browsercms 3.5.7 → 4.0.0.alpha

data/app/controllers/cms/passwords_controller.rb

@@ -0,0 +1,17 @@
+module Cms
+  class PasswordsController < Devise::PasswordsController
+    include Cms::AdminController
+    layout 'cms/application'
+
+    def new
+      use_page_title('Forgot Password')
+      super
+    end
+
+    def edit
+      use_page_title('Change Password')
+      super
+    end
+
+  end
+end

data/app/controllers/cms/portlet_controller.rb

@@ -2,7 +2,6 @@ module Cms
   class PortletController < Cms::ApplicationController
 
     skip_before_filter :redirect_to_cms_site
-    skip_before_filter :login_required
 
     def execute_handler
       @portlet = Portlet.find(params[:id])

data/app/controllers/cms/portlets_controller.rb

@@ -1,42 +1,35 @@
 module Cms
-class PortletsController < Cms::ContentBlockController
-  
-  protected
-    def load_blocks
-      @blocks = Portlet.search(params[:search]).paginate(
-        :page => params[:page],
-        :order => params[:order] || "name",
-        :conditions => ["deleted = ?", false]
-      )
+  class PortletsController < Cms::ContentBlockController
+
+    before_action :apply_blacklist, only: [:new, :create]
+
+    protected
+
+    # Ensure we can't create portlets on the blacklist of types.
+    # Existing instances can be edited/deleted.
+    def apply_blacklist
+       if params[:type] && Cms::Portlet.blacklisted?(params[:type].to_sym)
+         render status: :method_not_allowed
+       end
     end
-  
+
     def build_block
       if params[:type].blank?
         @block = model_class.new
       else
-        @block = params[:type].classify.constantize.new(params[params[:type]])
+        @block = params[:type].classify.constantize.new(params[:portlet])
       end
+
     end
-    
+
     def update_block
       load_block
-      @block.update_attributes(params[@block.class.name.underscore])
-    end    
-    
+      @block.update(params[:portlet])
+    end
+
     def block_form
       "portlets/portlets/form"
     end
-    
-    def new_block_path(block)
-      new_portlet_path
-    end
-  
-    def block_path(block, action=nil)
-      send("#{action ? "#{action}_" : ""}portlet_path", block)
-    end
 
-    def blocks_path
-      portlets_path
-    end
-end
+  end
 end

data/app/controllers/cms/redirects_controller.rb

@@ -1,21 +1,25 @@
 module Cms
-class RedirectsController < Cms::ResourceController 
-  layout 'cms/administration'
-  check_permissions :administrate  
-  before_filter :set_menu_section
-  protected
+  class RedirectsController < Cms::ResourceController
+    include Cms::AdminTab
+    check_permissions :administrate
+
+    def new_button_path
+      new_redirect_path
+    end
+
+    protected
     def show_url
       index_url
     end
-    
+
     def order_by_column
       "from_path, to_path"
     end
-    
-  private
+
+    private
     def set_menu_section
       @menu_section = 'redirects'
     end
 
-end
+  end
 end

data/app/controllers/cms/resource_controller.rb

@@ -4,7 +4,7 @@ module Cms
 class ResourceController < Cms::BaseController
 
   def index
-    instance_variable_set("@#{variable_name.pluralize}", resource.all(:order => order_by_column))
+    instance_variable_set("@#{variable_name.pluralize}", resource.order(order_by_column))
   end
 
   def new
@@ -12,7 +12,7 @@ class ResourceController < Cms::BaseController
   end
 
   def create
-    @object = build_object(params[variable_name])
+    @object = build_object(resource_params)
     if @object.save
       flash[:notice] = "#{resource_name.singularize.titleize} '#{object_name}' was created"
       redirect_to after_create_url
@@ -36,7 +36,7 @@ class ResourceController < Cms::BaseController
 
   def update
     @object = resource.find(params[:id])
-    if @object.update_attributes(params["#{variable_name}"])
+    if @object.update(resource_params())
       flash[:notice] = "#{resource_name.singularize.titleize} '#{object_name}' was updated"
       redirect_to after_update_url
     else
@@ -58,6 +58,17 @@ class ResourceController < Cms::BaseController
   end
 
   protected
+
+  # Returns the permitted parameters for the current resource, based on:
+  # 1. The name of the resource (i.e. :page)
+  # 2. The permitted parameters on the resource (i.e. Page.permitted_params)
+  #
+  # Resources can override permitted_params to add/remove fields as needed.
+  def resource_params
+    params.require("#{variable_name}").permit(resource.permitted_params)
+  end
+
+
   def resource_name
     controller_name
   end
@@ -84,7 +95,7 @@ class ResourceController < Cms::BaseController
   end
 
   def index_url
-    cms_index_url_for(resource_name)
+    engine_aware_path(resource)
   end
 
   def after_create_url

data/app/controllers/cms/routes_controller.rb

@@ -3,9 +3,7 @@ class RoutesController < Cms::BaseController
   
   
   def index
-  
-    @toolbar_tab = :administration
-    
+
     unless params[:path].blank?
       @path = params[:path]
       @route = Rails.application.routes.recognize_path(@path)
@@ -14,7 +12,7 @@ class RoutesController < Cms::BaseController
     @routes = Rails.application.routes.routes.collect do |route|
       name = route.name.to_s
       verb = route.verb
-      segs = route.path
+      segs = route.path.spec
       reqs = route.requirements.empty? ? "" : route.requirements.inspect
       {:name => name, :verb => verb, :segs => segs, :reqs => reqs}
     end

data/app/controllers/cms/section_nodes_controller.rb

@@ -1,55 +1,24 @@
 module Cms
   class SectionNodesController < Cms::BaseController
 
-    layout 'cms/section_nodes'
     check_permissions :publish_content, :except => [:index]
 
     def index
-      @toolbar_tab = :sitemap
       @modifiable_sections = current_user.modifiable_sections
-      @public_sections = Group.guest.sections.all # Load once here so that every section doesn't need to.
+      @public_sections = Group.guest.sections.to_a # Load once here so that every section doesn't need to.
 
       @sitemap = Section.sitemap
       @root_section_node = @sitemap.keys.first
       @section = @root_section_node.node
+      render 'show'
     end
 
-    def move_before
-      move(:before)
-    end
-
-    def move_after
-      move(:after)
-    end
-
-    def move_to_beginning
-      move_to(:beginning)
-    end
-
-    def move_to_end
-      move_to(:end)
-    end
-
-    def move_to_root
-      @section_node = SectionNode.find(params[:id])
-      @root = Section.root.find(params[:section_id])
-      @section_node.move_to(@root, 0)
-      render :json => {:success => true, :message => "'#{@section_node.node.name}' was moved to '#{@root.name}'"}
-    end
-
-    private
-    def move(to)
+    def move_to_position
       @section_node = SectionNode.find(params[:id])
-      @other_node = SectionNode.find(params[:section_node_id])
-      @section_node.send("move_#{to}", @other_node)
-      render :json => {:success => true, :message => "'#{@section_node.node.name}' was moved #{to} '#{@other_node.node.name}'"}
+      target_node = SectionNode.find(params[:target_node_id])
+      @section_node.move_to(target_node.node, params[:position].to_i)
+      render :json => {:success => true, :message => "'#{@section_node.node.name}' was moved to '#{target_node.node.name}'"}
     end
 
-    def move_to(place)
-      @section_node = SectionNode.find(params[:id])
-      @other_node = SectionNode.find(params[:section_node_id])
-      @section_node.send("move_to_#{place}", @other_node.node)
-      render :json => {:success => true, :message => "'#{@section_node.node.name}' was moved to the #{place} of '#{@other_node.node.name}'"}
-    end
   end
 end

data/app/controllers/cms/sections_controller.rb

@@ -3,11 +3,14 @@ module Cms
 
     before_filter :load_parent, :only => [:new, :create]
     before_filter :load_section, :only => [:edit, :update, :destroy, :move]
-    before_filter :set_toolbar_tab
 
     helper_method :public_groups
     helper_method :cms_groups
 
+    def resource
+      @section
+    end
+
     def index
       redirect_to cms.sitemap_path
     end
@@ -22,7 +25,7 @@ module Cms
     end
 
     def create
-      @section = Cms::Section.new(params[:section])
+      @section = Cms::Section.new(section_params)
       @section.parent = @parent
       @section.groups = @section.parent.groups unless current_user.able_to?(:administrate)
       if @section.save
@@ -38,7 +41,7 @@ module Cms
 
     def update
       params[:section].delete('group_ids') if params[:section] && !current_user.able_to?(:administrate)
-      @section.attributes = params[:section]
+      @section.attributes = section_params()
       if @section.save
         flash[:notice] = "Section '#{@section.name}' was updated"
         redirect_to @section
@@ -70,6 +73,11 @@ module Cms
     end
 
     protected
+
+    def section_params
+      params.require(:section).permit(Cms::Section.permitted_params)
+    end
+
     def load_parent
       @parent = Cms::Section.find(params[:section_id])
       raise Cms::Errors::AccessDenied unless current_user.able_to_edit?(@parent)
@@ -81,15 +89,12 @@ module Cms
     end
 
     def public_groups
-      @public_groups ||= Cms::Group.public.all(:order => "#{Cms::Group.table_name}.name")
+      @public_groups ||= Cms::Group.public.order("#{Cms::Group.table_name}.name")
     end
 
     def cms_groups
-      @cms_groups ||= Cms::Group.cms_access.all(:order => "#{Cms::Group.table_name}.name")
+      @cms_groups ||= Cms::Group.cms_access.order( "#{Cms::Group.table_name}.name")
     end
 
-    def set_toolbar_tab
-      @toolbar_tab = :sitemap
-    end
   end
 end

data/app/controllers/cms/sessions_controller.rb

@@ -1,73 +1,15 @@
-# This controller handles the login/logout function of the site.  
 module Cms
-class SessionsController < Cms::ApplicationController
+  # Handles the login/logout function of the site.
+  class SessionsController < Devise::SessionsController
+    include Cms::AdminController
+    before_filter :redirect_to_cms_site, :only => [:new]
 
-  before_filter :redirect_to_cms_site, :only => [:new]
-  layout "cms/login"
+    layout 'cms/application'
 
-  def new
-
-  end
-
-  def create
-    logout_keeping_session!
-    user = User.authenticate(params[:login], params[:password])
-    if user
-      # Protects against session fixation attacks, causes request forgery
-      # protection if user resubmits an earlier form using back
-      # button. Uncomment if you understand the tradeoffs.
-      # reset_session
-      self.current_user = user
-      new_cookie_flag = (params[:remember_me] == "1")
-      handle_remember_cookie! new_cookie_flag
-      flash[:notice] = "Logged in successfully"
-      if params[:success_url] # Coming from login portlet
-        redirect_to((!params[:success_url].blank? && params[:success_url]) || session[:return_to] || "/")
-        session[:return_to] = nil
-      else
-        redirect_back_or_default(cms.home_url)
-      end
-    else
-      note_failed_signin
-      @login       = params[:login]
-      @remember_me = params[:remember_me]
-      flash[:login_error] = "Log in failed"
-      if params[:success_url] # Coming from login portlet
-        if params[:success_url].blank?
-          success_url = session[:return_to] || "/"
-        else
-          success_url = params[:success_url]
-        end
-        flash[:login] = params[:login]
-        flash[:remember_me] = params[:remember_me]
-        flash[:success_url] = success_url
-        redirect_to request.referrer
-      else
-        render :action => "new"
-      end
+    def new
+      use_page_title 'Login'
+      super
     end
-  end
-
-  def destroy
-    logout_user
-    redirect_back_or_default("/")
-  end
-
-  protected
 
-  # Pulled this out as a separate method so that modules (like bcms_cas) can override/alias destroy and
-  # not have a redirect happen as a side effect.
-  def logout_user
-    logout_killing_session!
-    cookies.delete :openSectionNodes
-    flash[:notice] = "You have been logged out."
   end
-
-  # Track failed login attempts
-  def note_failed_signin
-    flash[:error] = "Couldn't log you in as '#{params[:login]}'"
-    logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}"
-  end
-
-end
 end

data/app/controllers/cms/sites/passwords_controller.rb

@@ -0,0 +1,27 @@
+module Cms
+  module Sites
+    class PasswordsController < Devise::PasswordsController
+      include Cms::ContentPage
+      helper AuthenticationHelper
+
+      template :default
+
+      def new
+        use_page_title('Forgot Password')
+        super
+      end
+
+      def create
+        use_page_title('Forgot Password')
+        super
+      end
+
+      protected
+
+      # @override [Devise::PasswordsController]
+      def after_sending_reset_password_instructions_path_for(resource_name)
+        main_app.new_cms_user_session_path
+      end
+    end
+  end
+end

data/app/controllers/cms/sites/sessions_controller.rb

@@ -0,0 +1,20 @@
+module Cms
+  module Sites
+
+    # Handles Sign In/Out for public site.
+    class SessionsController < Devise::SessionsController
+      include Cms::ContentPage
+      helper AuthenticationHelper
+      helper UiElementsHelper
+
+      template :default
+
+      def new
+        use_page_title 'Login'
+        super
+      end
+
+
+    end
+  end
+end