activeadmin 1.1.0 → 1.2.0

data/docs/2-resource-customization.md

@@ -10,7 +10,7 @@ resource you must first create a Rails model for it.
 ## Create a Resource
 
 The basic command for creating a resource is `rails g active_admin:resource Post`.
-The generator will produce an empty `app/admin/post.rb` file like so:
+The generator will produce an empty `app/admin/posts.rb` file like so:
 
 ```ruby
 ActiveAdmin.register Post do

data/features/index/filters.feature

@@ -23,6 +23,17 @@ Feature: Index Filtering
     And I should see "Hello World 2" within ".index_table"
     And I should see current filter "title_contains" equal to "Hello World 2" with label "Title contains"
 
+  Scenario: No XSS in Resources Filters
+    Given an index configuration of:
+    """
+      ActiveAdmin.register Post do
+        filter :title
+      end
+    """
+    When I fill in "Title" with "<script>alert('hax')</script>"
+    And I press "Filter"
+    Then I should see current filter "title_contains" equal to "alert('hax')" with label "Title contains"
+
   Scenario: Filtering posts with no results
     Given 3 posts exist
     And an index configuration of:

data/features/new_page.feature

@@ -56,6 +56,35 @@ Feature: New Page
     And I should see the attribute "Title" with "Hello World"
     And I should see the attribute "Body" with "This is the body"
 
+  Scenario: Generating a custom form decorated with virtual attributes
+    Given a configuration of:
+    """
+      ActiveAdmin.register Post do
+        decorate_with PostDecorator
+        permit_params :custom_category_id, :author_id, :virtual_title, :body, :published_date, :starred
+
+        form decorate: true do |f|
+          f.inputs "Your Post" do
+            f.input :virtual_title
+            f.input :body
+          end
+          f.inputs "Publishing" do
+            f.input :published_date
+          end
+          f.actions
+        end
+      end
+    """
+    Given I follow "New Post"
+    Then I should see a fieldset titled "Your Post"
+    And I should see a fieldset titled "Publishing"
+    When I fill in "Virtual title" with "Hello World"
+    And I fill in "Body" with "This is the body"
+    And I press "Create Post"
+    Then I should see "Post was successfully created."
+    And I should see the attribute "Title" with "Hello World"
+    And I should see the attribute "Body" with "This is the body"
+
   Scenario: Generating a form from a partial
     Given "app/views/admin/posts/_form.html.erb" contains:
     """

data/features/step_definitions/filter_steps.rb

@@ -22,24 +22,23 @@ Given(/^I add parameter "([^"]*)" with value "([^"]*)" to the URL$/) do |key, va
   visit url + separator + key.to_s + '=' + value.to_s
 end
 
-Then(/^I should( not)? have parameter "([^"]*)"( with value "([^"]*)")?$/) do |negative, key, compare_val, value|
+Then(/^I should( not)? have parameter "([^"]*)" with value "([^"]*)"$/) do |negative, key, value|
   query = URI(page.current_url).query
   if query.nil?
     expect(negative).to eq true
   else
     params = Rack::Utils.parse_query query
-    if compare_val
-      expect(params[key]).to_not eq value if negative
-      expect(params[key]).to eq value unless negative
-    else
-      expect(params[key]).to eq nil if negative
-      expect(params[key]).to be_present unless negative
-    end
+    expect(params[key]).to_not eq value if negative
+    expect(params[key]).to eq value unless negative
   end
 end
 
-Then /^I should see current filter "([^"]*)" equal to "([^"]*)"( with label "([^"]*)")?$/ do |name, value, label_block, label|
-  expect(page).to have_css "li.current_filter_#{name} span", text: label if label_block
+Then /^I should see current filter "([^"]*)" equal to "([^"]*)" with label "([^"]*)"$/ do |name, value, label|
+  expect(page).to have_css "li.current_filter_#{name} span", text: label
+  expect(page).to have_css "li.current_filter_#{name} b", text: value
+end
+
+Then /^I should see current filter "([^"]*)" equal to "([^"]*)"$/ do |name, value|
   expect(page).to have_css "li.current_filter_#{name} b", text: value
 end
 

data/gemfiles/rails_50.gemfile

@@ -5,6 +5,6 @@ eval_gemfile(File.expand_path(File.join("..", "Gemfile"), __dir__))
 gem "rails", "5.0.3"
 gem "devise", "~> 4.0"
 gem "draper", "~> 3.0"
-gem "activerecord-jdbcsqlite3-adapter", github: "jruby/activerecord-jdbc-adapter", branch: "rails-5", platforms: :jruby
+gem "activerecord-jdbcsqlite3-adapter", github: "jruby/activerecord-jdbc-adapter", platforms: :jruby
 
 gemspec path: "../"

data/gemfiles/rails_51.gemfile

@@ -5,6 +5,6 @@ eval_gemfile(File.expand_path(File.join("..", "Gemfile"), __dir__))
 gem "rails", "5.1.1"
 gem "devise", "~> 4.3"
 gem "draper", "~> 3.0"
-gem "activerecord-jdbcsqlite3-adapter", github: "jruby/activerecord-jdbc-adapter", branch: "rails-5", platforms: :jruby
+gem "activerecord-jdbcsqlite3-adapter", github: "jruby/activerecord-jdbc-adapter", platforms: :jruby
 
 gemspec path: "../"

data/lib/active_admin/csv_builder.rb

@@ -53,10 +53,12 @@ module ActiveAdmin
         csv << CSV.generate_line(columns.map{ |c| encode c.name, options }, csv_options)
       end
 
-      (1..paginated_collection.total_pages).each do |page|
-        paginated_collection(page).each do |resource|
-          resource = controller.send :apply_decorator, resource
-          csv << CSV.generate_line(build_row(resource, columns, options), csv_options)
+      ActiveRecord::Base.uncached do
+        (1..paginated_collection.total_pages).each do |page|
+          paginated_collection(page).each do |resource|
+            resource = controller.send :apply_decorator, resource
+            csv << CSV.generate_line(build_row(resource, columns, options), csv_options)
+          end
         end
       end
 

data/lib/active_admin/filters/active_filter.rb

@@ -19,7 +19,7 @@ module ActiveAdmin
       def values
         condition_values = condition.values.map(&:value)
         if related_class
-          related_class.find(condition_values)
+          related_class.where(related_primary_key => condition_values)
         else
           condition_values
         end
@@ -28,11 +28,13 @@ module ActiveAdmin
       def label
         # TODO: to remind us to go back to the simpler str.downcase once we support ruby >= 2.4 only.
         translated_predicate = predicate_name.mb_chars.downcase.to_s
-        if related_class
-          "#{related_class.model_name.human} #{translated_predicate}".strip
+        if filter_label
+          "#{filter_label} #{translated_predicate}"
+        elsif related_class
+          "#{related_class_name} #{translated_predicate}"
         else
-          "#{attribute_name} #{translated_predicate}".strip
-        end
+          "#{attribute_name} #{translated_predicate}"
+        end.strip
       end
 
       def predicate_name
@@ -54,6 +56,18 @@ module ActiveAdmin
         resource_class.human_attribute_name(name)
       end
 
+      def related_class_name
+        return unless related_class
+
+        related_class.model_name.human
+      end
+
+      def filter_label
+        return unless filter
+
+        filter[:label]
+      end
+
       #@return Ransack::Nodes::Attribute
       def condition_attribute
         condition.attributes[0]
@@ -75,13 +89,35 @@ module ActiveAdmin
       def find_class
         if condition_attribute.klass != resource_class && condition_attribute.klass.primary_key == name.to_s
           condition_attribute.klass
-        else
-          assoc = condition_attribute.klass.reflect_on_all_associations.
-            reject { |r| r.options[:polymorphic] }. #skip polymorphic
-            detect { |r| r.foreign_key.to_s == name.to_s }
-          assoc.class_name.constantize if assoc
+        elsif predicate_association
+          predicate_association.klass
+        end
+      end
+
+      def filter
+        resource.filters[name.to_sym]
+      end
+
+      def related_primary_key
+        if predicate_association
+          predicate_association.active_record_primary_key
+        elsif related_class
+          related_class.primary_key
         end
       end
+
+      def predicate_association
+        @predicate_association = find_predicate_association unless defined?(@predicate_association)
+        @predicate_association
+      end
+
+      private
+
+      def find_predicate_association
+        condition_attribute.klass.reflect_on_all_associations.
+          reject { |r| r.options[:polymorphic] }. #skip polymorphic
+          detect { |r| r.foreign_key.to_s == name.to_s }
+      end
     end
   end
 end

data/lib/active_admin/form_builder.rb

@@ -100,7 +100,7 @@ module ActiveAdmin
         has_many_form.input builder_options[:sortable], as: :hidden
 
         contents << template.content_tag(:li, class: 'handle') do
-          "MOVE"
+          I18n.t('active_admin.move')
         end
       end
 

data/lib/active_admin/inputs/filters/select_input.rb

@@ -15,7 +15,7 @@ module ActiveAdmin
             "#{reflection.through_reflection.name}_#{reflection.foreign_key}"
           else
             name = method.to_s
-            name.concat '_id' if reflection
+            name.concat "_#{reflection.association_primary_key}" if reflection_searchable?
             name
           end
         end
@@ -48,6 +48,10 @@ module ActiveAdmin
           klass.reorder("#{method} asc").distinct.pluck method
         end
 
+        def reflection_searchable?
+          reflection && !reflection.polymorphic?
+        end
+
       end
     end
   end

data/lib/active_admin/orm/active_record/comments/views/active_admin_comments.rb

@@ -12,7 +12,7 @@ module ActiveAdmin
 
         def build(resource)
           @resource = resource
-          @comments = ActiveAdmin::Comment.find_for_resource_in_namespace(resource, active_admin_namespace.name).page(params[:page])
+          @comments = ActiveAdmin::Comment.find_for_resource_in_namespace(resource, active_admin_namespace.name).includes(:author).page(params[:page])
           super(title, for: resource)
           build_comments
         end
@@ -24,8 +24,13 @@ module ActiveAdmin
         end
 
         def build_comments
-          @comments.any? ? @comments.each(&method(:build_comment)) : build_empty_message
-          div page_entries_info(@comments).html_safe, class: 'pagination_information'
+          if @comments.any?
+            @comments.each(&method(:build_comment))
+            div page_entries_info(@comments).html_safe, class: 'pagination_information'
+          else
+            build_empty_message
+          end
+
           text_node paginate @comments
           build_comment_form
         end

data/lib/active_admin/resource_controller/data_access.rb

@@ -115,6 +115,7 @@ module ActiveAdmin
         get_resource_ivar || begin
           resource = build_new_resource
           resource = apply_decorations(resource)
+          resource = assign_attributes(resource, resource_params)
           run_build_callbacks resource
           authorize_resource! resource
 
@@ -127,7 +128,10 @@ module ActiveAdmin
       #
       # @return [ActiveRecord::Base] An un-saved active record base object
       def build_new_resource
-        scoped_collection.send method_for_build, *resource_params
+        scoped_collection.send(
+          method_for_build,
+          *resource_params.map { |params| params.slice(active_admin_config.resource_class.inheritance_column) }
+        )
       end
 
       # Calls all the appropriate callbacks and then creates the new resource.

data/lib/active_admin/resource_dsl.rb

@@ -131,6 +131,8 @@ module ActiveAdmin
     # action.
     #
     def action(set, name, options = {}, &block)
+      warn "Warning: method `#{name}` already defined" if controller.method_defined?(name)
+
       set << ControllerAction.new(name, options)
       title = options.delete(:title)
 

data/lib/active_admin/version.rb

@@ -1,3 +1,3 @@
 module ActiveAdmin
-  VERSION = '1.1.0'
+  VERSION = '1.2.0'
 end

data/lib/active_admin/view_helpers/display_helper.rb

@@ -15,7 +15,7 @@ module ActiveAdmin
       # Attempts to call any known display name methods on the resource.
       # See the setting in `application.rb` for the list of methods and their priority.
       def display_name(resource)
-        render_in_context resource, display_name_method_for(resource) unless resource.nil?
+        sanitize(render_in_context(resource, display_name_method_for(resource)).to_s) unless resource.nil?
       end
 
       # Looks up and caches the first available display name method.
@@ -66,7 +66,7 @@ module ActiveAdmin
       def pretty_format(object)
         case object
         when String, Numeric, Symbol, Arbre::Element
-          object.to_s
+          sanitize(object.to_s)
         when Date, Time
           I18n.localize object, format: active_admin_application.localize_format
         else

data/lib/bug_report_templates/active_admin_master.rb

@@ -22,7 +22,6 @@ gemfile(true) do
   gem 'sqlite3', platform: :mri
   gem 'activerecord-jdbcsqlite3-adapter',
       git: 'https://github.com/jruby/activerecord-jdbc-adapter',
-      branch: 'rails-5',
       platform: :jruby
 end
 

data/lib/generators/active_admin/install/install_generator.rb

@@ -21,7 +21,7 @@ module ActiveAdmin
         template 'dashboard.rb', 'app/admin/dashboard.rb'
         if options[:users].present?
           @user_class = name
-          template 'admin_user.rb.erb', "app/admin/#{name.underscore}.rb"
+          template 'admin_users.rb.erb', "app/admin/#{name.underscore.pluralize}.rb"
         end
       end
 

data/lib/generators/active_admin/resource/resource_generator.rb

@@ -12,7 +12,7 @@ module ActiveAdmin
 
       def generate_config_file
         @boilerplate = ActiveAdmin::Generators::Boilerplate.new(class_name)
-        template "admin.rb.erb", "app/admin/#{file_path.tr('/', '_')}.rb"
+        template "admin.rb.erb", "app/admin/#{file_path.tr('/', '_').pluralize}.rb"
       end
 
     end

data/spec/support/rails_template.rb

@@ -50,9 +50,12 @@ generate :model, 'profile user_id:integer bio:text'
 generate :model, 'user type:string first_name:string last_name:string username:string age:integer'
 create_file 'app/models/user.rb', <<-RUBY.strip_heredoc, force: true
   class User < ActiveRecord::Base
+    class VIP < self
+    end
     has_many :posts, foreign_key: 'author_id'
     has_one :profile
     accepts_nested_attributes_for :profile, allow_destroy: true
+    accepts_nested_attributes_for :posts, allow_destroy: true
 
     ransacker :age_in_five_years, type: :numeric, formatter: proc { |v| v.to_i - 5 } do |parent|
       parent.table[:age]

data/spec/support/rails_template_with_data.rb

@@ -5,7 +5,7 @@ inject_into_file 'config/initializers/active_admin.rb', <<-RUBY, after: "ActiveA
   config.comments_menu = { parent: 'Administrative' }
 RUBY
 
-inject_into_file 'app/admin/admin_user.rb', <<-RUBY, after: "ActiveAdmin.register AdminUser do\n"
+inject_into_file 'app/admin/admin_users.rb', <<-RUBY, after: "ActiveAdmin.register AdminUser do\n"
 
   menu parent: "Administrative", priority: 1
 RUBY
@@ -80,14 +80,14 @@ RUBY
   generate :'active_admin:resource', type
 end
 
-inject_into_file 'app/admin/category.rb', <<-RUBY, after: "ActiveAdmin.register Category do\n"
+inject_into_file 'app/admin/categories.rb', <<-RUBY, after: "ActiveAdmin.register Category do\n"
 
   config.create_another = true
 
   permit_params [:name, :description]
 RUBY
 
-inject_into_file 'app/admin/user.rb', <<-RUBY, after: "ActiveAdmin.register User do\n"
+inject_into_file 'app/admin/users.rb', <<-RUBY, after: "ActiveAdmin.register User do\n"
 
   config.create_another = true
 
@@ -135,7 +135,7 @@ inject_into_file 'app/admin/user.rb', <<-RUBY, after: "ActiveAdmin.register User
   end
 RUBY
 
-inject_into_file 'app/admin/post.rb', <<-'RUBY', after: "ActiveAdmin.register Post do\n"
+inject_into_file 'app/admin/posts.rb', <<-'RUBY', after: "ActiveAdmin.register Post do\n"
 
   permit_params :custom_category_id, :author_id, :title, :body, :published_date, :position, :starred, taggings_attributes: [ :id, :tag_id, :name, :position, :_destroy ]
 
@@ -269,7 +269,7 @@ inject_into_file 'app/admin/post.rb', <<-'RUBY', after: "ActiveAdmin.register Po
   end
 RUBY
 
-inject_into_file 'app/admin/tag.rb', <<-RUBY, after: "ActiveAdmin.register Tag do\n"
+inject_into_file 'app/admin/tags.rb', <<-RUBY, after: "ActiveAdmin.register Tag do\n"
 
   config.create_another = true
 

data/spec/support/templates/post_decorator.rb

@@ -4,6 +4,20 @@ class PostDecorator < Draper::Decorator
   decorates :post
   delegate_all
 
+  # @param attributes [Hash]
+  def assign_attributes(attributes)
+    object.assign_attributes attributes.except(:virtual_title)
+    self.virtual_title = attributes.fetch(:virtual_title) if attributes.key?(:virtual_title)
+  end
+
+  def virtual_title
+    object.title
+  end
+
+  def virtual_title=(virtual_title)
+    object.title = virtual_title
+  end
+
   def decorator_method
     'A method only available on the decorator'
   end

data/spec/unit/action_builder_spec.rb

@@ -122,4 +122,37 @@ RSpec.describe 'defining actions from registration blocks', type: :controller do
       end
     end
   end
+
+  context 'when method with given name is already defined' do
+    around :each do |example|
+      original_stderr = $stderr
+      $stderr = StringIO.new
+      example.run
+      $stderr = original_stderr
+    end
+
+    describe 'defining member action' do
+      let :action! do
+        ActiveAdmin.register Post do
+          member_action :process
+        end
+      end
+
+      it 'writes warning to $stderr' do
+        expect($stderr.string).to include('Warning: method `process` already defined')
+      end
+    end
+
+    describe 'defining collection action' do
+      let :action! do
+        ActiveAdmin.register Post do
+          collection_action :process
+        end
+      end
+
+      it 'writes warning to $stderr' do
+        expect($stderr.string).to include('Warning: method `process` already defined')
+      end
+    end
+  end
 end