card-mod-account 0.15.6 → 0.17.0

data/README.md

@@ -3,4 +3,108 @@
 -->
 # Account mod
 
-Create and manage accounts with cards. 
+_Create and manage accounts with cards._ 
+
+Like everything else in Decko, accounts are encoded using cards. A high-level
+introduction to account handling in Decko is available at https://decko.org/account
+
+## Sets
+
+|           name            |           important fields            |
+|:-------------------------:|:-------------------------------------:|
+| [accounted card]+:account | :email, :password, :salt, and :status |
+
+Accounts themselves are stored in `+:account` cards. While it is most common
+(and best supported) for `User` cards to have accounts, it is possible for any
+card to have an account, if they include the `Card::Set::Abstract::Accountable` set.
+This can be useful for decks on which it is desirable 
+to assign accounts to, for example, companies or robots, but it is not desirable
+to treat such entities as "users."
+
+Because (in the wiki tradition) Decko attributes changes to community members who make
+them, it is typically important not to delete cards of former users, lest their changes 
+be unattributed, creating confusing, misleading, or potentially even malicious gaps in
+the record.
+
+However, it is possible to delete the _account_ without deleting the _accounted_ card.
+For example, if `Malik` is a user and wishes to have his account deleted, this can be
+achieved by deleting `Malik+:account`. The email and passwords associated with the 
+account will be deleted, but Malik's name will remain in the system so that his 
+edits can still be attributed.
+
+A new default deck comes with the following two cards:
+
+- **Anonymous** - Edits made by people who are not signed in are credited to Anonymous
+- **Decko Bot** - A fully permissioned card to which many generic actions are attributed.
+
+### Account fields
+
+All account fields include the `Card::Set::Abstract::AccountField` set, which 
+makes content editable by the account owner
+
+|  name   |  type   |   content    |
+|:-------:|:-------:|:------------:|
+| +:email | phrase  | email string |
+
+Email cards are validated as valid email strings.
+
+
+|    name    |  type   |     content     |
+|:----------:|:-------:|:---------------:|
+| +:password | phrase  | password string |
+
+Password cards are validated as valid password strings.
+
+
+### Other types
+
+| name |   type   |      important fields      |
+|:----:|:--------:|:--------------------------:|
+| Role | Cardtype | :members (those with role) |
+
+Roles are tools for grouping accounted cards for the sake of assigning permissions. 
+Each Role card can have a *List* of members.
+
+The account mod comes with several built-in roles:
+
+Two have implicit member handling:
+
+- **Anyone** - Every accounted card automatically has this role. A permission given to 
+  *Anyone* is unrestricted.
+- **Anyone Signed In** - Everyone signed in has this role
+
+Another has implicit permission handling:
+- **Administrator** - Can create, read, or update any card
+
+And others have no special code attached to them, but they come with handy default
+settings:
+- **Eagle** - typically used for content editors
+- **Shark** - typically used for those editing rules, like structure, defaults, styling,
+  etc.
+- **Help Desk** - someone who can assign roles and edit user permissions.
+
+
+|  name   | codename |   type    | important fields |
+|:-------:|:--------:|:---------:|:----------------:|
+| Sign Up |  signup  | Cardtype  |     :account     |
+|  User   |   user   | Cardtype  |     :account     |  
+
+When you sign up for Decko, you create a new `Sign Up` card. A successful signup is 
+then converted into a User card (as in, its type changes from `Sign Up` to `User`.)
+
+Permissions on these cards determines how accounts are created:
+
+- If Anyone can create a Sign Up card, then anyone can sign up. 
+- If Anyone can create a User card, then users can verify their own accounts (via email)
+- If NOT Anyone can create a User card, then accounts must be approved by an existing user
+  who has the permission to create a User card.
+
+### Other special cards
+
+- Signing in and out is performed using the `:signin` card. Signing in works by initiating
+an update action on the card, and signing out works by initiating a delete action. (In
+neither case is the `:signin` card actually altered; the action is aborted once
+the authentication takes place)
+
+- The `:account_settings` card can be appended to any accounted card to provide UI
+  for various account-related content.

data/assets/script/toggle_visibility.js.coffee

@@ -0,0 +1,11 @@
+$ ->
+  $("body").on "click", "._toggle-pw-visibility", (event) ->
+    passwordField = $("._pw-input")
+    togglePassword = $("._pw-text-area")
+
+    if passwordField.prop("type") is "password"
+      passwordField.prop "type", "text"
+      togglePassword.find("i").text "visibility"
+    else
+      passwordField.prop "type", "password"
+      togglePassword.find("i").text "visibility_off"

data/assets/style/account.scss

@@ -50,6 +50,14 @@
   display: inline;
 }
 
+._toggle-pw-visibility {
+  float: right;
+  margin-right: 0.6rem;
+  margin-top: -1.95rem;
+  position: relative;
+  z-index: 2;
+}
+
 // FIXME - decko should handle better
 //#my-card-link {
 //  padding-right: 0.6em;

data/config/admin.yml

@@ -0,0 +1,4 @@
+cardtypes:
+  admin:
+    - role
+    - signup

data/config/locales/de.yml

@@ -98,7 +98,13 @@ de:
   account_invite: Einladen
   account_missing_account: "FEHLER: Registrierkarte ohne Konto"
   account_or_sign_up: '...oder registrieren!'
-  account_password_length: muss mindestens 4 Zeichen lang sein
+  account_password_length: muss mindestens %{num_char} Zeichen lang sein
+  account_password_requirements: muss %{char_type} enthalten
+  account_password_requirement_upper: einen Grossbuchstaben
+  account_password_requirement_lower: einene Kleinbuchstaben
+  account_password_requirement_special_char: ein Sonderzeichen (wie !@$%&#)
+  account_password_requirement_number: eine Zahl
+  account_password_requirement_letter: einen Buchstaben
   account_password_missing: Passwort muss angegeben werden
   account_private_data: Private Daten
   account_reset_password: Password Zurücksetzen

data/config/locales/en.yml

@@ -17,7 +17,13 @@ en:
   account_invite: Invite
   account_missing_account: "ERROR: signup card missing account"
   account_or_sign_up: '...or sign up!'
-  account_password_length: must be at least 4 characters
+  account_password_length: must be %{num_char} characters or longer
+  account_password_requirements: must contain %{char_type}
+  account_password_requirement_upper: an upper case letter
+  account_password_requirement_lower: a lower case letter
+  account_password_requirement_special_char: a special character (like !@$%&#)
+  account_password_requirement_number: a number
+  account_password_requirement_letter: a letter
   account_password_missing: password can't be blank
   account_private_data: Private data
   account_reset_password: Reset password
@@ -27,4 +33,4 @@ en:
   account_sign_out: Sign out
   account_sign_up: Sign up
   account_sorry_email_reset:
-    Sorry, %{error_msg}. Please check your email for a new password reset link.
+    Sorry, %{error_msg}. Please check your email for a new password reset link.

data/data/files/mod_account_script_asset_output/file.js

@@ -0,0 +1,2 @@
+// toggle_visibility.js.coffee
+(function(){$(function(){return $("body").on("click","._toggle-pw-visibility",function(){var i,t;return i=$("._pw-input"),t=$("._pw-text-area"),"password"===i.prop("type")?(i.prop("type","text"),t.find("i").text("visibility")):(i.prop("type","password"),t.find("i").text("visibility_off"))})})}).call(this);

data/data/real.yml

@@ -77,17 +77,21 @@
     - :type_plus_right
     - :update
   :content:
-    Help Desk
+    - :help_desk
 
 - :name: "*account"
   :codename: account
   :fields:
     :right:
       :fields:
-        :create: Administrator
-        :read: Help Desk
-        :update: Help Desk
-        :delete: Help Desk
+        :create:
+          - :administrator
+        :read:
+          - :help_desk
+        :update:
+          - :help_desk
+        :delete:
+          - :help_desk
   :content: |-
     <div>When someone signs up, they create a [[Sign up]] card...</div>
     <blockquote>
@@ -119,31 +123,41 @@
   :fields:
     :right:
       :fields:
-        :update: Help Desk
-        :delete: Help Desk
-        :read: Help Desk
+        :read:
+          - :help_desk
+        :update:
+          - :help_desk
+        :delete:
+          - :help_desk
 - :name: "*password"
   :codename: password
   :fields:
     :right:
       :fields:
-        :update: Help Desk
-        :delete: Help Desk
-        :read: Help Desk
+        :read:
+          - :help_desk
+        :update:
+          - :help_desk
+        :delete:
+          - :help_desk
 - :name: "*salt"
   :codename: salt
   :fields:
     :right:
       :fields:
-        :read: Help Desk
+        :read:
+          - :help_desk
 - :name: "*status"
   :codename: status
   :fields:
     :right:
       :fields:
-        :update: Help Desk
-        :delete: Help Desk
-        :read: Help Desk
+        :read:
+          - :help_desk
+        :update:
+          - :help_desk
+        :delete:
+          - :help_desk
 
 - :name: "*account settings"
   :codename: account_settings

data/{db/migrate_core_cards → data/transform}/20220815112551_move_roles.rb

@@ -1,6 +1,6 @@
 # -*- encoding : utf-8 -*-
 
-class  MoveRoles < Cardio::Migration
+class MoveRoles < Cardio::Migration::Transform
   def up
     remove_member_structure_rule
     change_existing_member_cards_to_lists

data/data/transform/20240510141851_member_ids.rb

@@ -0,0 +1,7 @@
+# -*- encoding : utf-8 -*-
+
+class MemberIds < Cardio::Migration::Transform
+  def up
+    Card.search(right: :members).each &:save!
+  end
+end

data/lib/card/mod/account.rb

@@ -0,0 +1,4 @@
+Cardio::Railtie.config.tap do |config|
+  config.account_password_length = 8
+  config.account_password_requirements = %i[lower upper special_char number]
+end

data/set/abstract/account_field.rb

@@ -1,11 +1,19 @@
-delegate :accounted, to: :account_card
+# -*- encoding : utf-8 -*-
 
 def account_card
-  left
+  left.tap { |l| return nil unless l.right_id == AccountID }
+end
+
+def accounted
+  account_card&.accounted
+end
+
+def own_account?
+  account_card&.own_account?
 end
 
 # allow account owner to update account field content
-def ok_to_update
+def ok_to_update?
   (own_account? && !name_changed? && !type_id_changed?) || super
 end
 

data/set/abstract/account_holder.rb

@@ -0,0 +1,152 @@
+event :validate_account_holder_name_change, :validate, on: :update, changed: :name do
+  return unless account? && !Card::Auth.as_card.account_manager?
+
+  errors.add :name, "cannot rename Account Holder"
+end
+
+def account
+  fetch :account, new: {}
+end
+
+def account?
+  account.real?
+end
+
+def own_account?
+  key == Auth.as_card.key
+end
+
+def default_account_status
+  "active"
+end
+
+def current_account?
+  id && Auth.current_id == id
+end
+
+def parties
+  @parties ||= (all_enabled_roles << id).flatten.reject(&:blank?)
+end
+
+def among? ok_ids
+  ok_ids.any? do |ok_id|
+    ok_id == AnyoneID ||
+      # (ok_id == AnyoneWithRoleID && all_enabled_roles.size > 1) ||
+      parties.member?(ok_id)
+  end
+end
+
+def all_enabled_roles
+  @all_enabled_roles ||= (id == AnonymousID ? [] : enabled_role_ids)
+end
+
+def all_roles
+  @all_roles ||= (id == AnonymousID ? [] : fetch_roles)
+end
+
+def read_rules
+  @read_rules ||= fetch_read_rules
+end
+
+def read_rules_hash
+  @read_rules_hash ||= read_rules.each_with_object({}) { |id, h| h[id] = true }
+end
+
+def clear_roles
+  @parties = @all_roles = @all_enabled_roles = @read_rules = nil
+end
+
+def ok_to_update?
+  (own_account? && !type_id_changed?) || super
+end
+
+def admin?
+  role? AdministratorID
+end
+
+def role? role_mark
+  all_enabled_roles.include? role_mark.card_id
+end
+
+def account_manager?
+  own_account? || parties.member?(HelpDeskID)
+end
+
+private
+
+def enabled_role_ids
+  with_enabled_roles do |enabled|
+    enabled.virtual? ? enabled.item_ids : fetch_roles
+  end
+end
+
+def with_enabled_roles
+  Auth.as_bot do
+    Card::Codename.exists?(:enabled_roles) ? yield(enabled_roles_card) : fetch_roles
+  end
+end
+
+def enabled_roles_card
+  fetch :enabled_roles, eager_cache: true, new: { type_id: SessionID }
+end
+
+def role_ids_from_role_member_cards
+  Self::Role.role_ids id
+end
+
+def fetch_roles
+  [AnyoneSignedInID] + role_ids_from_role_member_cards
+end
+
+def fetch_read_rules
+  return [] if id == WagnBotID # always_ok, so not needed
+
+  ([AnyoneID] + parties).each_with_object([]) do |party_id, rule_ids|
+    next unless (cache = Card::Rule.read_rule_cache[party_id])
+
+    rule_ids.concat cache
+  end
+end
+
+format :html do
+  def default_board_tab
+    card.current_account? ? :account_tab : super
+  end
+
+  view :account_tab do
+    board_pill_sections "Account" do
+      [["Settings", account_details_items],
+       ["Content", account_content_items]]
+    end
+  end
+
+  def show_account_tab?
+    card.account?
+  end
+
+  def account_formgroups
+    Auth.as_bot do
+      subformat(card.account)._render :content_formgroups, structure: true
+    end
+  end
+
+  def account_details_items
+    [
+      ["Email and Password", :account,
+       { path: { slot: { hide: %i[help_link board_link] } } }],
+      ["Roles", :roles,
+       { path:  { view: :content } }],
+      ["Notifications", :follow],
+      # FIXME: this should be added in api_key mod!
+      ["API", :account,
+       { path: { view: :api_key,
+                 items: { view: :content },
+                 slot: { hide: %i[help_link board_link] } } }]
+    ]
+  end
+
+  def account_content_items
+    [["Created", :created],
+     ["Edited", :edited]]
+  end
+end

data/set/all/account.rb

@@ -5,92 +5,11 @@ module ClassMethods
 end
 
 def account
-  fetch :account
+  nil
 end
 
-def parties
-  @parties ||= (all_enabled_roles << id).flatten.reject(&:blank?)
-end
-
-def among? ok_ids
-  ok_ids.any? do |ok_id|
-    ok_id == AnyoneID ||
-      # (ok_id == AnyoneWithRoleID && all_enabled_roles.size > 1) ||
-      parties.member?(ok_id)
-  end
-end
-
-def own_account?
-  # card is +*account card of signed_in user.
-  name.part_names[0].key == Auth.as_card.key &&
-    name.part_names[1].key == Card[:account].key
-end
-
-def read_rules
-  @read_rules ||= fetch_read_rules
-end
-
-def read_rules_hash
-  @read_rules_hash ||= read_rules.each_with_object({}) { |id, h| h[id] = true }
-end
-
-def fetch_read_rules
-  return [] if id == WagnBotID # always_ok, so not needed
-
-  ([AnyoneID] + parties).each_with_object([]) do |party_id, rule_ids|
-    next unless (cache = Card::Rule.read_rule_cache[party_id])
-
-    rule_ids.concat cache
-  end
-end
-
-def clear_roles
-  @parties = @all_roles = @all_active_roles = @read_rules = nil
-end
-
-# def with_clear_roles
-#   a = @parties
-#   b = @all_roles
-#   c = @all_active_roles
-#   d = @read_rules
-#   yield
-# ensure
-#   @parties = a
-#   @all_roles = b
-#   @all_active_roles = c
-#   @read_rules = d
-# end
-
-def all_enabled_roles
-  @all_active_roles ||= (id == AnonymousID ? [] : enabled_role_ids)
-end
-
-def all_roles
-  @all_roles ||= (id == AnonymousID ? [] : fetch_roles)
-end
-
-def enabled_role_ids
-  with_enabled_roles do |enabled|
-    enabled.virtual? ? enabled.item_ids : fetch_roles
-  end
-end
-
-def with_enabled_roles
-  Auth.as_bot do
-    Card::Codename.exists?(:enabled_roles) ? yield(enabled_roles_card) : fetch_roles
-  end
-end
-
-def enabled_roles_card
-  fetch :enabled_roles, eager_cache: true, new: { type_id: SessionID }
-end
-
-def fetch_roles
-  [AnyoneSignedInID] + role_ids_from_role_member_cards
-end
-
-def role_ids_from_role_member_cards
-  Self::Role.role_ids id
+def account?
+  false
 end
 
 event :generate_token do

data/set/all/password_input.haml

@@ -0,0 +1,6 @@
+
+= password_field :content, class: "d0-card-content _pw-input",
+                           placeholder: "Password",
+                           autocomplete: "off"
+%span._toggle-password.visibility-icon._pw-text-area
+  = icon_tag :hide_password, class: "_toggle-pw-visibility"

data/set/all/password_input.rb

@@ -0,0 +1,5 @@
+format :html do
+  def password_input
+    haml :password_input
+  end
+end

data/set/right/account/events.rb

@@ -54,7 +54,7 @@ end
 def verifying_token success, failure
   requiring_token do |token|
     result = Auth::Token.decode token
-    if result.is_a?(String)
+    if result.is_a?(String) || (result[:user_id] != accounted_id)
       send failure, result
     else
       send success

data/set/right/account.rb

@@ -1,5 +1,7 @@
 # -*- encoding : utf-8 -*-
 
+delegate :own_account?, to: :accounted
+
 card_accessor :email
 card_accessor :password
 card_accessor :salt
@@ -15,12 +17,12 @@ def accounted_id
   left_id
 end
 
-def ok_to_read
+def ok_to_read?
   own_account? || super
 end
 
 # allow account owner to update account field content
-def ok_to_update
+def ok_to_update?
   (own_account? && !name_changed? && !type_id_changed?) || super
 end
 

data/set/right/email.rb

@@ -36,7 +36,7 @@ def email_required?
   !left&.left&.codename == :wagn_bot
 end
 
-def ok_to_read
+def ok_to_read?
   if own_email? || Auth.always_ok?
     true
   else