RubyGems - avo - Versions diffs - 0.2.1 → 0.3.1 - Mend

avo 0.2.1 → 0.3.1

Potentially problematic release.

This version of avo might be problematic. Click here for more details.

Files changed (67) hide show

data/app/controllers/avo/resources_controller.rb CHANGED

@@ -2,21 +2,26 @@ require_dependency 'avo/application_controller'
 module Avo
   class ResourcesController < ApplicationController
+    before_action :authorize_user
     def index
       params[:page] ||= 1
       params[:per_page] ||= Avo.configuration.per_page
       params[:sort_by] = params[:sort_by].present? ? params[:sort_by] : :created_at
       params[:sort_direction] = params[:sort_direction].present? ? params[:sort_direction] : :desc
-      filters = get_filters
+      query = AuthorizationService.with_policy current_user, resource_model
       if params[:via_resource_name].present? and params[:via_resource_id].present? and params[:via_relationship].present?
-        # get the reated resource (via_resource)
-        related_resource = App.get_resource_by_name(params[:via_resource_name])
-        related_model = related_resource.model
-        # fetch the entries
-        query = related_model.find(params[:via_resource_id]).public_send(params[:via_relationship])
+        # get the related resource (via_resource)
+        related_model = App.get_resource_by_name(params[:via_resource_name]).model
+        relation = related_model.find(params[:via_resource_id]).public_send(params[:via_relationship])
+        query = AuthorizationService.with_policy current_user, relation
         params[:per_page] = Avo.configuration.via_per_page
       elsif ['has_many', 'has_and_belongs_to_many'].include? params[:for_relation]
+        # has_many searchable query
         resources = resource_model.all.map do |model|
           {
             value: model.id,
@@ -27,22 +32,18 @@ module Avo
         return render json: {
           resources: resources
         }
-      else
-        query = resource_model
       end
       query = query.order("#{params[:sort_by]} #{params[:sort_direction]}")
-      if filters.present?
-        filters.each do |filter_class, filter_value|
-          query = filter_class.safe_constantize.new.apply_query request, query, filter_value
-        end
+      applied_filters.each do |filter_class, filter_value|
+        query = filter_class.safe_constantize.new.apply_query request, query, filter_value
       end
       # Eager load the attachments
       query = eager_load_files(query)
-      # Eager lood the relations
+      # Eager load the relations
       if avo_resource.includes.present?
         query = query.includes(*avo_resource.includes)
       end
@@ -51,48 +52,21 @@ module Avo
       resources_with_fields = []
       resources.each do |resource|
-        resources_with_fields << Avo::Resources::Resource.hydrate_resource(resource, avo_resource, :index)
+        resources_with_fields << Avo::Resources::Resource.hydrate_resource(model: resource, resource: avo_resource, view: :index, user: current_user)
       end
-      meta = {
-        per_page_steps: Avo.configuration.per_page_steps,
-        available_view_types: avo_resource.available_view_types,
-        default_view_type: avo_resource.default_view_type || Avo.configuration.default_view_type,
-      }
       render json: {
         success: true,
-        meta: meta,
+        meta: build_meta,
         resources: resources_with_fields,
         per_page: params[:per_page],
         total_pages: resources.total_pages,
       }
     end
-    def search
-      if params[:resource_name].present?
-        resources = add_link_to_search_results search_resource(avo_resource)
-      else
-        resources = []
-        resources_to_search_through = App.get_resources.select { |r| r.search.present? }
-        resources_to_search_through.each do |resource_model|
-          found_resources = add_link_to_search_results search_resource(resource_model)
-          resources.push({
-            label: resource_model.name,
-            resources: found_resources
-          })
-        end
-      end
-      render json: {
-        resources: resources
-      }
-    end
     def show
       render json: {
-        resource: Avo::Resources::Resource.hydrate_resource(resource, avo_resource, @view || :show),
+        resource: Avo::Resources::Resource.hydrate_resource(model: resource, resource: avo_resource, view: @view || :show, user: current_user),
       }
     end
@@ -120,7 +94,7 @@ module Avo
       render json: {
         success: true,
-        resource: Avo::Resources::Resource.hydrate_resource(resource, avo_resource, :show),
+        resource: Avo::Resources::Resource.hydrate_resource(model: resource, resource: avo_resource, view: :show, user: current_user),
         message: 'Resource updated',
       }
     end
@@ -143,16 +117,14 @@ module Avo
       render json: {
         success: true,
-        resource: Avo::Resources::Resource.hydrate_resource(resource, avo_resource, :create),
+        resource: Avo::Resources::Resource.hydrate_resource(model: resource, resource: avo_resource, view: :create, user: current_user),
         message: 'Resource created',
       }
     end
-    def fields
-      resource = resource_model.new
+    def new
       render json: {
-        resource: Avo::Resources::Resource.hydrate_resource(resource, avo_resource, :create),
+        resource: Avo::Resources::Resource.hydrate_resource(model: resource_model.new, resource: avo_resource, view: :create, user: current_user),
       }
     end
@@ -164,64 +136,7 @@ module Avo
       }
     end
-    def filters
-      avo_filters = avo_resource.get_filters
-      filters = []
-      avo_filters.each do |filter|
-        filters.push(filter.new.render_response)
-      end
-      render json: {
-        filters: filters,
-      }
-    end
-    def attach
-      attachment_class = App.get_model_class_by_name params[:attachment_name].pluralize 1
-      attachment_model = attachment_class.safe_constantize.find params[:attachment_id]
-      attached = resource.send(params[:attachment_name]) << attachment_model
-      render json: {
-        success: true,
-        message: "#{attachment_class} attached.",
-      }
-    end
-    def detach
-      attachment_class = App.get_model_class_by_name params[:attachment_name].pluralize 1
-      attachment_model = attachment_class.safe_constantize.find params[:attachment_id]
-      attached = resource.send(params[:attachment_name]).delete attachment_model
-      render json: {
-        success: true,
-        message: "#{attachment_class} attached.",
-      }
-    end
-    def cast_nullable(params)
-      fields = avo_resource.get_fields
-      nullable_fields = fields.filter { |field| field.nullable }
-                              .map { |field| [field.id, field.null_values] }
-                              .to_h
-      params.each do |key, value|
-        nullable = nullable_fields[key.to_sym]
-        if nullable.present? && value.in?(nullable)
-          params[key] = nil
-        end
-      end
-      params
-    end
     private
-      def resource
-        eager_load_files(resource_model).find params[:id]
-      end
       def permitted_params
         permitted = avo_resource.get_fields.select(&:updatable).map do |field|
           # If it's a relation
@@ -250,41 +165,6 @@ module Avo
         params.require(:resource).permit(permitted_params)
       end
-      def search_resource(avo_resource)
-        avo_resource.query_search(query: params[:q], via_resource_name: params[:via_resource_name], via_resource_id: params[:via_resource_id])
-      end
-      def add_link_to_search_results(resources)
-        resources.map do |model|
-          resource = model.as_json
-          resource[:link] = "/resources/#{model.class.to_s.singularize.underscore}/#{model.id}"
-          resource
-        end
-      end
-      def eager_load_files(query)
-        if avo_resource.attached_file_fields.present?
-          avo_resource.attached_file_fields.map(&:id).map do |field|
-            query = query.send :"with_attached_#{field}"
-          end
-        end
-        query
-      end
-      def process_file_field(field, attachment)
-        if attachment.is_a? ActionDispatch::Http::UploadedFile
-          # New file has been attached
-          field.attach attachment
-        elsif attachment.blank?
-          # File has been deleted
-          field.purge
-        elsif attachment.is_a? String
-          # Field is unchanged
-        end
-      end
       def update_file_fields
         # Pick and attach file fields
         attached_file_fields = avo_resource.attached_file_fields
@@ -322,7 +202,19 @@ module Avo
         end
       end
-      def get_filters
+      def process_file_field(field, attachment)
+        if attachment.is_a? ActionDispatch::Http::UploadedFile
+          # New file has been attached
+          field.attach attachment
+        elsif attachment.blank?
+          # File has been deleted
+          field.purge
+        elsif attachment.is_a? String
+          # Field is unchanged
+        end
+      end
+      def applied_filters
         if params[:filters].present?
           return JSON.parse(Base64.decode64(params[:filters]))
         end
@@ -339,5 +231,37 @@ module Avo
         filter_defaults
       end
+      def cast_nullable(params)
+        fields = avo_resource.get_fields
+        nullable_fields = fields.filter { |field| field.nullable }
+                                .map { |field| [field.id, field.null_values] }
+                                .to_h
+        params.each do |key, value|
+          nullable = nullable_fields[key.to_sym]
+          if nullable.present? && value.in?(nullable)
+            params[key] = nil
+          end
+        end
+        params
+      end
+      def build_meta
+        {
+          per_page_steps: Avo.configuration.per_page_steps,
+          available_view_types: avo_resource.available_view_types,
+          default_view_type: avo_resource.default_view_type || Avo.configuration.default_view_type,
+          authorization: {
+            create: AuthorizationService::authorize(current_user, avo_resource.model, Avo.configuration.authorization_methods.stringify_keys['create']),
+            update: AuthorizationService::authorize(current_user, avo_resource.model, Avo.configuration.authorization_methods.stringify_keys['update']),
+            show: AuthorizationService::authorize(current_user, avo_resource.model, Avo.configuration.authorization_methods.stringify_keys['show']),
+            destroy: AuthorizationService::authorize(current_user, avo_resource.model, Avo.configuration.authorization_methods.stringify_keys['destroy']),
+          },
+        }
+      end
   end
 end

data/app/controllers/avo/search_controller.rb ADDED

@@ -0,0 +1,55 @@
+require_dependency 'avo/application_controller'
+module Avo
+  class SearchController < ApplicationController
+    before_action :authorize_user
+    def index
+      resources = []
+      resources_to_search_through = App.get_resources
+        .select { |resource| resource.search.present? }
+        .select { |resource| AuthorizationService.authorize_action current_user, resource.model, 'index' }
+        .each do |resource_model|
+          found_resources = add_link_to_search_results(search_resource(resource_model), resource_model)
+          resources.push({
+            label: resource_model.name,
+            resources: found_resources
+          })
+        end
+      render json: {
+        resources: resources
+      }
+    end
+    def resource
+      render json: {
+        resources: add_link_to_search_results(search_resource(avo_resource), avo_resource)
+      }
+    end
+    private
+      def add_link_to_search_results(resources, avo_resource)
+        resources.map do |model|
+          {
+            id: model.id,
+            search_label: model.send(avo_resource.title),
+            link: "/resources/#{model.class.to_s.singularize.underscore}/#{model.id}",
+          }
+        end
+      end
+      def search_resource(avo_resource)
+        avo_resource.query_search(query: params[:q], via_resource_name: params[:via_resource_name], via_resource_id: params[:via_resource_id], user: current_user)
+      end
+      def authorize_user
+        return if params[:action] == 'index'
+        action = params[:action] == 'resource' ? :index : params[:action]
+        return render_unauthorized unless AuthorizationService::authorize_action current_user, avo_resource.model, action
+      end
+  end
+end

data/app/helpers/avo/application_helper.rb CHANGED

@@ -10,12 +10,16 @@ module Avo
       render partial: 'vendor/avo/partials/logo' rescue render partial: 'partials/logo'
     end
+    def render_header
+      render partial: 'vendor/avo/partials/header' rescue render partial: 'partials/header'
+    end
     def render_footer
       render partial: 'vendor/avo/partials/footer' rescue render partial: 'partials/footer'
     end
-    def render_header
-      render partial: 'vendor/avo/partials/header' rescue render partial: 'partials/header'
+    def render_scripts
+      render partial: 'vendor/avo/partials/scripts' rescue ''
     end
   end
 end

data/app/views/layouts/avo/_javascript.html.erb CHANGED

@@ -2,4 +2,5 @@
   var rootPath = '<%= Avo.configuration.root_path %>';
   var timezone = '<%= Avo.configuration.timezone %>';
   var defaultViewType = '<%= Avo.configuration.default_view_type %>';
+  var license = <%= Avo::App.license.properties.to_json.html_safe %>;
 </script>

data/app/views/layouts/avo/application.html.erb CHANGED

@@ -13,27 +13,44 @@
 <body class="bg-gray-200">
 <div id="app" class="flex min-h-screen flex-row h-full">
-  <application-sidebar :resources='<%= Avo::App.get_resources_navigation.as_json.html_safe %>'>
-    <%= render_logo %>
-  </application-sidebar>
+  <app-layout class="flex flex-1 w-full"
+    :router-key="routerKey"
+    :layout="layout"
+    inline-template
+  >
+    <div>
+      <application-sidebar :resources='<%= Avo::App.get_resources_navigation(current_user).as_json.html_safe %>' v-if="layout !== 'blank'">
+        <template #logo>
+          <%= render_logo %>
+        </template>
+        <template #licensing>
+          <license-warnings></license-warnings>
+        </template>
+      </application-sidebar>
-  <div class="flex-1 h-full overflow-auto">
-    <div class="relative bg-white p-2 shadow-md h-16 w-full flex items-center z-40">
-      <div class="ml-6">
-        <%= render_header %>
-      </div>
-      <div class="flex-1 flex justify-center">
-        <div class="w-64">
-          <resources-search :global="true">
+      <div class="flex-1 h-full overflow-auto">
+        <div class="relative bg-white p-2 shadow-md h-16 w-full flex items-center z-40" v-if="layout !== 'blank'">
+          <div class="ml-6">
+            <%= render_header %>
+          </div>
+          <div class="flex-1 flex justify-center">
+            <div class="w-64">
+              <resources-search :global="true">
+            </div>
+          </div>
         </div>
-      </div>
-    </div>
-    <div class="content p-8">
-      <%= yield %>
-      <%= render_footer %>
+        <div v-if="layout === 'blank'" class="h-full w-full flex justify-center items-center">
+          <%= yield %>
+        </div>
+        <div class="content p-8" v-else>
+          <%= yield %>
+          <%= render_footer %>
+        </div>
+      </div>
     </div>
-  </div>
+  </app-layout>
 </div>
+<%= render_scripts %>
 </body>
 </html>

data/app/views/partials/_footer.html.erb CHANGED

@@ -1,3 +1,3 @@
 <div class="text-center text-sm text-gray-700">
-  <a href="https://avohq.io/" target="_blank">Avo</a> // &copy; <%= Date.today.year %> AvoHQ // v<%= Avo::VERSION %>
+  <a href="https://avohq.io/" target="_blank">Avo</a> · &copy; <%= Date.today.year %> AvoHQ · v<%= Avo::VERSION %>
 </div>