cccux 0.1.0 → 0.3.0

data/app/controllers/cccux/roles_controller.rb

@@ -1,11 +1,13 @@
 module Cccux
   class RolesController < CccuxController
-    # Ensure only Role Managers can access role management
-    before_action :ensure_role_manager
     # Skip authorization for model_columns since it's just a helper endpoint
     skip_authorization_check only: [:model_columns]
 
-    before_action :set_role, only: [:show, :edit, :update, :destroy]
+    # Add load_and_authorize_resource to automatically load roles
+    load_and_authorize_resource class: Cccux::Role
+
+    # Remove manual set_role - let load_and_authorize_resource handle it
+    # before_action :set_role, only: [:show, :edit, :update, :destroy]
     
     def index
       @roles = Cccux::Role.includes(:ability_permissions, :users)
@@ -25,7 +27,8 @@ module Cccux
       @role = Cccux::Role.new(role_params)
       
       respond_to do |format|
-        if @role.save
+        format.html { redirect_to cccux.role_path(@role), notice: 'Role was successfully created.' } if @role.save
+        if defined?(Turbo::StreamsChannel) && @role.save
           format.turbo_stream do
             render turbo_stream: [
               turbo_stream.update("new_role_form", ""),
@@ -33,13 +36,15 @@ module Cccux
               turbo_stream.update("flash", partial: "flash", locals: { notice: "Role was successfully created." })
             ]
           end
-          format.html { redirect_to cccux.role_path(@role), notice: 'Role was successfully created.' }
-        else
-          format.turbo_stream do
-            render turbo_stream: turbo_stream.update("new_role_form", 
-              partial: "form", locals: { role: @role })
-          end
+        end
+        unless @role.save
           format.html { render :new, status: :unprocessable_entity }
+          if defined?(Turbo::StreamsChannel)
+            format.turbo_stream do
+              render turbo_stream: turbo_stream.update("new_role_form", 
+                partial: "form", locals: { role: @role })
+            end
+          end
         end
       end
     end
@@ -65,18 +70,22 @@ module Cccux
     def destroy
       respond_to do |format|
         if @role.users.any?
-          format.turbo_stream do
-            render turbo_stream: turbo_stream.update("flash", 
-              partial: "flash", locals: { alert: "Cannot delete role that has users assigned to it." })
+          if defined?(Turbo::StreamsChannel)
+            format.turbo_stream do
+              render turbo_stream: turbo_stream.update("flash", 
+                partial: "flash", locals: { alert: "Cannot delete role that has users assigned to it." })
+            end
           end
           format.html { redirect_to cccux.roles_path, alert: 'Cannot delete role that has users assigned to it.' }
         else
           @role.destroy
-          format.turbo_stream do
-            render turbo_stream: [
-              turbo_stream.remove("role_#{@role.id}"),
-              turbo_stream.update("flash", partial: "flash", locals: { notice: "Role was successfully deleted." })
-            ]
+          if defined?(Turbo::StreamsChannel)
+            format.turbo_stream do
+              render turbo_stream: [
+                turbo_stream.remove("role_#{@role.id}"),
+                turbo_stream.update("flash", partial: "flash", locals: { notice: "Role was successfully deleted." })
+              ]
+            end
           end
           format.html { redirect_to cccux.roles_path, notice: 'Role was successfully deleted.' }
         end
@@ -126,9 +135,10 @@ module Cccux
     
     private
     
-    def set_role
-      @role = Cccux::Role.find(params[:id])
-    end
+    # Remove set_role method - load_and_authorize_resource handles this
+    # def set_role
+    #   @role = Cccux::Role.find(params[:id])
+    # end
     
     def build_permission_matrix
       subjects = Cccux::AbilityPermission.distinct.pluck(:subject).sort
@@ -200,15 +210,7 @@ module Cccux
             conditions["user_key"] = ownership_user_key[permission.id.to_s]
           end
           
-          if conditions.any?
-            role_ability.ownership_conditions = conditions.to_json
-          else
-            role_ability.ownership_conditions = nil
-          end
-        else
-          # Clear ownership configuration for non-owned access types
-          role_ability.ownership_source = nil
-          role_ability.ownership_conditions = nil
+          role_ability.ownership_conditions = conditions.to_json if conditions.any?
         end
         
         role_ability.save!
@@ -218,73 +220,60 @@ module Cccux
     def role_params
       params.require(:role).permit(:name, :description, :active, :priority)
     end
-
+    
     def discover_application_models
       models = []
-      begin
-        # Direct approach: Get models from database tables (bypasses all autoloading issues)
-        application_tables = ActiveRecord::Base.connection.tables.reject do |table|
-          # Skip Rails internal tables and CCCUX tables
-          table.start_with?('schema_migrations', 'ar_internal_metadata', 'cccux_') ||
-          skip_table?(table)
-        end
-        application_tables.each do |table|
-          # Convert table name to model name
-          model_name = table.singularize.camelize
-          # Verify the model exists and is valid
-          begin
-            if Object.const_defined?(model_name)
-              model_class = Object.const_get(model_name)
-              if model_class.respond_to?(:table_name) && 
-                 model_class.table_name == table &&
-                 !skip_model_by_name?(model_name)
-                models << model_name
-              end
-            else
-              # Model constant doesn't exist yet, but table does - likely a valid model
-              unless skip_model_by_name?(model_name)
-                models << model_name
-              end
-            end
-          rescue => e
-            # Ignore
-          end
-        end
-        # Always include CCCUX engine models for management (but not User since host app owns it)
-        cccux_models = %w[Cccux::Role Cccux::AbilityPermission Cccux::UserRole Cccux::RoleAbility]
-        models += cccux_models
-      rescue => e
-        Rails.logger.warn "Error discovering models: #{e.message}"
-        Rails.logger.warn e.backtrace.join("\n")
+      
+      # Eager load all models to ensure they're available
+      Rails.application.eager_load!
+      
+      # Get all ActiveRecord models from the application
+      ActiveRecord::Base.descendants.each do |model|
+        model_name = model.name
+        
+        # Skip if model should be excluded
+        next if skip_model_by_name?(model_name)
+        
+        # Skip if table doesn't exist or should be excluded
+        table_name = model.table_name
+        next if table_name.blank? || skip_table?(table_name)
+        
+        models << model_name
       end
-      models.uniq.sort
+      
+      # Sort by name for consistency
+      models.sort
     end
-
+    
     def skip_model_by_name?(model_name)
       excluded_patterns = [
-        /^ActiveRecord::/,
-        /^ActiveStorage::/,
-        /^ActionText::/,
-        /^ActionMailbox::/,
-        /^ApplicationRecord$/,
-        /Version$/,
-        /Schema/,
-        /Migration/
+        /^HABTM_/,           # Has and belongs to many join tables
+        /^ActiveRecord::/,    # ActiveRecord internal classes
+        /^ActionText::/,      # ActionText models
+        /^ActiveStorage::/,   # ActiveStorage models
+        /^ActionMailbox::/,   # ActionMailbox models
+        /^Cccux::/,          # CCCUX engine models (we'll handle these separately)
+        /^ApplicationRecord$/, # Base application record
+        /^ApplicationController$/, # Controllers
+        /^ApplicationHelper$/,    # Helpers
+        /^ApplicationMailer$/     # Mailers
       ]
+      
       excluded_patterns.any? { |pattern| model_name.match?(pattern) }
     end
-
+    
     def skip_table?(table_name)
       excluded_tables = [
+        'schema_migrations',
+        'ar_internal_metadata',
         'active_storage_blobs',
         'active_storage_attachments',
-        'active_storage_variant_records',
         'action_text_rich_texts',
         'action_mailbox_inbound_emails',
-        'versions'
+        'action_mailbox_routing_rules'
       ]
-      excluded_tables.include?(table_name) ||
-      table_name.end_with?('_versions')
+      
+      excluded_tables.include?(table_name) || table_name.start_with?('active_storage_') || table_name.start_with?('action_text_')
     end
   end
 end

data/app/controllers/cccux/users_controller.rb

@@ -1,11 +1,15 @@
 class Cccux::UsersController < Cccux::CccuxController
-  # Ensure only Role Managers can access user management
-  before_action :ensure_role_manager
+  # Restore load_and_authorize_resource for User
+  load_and_authorize_resource class: User
   
-  before_action :set_user, only: [:show, :edit, :update, :destroy]
+  # Add simple authentication check - user must be signed in
+  before_action :require_authentication
+  
+  # Remove manual set_user - let load_and_authorize_resource handle it
+  # before_action :set_user, only: [:show, :edit, :update, :destroy]
   
   def index
-    @users = User.includes(:cccux_roles).order(:email)
+    # Do not override @users, let load_and_authorize_resource scope it
     @roles = Cccux::Role.active.order(:name)
   end
   
@@ -102,11 +106,22 @@ class Cccux::UsersController < Cccux::CccuxController
   
   private
   
-  def set_user
-    @user = User.find(params[:id])
+  def require_authentication
+    unless user_signed_in?
+      respond_to do |format|
+        format.html { render plain: "Access denied", status: :forbidden }
+        format.json { render json: { error: 'Access denied' }, status: :forbidden }
+      end
+      return
+    end
   end
   
+  # Remove set_user method - load_and_authorize_resource handles this
+  # def set_user
+  #   @user = User.find(params[:id])
+  # end
+  
   def user_params
-    params.require(:user).permit(:email, :password, :password_confirmation)
+    params.require(:user).permit(:email, :password, :password_confirmation, :first_name, :last_name)
   end
 end 

data/app/controllers/concerns/cccux/application_controller_concern.rb

@@ -13,12 +13,16 @@ module Cccux
       
       # Handle CanCanCan authorization errors gracefully
       rescue_from CanCan::AccessDenied do |exception|
-        redirect_to root_path, alert: 'Access denied.'
+        if Rails.env.test?
+          render plain: "Access denied", status: :forbidden
+        else
+          redirect_to cccux.root_path, alert: 'Access denied.'
+        end
       end
       
       # Handle 404 errors gracefully
       rescue_from ActiveRecord::RecordNotFound do |exception|
-        redirect_to root_path, alert: 'The requested resource was not found.'
+        redirect_to cccux.root_path, alert: 'The requested resource was not found.'
       end
     end
 

data/app/helpers/cccux/authorization_helper.rb

@@ -1,67 +1,79 @@
 module Cccux
   module AuthorizationHelper
     # Link helpers for common actions
+    def link_if_can_with_wrapper(action, subject, text, path, **opts)
+      prepend = opts.delete(:prepend)
+      append = opts.delete(:append)
+      if can?(action, subject)
+        "#{prepend}#{link_to(text, path, **opts)}#{append}".html_safe
+      elsif opts.delete(:show_text)
+        text
+      else
+        ""
+      end
+    end
+
     def link_if_can_index(subject, text, path, **opts)
-      link_to(text, path, **opts) if can?(:index, subject)
+      link_if_can_with_wrapper(:index, subject, text, path, **opts)
     end
 
     def link_if_can_show(subject, text, path, **opts)
-      link_to(text, path, **opts) if can?(:show, subject)
+      link_if_can_with_wrapper(:show, subject, text, path, **opts)
     end
 
     def link_if_can_create(subject, text, path, **opts)
-      link_to(text, path, **opts) if can?(:create, subject)
+      link_if_can_with_wrapper(:create, subject, text, path, **opts)
     end
 
     def link_if_can_edit(subject, text, path, **opts)
-      link_to(text, path, **opts) if can?(:edit, subject)
+      link_if_can_with_wrapper(:edit, subject, text, path, **opts)
     end
 
     def link_if_can_update(subject, text, path, **opts)
-      link_to(text, path, **opts) if can?(:update, subject)
+      link_if_can_with_wrapper(:update, subject, text, path, **opts)
     end
 
     def link_if_can_destroy(subject, text, path, **opts)
-      link_to(text, path, **opts) if can?(:destroy, subject)
+      link_if_can_with_wrapper(:destroy, subject, text, path, **opts)
     end
 
     # Button helpers for common actions
     def button_if_can_index(subject, text, path, **opts)
-      button_to(text, path, **opts) if can?(:index, subject)
+      can?(:index, subject) ? button_to(text, path, **opts) : ""
     end
 
     def button_if_can_show(subject, text, path, **opts)
-      button_to(text, path, **opts) if can?(:show, subject)
+      can?(:show, subject) ? button_to(text, path, **opts) : ""
     end
 
     def button_if_can_create(subject, text, path, **opts)
-      button_to(text, path, **opts) if can?(:create, subject)
+      can?(:create, subject) ? button_to(text, path, **opts) : ""
     end
 
     def button_if_can_edit(subject, text, path, **opts)
-      button_to(text, path, **opts) if can?(:edit, subject)
+      can?(:edit, subject) ? button_to(text, path, **opts) : ""
     end
 
     def button_if_can_update(subject, text, path, **opts)
-      button_to(text, path, **opts) if can?(:update, subject)
+      can?(:update, subject) ? button_to(text, path, **opts) : ""
     end
 
     def button_if_can_destroy(subject, text, path, **opts)
-      button_to(text, path, **opts) if can?(:destroy, subject)
+      can?(:destroy, subject) ? button_to(text, path, **opts) : ""
     end
 
     # Generic action helpers
     def link_if_can(action, subject, text, path, **opts)
-      link_to(text, path, **opts) if can?(action, subject)
+      can?(action, subject) ? link_to(text, path, **opts) : ""
     end
 
     def button_if_can(action, subject, text, path, **opts)
-      button_to(text, path, **opts) if can?(action, subject)
+      can?(action, subject) ? button_to(text, path, **opts) : ""
     end
 
     # Content helpers for conditional rendering
     def content_if_can(action, subject, &block)
-      capture(&block) if can?(action, subject)
+      can?(action, subject) ? capture(&block) : ""
     end
 
     def content_if_can_index(subject, &block)
@@ -90,15 +102,11 @@ module Cccux
 
     # Icon helpers (useful for action buttons)
     def icon_link_if_can(action, subject, icon_class, text, path, **opts)
-      link_to(path, **opts) do
-        content_tag(:i, '', class: icon_class) + ' ' + text
-      end if can?(action, subject)
+      can?(action, subject) ? link_to(path, **opts) { content_tag(:i, '', class: icon_class) + ' ' + text } : ""
     end
 
     def icon_button_if_can(action, subject, icon_class, text, path, **opts)
-      button_to(path, **opts) do
-        content_tag(:i, '', class: icon_class) + ' ' + text
-      end if can?(action, subject)
+      can?(action, subject) ? button_to(path, **opts) { content_tag(:i, '', class: icon_class) + ' ' + text } : ""
     end
 
     # Common action button helpers with icons

data/app/models/cccux/ability.rb

@@ -2,9 +2,9 @@
 
 module Cccux
   class Ability
-    include CanCan::Ability
+  include CanCan::Ability
 
-    def initialize(user, context = nil)
+  def initialize(user, context = nil)
       user ||= User.new # guest user (not logged in)
       @context = context || {}
       
@@ -60,24 +60,33 @@ module Cccux
     def apply_access_ability(role_ability, permission, model_class, user)
       action = permission.action.to_sym
       
+      # Handle action aliases (read includes show and index)
+      actions_to_grant = case action
+      when :read
+        [:read, :show, :index]
+      when :update
+        [:update, :edit]
+      when :create
+        [:create, :new]
+      when :destroy
+        [:destroy, :delete]
+      else
+        [action]
+      end
+      
       # For User resource, keep owned logic for now
       if permission.subject == 'User'
-        if role_ability.context == 'owned' || (role_ability.owned && user&.persisted?)
-          apply_owned_ability(action, model_class, user, role_ability)
+        if role_ability.context == 'owned' || role_ability.owned
+          actions_to_grant.each { |act| apply_owned_ability(act, model_class, user, role_ability) }
         else
-          can action, model_class
+          actions_to_grant.each { |act| can act, model_class }
         end
       else
-        # For all other resources, use global/owned (contextual is now handled by owned with configuration)
-        case role_ability.access_type
-        when 'global'
-          can action, model_class
-        when 'owned'
-          apply_owned_ability(action, model_class, user, role_ability)
+        # For all other resources, use global/owned logic based on context field
+        if role_ability.context == 'owned' || role_ability.owned
+          actions_to_grant.each { |act| apply_owned_ability(act, model_class, user, role_ability) }
         else
-          # Default: deny access if access_type is not recognized
-          Rails.logger.warn "CCCUX: Unknown access_type '#{role_ability.access_type}' for #{model_class.name}, denying access"
-          # Don't grant any permissions - CanCanCan denies by default
+          actions_to_grant.each { |act| can act, model_class }
         end
       end
     end
@@ -89,13 +98,31 @@ module Cccux
         if ownership_model && user&.persisted?
           # Parse conditions (should be a JSON string or nil)
           conditions = role_ability.ownership_conditions.present? ? JSON.parse(role_ability.ownership_conditions) : {}
-          foreign_key = conditions["foreign_key"] || (model_class.name.foreign_key)
+          foreign_key = conditions["foreign_key"]
           user_key = conditions["user_key"] || "user_id"
-          # Find all records owned by user via the join model
-          owned_ids = ownership_model.where(user_key => user.id).pluck(foreign_key)
-          can action, model_class, id: owned_ids if owned_ids.any?
+          
+          # Require foreign_key to be explicitly specified when using ownership model
+          if foreign_key.present?
+            # Find all records owned by user via the join model
+            owned_ids = ownership_model.where(user_key => user.id).pluck(foreign_key)
+            if owned_ids.any?
+              # Check if the target model has the foreign key column
+              if model_class.column_names.include?(foreign_key)
+                # Direct ownership: model has the foreign key (e.g., Comment has post_id)
+                can action, model_class, foreign_key.to_sym => owned_ids
+              else
+                # Indirect ownership: model doesn't have the foreign key, use primary key
+                # This means the foreign key in the join table refers to the target model's primary key
+                can action, model_class, id: owned_ids
+              end
+            else
+              can action, model_class, id: []
+            end
+          else
+            # Fall back to no access if foreign_key is not specified
+            can action, model_class, id: []
+          end
         else
-          Rails.logger.warn "CCCUX: Invalid ownership_source #{role_ability.ownership_source} for #{model_class.name}"
           can action, model_class, id: []
         end
       # 2. Model custom owned_by?
@@ -112,30 +139,54 @@ module Cccux
         else
           can action, model_class, scoped_records
         end
-      # 4. Standard user_id
+      # 4. Special case for User model (self-ownership)
+      elsif model_class == User
+        can action, model_class, id: user.id
+      # 5. Standard user_id
       elsif model_class.column_names.include?('user_id')
         can action, model_class, user_id: user.id
-      # 5. Standard creator_id
+      # 6. Standard creator_id
       elsif model_class.column_names.include?('creator_id')
         can action, model_class, creator_id: user.id
+      # 7. Dynamic ownership check for individual records
       else
-        # Default: deny access when no ownership pattern is found
-        Rails.logger.warn "CCCUX: No ownership pattern found for #{model_class.name}, denying access"
-        # Don't grant any permissions - CanCanCan denies by default
+        # For cases where we need to check individual record attributes
+        can action, model_class do |record|
+          if record.respond_to?(:creator_id)
+            record.creator_id == user.id
+          elsif record.respond_to?(:user_id)
+            record.user_id == user.id
+          else
+            false
+          end
+        end
       end
     end
 
     def resolve_model_class(subject)
-      # Handle namespaced models
-      if subject.include?('::')
-        subject.constantize
+      # Try to resolve the model class in a robust way
+      candidates = []
+      if subject.include?("::")
+        candidates << subject
+        candidates << subject.split("::").last
       else
-        # Try to find the model in the host app
-        Object.const_get(subject)
+        candidates << subject
+        candidates << "Cccux::#{subject}"
+      
+      end
+      
+      # Add more candidates for common patterns
+      candidates << subject.split("::").last if subject.include?("::")
+      candidates << subject.gsub("Cccux::", "") if subject.start_with?("Cccux::")
+      
+      candidates.each do |candidate|
+        begin
+          klass = candidate.constantize
+          return klass
+        rescue NameError => e
+          next
+        end
       end
-    rescue NameError
-      # If the model doesn't exist, we can't define permissions for it
-      Rails.logger.warn "CCCUX: Model '#{subject}' not found, skipping permission"
       nil
     end
   end

data/app/models/cccux/ability_permission.rb

@@ -12,6 +12,9 @@ module Cccux
     scope :for_subject, ->(subject) { where(subject: subject) }
     scope :for_action, ->(action) { where(action: action) }
     
+    # Ensure all permissions are created as active by default
+    before_create :ensure_active
+    
     def display_name
       "#{action.humanize} #{subject}"
     end
@@ -57,5 +60,11 @@ module Cccux
       klass.column_names.include?('user_id') ||
       klass.column_names.include?('creator_id')
     end
+    
+    private
+    
+    def ensure_active
+      self.active = true if active.nil?
+    end
   end
 end

data/app/models/cccux/post.rb

@@ -0,0 +1,5 @@
+module Cccux
+  class Post < ApplicationRecord
+    belongs_to :user
+  end
+end

data/app/models/cccux/role.rb

@@ -9,10 +9,11 @@ module Cccux
     has_many :role_abilities, dependent: :destroy, class_name: 'Cccux::RoleAbility'
     has_many :ability_permissions, through: :role_abilities, class_name: 'Cccux::AbilityPermission'
     
-    validates :name, presence: true, uniqueness: true
+    validates :name, presence: true
     validates :priority, presence: true, numericality: { only_integer: true, greater_than: 0 }
     
     after_initialize :set_default_priority, if: :new_record?
+    validate :name_uniqueness_case_insensitive
     
     scope :active, -> { where(active: true) }
     scope :ordered, -> { order(:priority, :name) }
@@ -81,6 +82,23 @@ module Cccux
       end
     end
     
+    # Generate slug from name
+    def slug
+      name.parameterize.underscore if name.present?
+    end
+    
+    # Case insensitive name validation
+    def name_uniqueness_case_insensitive
+      return unless name.present?
+      
+      existing_role = self.class.where('LOWER(name) = ?', name.downcase)
+      existing_role = existing_role.where.not(id: id) if persisted?
+      
+      if existing_role.exists?
+        errors.add(:name, 'has already been taken')
+      end
+    end
+    
     private
     
     def set_default_priority

data/app/models/cccux/role_ability.rb

@@ -5,6 +5,9 @@ module Cccux
     belongs_to :role, class_name: 'Cccux::Role'
     belongs_to :ability_permission, class_name: 'Cccux::AbilityPermission'
     
+    # Delegate methods to ability_permission
+    delegate :action, :subject, :active?, to: :ability_permission, allow_nil: true
+    
     # Simplified access types: global, owned
     ACCESS_TYPES = %w[global owned].freeze
     

data/app/models/concerns/cccux/user_concern.rb

@@ -9,13 +9,16 @@ module Cccux
       has_many :cccux_user_roles, class_name: 'Cccux::UserRole', dependent: :destroy
       has_many :cccux_roles, through: :cccux_user_roles, source: :role, class_name: 'Cccux::Role'
       
+      # Alias for easier access
+      alias_method :roles, :cccux_roles
+      
       # Automatically assign Basic User role to new users
       after_create :assign_default_role
     end
 
     # Instance methods for user authorization
     def has_role?(role_name)
-      cccux_roles.active.exists?(name: role_name)
+      cccux_user_roles.active.joins(:role).where(cccux_roles: { name: role_name }).exists?
     end
 
     def has_any_role?(*role_names)
@@ -59,7 +62,7 @@ module Cccux
     end
 
     def role_names
-      cccux_roles.active.pluck(:name)
+      cccux_user_roles.active.joins(:role).pluck('cccux_roles.name')
     end
 
     def highest_priority_role