_associations.each do |a|
+          next unless [:has_one, :has_many].include?(a.macro) and not a.options[:through]
+          next unless association_proxy = parent_record.send(a.name)
+
+          raise ActiveScaffold::ReverseAssociationRequired, "Association #{a.name}: In order to support :has_one and :has_many where the parent record is new and the child record(s) validate the presence of the parent, ActiveScaffold requires the reverse association (the belongs_to)." unless a.reverse
+
+          association_proxy = [association_proxy] if a.macro == :has_one
+          association_proxy.each { |record| record.send("#{a.reverse}=", parent_record) }
+        end
+      end
+
+      parent_record
+    end
+    
+    def manage_nested_record_from_params(parent_record, column, attributes)
+      record = find_or_create_for_params(attributes, column, parent_record)
+      if record
+        record_columns = active_scaffold_config_for(column.association.klass).subform.columns
+        update_record_from_params(record, record_columns, attributes)
+        record.unsaved = true
+      end
+      record
+    end
+    
+    def column_value_from_param_value(parent_record, column, value)
+      # convert the value, possibly by instantiating associated objects
+      if value.is_a?(Hash)
+        column_value_from_param_hash_value(parent_record, column, value)
+      else
+        column_value_from_param_simple_value(parent_record, column, value)
+      end
+    end
+
+    def column_value_from_param_simple_value(parent_record, column, value)
+      if column.singular_association?
+        # it's a single id
+        column.association.klass.find(value) if value and not value.empty?
+      elsif column.plural_association?
+        column_plural_assocation_value_from_value(column, value)
+      elsif column.column && column.column.number? && [:i18n_number, :currency].include?(column.options[:format])
+        self.class.i18n_number_to_native_format(value)
+      else
+        # convert empty strings into nil. this works better with 'null => true' columns (and validations),
+        # and 'null => false' columns should just convert back to an empty string.
+        # ... but we can at least check the ConnectionAdapter::Column object to see if nulls are allowed
+        value = nil if value.is_a? String and value.empty? and !column.column.nil? and column.column.null
+        value
+      end
+    end
+
+    def column_plural_assocation_value_from_value(column, value)
+      # it's an array of ids
+      if value and not value.empty?
+        ids = value.select {|id| id.respond_to?(:empty?) ? !id.empty? : true}
+        ids.empty? ? [] : column.association.klass.find(ids)
+      end
+    end
+
+    def column_value_from_param_hash_value(parent_record, column, value)
+      # this is just for backwards compatibility. we should clean this up in 2.0.
+      if column.form_ui == :select
+        ids = if column.singular_association?
+          value[:id]
+        else
+          value.values.collect {|hash| hash[:id]}
+        end
+        (ids and not ids.empty?) ? column.association.klass.find(ids) : nil
+
+      elsif column.singular_association?
+        manage_nested_record_from_params(parent_record, column, value)
+      elsif column.plural_association?
+        value.collect {|key_value_pair| manage_nested_record_from_params(parent_record, column, key_value_pair[1])}.compact
+      else
+        value
+      end
+    end
+
+    # Attempts to create or find an instance of klass (which must be an ActiveRecord object) from the
+    # request parameters given. If params[:id] exists it will attempt to find an existing object
+    # otherwise it will build a new one.
+    def find_or_create_for_params(params, parent_column, parent_record)
+      current = parent_record.send(parent_column.name)
+      klass = parent_column.association.klass
+      return nil if parent_column.show_blank_record and attributes_hash_is_empty?(params, klass)
+
+      if params.has_key? :id
+        # modifying the current object of a singular association
+        if current and current.is_a? ActiveRecord::Base and current.id.to_s == params[:id]
+          return current
+        # modifying one of the current objects in a plural association
+        elsif current and current.respond_to?(:any?) and current.any? {|o| o.id.to_s == params[:id]}
+          return current.detect {|o| o.id.to_s == params[:id]}
+        # attaching an existing but not-current object
+        else
+          return klass.find(params[:id])
+        end
+      else
+        if klass.authorized_for?(:crud_type => :create)
+          if parent_column.singular_association?
+            return parent_record.send("build_#{parent_column.name}")
+          else
+            return parent_record.send(parent_column.name).build
+          end
+        end
+      end
+    end
+
+    # Determines whether the given attributes hash is "empty".
+    # This isn't a literal emptiness - it's an attempt to discern whether the user intended it to be empty or not.
+    def attributes_hash_is_empty?(hash, klass)
+      ignore_column_types = [:boolean]
+      hash.all? do |key,value|
+        # convert any possible multi-parameter attributes like 'created_at(5i)' to simply 'created_at'
+        parts = key.to_s.split('(')
+        #old style date form management... ignore them too
+        ignore_column_types = [:boolean, :datetime, :date, :time] if parts.length > 1
+        column_name = parts.first
+        column = klass.columns_hash[column_name]
+
+        # booleans and datetimes will always have a value. so we ignore them when checking whether the hash is empty.
+        # this could be a bad idea. but the current situation (excess record entry) seems worse.
+        next true if column and ignore_column_types.include?(column.type)
+
+        # defaults are pre-filled on the form. we can't use them to determine if the user intends a new row.
+        next true if column and value == column.default.to_s
+
+        if value.is_a?(Hash)
+          attributes_hash_is_empty?(value, klass)
+        elsif value.is_a?(Array)
+          value.any? {|id| id.respond_to?(:empty?) ? !id.empty? : true}
+        else
+          value.respond_to?(:empty?) ? value.empty? : false
+        end
+      end
+    end
+  end
+end