cccux 0.1.0

data/app/controllers/cccux/roles_controller.rb

@@ -0,0 +1,290 @@
+module Cccux
+  class RolesController < CccuxController
+    # Ensure only Role Managers can access role management
+    before_action :ensure_role_manager
+    # Skip authorization for model_columns since it's just a helper endpoint
+    skip_authorization_check only: [:model_columns]
+
+    before_action :set_role, only: [:show, :edit, :update, :destroy]
+    
+    def index
+      @roles = Cccux::Role.includes(:ability_permissions, :users)
+                         .order(:priority, :name)
+    end
+    
+    def show
+      @permission_matrix = build_permission_matrix
+      @users_with_role = @role.users
+    end
+    
+    def new
+      @role = Cccux::Role.new(priority: 50)
+    end
+    
+    def create
+      @role = Cccux::Role.new(role_params)
+      
+      respond_to do |format|
+        if @role.save
+          format.turbo_stream do
+            render turbo_stream: [
+              turbo_stream.update("new_role_form", ""),
+              turbo_stream.append("roles_list", partial: "role", locals: { role: @role }),
+              turbo_stream.update("flash", partial: "flash", locals: { notice: "Role was successfully created." })
+            ]
+          end
+          format.html { redirect_to cccux.role_path(@role), notice: 'Role was successfully created.' }
+        else
+          format.turbo_stream do
+            render turbo_stream: turbo_stream.update("new_role_form", 
+              partial: "form", locals: { role: @role })
+          end
+          format.html { render :new, status: :unprocessable_entity }
+        end
+      end
+    end
+    
+    def edit
+      @permission_matrix = build_permission_matrix
+      @available_permissions = Cccux::AbilityPermission.all.group_by(&:subject)
+      @available_ownership_models = discover_application_models
+    end
+    
+    def update
+      @available_ownership_models = discover_application_models
+      if @role.update(role_params)
+        update_permissions
+        redirect_to cccux.roles_path, notice: 'Role was successfully updated.'
+      else
+        @permission_matrix = build_permission_matrix
+        @available_permissions = Cccux::AbilityPermission.all.group_by(&:subject)
+        render :edit, status: :unprocessable_entity
+      end
+    end
+    
+    def destroy
+      respond_to do |format|
+        if @role.users.any?
+          format.turbo_stream do
+            render turbo_stream: turbo_stream.update("flash", 
+              partial: "flash", locals: { alert: "Cannot delete role that has users assigned to it." })
+          end
+          format.html { redirect_to cccux.roles_path, alert: 'Cannot delete role that has users assigned to it.' }
+        else
+          @role.destroy
+          format.turbo_stream do
+            render turbo_stream: [
+              turbo_stream.remove("role_#{@role.id}"),
+              turbo_stream.update("flash", partial: "flash", locals: { notice: "Role was successfully deleted." })
+            ]
+          end
+          format.html { redirect_to cccux.roles_path, notice: 'Role was successfully deleted.' }
+        end
+      end
+    end
+    
+    def permissions
+      @permission_matrix = build_permission_matrix
+    end
+    
+    def reorder
+      role_ids = params[:role_ids]
+      
+      if role_ids.present?
+        # Update priorities based on order (first item gets priority 1, second gets 10, etc.)
+        role_ids.each_with_index do |role_id, index|
+          role = Cccux::Role.find(role_id)
+          new_priority = (index + 1) * 10  # 10, 20, 30, 40, etc.
+          role.update!(priority: new_priority)
+        end
+        
+        render json: { success: true, message: 'Role priorities updated successfully' }
+      else
+        render json: { success: false, error: 'No role order provided' }, status: :bad_request
+      end
+    rescue StandardError => e
+      render json: { success: false, error: e.message }, status: :unprocessable_entity
+    end
+    
+    def model_columns
+      model_name = params[:model]
+      Rails.logger.info "CCCUX: Fetching columns for model: #{model_name}"
+      
+      begin
+        model_class = model_name.constantize
+        columns = model_class.column_names
+        Rails.logger.info "CCCUX: Found columns for #{model_name}: #{columns.inspect}"
+        render json: { columns: columns }
+      rescue NameError => e
+        Rails.logger.warn "CCCUX: Model not found: #{model_name}"
+        render json: { columns: [], error: "Model '#{model_name}' not found" }, status: 422
+      rescue => e
+        Rails.logger.error "CCCUX: Error fetching columns for #{model_name}: #{e.message}"
+        render json: { columns: [], error: e.message }, status: 422
+      end
+    end
+    
+    private
+    
+    def set_role
+      @role = Cccux::Role.find(params[:id])
+    end
+    
+    def build_permission_matrix
+      subjects = Cccux::AbilityPermission.distinct.pluck(:subject).sort
+      actions = Cccux::AbilityPermission.distinct.pluck(:action).sort
+      
+      matrix = {}
+      subjects.each do |subject|
+        matrix[subject] = {}
+        actions.each do |action|
+          permission = Cccux::AbilityPermission.find_by(action: action, subject: subject)
+          matrix[subject][action] = {
+            permission: permission,
+            granted: permission && @role.ability_permissions.include?(permission)
+          }
+        end
+      end
+      matrix
+    end
+    
+    def update_permissions
+      permission_ids = params[:role][:ability_permission_ids] || []
+      permission_access_type = params[:role][:permission_access_type] || {}
+      ownership_source = params[:role][:ownership_source] || {}
+      ownership_foreign_key = params[:role][:ownership_foreign_key] || {}
+      ownership_user_key = params[:role][:ownership_user_key] || {}
+      
+      # Get selected permissions
+      selected_permissions = Cccux::AbilityPermission.where(id: permission_ids)
+      
+      # Remove permissions that are no longer selected
+      @role.role_abilities.where.not(ability_permission: selected_permissions).destroy_all
+      
+      # Update or create role abilities with access type settings
+      selected_permissions.each do |permission|
+        # Determine access type for this specific permission
+        # Default to 'global' for backward compatibility
+        access_type = permission_access_type[permission.id.to_s] || 'global'
+        
+        # Convert access_type to owned/context attributes
+        case access_type
+        when 'owned'
+          is_owned = true
+          context_value = 'owned'
+        else # 'global'
+          is_owned = false
+          context_value = 'global'
+        end
+        
+        # Find existing role ability or create new one
+        role_ability = @role.role_abilities.find_or_initialize_by(ability_permission: permission)
+        role_ability.owned = is_owned
+        role_ability.context = context_value
+        
+        # Handle ownership configuration for 'owned' access type
+        if access_type == 'owned'
+          # Set ownership source if provided
+          if ownership_source[permission.id.to_s].present?
+            role_ability.ownership_source = ownership_source[permission.id.to_s]
+          else
+            role_ability.ownership_source = nil
+          end
+          
+          # Build ownership conditions JSON
+          conditions = {}
+          if ownership_foreign_key[permission.id.to_s].present?
+            conditions["foreign_key"] = ownership_foreign_key[permission.id.to_s]
+          end
+          if ownership_user_key[permission.id.to_s].present?
+            conditions["user_key"] = ownership_user_key[permission.id.to_s]
+          end
+          
+          if conditions.any?
+            role_ability.ownership_conditions = conditions.to_json
+          else
+            role_ability.ownership_conditions = nil
+          end
+        else
+          # Clear ownership configuration for non-owned access types
+          role_ability.ownership_source = nil
+          role_ability.ownership_conditions = nil
+        end
+        
+        role_ability.save!
+      end
+    end
+    
+    def role_params
+      params.require(:role).permit(:name, :description, :active, :priority)
+    end
+
+    def discover_application_models
+      models = []
+      begin
+        # Direct approach: Get models from database tables (bypasses all autoloading issues)
+        application_tables = ActiveRecord::Base.connection.tables.reject do |table|
+          # Skip Rails internal tables and CCCUX tables
+          table.start_with?('schema_migrations', 'ar_internal_metadata', 'cccux_') ||
+          skip_table?(table)
+        end
+        application_tables.each do |table|
+          # Convert table name to model name
+          model_name = table.singularize.camelize
+          # Verify the model exists and is valid
+          begin
+            if Object.const_defined?(model_name)
+              model_class = Object.const_get(model_name)
+              if model_class.respond_to?(:table_name) && 
+                 model_class.table_name == table &&
+                 !skip_model_by_name?(model_name)
+                models << model_name
+              end
+            else
+              # Model constant doesn't exist yet, but table does - likely a valid model
+              unless skip_model_by_name?(model_name)
+                models << model_name
+              end
+            end
+          rescue => e
+            # Ignore
+          end
+        end
+        # Always include CCCUX engine models for management (but not User since host app owns it)
+        cccux_models = %w[Cccux::Role Cccux::AbilityPermission Cccux::UserRole Cccux::RoleAbility]
+        models += cccux_models
+      rescue => e
+        Rails.logger.warn "Error discovering models: #{e.message}"
+        Rails.logger.warn e.backtrace.join("\n")
+      end
+      models.uniq.sort
+    end
+
+    def skip_model_by_name?(model_name)
+      excluded_patterns = [
+        /^ActiveRecord::/,
+        /^ActiveStorage::/,
+        /^ActionText::/,
+        /^ActionMailbox::/,
+        /^ApplicationRecord$/,
+        /Version$/,
+        /Schema/,
+        /Migration/
+      ]
+      excluded_patterns.any? { |pattern| model_name.match?(pattern) }
+    end
+
+    def skip_table?(table_name)
+      excluded_tables = [
+        'active_storage_blobs',
+        'active_storage_attachments',
+        'active_storage_variant_records',
+        'action_text_rich_texts',
+        'action_mailbox_inbound_emails',
+        'versions'
+      ]
+      excluded_tables.include?(table_name) ||
+      table_name.end_with?('_versions')
+    end
+  end
+end

data/app/controllers/cccux/simple_controller.rb

@@ -0,0 +1,7 @@
+module Cccux
+  class SimpleController < ApplicationController
+    def index
+      render plain: "CCCUX Engine is working! Time: #{Time.current}"
+    end
+  end
+end 

data/app/controllers/cccux/users_controller.rb

@@ -0,0 +1,112 @@
+class Cccux::UsersController < Cccux::CccuxController
+  # Ensure only Role Managers can access user management
+  before_action :ensure_role_manager
+  
+  before_action :set_user, only: [:show, :edit, :update, :destroy]
+  
+  def index
+    @users = User.includes(:cccux_roles).order(:email)
+    @roles = Cccux::Role.active.order(:name)
+  end
+  
+  def show
+    @user_roles = @user.cccux_roles.includes(:ability_permissions)
+    @available_roles = Cccux::Role.active.where.not(id: @user.cccux_roles.pluck(:id))
+  end
+  
+  def new
+    @user = User.new
+    @roles = Cccux::Role.active.order(:name)
+  end
+  
+  def create
+    @user = User.new(user_params)
+    
+    if @user.save
+      # Assign selected roles
+      if params[:user][:role_ids].present?
+        params[:user][:role_ids].reject(&:blank?).each do |role_id|
+          role = Cccux::Role.find(role_id)
+          @user.assign_role(role)
+        end
+      end
+      
+      redirect_to cccux.user_path(@user), notice: 'User was successfully created.'
+    else
+      @roles = Cccux::Role.active.order(:name)
+      render :new, status: :unprocessable_entity
+    end
+  end
+  
+  def edit
+    @available_roles = Cccux::Role.active.order(:name)
+    @user_role_ids = @user.cccux_roles.pluck(:id)
+  end
+  
+  def update
+    # Handle password updates - remove blank password fields
+    update_params = user_params
+    if update_params[:password].blank?
+      update_params = update_params.except(:password, :password_confirmation)
+    end
+    
+    if @user.update(update_params)
+      # Update role assignments
+      if params[:user][:role_ids]
+        # Remove all current roles
+        @user.cccux_user_roles.destroy_all
+        
+        # Add selected roles
+        params[:user][:role_ids].reject(&:blank?).each do |role_id|
+          role = Cccux::Role.find(role_id)
+          @user.assign_role(role)
+        end
+      end
+      
+      redirect_to cccux.user_path(@user), notice: 'User was successfully updated.'
+    else
+      @available_roles = Cccux::Role.active.order(:name)
+      @user_role_ids = @user.cccux_roles.pluck(:id)
+      render :edit, status: :unprocessable_entity
+    end
+  end
+  
+  def destroy
+    @user.destroy
+    redirect_to cccux.users_path, notice: 'User was successfully deleted.'
+  end
+  
+  # AJAX endpoint for role assignment
+  def assign_role
+    @user = User.find(params[:id])
+    role = Cccux::Role.find(params[:role_id])
+    
+    if @user.assign_role(role)
+      render json: { status: 'success', message: "#{role.name} role assigned to #{@user.email}" }
+    else
+      render json: { status: 'error', message: 'Failed to assign role' }
+    end
+  end
+  
+  # AJAX endpoint for role removal
+  def remove_role
+    @user = User.find(params[:id])
+    role = Cccux::Role.find(params[:role_id])
+    
+    if @user.remove_role(role)
+      render json: { status: 'success', message: "#{role.name} role removed from #{@user.email}" }
+    else
+      render json: { status: 'error', message: 'Failed to remove role' }
+    end
+  end
+  
+  private
+  
+  def set_user
+    @user = User.find(params[:id])
+  end
+  
+  def user_params
+    params.require(:user).permit(:email, :password, :password_confirmation)
+  end
+end 

data/app/controllers/concerns/cccux/application_controller_concern.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Cccux
+  module ApplicationControllerConcern
+    extend ActiveSupport::Concern
+
+    included do
+      # CanCanCan integration for authorization
+      include CanCan::ControllerAdditions
+      
+      # Include CCCUX helpers for views
+      helper Cccux::AuthorizationHelper
+      
+      # Handle CanCanCan authorization errors gracefully
+      rescue_from CanCan::AccessDenied do |exception|
+        redirect_to root_path, alert: 'Access denied.'
+      end
+      
+      # Handle 404 errors gracefully
+      rescue_from ActiveRecord::RecordNotFound do |exception|
+        redirect_to root_path, alert: 'The requested resource was not found.'
+      end
+    end
+
+    protected
+    
+    # Override current_ability to use CCCUX Ability class
+    def current_ability
+      @current_ability ||= Cccux::Ability.new(current_user)
+    end
+  end
+end 

data/app/helpers/cccux/application_helper.rb

@@ -0,0 +1,4 @@
+module Cccux
+  module ApplicationHelper
+  end
+end

data/app/helpers/cccux/authorization_helper.rb

@@ -0,0 +1,228 @@
+module Cccux
+  module AuthorizationHelper
+    # Link helpers for common actions
+    def link_if_can_index(subject, text, path, **opts)
+      link_to(text, path, **opts) if can?(:index, subject)
+    end
+
+    def link_if_can_show(subject, text, path, **opts)
+      link_to(text, path, **opts) if can?(:show, subject)
+    end
+
+    def link_if_can_create(subject, text, path, **opts)
+      link_to(text, path, **opts) if can?(:create, subject)
+    end
+
+    def link_if_can_edit(subject, text, path, **opts)
+      link_to(text, path, **opts) if can?(:edit, subject)
+    end
+
+    def link_if_can_update(subject, text, path, **opts)
+      link_to(text, path, **opts) if can?(:update, subject)
+    end
+
+    def link_if_can_destroy(subject, text, path, **opts)
+      link_to(text, path, **opts) if can?(:destroy, subject)
+    end
+
+    # Button helpers for common actions
+    def button_if_can_index(subject, text, path, **opts)
+      button_to(text, path, **opts) if can?(:index, subject)
+    end
+
+    def button_if_can_show(subject, text, path, **opts)
+      button_to(text, path, **opts) if can?(:show, subject)
+    end
+
+    def button_if_can_create(subject, text, path, **opts)
+      button_to(text, path, **opts) if can?(:create, subject)
+    end
+
+    def button_if_can_edit(subject, text, path, **opts)
+      button_to(text, path, **opts) if can?(:edit, subject)
+    end
+
+    def button_if_can_update(subject, text, path, **opts)
+      button_to(text, path, **opts) if can?(:update, subject)
+    end
+
+    def button_if_can_destroy(subject, text, path, **opts)
+      button_to(text, path, **opts) if can?(:destroy, subject)
+    end
+
+    # Generic action helpers
+    def link_if_can(action, subject, text, path, **opts)
+      link_to(text, path, **opts) if can?(action, subject)
+    end
+
+    def button_if_can(action, subject, text, path, **opts)
+      button_to(text, path, **opts) if can?(action, subject)
+    end
+
+    # Content helpers for conditional rendering
+    def content_if_can(action, subject, &block)
+      capture(&block) if can?(action, subject)
+    end
+
+    def content_if_can_index(subject, &block)
+      content_if_can(:index, subject, &block)
+    end
+
+    def content_if_can_show(subject, &block)
+      content_if_can(:show, subject, &block)
+    end
+
+    def content_if_can_create(subject, &block)
+      content_if_can(:create, subject, &block)
+    end
+
+    def content_if_can_edit(subject, &block)
+      content_if_can(:edit, subject, &block)
+    end
+
+    def content_if_can_update(subject, &block)
+      content_if_can(:update, subject, &block)
+    end
+
+    def content_if_can_destroy(subject, &block)
+      content_if_can(:destroy, subject, &block)
+    end
+
+    # Icon helpers (useful for action buttons)
+    def icon_link_if_can(action, subject, icon_class, text, path, **opts)
+      link_to(path, **opts) do
+        content_tag(:i, '', class: icon_class) + ' ' + text
+      end if can?(action, subject)
+    end
+
+    def icon_button_if_can(action, subject, icon_class, text, path, **opts)
+      button_to(path, **opts) do
+        content_tag(:i, '', class: icon_class) + ' ' + text
+      end if can?(action, subject)
+    end
+
+    # Common action button helpers with icons
+    def new_button_if_can(subject, text = "New #{subject.name.underscore.humanize}", path = nil, **opts)
+      path ||= "new_#{subject.name.underscore}_path"
+      icon_button_if_can(:create, subject, 'fas fa-plus', text, path, **opts)
+    end
+
+    def edit_button_if_can(subject, text = "Edit", path = nil, **opts)
+      path ||= "edit_#{subject.name.underscore}_path(subject)"
+      icon_button_if_can(:edit, subject, 'fas fa-edit', text, path, **opts)
+    end
+
+    def delete_button_if_can(subject, text = "Delete", path = nil, **opts)
+      path ||= "#{subject.name.underscore}_path(subject)"
+      opts[:method] ||= :delete
+      opts[:data] ||= {}
+      opts[:data][:confirm] ||= "Are you sure?"
+      icon_button_if_can(:destroy, subject, 'fas fa-trash', text, path, **opts)
+    end
+
+    def view_button_if_can(subject, text = "View", path = nil, **opts)
+      path ||= "#{subject.name.underscore}_path(subject)"
+      icon_button_if_can(:show, subject, 'fas fa-eye', text, path, **opts)
+    end
+
+    # Table action helpers
+    def table_actions_if_can(subject, record, **opts)
+      content_if_can(:show, subject) do
+        content_tag(:div, class: 'table-actions') do
+          safe_join([
+            view_button_if_can(subject, "View", "#{subject.name.underscore}_path(record)", **opts),
+            edit_button_if_can(subject, "Edit", "edit_#{subject.name.underscore}_path(record)", **opts),
+            delete_button_if_can(subject, "Delete", "#{subject.name.underscore}_path(record)", **opts)
+          ].compact)
+        end
+      end
+    end
+
+    # Permission check helpers
+    def can_index?(subject)
+      can?(:index, subject)
+    end
+
+    def can_show?(subject)
+      can?(:show, subject)
+    end
+
+    def can_create?(subject)
+      can?(:create, subject)
+    end
+
+    def can_edit?(subject)
+      can?(:edit, subject)
+    end
+
+    def can_update?(subject)
+      can?(:update, subject)
+    end
+
+    def can_destroy?(subject)
+      can?(:destroy, subject)
+    end
+
+    # Check if user can perform action on resource in global context
+    def can_in_global_context?(action, resource)
+      current_ability.can?(action, resource) && 
+        has_context_permission?(action, resource.class, 'global')
+    end
+    
+    # Check if user can perform action on resource in owned context
+    def can_in_owned_context?(action, resource)
+      current_ability.can?(action, resource) && 
+        has_context_permission?(action, resource.class, 'owned')
+    end
+    
+    # Check if user can perform action on resource in scoped context
+    def can_in_scoped_context?(action, resource)
+      current_ability.can?(action, resource) && 
+        has_context_permission?(action, resource.class, 'scoped')
+    end
+    
+    # Check if user can access the current route context
+    def can_access_current_context?(action, resource_class)
+      context = determine_current_context
+      case context
+      when 'global'
+        can_in_global_context?(action, resource_class)
+      when 'owned'
+        can_in_owned_context?(action, resource_class)
+      when 'scoped'
+        can_in_scoped_context?(action, resource_class)
+      else
+        current_ability.can?(action, resource_class)
+      end
+    end
+    
+    # Determine the current route context
+    def determine_current_context
+      # Check if we're in a nested route (e.g., /store/1/orders)
+      if params[:store_id].present?
+        'scoped'
+      elsif params[:user_id].present?
+        'owned'
+      else
+        'global'
+      end
+    end
+    
+    private
+    
+    def has_context_permission?(action, resource_class, context)
+      return false unless current_user&.persisted?
+      
+      # Check if user has the permission in the specified context
+      user_roles = Cccux::UserRole.active.for_user(current_user).includes(:role)
+      
+      user_roles.any? do |user_role|
+        role = user_role.role
+        role.role_abilities.joins(:ability_permission)
+            .where(cccux_ability_permissions: { action: action, subject: resource_class.name, active: true })
+            .where(context: context)
+            .exists?
+      end
+    end
+  end
+end 

data/app/jobs/cccux/application_job.rb

@@ -0,0 +1,4 @@
+module Cccux
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/cccux/application_mailer.rb

@@ -0,0 +1,6 @@
+module Cccux
+  class ApplicationMailer < ActionMailer::Base
+    default from: "from@example.com"
+    layout "mailer"
+  end
+end