RubyGems - avo - Versions diffs - 0.2.1 → 0.3.1 - Mend

avo 0.2.1 → 0.3.1

Potentially problematic release.

This version of avo might be problematic. Click here for more details.

Files changed (67) hide show

data/app/views/partials/_header.html.erb CHANGED

	@@ -1 +1 @@
1	- <%= link_to Avo.configuration.app_name, ~~main_app.root_path~~, class: 'text-green-600 font-semibold', target: :_blank %>
1	+ <%= link_to Avo.configuration.app_name, '/', class: 'text-green-600 font-semibold', target: :_blank %>

data/avo.gemspec CHANGED

@@ -8,22 +8,36 @@ Gem::Specification.new do |spec|
   spec.name        = 'avo'
   spec.version     = Avo::VERSION
   spec.authors     = ['Adrian Marin', 'Mihai Marin']
-  spec.email       = ['adrian@avohq.io']
+  spec.email       = ['avo@avohq.io']
   spec.homepage    = 'https://avohq.io'
-  spec.summary     = 'Configuration based, no-maintenance, extendable Ruby on Rails admin.'
+  spec.summary     = 'Configuration-based, no-maintenance, extendable Ruby on Rails admin.'
   spec.description = 'Avo is a beautiful next-generation framework that empowers you, the developer, to create fantastic admin panels for your Ruby on Rails apps with the flexibility to fit your needs as you grow.'
-  spec.license     = 'MIT'
+  spec.license     = 'Commercial'
   # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
   # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata['bug_tracker_uri'] = 'https://github.com/avo-hq/avo/issues'
+    spec.metadata['changelog_uri'] = 'https://avohq.io/releases'
+    spec.metadata['documentation_uri'] = 'https://docs.avohq.io'
+    spec.metadata['homepage_uri'] = 'https://avohq.io'
+    spec.metadata['source_code_uri'] = 'https://github.com/avo-hq/avo'
+  else
+    raise 'RubyGems 2.0 or newer is required to protect against ' \
+      'public gem pushes.'
+  end
+  spec.post_install_message = "Thank you for using Avo! Docs are available at https://docs.avohq.io"
   spec.files = Dir['{bin,app,config,db,lib,public}/**/*', 'MIT-LICENSE', 'Rakefile', 'README.md', 'avo.gemspec', 'Gemfile', 'Gemfile.lock']
     .reject { |file| file.start_with? 'app/frontend' }
-  spec.add_dependency 'rails', '~> 6.0.2', '>= 6.0.2.1'
+  spec.add_dependency 'rails', '>= 6.0'
   spec.add_dependency 'kaminari'
   spec.add_dependency 'zeitwerk'
   spec.add_dependency 'inline_svg'
   spec.add_dependency 'webpacker'
   spec.add_dependency 'countries'
+  spec.add_dependency 'pundit'
+  spec.add_dependency 'httparty'
 end

data/config/credentials.yml.enc ADDED

@@ -0,0 +1 @@

+ u5m9Je6F3j/LCnOwcN7cXW37M63Bs0KNZC1fHRObWx4YQkV9DJl1k9H9+mlvV3irAC7NZB9H0BExhxquReVe2N0v6s3E3EvOWY8wfZhFONJpK8V0qerYJIhJvCOOPv0hfS/HQdcvUQx/i1faXEgr8QVR7nGVBHUzulwgab0lUBSAV0jjEbT6o+amTojFudelgtw0zmlZW9JL7OZ/IwZ7zxbi8/yoWB52lU4VKOxZV7AEWAVDzL/0ZogLRG12BsTSmqC0jS5ocdnOgV0X7oNeYL9HINqLLM5suBB+BOf3xL6vgngu7UDRAAQ/mN2TDGsvklF8bwVz0dDVQ0RuvdeQ9TWEeM75hhzGKG6wPKBjh4ebrKp7g9TT76F6omLe/hG30MbohGxaLVHIJjyJixfKlLlYwdNWeOjXwYsn--7CEWrUIlraWa8R0S--ia1zVj/2AXISMmbinw6S7g==

data/config/routes.rb CHANGED

@@ -1,20 +1,24 @@
 Avo::Engine.routes.draw do
   root 'home#index'
-  get '/avo-api/search',                  to: 'resources#search'
-  get '/avo-api/:resource_name/search',   to: 'resources#search'
-  get '/avo-api/:resource_name',          to: 'resources#index'
-  get '/avo-api/:resource_name/filters',  to: 'resources#filters'
+  get '/avo-api/:resource_name/filters',  to: 'filters#index'
   get '/avo-api/:resource_name/actions',  to: 'actions#index'
   post '/avo-api/:resource_name/actions', to: 'actions#handle'
+  get '/avo-api/search',                  to: 'search#index'
+  get '/avo-api/:resource_name/search',   to: 'search#resource'
+  get '/avo-api/:resource_name',          to: 'resources#index'
   post '/avo-api/:resource_name',         to: 'resources#create'
-  get '/avo-api/:resource_name/fields',   to: 'resources#fields'
+  get '/avo-api/:resource_name/new',      to: 'resources#new'
   get '/avo-api/:resource_name/:id',      to: 'resources#show'
   get '/avo-api/:resource_name/:id/edit', to: 'resources#edit'
   put '/avo-api/:resource_name/:id',      to: 'resources#update'
   delete '/avo-api/:resource_name/:id',   to: 'resources#destroy'
-  post '/avo-api/:resource_name/:id/attach/:attachment_name/:attachment_id', to: 'resources#attach'
-  post '/avo-api/:resource_name/:id/detach/:attachment_name/:attachment_id', to: 'resources#detach'
+  post '/avo-api/:resource_name/:id/attach/:attachment_name/:attachment_id', to: 'relations#attach'
+  post '/avo-api/:resource_name/:id/detach/:attachment_name/:attachment_id', to: 'relations#detach'
   # Tools
   get '/avo-tools/resource-overview', to: 'resource_overview#index'

data/lib/avo.rb CHANGED

@@ -11,6 +11,8 @@ require_relative 'avo/app/filters/select_filter'
 require_relative 'avo/app/resource'
+require_relative 'avo/app/licensing/license_manager'
 module Avo
   ROOT_PATH = Pathname.new(File.join(__dir__, '..'))

data/lib/avo/app/app.rb CHANGED

@@ -4,37 +4,35 @@ require_relative 'filters/select_filter'
 require_relative 'filters/boolean_filter'
 require_relative 'resource'
 require_relative 'tool'
+require_relative 'authorization_service'
 module Avo
   class App
     @@app = {
       root_path: '',
-      tools: [],
-      tool_classes: [],
       resources: [],
       field_names: {},
     }
+    @@license = nil
     class << self
-      def init
+      def boot
         @@app[:root_path] = Pathname.new(File.join(__dir__, '..', '..'))
-        # get_tools
-        # init_tools
         init_fields
+      end
+      def init(current_request = nil)
         init_resources
+        @@license = LicenseManager.new(HQ.new(current_request).response).license
       end
       def app
         @@app
       end
-      # def tools
-      #   @@app[:tools]
-      # end
-      # def get_tools
-      #   @@app[:tool_classes] = ToolsManager.get_tools
-      # end
+      def license
+        @@license
+      end
       # This method will take all fields available in the Avo::Fields namespace and create a method for them.
       #
@@ -129,23 +127,14 @@ module Avo
         name.to_s.camelize.singularize
       end
-      # def init_tools
-      #   @@app[:tool_classes].each do |tool_class|
-      #     @@app[:tools].push tool_class.new
-      #   end
-      # end
-      # def render_navigation
-      #   navigation = []
-      #   @@app[:tools].each do |tool|
-      #     navigation.push(tool.render_navigation) if tool.class.method_defined?(:render_navigation)
-      #   end
-      #   navigation.join('')
-      # end
-      def get_resources_navigation
-        App.get_resources.map { |resource| { label: resource.resource_name_plural.humanize, resource_name: resource.url.pluralize } }.to_json.to_s.html_safe
+      def get_resources_navigation(user)
+        App.get_resources
+          .select { |resource| AuthorizationService::authorize user, resource.model, Avo.configuration.authorization_methods.stringify_keys['index'] }
+          .map { |resource| { label: resource.resource_name_plural.humanize, resource_name: resource.url.pluralize } }
+          .reject { |i| i.blank? }
+          .to_json
+          .to_s
+          .html_safe
       end
     end
   end

data/lib/avo/app/authorization_service.rb ADDED

@@ -0,0 +1,40 @@
+module Avo
+  class AuthorizationService
+    class << self
+      def authorize(user, record, action)
+        return true if skip_authorization
+        begin
+          if Pundit.policy user, record
+            Pundit.authorize user, record, action
+          end
+          true
+        rescue Pundit::NotAuthorizedError => error
+          false
+        end
+      end
+      def authorize_action(user, record, action)
+        action = Avo.configuration.authorization_methods.stringify_keys[action.to_s]
+        return true if action.nil?
+        authorize user, record, action
+      end
+      def with_policy(user, model)
+        return model if skip_authorization
+        begin
+          Pundit.policy_scope! user, model
+        rescue => exception
+          model
+        end
+      end
+      def skip_authorization
+        Avo::App.license.lacks :authorization
+      end
+    end
+  end
+end

data/lib/avo/app/fields/has_and_belongs_to_many.rb CHANGED

@@ -27,6 +27,7 @@ module Avo
         fields[:relation_class] = target_resource.class.to_s
         fields[:path] = target_resource.url
         fields[:relationship] = :has_and_belongs_to_many
+        fields[:relationship_model] = target_resource.model.name
         fields
       end

data/lib/avo/app/fields/has_many.rb CHANGED

@@ -27,6 +27,7 @@ module Avo
         fields[:relation_class] = target_resource.class.to_s
         fields[:path] = target_resource.url
         fields[:relationship] = :has_many
+        fields[:relationship_model] = target_resource.model.name
         fields
       end

data/lib/avo/app/fields/id_field.rb CHANGED

@@ -1,14 +1,14 @@
 module Avo
   module Fields
     class IdField < Field
-      DEFAULT_VALUE = 'id'
       def initialize(name, **args, &block)
+        default_value = 'id'
         if name.nil?
-          @name = name = DEFAULT_VALUE
+          @name = name = default_value
         elsif !name.is_a? String and !name.is_a? Symbol
           args_copy = name
-          @name = name = DEFAULT_VALUE
+          @name = name = default_value
           args = args_copy
         end

data/lib/avo/app/licensing/community_license.rb ADDED

@@ -0,0 +1,4 @@
+module Avo
+  class CommunityLicense < License
+  end
+end

data/lib/avo/app/licensing/hq.rb ADDED

@@ -0,0 +1,85 @@
+module Avo
+  class HQ
+    attr_accessor :current_request
+    ENDPOINT = 'https://avohq.io/api/v1/licenses/check'
+    CACHE_KEY = 'avo.hq.response'
+    REQUEST_TIMEOUT = 5 # seconds
+    def initialize(current_request)
+      @current_request = current_request
+    end
+    def response
+      @hq_response or request
+    end
+    private
+      def request
+        return cached_response if has_cached_response
+        begin
+          perform_and_cache_request
+        rescue HTTParty::Error => exception
+          cache_and_return_error 'HTTP client error.', exception.message
+        rescue Net::OpenTimeout => exception
+          cache_and_return_error 'Request timeout.', exception.message
+        rescue SocketError => exception
+          cache_and_return_error 'Connection error.', exception.message
+        end
+      end
+      def perform_and_cache_request
+        hq_response = perform_request
+        return cache_and_return_error 'Avo HQ Internal server error.', hq_response.body if hq_response.code == 500
+        cache_response 1.hour.to_i, hq_response.parsed_response if hq_response.code == 200
+      end
+      def cache_response(time, response)
+        response.merge!(
+          expiry: time,
+          **payload,
+        ).stringify_keys!
+        Rails.cache.write(CACHE_KEY, response, expires_in: time)
+        @hq_response = response
+        response
+      end
+      def perform_request
+        puts 'Performing request to avohq.io API to check license availability.'.inspect if Rails.env.development?
+        HTTParty.post ENDPOINT, body: payload.to_json, headers: { 'Content-type': 'application/json' }, timeout: REQUEST_TIMEOUT
+      end
+      def payload
+        {
+          license: Avo.configuration.license,
+          license_key: Avo.configuration.license_key,
+          avo_version: Avo::VERSION,
+          rails_version: Rails::VERSION::STRING,
+          ruby_version: RUBY_VERSION,
+          environment: Rails.env,
+          ip: current_request.ip,
+          host: current_request.host,
+          port: current_request.port,
+        }
+      end
+      def cache_and_return_error(error, exception_message = '')
+        cache_response 5.minutes.to_i, { error: error, exception_message: exception_message }.stringify_keys
+      end
+      def has_cached_response
+        Rails.cache.exist? CACHE_KEY
+      end
+      def cached_response
+        Rails.cache.read CACHE_KEY
+      end
+  end
+end

data/lib/avo/app/licensing/license.rb ADDED

@@ -0,0 +1,48 @@
+module Avo
+  class License
+    attr_accessor :id
+    attr_accessor :response
+    attr_accessor :valid
+    def initialize(response)
+      @response = response
+      @id = response['id']
+      @valid = response['valid']
+    end
+    def valid?
+      valid
+    end
+    def invalid?
+      !valid?
+    end
+    def pro?
+      id == 'pro'
+    end
+    def error
+      @response['error']
+    end
+    def properties
+      @response.slice 'valid', 'id', 'error'
+    end
+    def abilities
+      []
+    end
+    def can(ability)
+      abilities.include? ability
+    end
+    def cant(ability)
+      !can ability
+    end
+    alias_method :has, :can
+    alias_method :lacks, :cant
+  end
+end

data/lib/avo/app/licensing/license_manager.rb ADDED

@@ -0,0 +1,25 @@
+require_relative 'license'
+require_relative 'community_license'
+require_relative 'pro_license'
+require_relative 'null_license'
+module Avo
+  class LicenseManager
+    def initialize(hq_response)
+      @hq_response = hq_response
+    end
+    def license
+      return NullLicense.new if Rails.env.test? and ENV['RUN_WITH_NULL_LICENSE'] == '1'
+      case @hq_response['id']
+      when 'community'
+        CommunityLicense.new @hq_response
+      when 'pro'
+        ProLicense.new @hq_response
+      else
+        NullLicense.new @hq_response
+      end
+    end
+  end
+end

data/lib/avo/app/licensing/null_license.rb ADDED

@@ -0,0 +1,12 @@
+module Avo
+  class NullLicense < License
+    def initialize(response = nil)
+      response ||= {
+        id: 'community',
+        valid: true,
+      }
+      super(response)
+    end
+  end
+end

data/lib/avo/app/licensing/pro_license.rb ADDED

@@ -0,0 +1,9 @@
+module Avo
+  class ProLicense < License
+    def abilities
+      [
+        :authorization,
+      ]
+    end
+  end
+end

data/lib/avo/app/resource.rb CHANGED

@@ -12,11 +12,12 @@ module Avo
       attr_reader :default_view_type
       class << self
-        def hydrate_resource(model, resource, view = :index)
+        def hydrate_resource(model:, resource:, view: :index, user:)
           default_panel_name = "#{resource.name} details"
           resource_with_fields = {
             id: model.id,
+            authorization: get_authorization(user, model),
             resource_name_singular: resource.resource_name_singular,
             resource_name_plural: resource.resource_name_plural,
             title: model[resource.title],
@@ -39,6 +40,8 @@ module Avo
             furnished_field = field.fetch_for_resource(model, resource, view)
+            next unless field_resource_authorized field, furnished_field, user
             next if furnished_field.blank?
             furnished_field[:panel_name] = default_panel_name
@@ -74,6 +77,22 @@ module Avo
           "/resources/#{url}"
         end
+        def get_authorization(user, model)
+          [:create, :update, :show, :destroy].map do |action|
+            [action, AuthorizationService::authorize_action(user, model, action)]
+          end.to_h
+        end
+        def field_resource_authorized(field, furnished_field, user)
+          if [Avo::Fields::HasManyField, Avo::Fields::HasAndBelongsToManyField].include? field.class
+            return true if furnished_field[:relationship_model].nil?
+            AuthorizationService.authorize user, furnished_field[:relationship_model].safe_constantize, Avo.configuration.authorization_methods.stringify_keys['index']
+          else
+            true
+          end
+        end
       end
       def name
@@ -138,26 +157,26 @@ module Avo
         @search
       end
-      def query_search(query: '', via_resource_name: , via_resource_id:)
-        db_query = self.model
+      def query_search(query: '', via_resource_name: , via_resource_id:, user:)
+        model_class = self.model
+        db_query = AuthorizationService.with_policy(user, model_class)
         if via_resource_name.present?
-          related_resource = App.get_resource_by_name(via_resource_name)
-          related_model = related_resource.model
+          related_model = App.get_resource_by_name(via_resource_name).model
           db_query = related_model.find(via_resource_id).public_send(self.resource_name_plural.downcase)
         end
+        new_query = []
         [self.search].flatten.each_with_index do |search_by, index|
-          query_string = "text(#{search_by}) ILIKE '%#{query}%'"
+          new_query.push 'or' if index != 0
-          if index == 0
-            db_query = db_query.where query_string
-          else
-            db_query = db_query.or(self.model.where query_string)
-          end
+          new_query.push "text(#{search_by}) ILIKE '%#{query}%'"
         end
-        db_query.select("#{:id}, #{title} as \"name\"")
+        db_query.where(new_query.join(' '))
       end
       def model