cccux 0.1.0

data/app/models/cccux/ability.rb

@@ -0,0 +1,142 @@
+# frozen_string_literal: true
+
+module Cccux
+  class Ability
+    include CanCan::Ability
+
+    def initialize(user, context = nil)
+      user ||= User.new # guest user (not logged in)
+      @context = context || {}
+      
+      # Track which permissions have been defined to avoid conflicts
+      @defined_permissions = Set.new
+      
+      if user.persisted?
+        # Authenticated user - use their assigned roles in priority order
+        user_roles = Cccux::UserRole.active.for_user(user).includes(:role).joins(:role).order('cccux_roles.priority DESC')
+        user_roles.each do |user_role|
+          role = user_role.role
+          apply_role_abilities(role, user)
+        end
+      else
+        # Guest user (not logged in) - use "Guest" role permissions
+        guest_role = Cccux::Role.find_by(name: 'Guest')
+        if guest_role
+          apply_role_abilities(guest_role, user)
+        end
+      end
+    end
+
+    private
+
+    def apply_role_abilities(role, user)
+      return unless role
+
+      # Get all abilities for this role
+      role_abilities = Cccux::RoleAbility.includes(:ability_permission)
+                                        .where(role: role)
+                                        .joins(:ability_permission)
+                                        .where(cccux_ability_permissions: { active: true })
+      
+      role_abilities.each do |role_ability|
+        permission = role_ability.ability_permission
+        
+        # Determine the model class
+        model_class = resolve_model_class(permission.subject)
+        next unless model_class
+        
+        # Check if this permission has already been defined by a higher priority role
+        permission_key = "#{permission.action}:#{permission.subject}:#{role_ability.context}"
+        next if @defined_permissions.include?(permission_key)
+        
+        # Mark this permission as defined
+        @defined_permissions.add(permission_key)
+        
+        # Define the ability based on context and ownership
+        apply_access_ability(role_ability, permission, model_class, user)
+      end
+    end
+    
+    def apply_access_ability(role_ability, permission, model_class, user)
+      action = permission.action.to_sym
+      
+      # For User resource, keep owned logic for now
+      if permission.subject == 'User'
+        if role_ability.context == 'owned' || (role_ability.owned && user&.persisted?)
+          apply_owned_ability(action, model_class, user, role_ability)
+        else
+          can action, model_class
+        end
+      else
+        # For all other resources, use global/owned (contextual is now handled by owned with configuration)
+        case role_ability.access_type
+        when 'global'
+          can action, model_class
+        when 'owned'
+          apply_owned_ability(action, model_class, user, role_ability)
+        else
+          # Default: deny access if access_type is not recognized
+          Rails.logger.warn "CCCUX: Unknown access_type '#{role_ability.access_type}' for #{model_class.name}, denying access"
+          # Don't grant any permissions - CanCanCan denies by default
+        end
+      end
+    end
+    
+    def apply_owned_ability(action, model_class, user, role_ability = nil)
+      # 1. Dynamic ownership configuration
+      if role_ability && role_ability.ownership_source.present?
+        ownership_model = role_ability.ownership_source.constantize rescue nil
+        if ownership_model && user&.persisted?
+          # Parse conditions (should be a JSON string or nil)
+          conditions = role_ability.ownership_conditions.present? ? JSON.parse(role_ability.ownership_conditions) : {}
+          foreign_key = conditions["foreign_key"] || (model_class.name.foreign_key)
+          user_key = conditions["user_key"] || "user_id"
+          # Find all records owned by user via the join model
+          owned_ids = ownership_model.where(user_key => user.id).pluck(foreign_key)
+          can action, model_class, id: owned_ids if owned_ids.any?
+        else
+          Rails.logger.warn "CCCUX: Invalid ownership_source #{role_ability.ownership_source} for #{model_class.name}"
+          can action, model_class, id: []
+        end
+      # 2. Model custom owned_by?
+      elsif model_class.respond_to?(:owned_by?)
+        can action, model_class do |record|
+          record.owned_by?(user)
+        end
+      # 3. Model custom scoped_for_user
+      elsif model_class.respond_to?(:scoped_for_user)
+        scoped_records = model_class.scoped_for_user(user)
+        if scoped_records.is_a?(ActiveRecord::Relation)
+          ids = scoped_records.pluck(:id)
+          can action, model_class, id: ids if ids.any?
+        else
+          can action, model_class, scoped_records
+        end
+      # 4. Standard user_id
+      elsif model_class.column_names.include?('user_id')
+        can action, model_class, user_id: user.id
+      # 5. Standard creator_id
+      elsif model_class.column_names.include?('creator_id')
+        can action, model_class, creator_id: user.id
+      else
+        # Default: deny access when no ownership pattern is found
+        Rails.logger.warn "CCCUX: No ownership pattern found for #{model_class.name}, denying access"
+        # Don't grant any permissions - CanCanCan denies by default
+      end
+    end
+
+    def resolve_model_class(subject)
+      # Handle namespaced models
+      if subject.include?('::')
+        subject.constantize
+      else
+        # Try to find the model in the host app
+        Object.const_get(subject)
+      end
+    rescue NameError
+      # If the model doesn't exist, we can't define permissions for it
+      Rails.logger.warn "CCCUX: Model '#{subject}' not found, skipping permission"
+      nil
+    end
+  end
+end

data/app/models/cccux/ability_permission.rb

@@ -0,0 +1,61 @@
+module Cccux
+  class AbilityPermission < ApplicationRecord
+    self.table_name = 'cccux_ability_permissions'
+    
+    has_many :role_abilities, dependent: :destroy, class_name: 'Cccux::RoleAbility'
+    has_many :roles, through: :role_abilities, class_name: 'Cccux::Role'
+    
+    validates :action, presence: true
+    validates :subject, presence: true
+    validates :action, uniqueness: { scope: :subject }
+    
+    scope :for_subject, ->(subject) { where(subject: subject) }
+    scope :for_action, ->(action) { where(action: action) }
+    
+    def display_name
+      "#{action.humanize} #{subject}"
+    end
+    
+    def role_count
+      roles.count
+    end
+    
+    # Determine if this permission supports ownership controls
+    def supports_ownership?
+      # CCCUX system models don't support ownership
+      return false if subject.start_with?('Cccux::')
+      
+      # You could add more sophisticated logic here:
+      # - Check if the model has ownership methods (owned_by?, scoped_for_user)
+      # - Check against a configuration list
+      # - Check if the model is in a specific namespace
+      
+      true
+    end
+    
+    # Get the model class for this permission
+    def model_class
+      return nil unless subject.present?
+      
+      if subject.include?('::')
+        subject.constantize
+      else
+        Object.const_get(subject)
+      end
+    rescue NameError
+      nil
+    end
+    
+    # Check if the model has ownership capabilities
+    def model_supports_ownership?
+      klass = model_class
+      return false unless klass
+      
+      # Check if model has ownership methods
+      klass.respond_to?(:owned_by?) || 
+      klass.respond_to?(:scoped_for_user) ||
+      klass.column_names.include?('user_id') ||
+      klass.column_names.include?('creator_id')
+    end
+  end
+end

data/app/models/cccux/application_record.rb

@@ -0,0 +1,5 @@
+module Cccux
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/cccux/role.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+module Cccux
+  class Role < ApplicationRecord
+    self.table_name = 'cccux_roles'
+    
+    has_many :user_roles, dependent: :destroy, class_name: 'Cccux::UserRole'
+    has_many :users, through: :user_roles, class_name: 'User'
+    has_many :role_abilities, dependent: :destroy, class_name: 'Cccux::RoleAbility'
+    has_many :ability_permissions, through: :role_abilities, class_name: 'Cccux::AbilityPermission'
+    
+    validates :name, presence: true, uniqueness: true
+    validates :priority, presence: true, numericality: { only_integer: true, greater_than: 0 }
+    
+    after_initialize :set_default_priority, if: :new_record?
+    
+    scope :active, -> { where(active: true) }
+    scope :ordered, -> { order(:priority, :name) }
+    
+    def self.default_roles
+      [
+        { name: 'Guest', description: 'Unauthenticated users', priority: 100 },
+        { name: 'Basic User', description: 'Standard authenticated users', priority: 50 },
+        { name: 'Role Manager', description: 'Can manage roles and permissions', priority: 25 },
+        { name: 'Administrator', description: 'Full system access', priority: 1 }
+      ]
+    end
+    
+    def assign_permission(permission)
+      return false unless permission.is_a?(Cccux::AbilityPermission)
+      
+      Cccux::RoleAbility.find_or_create_by(role: self, ability_permission: permission)
+    end
+    
+    def remove_permission(permission)
+      return false unless permission.is_a?(Cccux::AbilityPermission)
+      
+      role_abilities.where(ability_permission: permission).destroy_all
+    end
+    
+    def has_permission?(permission)
+      return false unless permission.is_a?(Cccux::AbilityPermission)
+      
+      role_abilities.exists?(ability_permission: permission)
+    end
+    
+    def permission_names
+      ability_permissions.pluck(:action, :subject).map { |action, subject| "#{action} #{subject}" }
+    end
+    
+    def user_count
+      users.count
+    end
+    
+    def display_name
+      "#{name} (#{user_count} users)"
+    end
+    
+    # Check if role has access to all records for a given subject
+    def has_all_records_access?(subject)
+      role_abilities.joins(:ability_permission)
+                   .where(cccux_ability_permissions: { subject: subject }, owned: false)
+                   .exists?
+    end
+    
+    # Check if role has access to only owned records for a given subject  
+    def has_owned_records_access?(subject)
+      role_abilities.joins(:ability_permission)
+                   .where(cccux_ability_permissions: { subject: subject }, owned: true)
+                   .exists?
+    end
+    
+    # Get ownership scope for a subject ('all', 'owned', or nil if no permissions)
+    def ownership_scope_for(subject)
+      if has_all_records_access?(subject)
+        'all'
+      elsif has_owned_records_access?(subject)
+        'owned'
+      else
+        nil
+      end
+    end
+    
+    private
+    
+    def set_default_priority
+      self.priority ||= 50
+    end
+  end
+end 

data/app/models/cccux/role_ability.rb

@@ -0,0 +1,49 @@
+module Cccux
+  class RoleAbility < ApplicationRecord
+    self.table_name = 'cccux_role_abilities'
+    
+    belongs_to :role, class_name: 'Cccux::Role'
+    belongs_to :ability_permission, class_name: 'Cccux::AbilityPermission'
+    
+    # Simplified access types: global, owned
+    ACCESS_TYPES = %w[global owned].freeze
+    
+    validates :role_id, presence: true
+    validates :ability_permission_id, presence: true
+    validates :context, inclusion: { in: %w[global owned], allow_nil: true }
+    validates :owned, inclusion: { in: [true, false] }
+    
+    # Ensure unique combinations of role, permission, ownership scope, and context
+    validates :ability_permission_id, uniqueness: { 
+      scope: [:role_id, :owned, :context], 
+      message: "already exists for this role, ownership scope, and context" 
+    }
+    
+    scope :global_access, -> { where(context: 'global') }
+    scope :owned_access, -> { where(owned: true) }
+    
+    # Simplified access types: global, owned
+    def access_type
+      if owned
+        'owned'
+      else
+        'global'
+      end
+    end
+    
+    def display_name
+      "#{role.name} - #{ability_permission.display_name}"
+    end
+
+    def access_description
+      case access_type
+      when 'global'
+        "Global access to all records"
+      when 'owned'
+        "Access to owned records or records via configured ownership relationship"
+      else
+        "Unknown access"
+      end
+    end
+  end
+end 

data/app/models/cccux/user_role.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Cccux
+  class UserRole < ApplicationRecord
+    self.table_name = 'cccux_user_roles'
+    
+    belongs_to :user, class_name: 'User', foreign_key: 'user_id'
+    belongs_to :role, class_name: 'Cccux::Role'
+    
+    validates :user_id, presence: true
+    validates :role_id, presence: true
+    validates :user_id, uniqueness: { scope: :role_id, message: 'already has this role' }
+    
+    scope :active, -> { joins(:role).where(cccux_roles: { active: true }) }
+    scope :for_user, ->(user) { where(user: user) }
+    scope :with_role, ->(role) { where(role: role) }
+
+    def self.assign_role_to_user(user, role)
+      find_or_create_by(user: user, role: role)
+    end
+
+    def self.remove_role_from_user(user, role)
+      where(user: user, role: role).destroy_all
+    end
+
+    def self.user_has_role?(user, role)
+      exists?(user: user, role: role)
+    end
+
+    def self.roles_for_user(user)
+      joins(:role).where(user: user).pluck('cccux_roles.name')
+    end
+
+    def self.users_with_role(role)
+      joins(:user).where(role: role).pluck('users.email')
+    end
+
+    def display_name
+      "#{user.email} - #{role.name}"
+    end
+  end
+end 

data/app/models/concerns/cccux/authorizable.rb

@@ -0,0 +1,25 @@
+module Cccux
+  module Authorizable
+    extend ActiveSupport::Concern
+    
+    class_methods do
+      # Convenience scope for authorized access (shorter than accessible_by(current_ability))
+      # Requires an explicit ability parameter for reliability
+      # 
+      # Usage:
+      #   User.owned(current_ability)  # In controllers
+      #   User.owned(ability)          # When you have an ability object
+      #
+      # This ensures proper authorization regardless of thread context
+      def owned(ability)
+        if ability
+          accessible_by(ability)
+        else
+          # Fallback: return all records (this should be overridden in specific models if needed)
+          Rails.logger.warn "CCCUX: No ability provided for #{self.name}.owned scope, returning all records"
+          all
+        end
+      end
+    end
+  end
+end 

data/app/models/concerns/cccux/scoped_ownership.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+module Cccux
+  module ScopedOwnership
+    extend ActiveSupport::Concern
+
+    included do
+      # Ensure the model includes Cccux::Authorizable
+      include Cccux::Authorizable unless included_modules.include?(Cccux::Authorizable)
+    end
+
+    class_methods do
+      # Configure scoped ownership for models with multiple ownership patterns
+      # Example: scoped_ownership owner: :user, parent: :store, manager_through: :store_managers
+      def scoped_ownership(owner: :user, parent: nil, manager_through: nil, through: nil)
+        owner_association = owner
+        parent_association = parent
+        manager_through_association = manager_through
+        through_association = through
+
+        # Define ownership method
+        define_method :owned_by? do |user|
+          return false unless user&.persisted?
+          
+          # Direct owner ownership
+          owner_owned = respond_to?("#{owner_association}_id") && 
+                       send("#{owner_association}_id") == user.id
+          
+          # Parent management ownership (if configured)
+          parent_owned = if parent_association && manager_through_association
+                          if through_association
+                            # Indirect parent relationship (e.g., through order)
+                            related_record = send(through_association)
+                            parent_record = related_record&.send(parent_association)
+                            parent_record&.send(manager_through_association)&.exists?(user: user)
+                          else
+                            # Direct parent relationship
+                            parent_record = send(parent_association)
+                            parent_record&.send(manager_through_association)&.exists?(user: user)
+                          end
+                        else
+                          false
+                        end
+          
+          owner_owned || parent_owned
+        end
+
+        # Define scoped_for_user class method
+        define_singleton_method :scoped_for_user do |user|
+          return none unless user&.persisted?
+          
+          # Get records owned by user
+          owner_records = where("#{owner_association}_id" => user.id)
+          
+          # Get records from parents managed by user (if configured)
+          if parent_association && manager_through_association
+            if through_association
+              # Indirect parent relationship
+              parent_records = joins(through_association => parent_association)
+                              .where("#{parent_association.to_s.pluralize}" => { 
+                                id: user.send(manager_through_association).select("#{parent_association}_id")
+                              })
+            else
+              # Direct parent relationship
+              parent_records = joins(parent_association)
+                              .where("#{table_name}.#{parent_association}_id" => 
+                                user.send(manager_through_association).select("#{parent_association}_id"))
+            end
+            
+            # Combine with UNION for efficiency
+            owner_ids = owner_records.pluck(:id)
+            parent_ids = parent_records.pluck(:id)
+            where(id: (owner_ids + parent_ids).uniq)
+          else
+            # Only owner records if no parent management configured
+            owner_records
+          end
+        end
+
+        # Define context scope method
+        define_singleton_method :in_current_scope? do |record, user, context|
+          # Check each context key for matches
+          context.each do |context_key, context_value|
+            association_name = context_key.to_s.sub(/_id$/, '')
+            
+            if through_association
+              # Indirect relationship - check through association
+              related_record = record.send(through_association)
+              if related_record&.respond_to?("#{association_name}_id")
+                return true if related_record.send("#{association_name}_id")&.to_s == context_value.to_s
+              end
+            else
+              # Direct relationship - check direct association
+              if record.respond_to?("#{association_name}_id")
+                return true if record.send("#{association_name}_id")&.to_s == context_value.to_s
+              end
+            end
+          end
+          
+          false
+        end
+      end
+
+      # For models that only have owner ownership (no parent relationship)
+      def owner_ownership(owner: :user)
+        owner_association = owner
+
+        define_method :owned_by? do |user|
+          return false unless user&.persisted?
+          send("#{owner_association}_id") == user.id
+        end
+
+        define_singleton_method :scoped_for_user do |user|
+          return none unless user&.persisted?
+          where("#{owner_association}_id" => user.id)
+        end
+
+        define_singleton_method :in_current_scope? do |record, user, context|
+          context.each do |context_key, context_value|
+            association_name = context_key.to_s.sub(/_id$/, '')
+            if association_name == owner_association.to_s
+              return true if record.send("#{owner_association}_id")&.to_s == context_value.to_s
+            end
+          end
+          false
+        end
+      end
+
+      # For models that only have parent ownership (no direct owner relationship)
+      def parent_ownership(parent: :parent, manager_through: :managers, through: nil)
+        parent_association = parent
+        manager_through_association = manager_through
+        through_association = through
+
+        define_method :owned_by? do |user|
+          return false unless user&.persisted?
+          
+          if through_association
+            related_record = send(through_association)
+            parent_record = related_record&.send(parent_association)
+            parent_record&.send(manager_through_association)&.exists?(user: user)
+          else
+            parent_record = send(parent_association)
+            parent_record&.send(manager_through_association)&.exists?(user: user)
+          end
+        end
+
+        define_singleton_method :scoped_for_user do |user|
+          return none unless user&.persisted?
+          
+          if through_association
+            joins(through_association => parent_association)
+              .where("#{parent_association.to_s.pluralize}" => { 
+                id: user.send(manager_through_association).select("#{parent_association}_id")
+              })
+          else
+            joins(parent_association)
+              .where("#{table_name}.#{parent_association}_id" => 
+                user.send(manager_through_association).select("#{parent_association}_id"))
+          end
+        end
+
+        define_singleton_method :in_current_scope? do |record, user, context|
+          context.each do |context_key, context_value|
+            association_name = context_key.to_s.sub(/_id$/, '')
+            
+            if through_association
+              related_record = record.send(through_association)
+              if related_record&.respond_to?("#{association_name}_id")
+                return true if related_record.send("#{association_name}_id")&.to_s == context_value.to_s
+              end
+            else
+              if association_name == parent_association.to_s
+                return true if record.send("#{parent_association}_id")&.to_s == context_value.to_s
+              end
+            end
+          end
+          false
+        end
+      end
+    end
+  end
+end 

data/app/models/concerns/cccux/user_concern.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module Cccux
+  module UserConcern
+    extend ActiveSupport::Concern
+
+    included do
+      # CCCUX associations
+      has_many :cccux_user_roles, class_name: 'Cccux::UserRole', dependent: :destroy
+      has_many :cccux_roles, through: :cccux_user_roles, source: :role, class_name: 'Cccux::Role'
+      
+      # Automatically assign Basic User role to new users
+      after_create :assign_default_role
+    end
+
+    # Instance methods for user authorization
+    def has_role?(role_name)
+      cccux_roles.active.exists?(name: role_name)
+    end
+
+    def has_any_role?(*role_names)
+      cccux_roles.active.where(name: role_names).exists?
+    end
+
+    def has_all_roles?(*role_names)
+      role_names.all? { |role_name| has_role?(role_name) }
+    end
+
+    def can?(action, subject)
+      # Use CanCan's ability system
+      ability = Cccux::Ability.new(self)
+      ability.can?(action, subject)
+    end
+
+    def cannot?(action, subject)
+      !can?(action, subject)
+    end
+
+    def assign_role(role)
+      return false unless role.is_a?(Cccux::Role) || role.is_a?(String)
+      
+      if role.is_a?(String)
+        role = Cccux::Role.find_by(name: role)
+        return false unless role
+      end
+      
+      Cccux::UserRole.find_or_create_by(user: self, role: role)
+    end
+
+    def remove_role(role)
+      return false unless role.is_a?(Cccux::Role) || role.is_a?(String)
+      
+      if role.is_a?(String)
+        role = Cccux::Role.find_by(name: role)
+        return false unless role
+      end
+      
+      cccux_user_roles.where(role: role).destroy_all
+    end
+
+    def role_names
+      cccux_roles.active.pluck(:name)
+    end
+
+    def highest_priority_role
+      cccux_roles.active.order(:priority).first
+    end
+
+    def admin?
+      has_role?('Administrator')
+    end
+
+    def role_manager?
+      has_role?('Role Manager')
+    end
+
+    private
+
+    def assign_default_role
+      # Only assign if user has no roles yet
+      if cccux_roles.empty?
+        basic_user_role = Cccux::Role.find_by(name: 'Basic User')
+        assign_role(basic_user_role) if basic_user_role
+      end
+    end
+  end
+end