collavre 0.16.0 → 0.20.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d6bf5cb5904041bc150792f274d44ce65f7b659bebf346a0f27dc00a1cbc0067
-  data.tar.gz: 33a8b19ecb1e5e2a02a8144ef7038d825c8d0d2cc9cd7195ea7fdc21230f9cd3
+  metadata.gz: 85ccc8b054af6b7b505ec32e773367299bc72d4cc3dd0d13fc345048b358470b
+  data.tar.gz: 1ebb968d3a1db4f5fe72bb67afca30154d705a0c0e682cbc2aea1a830e092c4f
 SHA512:
-  metadata.gz: 95e7f7877a88161151e55b26d9a46503a3889ed940443ba9436dc7fff063fc75cdd7ae554bc6a5c144bd5246dbf1822476fde15a925663d040ae6b54e59b6af3
-  data.tar.gz: 443e491e30ec68060e75b18a4f3abce13b764ce23d049b0f9be4081f322b99964313f29d46cb4d477f93aa75275bfb8dec7870bfb56dc74699fea747cb9e160c
+  metadata.gz: a6a9b9f7068b3f9f14eb680ee758e35031fef2e406994b462ce0ca22609bb59a6f96d956d51c0e28041f9ee46205a4b8360145fba434942103b819d50e63e9f2
+  data.tar.gz: 6354dc440494f9f7c1753de7909ce7d04ec24dc7d2d9557f0180dfdd09deaa6171af0c1c96e9d5abb21a4164c55ab7e3efa0293e3a4d6a280c54e479b6ed8cdd

data/app/assets/stylesheets/collavre/comments_popup.css

@@ -2,7 +2,7 @@
     display: none;
     position: fixed;
     right: 2em;
-    /* top: 10em; */
+    top: 10em;
     z-index: var(--layer-modal);
     width: 420px;
     height: 640px;
@@ -19,12 +19,20 @@
     flex-direction: column;
     transition: top 0.25s ease, left 0.25s ease, width 0.25s ease, height 0.25s ease,
                 right 0.25s ease, bottom 0.25s ease, border-radius 0.25s ease,
-                box-shadow 0.25s ease, padding 0.25s ease;
+                box-shadow 0.25s ease, padding 0.25s ease, opacity 0.3s ease;
     max-width: calc(100vw - 0.5em) !important;
     overscroll-behavior: contain;
     overflow: hidden;
 }
 
+#comments-popup.editor-behind {
+    opacity: 0.15;
+}
+
+#comments-popup.editor-behind:hover {
+    opacity: 1;
+}
+
 body.chat-fullscreen {
     overflow: hidden;
 }
@@ -918,6 +926,32 @@ body.chat-fullscreen {
     display: none;
 }
 
+.comment-stop-btn {
+    background: var(--surface-btn);
+    border: 1px solid var(--border-color);
+    border-radius: var(--radius-2);
+    cursor: pointer;
+    padding: var(--space-px-1) var(--space-px-2);
+    font-size: var(--text-00);
+    color: var(--color-danger);
+    line-height: 1;
+    white-space: nowrap;
+    display: inline-flex;
+    align-items: center;
+    gap: var(--space-px-1);
+    transition: background 0.15s, color 0.15s;
+}
+
+.comment-stop-btn:hover {
+    background: var(--color-danger);
+    color: var(--text-on-btn);
+}
+
+.comment-stop-btn:disabled {
+    opacity: 0.5;
+    cursor: not-allowed;
+}
+
 .comment-copy-notice {
     position: absolute;
     right: 0.2em;
@@ -1069,10 +1103,36 @@ body.chat-fullscreen {
     color: var(--color-text);
 }
 
+#typing-indicator-row {
+    display: flex;
+    align-items: center;
+    min-height: var(--space-px-5);
+    margin: 0.3em 0;
+    gap: var(--space-1);
+}
+
+.scroll-prev-msg-btn {
+    background: none;
+    border: 1px solid var(--border-color);
+    border-radius: var(--radius-2);
+    color: var(--text-muted);
+    cursor: pointer;
+    font-size: var(--text-1);
+    line-height: 1;
+    padding: var(--space-px-1) var(--space-2);
+    flex-shrink: 0;
+    transition: background 0.15s, color 0.15s;
+}
+
+.scroll-prev-msg-btn:hover {
+    background: var(--color-section-bg);
+    color: var(--color-text);
+}
+
 #typing-indicator {
     font-style: italic;
-    margin: 0.3em 0;
-    min-height: 24px;
+    flex: 1;
+    min-height: var(--space-px-5);
     display: flex;
     align-items: center;
 }
@@ -1101,7 +1161,7 @@ body.chat-fullscreen {
     background: var(--surface-btn);
     border: 1px solid var(--border-color);
     border-radius: var(--radius-2);
-    color: var(--text-muted);
+    color: var(--color-danger);
     cursor: pointer;
     font-size: var(--text-00);
     padding: var(--space-px-1) var(--space-px-2);

data/app/assets/stylesheets/collavre/creatives.css

@@ -364,13 +364,15 @@ creative-tree-row.show-edit .creative-row {
 
     .creative-row:hover .progress-toggle-wrap .creative-progress-complete,
     .creative-row:hover .progress-toggle-wrap .creative-progress-incomplete {
-        display: none;
+        visibility: hidden;
     }
 
     .creative-row:hover .progress-toggle-checkbox {
         visibility: visible;
         opacity: 1;
-        position: relative;
+        position: absolute;
+        inset: 0;
+        margin: auto;
         pointer-events: auto;
         accent-color: var(--color-brand);
     }
@@ -1040,3 +1042,4 @@ creative-tree-row.is-being-edited .creative-tree {
     justify-content: center;
     box-shadow: var(--shadow-2);
 }
+

data/app/controllers/collavre/admin/settings_controller.rb

@@ -21,6 +21,9 @@ module Collavre
         # Session timeout settings
         @session_timeout_minutes = SystemSetting.session_timeout_minutes
 
+        # LLM settings
+        @llm_request_timeout_seconds = SystemSetting.llm_request_timeout_seconds
+
         # Rate limiting settings
         @password_reset_rate_limit = SystemSetting.password_reset_rate_limit
         @password_reset_rate_period_minutes = SystemSetting.password_reset_rate_period_minutes
@@ -143,6 +146,11 @@ module Collavre
           api_period = SystemSetting::DEFAULT_API_RATE_PERIOD_MINUTES if api_period < 1
           SystemSetting.find_or_initialize_by(key: "api_rate_period_minutes").tap { |s| s.value = api_period.to_s; s.save! }
 
+          # LLM Settings
+          llm_timeout = params[:llm_request_timeout_seconds].to_i
+          llm_timeout = SystemSetting::DEFAULT_LLM_REQUEST_TIMEOUT_SECONDS if llm_timeout < 30
+          SystemSetting.find_or_initialize_by(key: "llm_request_timeout_seconds").tap { |s| s.value = llm_timeout.to_s; s.save! }
+
           # Auth Providers
           auth_providers = Array(params[:auth_providers]).reject(&:blank?)
           if auth_providers.empty?
@@ -171,6 +179,7 @@ module Collavre
         @password_reset_rate_period_minutes = params[:password_reset_rate_period_minutes].to_i.positive? ? params[:password_reset_rate_period_minutes].to_i : SystemSetting::DEFAULT_PASSWORD_RESET_RATE_PERIOD_MINUTES
         @api_rate_limit = params[:api_rate_limit].to_i.positive? ? params[:api_rate_limit].to_i : SystemSetting::DEFAULT_API_RATE_LIMIT
         @api_rate_period_minutes = params[:api_rate_period_minutes].to_i.positive? ? params[:api_rate_period_minutes].to_i : SystemSetting::DEFAULT_API_RATE_PERIOD_MINUTES
+        @llm_request_timeout_seconds = params[:llm_request_timeout_seconds].to_i.positive? ? params[:llm_request_timeout_seconds].to_i : SystemSetting::DEFAULT_LLM_REQUEST_TIMEOUT_SECONDS
         @enabled_auth_providers = params[:auth_providers] || []
         render :index, status: :unprocessable_entity
       end

data/app/controllers/collavre/attachments_controller.rb

@@ -12,7 +12,7 @@ module Collavre
       head :no_content
     rescue ActiveRecord::RecordNotFound
       head :not_found
-    rescue => e
+    rescue StandardError => e
       Rails.logger.error("Failed to delete attachment: #{e.message}")
       head :internal_server_error
     end

data/app/controllers/collavre/comment_read_pointers_controller.rb

@@ -44,11 +44,11 @@ module Collavre
     end
 
     def find_nearest_public_comment_id(creative, comment_id)
-      creative.comments.where(private: false).where("id <= ?", comment_id).maximum(:id)
+      creative.comments.public_only.where("id <= ?", comment_id).maximum(:id)
     end
 
     def fetch_users_on_effective_id(creative, effective_id)
-      next_public_id = creative.comments.where(private: false).where("id > ?", effective_id).minimum(:id)
+      next_public_id = creative.comments.public_only.where("id > ?", effective_id).minimum(:id)
 
       query = CommentReadPointer.where(creative: creative)
                                 .where("last_read_comment_id >= ?", effective_id)

data/app/controllers/collavre/comments/snapshots_controller.rb

@@ -3,6 +3,8 @@
 module Collavre
   module Comments
     class SnapshotsController < ApplicationController
+      include Collavre::Comments::CommentScoping
+
       before_action :set_creative
       before_action :set_snapshot, only: [ :restore ]
 
@@ -29,13 +31,6 @@ module Collavre
 
       private
 
-      def set_creative
-        @creative = Creative.find(params[:creative_id]).effective_origin
-        unless @creative.has_permission?(Current.user, :read)
-          render json: { error: I18n.t("collavre.creatives.errors.no_permission") }, status: :forbidden
-        end
-      end
-
       def set_snapshot
         @snapshot = @creative.comment_snapshots.find(params[:id])
       end

data/app/controllers/collavre/comments_controller.rb

@@ -28,7 +28,7 @@ module Collavre
       limit = 20
 
       visible_scope = @creative.comments.visible_to(Current.user)
-      scope = visible_scope.with_attached_images.includes(:topic, :comment_reactions, :comment_versions, :snapshot_as_result)
+      scope = visible_scope.with_attached_images.includes(:task, :topic, :comment_reactions, :comment_versions, :snapshot_as_result)
 
       if params[:search].present?
         words = params[:search].to_s.strip.downcase.split(/\s+/)
@@ -128,7 +128,7 @@ module Collavre
         # Fetch all visible IDs for correct read-receipt placement transparency
         # Only map read receipts to PUBLIC comments.
         # Users who read private comments will appear on the nearest preceding public comment.
-        public_ids = @creative.comments.where(private: false).order(id: :asc).pluck(:id)
+        public_ids = @creative.comments.public_only.order(id: :asc).pluck(:id)
 
         pointers.each do |pointer|
           effective_id = pointer.effective_comment_id(public_ids)
@@ -169,9 +169,7 @@ module Collavre
 
       @comment = @creative.comments.build(comment_attributes)
 
-      if @comment.topic_id.present? && !@creative.topics.where(id: @comment.topic_id).exists?
-        render json: { error: I18n.t("collavre.comments.invalid_topic") }, status: :unprocessable_entity and return
-      end
+      validate_topic_id!(@comment.topic_id) or return
 
       @comment.user = Current.user
       @comment.images.attach(image_attachments) if image_attachments.present?
@@ -193,11 +191,13 @@ module Collavre
     end
 
     def update
+      if github_synced_content_comment?(@comment)
+        render json: { error: I18n.t("collavre.comments.github_synced_readonly") }, status: :forbidden and return
+      end
+
       if @comment.user == Current.user
         safe_params = comment_params.except(:quoted_comment_id, :quoted_text)
-        if safe_params[:topic_id].present? && !@creative.topics.where(id: safe_params[:topic_id]).exists?
-          render json: { error: I18n.t("collavre.comments.invalid_topic") }, status: :unprocessable_entity and return
-        end
+        validate_topic_id!(safe_params[:topic_id]) or return
 
         if @comment.update(safe_params)
           @comment = Comment.with_attached_images.includes(:comment_reactions, :comment_versions, :selected_version).find(@comment.id)
@@ -211,6 +211,10 @@ module Collavre
     end
 
     def destroy
+      if github_synced_content_comment?(@comment)
+        render json: { error: I18n.t("collavre.comments.github_synced_readonly") }, status: :forbidden and return
+      end
+
       # @comment is set by before_action
       is_owner = @comment.user == Current.user
       is_admin = @creative.has_permission?(Current.user, :admin)
@@ -258,17 +262,7 @@ module Collavre
     def participants
       users = [ @creative.user ].compact + @creative.all_shared_users(:feedback).map(&:user)
       users = users.uniq
-      user_data = users.map do |u|
-        {
-          id: u.id,
-          email: u.email,
-          name: u.display_name,
-          avatar_url: view_context.user_avatar_url(u, size: 20),
-          default_avatar: !u.avatar.attached? && u.avatar_url.blank?,
-          initial: u.display_name[0].upcase,
-          ai_user: u.ai_user?
-        }
-      end
+      user_data = users.map { |u| view_context.user_json(u, email: true, ai_user: true) }
       response.headers["Cache-Control"] = "no-store"
       response.headers["Pragma"] = "no-cache"
       response.headers["Expires"] = "0"
@@ -286,7 +280,7 @@ module Collavre
         head :forbidden and return
       end
 
-      render json: CommandMenuService.new(user: Current.user).items
+      render json: CommandMenuService.new(user: Current.user, creative: @creative).items
     end
 
     def download_images
@@ -345,11 +339,9 @@ module Collavre
 
     private
 
-    def set_creative
-      @creative = Creative.find(params[:creative_id]).effective_origin
-      unless @creative.has_permission?(Current.user, :read)
-        render json: { error: I18n.t("collavre.creatives.errors.no_permission") }, status: :forbidden
-      end
+    def github_synced_content_comment?(comment)
+      return false unless comment.topic&.name == Collavre::Creative::CONTENT_TOPIC_NAME
+      comment.creative&.github_markdown?
     end
 
     def comment_params
@@ -359,5 +351,11 @@ module Collavre
     def current_topic_context
       params[:topic_id].presence || params.dig(:comment, :topic_id).presence
     end
+
+    def validate_topic_id!(topic_id)
+      return true if topic_id.blank? || @creative.topics.where(id: topic_id).exists?
+      render json: { error: I18n.t("collavre.comments.invalid_topic") }, status: :unprocessable_entity
+      false
+    end
   end
 end

data/app/controllers/collavre/creatives_controller.rb

@@ -4,12 +4,14 @@ module Collavre
     include Collavre::Concerns::Exportable
     include Collavre::Concerns::TreeManageable
     include Collavre::Concerns::Shareable
+    include Collavre::CreativePermissionGuard
 
     # TODO: for not for security reasons for this Collavre app, we don't expose to public, later it should be controlled by roles for each Creatives
     # Removed unauthenticated access to index and show actions
     allow_unauthenticated_access only: %i[ index children export_markdown show slide_view ]
     before_action :enforce_creatives_login_policy, only: %i[ index children export_markdown show slide_view ]
     before_action :set_creative, only: %i[ show edit update destroy parent_suggestions slide_view request_permission unconvert contexts update_contexts update_metadata archive unarchive trigger_action ]
+    before_action :require_creative_write!, only: %i[archive unarchive]
 
     def index
       respond_to do |format|
@@ -195,6 +197,10 @@ module Collavre
     end
 
     def parent_suggestions
+      unless @creative.has_permission?(Current.user, :read)
+        render json: { error: t("collavre.creatives.errors.no_permission") }, status: :forbidden and return
+      end
+
       suggestions = ::GeminiParentRecommender.new.recommend(@creative)
       render json: suggestions
     end
@@ -276,13 +282,17 @@ module Collavre
     end
 
     def contexts
+      unless @creative.has_permission?(Current.user, :read)
+        render json: { error: t("collavre.creatives.errors.no_permission") }, status: :forbidden and return
+      end
+
       creative = @creative.effective_origin(Set.new)
       own_ids = creative.context_ids - [ creative.id ]
       inherited_ids = (creative.effective_context_ids - own_ids - [ creative.id ]).uniq
       own_creatives = Creative.where(id: own_ids).index_by(&:id)
       inherited_creatives = Creative.where(id: inherited_ids).index_by(&:id)
 
-      disabled_ids = Array(creative.data&.dig("disabled_context_ids"))
+      disabled_ids = creative.effective_disabled_context_ids
 
       own = own_ids.filter_map do |cid|
         c = own_creatives[cid]
@@ -314,8 +324,13 @@ module Collavre
 
       current_data = (creative.data || {}).dup
       current_data["context_ids"] = Array(params[:context_ids]).map(&:to_i) if params.key?(:context_ids)
-      current_data["disabled_context_ids"] = Array(params[:disabled_context_ids]).map(&:to_i) if params.key?(:disabled_context_ids)
-      current_data.delete("disabled_context_ids") if current_data["disabled_context_ids"]&.empty?
+      if params.key?(:disabled_context_ids)
+        requested_disabled = Array(params[:disabled_context_ids]).map(&:to_i)
+        parent_disabled = creative.parent&.effective_disabled_context_ids || []
+        inherited_only = parent_disabled - creative.disabled_context_ids
+        current_data["disabled_context_ids"] = requested_disabled - inherited_only
+        current_data.delete("disabled_context_ids") if current_data["disabled_context_ids"].empty?
+      end
       if params.key?(:disabled_self_context)
         if ActiveModel::Type::Boolean.new.cast(params[:disabled_self_context])
           current_data["disabled_self_context"] = true
@@ -440,19 +455,11 @@ module Collavre
     end
 
     def archive
-      unless @creative.has_permission?(Current.user, :write) || @creative.user == Current.user
-        render json: { error: t("collavre.creatives.errors.no_permission") }, status: :forbidden and return
-      end
-
       @creative.archive!
       head :ok
     end
 
     def unarchive
-      unless @creative.has_permission?(Current.user, :write) || @creative.user == Current.user
-        render json: { error: t("collavre.creatives.errors.no_permission") }, status: :forbidden and return
-      end
-
       @creative.unarchive!
       head :ok
     end
@@ -487,6 +494,10 @@ module Collavre
         @creative = Creative.find(params[:id])
       end
 
+      def creative_permission_denied_message
+        t("collavre.creatives.errors.no_permission")
+      end
+
       def creative_params
         params.require(:creative).permit(:description, :progress, :parent_id, :sequence, :origin_id)
       end

data/app/controllers/collavre/emails_controller.rb

@@ -1,5 +1,7 @@
 module Collavre
   class EmailsController < ApplicationController
+    before_action :require_system_admin!
+
     def index
       @emails = Email.order(created_at: :desc).limit(50)
     end

data/app/controllers/collavre/google_auth_controller.rb

@@ -33,7 +33,7 @@ module Collavre
       # Ensure app calendar exists if the granted scope allows creating an app calendar
       begin
         ::GoogleCalendarService.new(user: user).ensure_app_calendar!
-      rescue => e
+      rescue StandardError => e
         Rails.logger.error("Post-login calendar setup failed: #{e.message}")
       end
 

data/app/controllers/collavre/inbox_items_controller.rb

@@ -58,7 +58,7 @@ module Collavre
     private
 
     def set_inbox_item
-      @inbox_item = InboxItem.find(params[:id])
+      @inbox_item = InboxItem.where(owner: Current.user).find(params[:id])
     end
   end
 end

data/app/controllers/collavre/invites_controller.rb

@@ -5,6 +5,9 @@ module Collavre
 
     def create
       creative = Creative.find(params[:creative_id]).effective_origin
+      unless creative.has_permission?(Current.user, :admin)
+        return head :forbidden
+      end
       permission = params[:permission] || :read
       invitation = Invitation.create!(inviter: Current.user,
                                       creative: creative,

data/app/controllers/collavre/tasks_controller.rb

@@ -10,7 +10,7 @@ module Collavre
         return head :forbidden
       end
 
-      unless %w[running pending queued].include?(task.status)
+      unless %w[running pending queued pending_approval].include?(task.status)
         return head :unprocessable_entity
       end