RubyGems - avo - Versions diffs - 0.2.5 → 0.4.3 - Mend

avo 0.2.5 → 0.4.3

Potentially problematic release.

This version of avo might be problematic. Click here for more details.

Files changed (88) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c0b0abad455d9c6d3f493236a57dbfecae27b20a66d076566e51bb30a22b950c
-  data.tar.gz: 0ba3c3d98c8fed9739b189b43bc07fc3395fb12b4db99e495ac09daa3f567411
+  metadata.gz: 8f63c347f186cf1a2c4810cd4dc7d7107f655eb76f77f5704115c8429bddccb2
+  data.tar.gz: eeb2633dafc77f62071967b77bf8cf125f228ad2732ab6a57373b7dfd7ee9dc5
 SHA512:
-  metadata.gz: 79ac1e0321e0bdbb3889be1813702f4802a41363f4353dc3bbaf7b90f6b496f17083ac256669feb71b59ad8541fc3f16730555fc502d90005f7521e01b9d20ad
-  data.tar.gz: 85f19424337bf1d756e29ba23e56dca58f6e5ae6408185806a0153f3a2b5b107437fe88bd0b70a80bba79ccfa128a16a874c3f8117e930e099ecae9b8a2ea8cf
+  metadata.gz: 153ffa5ed8fab64f0f13e9cfdbb00face252c65fbacd5347765b451f3cdb2ae985116a801fb45d7cd68c605d0ce1495ca279690d4a79db5a2b6398d09e7402fb
+  data.tar.gz: 8ad346a74840f6cf7a0cc04368138a8da2090993b6da7e2c6babfc944d0bf173f494895b746b08eedcf8b1ccbe6aaece999b32d9dfcf8963c6ac5944c1c6452e

data/Gemfile CHANGED

@@ -23,54 +23,51 @@ gem 'inline_svg'
 gem 'countries'
 # Authorization
-gem "pundit"
-# These are the dummy app's dependencies
-group :development, :test do
-  # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-  gem 'rails', '~> 6.0.2', '>= 6.0.2.2'
-  # Use postgresql as the database for Active Record
-  gem 'pg', '>= 0.18', '< 2.0'
-  # Use Puma as the app server
-  gem 'puma', '~> 4.3.5'
-  # Use SCSS for stylesheets
-  gem 'sass-rails', '>= 6'
-  # Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks
-  # gem 'turbolinks', '~> 5'
-  # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
-  gem 'jbuilder', '~> 2.7'
-  # Use Redis adapter to run Action Cable in production
-  # gem 'redis', '~> 4.0'
-  # Use Active Model has_secure_password
-  # gem 'bcrypt', '~> 3.1.7'
-  # Use Active Storage variant
-  # gem 'image_processing', '~> 1.2'
-  # Reduces boot times through caching; required in config/boot.rb
-  gem 'bootsnap', '>= 1.4.2', require: false
-  # Call 'byebug' anywhere in the code to stop execution and get a debugger console
-  gem 'byebug', platforms: [:mri, :mingw, :x64_mingw]
-  gem 'dotenv-rails'
-  # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
-  gem 'web-console', '>= 3.3.0'
-  gem 'listen', '>= 3.0.5', '< 3.2'
-  # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
-  gem 'spring'
-  gem 'spring-watcher-listen', '~> 2.0.0'
-  gem 'factory_bot_rails'
-  gem 'faker'
-  # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
-  gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
-  gem 'devise'
-  gem 'database_cleaner'
-  gem 'ruby-debug-ide', require: false
-  gem 'debase'
-end
+gem 'pundit'
+# Dependencies for dummy_app
+# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
+gem 'rails', '~> 6.0.2', '>= 6.0.2.2'
+# Use postgresql as the database for Active Record
+gem 'pg', '>= 0.18', '< 2.0'
+# Use Puma as the app server
+gem 'puma', '~> 4.3.5'
+# Use SCSS for stylesheets
+gem 'sass-rails', '>= 6'
+# Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks
+# gem 'turbolinks', '~> 5'
+# Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
+gem 'jbuilder', '~> 2.7'
+# Use Redis adapter to run Action Cable in production
+# gem 'redis', '~> 4.0'
+# Use Active Model has_secure_password
+# gem 'bcrypt', '~> 3.1.7'
+# Use Active Storage variant
+# gem 'image_processing', '~> 1.2'
+# Reduces boot times through caching; required in config/boot.rb
+gem 'bootsnap', '>= 1.4.2', require: false
+# Call 'byebug' anywhere in the code to stop execution and get a debugger console
+gem 'byebug', platforms: [:mri, :mingw, :x64_mingw]
+gem 'dotenv-rails'
+# Access an interactive console on exception pages or by calling 'console' anywhere in the code.
+gem 'web-console', '>= 3.3.0'
+gem 'listen', '>= 3.0.5', '< 3.2'
+# Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
+gem 'spring'
+gem 'spring-watcher-listen', '~> 2.0.0'
+gem 'factory_bot_rails'
+gem 'faker', require: false
+# Windows does not include zoneinfo files, so bundle the tzinfo-data gem
+gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
+gem 'devise'
+gem 'database_cleaner'
+gem 'ruby-debug-ide', require: false
+gem 'debase'
 group :development, :test do
   gem 'rspec-rails', '~> 4.0.0'
@@ -83,6 +80,7 @@ group :development, :test do
   gem 'rubocop'
   gem 'simplecov', require: false
   gem 'simplecov-cobertura'
+  gem 'webmock'
   # Release helper
   gem 'bump', require: false
@@ -93,3 +91,9 @@ gem 'zeitwerk', '~> 2.3'
 # Pagination
 gem 'kaminari'
+gem 'httparty'
+gem 'iso'
+gem 'i18n-js'

data/Gemfile.lock CHANGED

@@ -1,10 +1,13 @@
 PATH
   remote: .
   specs:
-    avo (0.2.5)
+    avo (0.4.3)
       countries
+      httparty
+      i18n-js
       inline_svg
       kaminari
+      pundit
       rails (>= 6.0)
       webpacker
       zeitwerk
@@ -91,6 +94,7 @@ GEM
       i18n_data (~> 0.10.0)
       sixarm_ruby_unaccent (~> 1.1)
       unicode_utils (~> 1.4)
+    crack (0.4.4)
     crass (1.0.6)
     database_cleaner (1.8.5)
     debase (0.2.4.1)
@@ -123,12 +127,20 @@ GEM
     gem-release (2.1.1)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
+    hashdiff (1.0.1)
+    httparty (0.18.1)
+      mime-types (~> 3.0)
+      multi_xml (>= 0.5.2)
     i18n (1.8.5)
       concurrent-ruby (~> 1.0)
+    i18n-js (3.8.0)
+      i18n (>= 0.6.6)
     i18n_data (0.10.0)
     inline_svg (1.7.1)
       activesupport (>= 3.0)
       nokogiri (>= 1.6)
+    iso (0.3.0)
+      i18n
     jbuilder (2.10.1)
       activesupport (>= 5.0.0)
     kaminari (1.2.1)
@@ -155,11 +167,15 @@ GEM
     marcel (0.3.3)
       mimemagic (~> 0.3.2)
     method_source (1.0.0)
+    mime-types (3.3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2020.0512)
     mimemagic (0.3.5)
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
     minitest (5.14.2)
     msgpack (1.3.3)
+    multi_xml (0.6.0)
     nio4r (2.5.4)
     nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
@@ -296,6 +312,10 @@ GEM
       nokogiri (~> 1.6)
       rubyzip (>= 1.3.0)
       selenium-webdriver (>= 3.0, < 4.0)
+    webmock (3.9.3)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
     webpacker (4.3.0)
       activesupport (>= 4.2)
       rack-proxy (>= 0.6.1)
@@ -325,7 +345,10 @@ DEPENDENCIES
   faker
   fuubar
   gem-release
+  httparty
+  i18n-js
   inline_svg
+  iso
   jbuilder (~> 2.7)
   kaminari
   listen (>= 3.0.5, < 3.2)
@@ -345,6 +368,7 @@ DEPENDENCIES
   tzinfo-data
   web-console (>= 3.3.0)
   webdrivers
+  webmock
   webpacker (~> 4.0)
   zeitwerk (~> 2.3)

data/README.md CHANGED

@@ -1,10 +1,11 @@
 ![Tests](https://github.com/avo-hq/avo/workflows/Tests/badge.svg)
 ![reviewdog](https://github.com/avo-hq/avo/workflows/reviewdog/badge.svg)
 [![codecov](https://codecov.io/gh/avo-hq/avo/branch/master/graph/badge.svg?token=Q2LMFE4989)](https://codecov.io/gh/avo-hq/avo)
+[![Maintainability](https://api.codeclimate.com/v1/badges/676a0afa2cc79f03aa29/maintainability)](https://codeclimate.com/github/avo-hq/avo/maintainability)
 ![](https://avohq.io/img/logo-full-stroke-tiny-2x.png)
-Configuration-based, no-maintenance, extendable Ruby on Rails admin
+**Configuration-based, no-maintenance, extendable Ruby on Rails admin**
 Avo is a beautiful next-generation framework that empowers you, the developer, to create fantastic admin panels for your Ruby on Rails apps with the flexibility to fit your needs as you grow.
@@ -28,7 +29,7 @@ Avo is a beautiful next-generation framework that empowers you, the developer, t
   - **Custom fields***- No worries if we missed a field you need. Generate a custom field in a jiffy.
   - **Dashboard widgets and metrics*** - Customize your dashboard with the tools and analytics you need.
   - **Custom tools*** - You need to add a page with something completely new, you've got it!
-  - **Authorization*** - Leverage Pundit policies to build a robust and scalable authorization system.
+  - **Authorization** - Leverage Pundit policies to build a robust and scalable authorization system.
   - **Themable*** - Dress it up into your own colors.
   - **Localization*** - Have it available in any language you need.

data/app/controllers/avo/application_controller.rb CHANGED

@@ -5,7 +5,10 @@ module Avo
     before_action :init_app
     def init_app
-      Avo::App.init
+      Avo::App.boot if Avo::IN_DEVELOPMENT
+      Avo::App.init request
+      @license = Avo::App.license
     end
     def exception_logger(exception)
@@ -20,6 +23,20 @@ module Avo
     end
     private
+      def resource
+        eager_load_files(resource_model).find params[:id]
+      end
+      def eager_load_files(query)
+        if avo_resource.attached_file_fields.present?
+          avo_resource.attached_file_fields.map(&:id).map do |field|
+            query = query.send :"with_attached_#{field}"
+          end
+        end
+        query
+      end
       def resource_model
         avo_resource.model
       end
@@ -27,5 +44,21 @@ module Avo
       def avo_resource
         App.get_resource params[:resource_name].to_s.camelize.singularize
       end
+      def authorize_user
+        return if params[:controller] == 'avo/search'
+        model = record = avo_resource.model
+        if ['show', 'edit', 'update'].include?(params[:action]) && params[:controller] == 'avo/resources'
+          record = resource
+        end
+        return render_unauthorized unless AuthorizationService::authorize_action current_user, record, params[:action]
+      end
+      def render_unauthorized
+        render json: { message: I18n.t('avo.unauthorized') }, status: 403
+      end
   end
 end

data/app/controllers/avo/filters_controller.rb ADDED

@@ -0,0 +1,19 @@
+require_dependency 'avo/application_controller'
+module Avo
+  class FiltersController < ApplicationController
+    before_action :authorize_user
+    def index
+      filters = []
+      avo_resource.get_filters.each do |filter|
+        filters.push(filter.new.render_response)
+      end
+      render json: {
+        filters: filters,
+      }
+    end
+  end
+end

data/app/controllers/avo/relations_controller.rb ADDED

@@ -0,0 +1,34 @@
+require_dependency 'avo/application_controller'
+module Avo
+  class RelationsController < ApplicationController
+    before_action :authorize_user
+    def attach
+      resource.send(params[:attachment_name]) << attachment_model
+      render json: {
+        success: true,
+        message: I18n.t('avo.attachment_class_attached', attachment_class: attachment_class),
+      }
+    end
+    def detach
+      resource.send(params[:attachment_name]).delete attachment_model
+      render json: {
+        success: true,
+        message: I18n.t('avo.attachment_class_detached', attachment_class: attachment_class),
+      }
+    end
+    private
+      def attachment_class
+        App.get_model_class_by_name params[:attachment_name].pluralize 1
+      end
+      def attachment_model
+        resource._reflections[params[:attachment_name].to_s].klass.find params[:attachment_id]
+      end
+  end
+end

data/app/controllers/avo/resource_overview_controller.rb CHANGED

@@ -3,13 +3,16 @@ require_dependency 'avo/application_controller'
 module Avo
   class ResourceOverviewController < ApplicationController
     def index
-      resources = App.get_resources.map do |resource|
-        {
-          name: resource.name,
-          url: resource.url,
-          count: resource.model.count,
-        }
-      end
+      resources = App.get_resources
+        .select { |resource| AuthorizationService::authorize session_user, resource.model, Avo.configuration.authorization_methods.stringify_keys['index'] }
+        .sort_by(&:name)
+        .map do |resource|
+          {
+            name: resource.name,
+            url: resource.url,
+            count: resource.model.count,
+          }
+        end
       render json: {
         resources: resources,
@@ -17,5 +20,10 @@ module Avo
         hide_docs: Avo.configuration.hide_documentation_link,
       }
     end
+    private
+      def session_user
+        current_user.present? ? current_user : nil
+      end
   end
 end

data/app/controllers/avo/resources_controller.rb CHANGED

@@ -2,21 +2,26 @@ require_dependency 'avo/application_controller'
 module Avo
   class ResourcesController < ApplicationController
+    before_action :authorize_user
     def index
       params[:page] ||= 1
       params[:per_page] ||= Avo.configuration.per_page
       params[:sort_by] = params[:sort_by].present? ? params[:sort_by] : :created_at
       params[:sort_direction] = params[:sort_direction].present? ? params[:sort_direction] : :desc
-      filters = get_filters
+      query = AuthorizationService.with_policy current_user, resource_model
       if params[:via_resource_name].present? and params[:via_resource_id].present? and params[:via_relationship].present?
-        # get the reated resource (via_resource)
-        related_resource = App.get_resource_by_name(params[:via_resource_name])
-        related_model = related_resource.model
-        # fetch the entries
-        query = related_model.find(params[:via_resource_id]).public_send(params[:via_relationship])
+        # get the related resource (via_resource)
+        related_model = App.get_resource_by_name(params[:via_resource_name]).model
+        relation = related_model.find(params[:via_resource_id]).public_send(params[:via_relationship])
+        query = AuthorizationService.with_policy current_user, relation
         params[:per_page] = Avo.configuration.via_per_page
       elsif ['has_many', 'has_and_belongs_to_many'].include? params[:for_relation]
+        # has_many searchable query
         resources = resource_model.all.map do |model|
           {
             value: model.id,
@@ -27,22 +32,18 @@ module Avo
         return render json: {
           resources: resources
         }
-      else
-        query = resource_model
       end
       query = query.order("#{params[:sort_by]} #{params[:sort_direction]}")
-      if filters.present?
-        filters.each do |filter_class, filter_value|
-          query = filter_class.safe_constantize.new.apply_query request, query, filter_value
-        end
+      applied_filters.each do |filter_class, filter_value|
+        query = filter_class.safe_constantize.new.apply_query request, query, filter_value
       end
       # Eager load the attachments
       query = eager_load_files(query)
-      # Eager lood the relations
+      # Eager load the relations
       if avo_resource.includes.present?
         query = query.includes(*avo_resource.includes)
       end
@@ -51,48 +52,21 @@ module Avo
       resources_with_fields = []
       resources.each do |resource|
-        resources_with_fields << Avo::Resources::Resource.hydrate_resource(resource, avo_resource, :index)
+        resources_with_fields << Avo::Resources::Resource.hydrate_resource(model: resource, resource: avo_resource, view: :index, user: current_user)
       end
-      meta = {
-        per_page_steps: Avo.configuration.per_page_steps,
-        available_view_types: avo_resource.available_view_types,
-        default_view_type: avo_resource.default_view_type || Avo.configuration.default_view_type,
-      }
       render json: {
         success: true,
-        meta: meta,
+        meta: build_meta,
         resources: resources_with_fields,
         per_page: params[:per_page],
         total_pages: resources.total_pages,
       }
     end
-    def search
-      if params[:resource_name].present?
-        resources = add_link_to_search_results search_resource(avo_resource)
-      else
-        resources = []
-        resources_to_search_through = App.get_resources.select { |r| r.search.present? }
-        resources_to_search_through.each do |resource_model|
-          found_resources = add_link_to_search_results search_resource(resource_model)
-          resources.push({
-            label: resource_model.name,
-            resources: found_resources
-          })
-        end
-      end
-      render json: {
-        resources: resources
-      }
-    end
     def show
       render json: {
-        resource: Avo::Resources::Resource.hydrate_resource(resource, avo_resource, @view || :show),
+        resource: Avo::Resources::Resource.hydrate_resource(model: resource, resource: avo_resource, view: @view || :show, user: current_user),
       }
     end
@@ -120,8 +94,8 @@ module Avo
       render json: {
         success: true,
-        resource: Avo::Resources::Resource.hydrate_resource(resource, avo_resource, :show),
-        message: 'Resource updated',
+        resource: Avo::Resources::Resource.hydrate_resource(model: resource, resource: avo_resource, view: :show, user: current_user),
+        message: I18n.t('avo.resource_updated'),
       }
     end
@@ -143,16 +117,14 @@ module Avo
       render json: {
         success: true,
-        resource: Avo::Resources::Resource.hydrate_resource(resource, avo_resource, :create),
-        message: 'Resource created',
+        resource: Avo::Resources::Resource.hydrate_resource(model: resource, resource: avo_resource, view: :create, user: current_user),
+        message: I18n.t('avo.resource_created'),
       }
     end
-    def fields
-      resource = resource_model.new
+    def new
       render json: {
-        resource: Avo::Resources::Resource.hydrate_resource(resource, avo_resource, :create),
+        resource: Avo::Resources::Resource.hydrate_resource(model: resource_model.new, resource: avo_resource, view: :create, user: current_user),
       }
     end
@@ -160,68 +132,11 @@ module Avo
       resource.destroy!
       render json: {
-        message: 'Resource destroyed',
+        message: I18n.t('avo.resource_destroyed'),
       }
     end
-    def filters
-      avo_filters = avo_resource.get_filters
-      filters = []
-      avo_filters.each do |filter|
-        filters.push(filter.new.render_response)
-      end
-      render json: {
-        filters: filters,
-      }
-    end
-    def attach
-      attachment_class = App.get_model_class_by_name params[:attachment_name].pluralize 1
-      attachment_model = attachment_class.safe_constantize.find params[:attachment_id]
-      attached = resource.send(params[:attachment_name]) << attachment_model
-      render json: {
-        success: true,
-        message: "#{attachment_class} attached.",
-      }
-    end
-    def detach
-      attachment_class = App.get_model_class_by_name params[:attachment_name].pluralize 1
-      attachment_model = attachment_class.safe_constantize.find params[:attachment_id]
-      attached = resource.send(params[:attachment_name]).delete attachment_model
-      render json: {
-        success: true,
-        message: "#{attachment_class} attached.",
-      }
-    end
-    def cast_nullable(params)
-      fields = avo_resource.get_fields
-      nullable_fields = fields.filter { |field| field.nullable }
-                              .map { |field| [field.id, field.null_values] }
-                              .to_h
-      params.each do |key, value|
-        nullable = nullable_fields[key.to_sym]
-        if nullable.present? && value.in?(nullable)
-          params[key] = nil
-        end
-      end
-      params
-    end
     private
-      def resource
-        eager_load_files(resource_model).find params[:id]
-      end
       def permitted_params
         permitted = avo_resource.get_fields.select(&:updatable).map do |field|
           # If it's a relation
@@ -250,41 +165,6 @@ module Avo
         params.require(:resource).permit(permitted_params)
       end
-      def search_resource(avo_resource)
-        avo_resource.query_search(query: params[:q], via_resource_name: params[:via_resource_name], via_resource_id: params[:via_resource_id])
-      end
-      def add_link_to_search_results(resources)
-        resources.map do |model|
-          resource = model.as_json
-          resource[:link] = "/resources/#{model.class.to_s.singularize.underscore}/#{model.id}"
-          resource
-        end
-      end
-      def eager_load_files(query)
-        if avo_resource.attached_file_fields.present?
-          avo_resource.attached_file_fields.map(&:id).map do |field|
-            query = query.send :"with_attached_#{field}"
-          end
-        end
-        query
-      end
-      def process_file_field(field, attachment)
-        if attachment.is_a? ActionDispatch::Http::UploadedFile
-          # New file has been attached
-          field.attach attachment
-        elsif attachment.blank?
-          # File has been deleted
-          field.purge
-        elsif attachment.is_a? String
-          # Field is unchanged
-        end
-      end
       def update_file_fields
         # Pick and attach file fields
         attached_file_fields = avo_resource.attached_file_fields
@@ -322,7 +202,19 @@ module Avo
         end
       end
-      def get_filters
+      def process_file_field(field, attachment)
+        if attachment.is_a? ActionDispatch::Http::UploadedFile
+          # New file has been attached
+          field.attach attachment
+        elsif attachment.blank?
+          # File has been deleted
+          field.purge
+        elsif attachment.is_a? String
+          # Field is unchanged
+        end
+      end
+      def applied_filters
         if params[:filters].present?
           return JSON.parse(Base64.decode64(params[:filters]))
         end
@@ -332,12 +224,46 @@ module Avo
         avo_resource.get_filters.each do |filter_class|
           filter = filter_class.new
-          if filter.default_value.present?
-            filter_defaults[filter_class.to_s] = filter.default_value
+          if filter.default.present?
+            filter_defaults[filter_class.to_s] = filter.default
           end
         end
         filter_defaults
       end
+      def cast_nullable(params)
+        fields = avo_resource.get_fields
+        nullable_fields = fields.filter { |field| field.nullable }
+                                .map { |field| [field.id, field.null_values] }
+                                .to_h
+        params.each do |key, value|
+          nullable = nullable_fields[key.to_sym]
+          if nullable.present? && value.in?(nullable)
+            params[key] = nil
+          end
+        end
+        params
+      end
+      def build_meta
+        {
+          per_page_steps: [*Avo.configuration.per_page_steps, Avo.configuration.per_page.to_i].sort.uniq,
+          available_view_types: avo_resource.available_view_types,
+          default_view_type: avo_resource.default_view_type || Avo.configuration.default_view_type,
+          translation_key: avo_resource.translation_key,
+          authorization: {
+            create: AuthorizationService::authorize(current_user, avo_resource.model, Avo.configuration.authorization_methods.stringify_keys['create']),
+            edit: AuthorizationService::authorize(current_user, avo_resource.model, Avo.configuration.authorization_methods.stringify_keys['edit']),
+            update: AuthorizationService::authorize(current_user, avo_resource.model, Avo.configuration.authorization_methods.stringify_keys['update']),
+            show: AuthorizationService::authorize(current_user, avo_resource.model, Avo.configuration.authorization_methods.stringify_keys['show']),
+            destroy: AuthorizationService::authorize(current_user, avo_resource.model, Avo.configuration.authorization_methods.stringify_keys['destroy']),
+          },
+        }
+      end
   end
 end