comfortable_mexican_sofa 1.12.2 → 1.12.3

data/app/controllers/comfy/admin/cms/base_controller.rb

@@ -1,31 +1,34 @@
 class Comfy::Admin::Cms::BaseController < ComfortableMexicanSofa.config.base_controller.to_s.constantize
 
-  protect_from_forgery
-
-  # Authentication module must have #authenticate method
+  # Authentication module must have `authenticate` method
   include ComfortableMexicanSofa.config.admin_auth.to_s.constantize
 
+  # Authorization module must have `authorize` method
+  include ComfortableMexicanSofa.config.admin_authorization.to_s.constantize
+
+  protect_from_forgery
+
   before_action :authenticate,
                 :load_admin_site,
                 :set_locale,
                 :load_fixtures,
                 :except => :jump
-  
+
   layout 'comfy/admin/cms'
-  
+
   if ComfortableMexicanSofa.config.admin_cache_sweeper.present?
     cache_sweeper *ComfortableMexicanSofa.config.admin_cache_sweeper
   end
-  
+
   def jump
     path = ComfortableMexicanSofa.config.admin_route_redirect
     return redirect_to(path) unless path.blank?
     load_admin_site
     redirect_to comfy_admin_cms_site_pages_path(@site) if @site
   end
-  
+
 protected
-  
+
   def load_admin_site
     if @site = ::Comfy::Cms::Site.find_by_id(params[:site_id] || session[:site_id]) || ::Comfy::Cms::Site.first
       session[:site_id] = @site.id

data/app/controllers/comfy/admin/cms/categories_controller.rb

@@ -1,37 +1,38 @@
 class Comfy::Admin::Cms::CategoriesController < Comfy::Admin::Cms::BaseController
-  
+
   before_action :load_category,  :only => [:edit, :update, :destroy]
-  
+  before_action :authorize
+
   def edit
     render
   end
-  
+
   def create
     @category = @site.categories.create!(category_params)
   rescue ActiveRecord::RecordInvalid
     render :nothing => true
   end
-  
+
   def update
     @category.update_attributes!(category_params)
   rescue ActiveRecord::RecordInvalid
     render :nothing => true
   end
-  
+
   def destroy
     @category.destroy
   end
-  
+
 protected
-  
+
   def load_category
     @category = @site.categories.find(params[:id])
   rescue ActiveRecord::RecordNotFound
     render :nothing => true
   end
-  
+
   def category_params
     params.fetch(:category, {}).permit!
   end
-  
+
 end

data/app/controllers/comfy/admin/cms/files_controller.rb

@@ -1,77 +1,52 @@
 class Comfy::Admin::Cms::FilesController < Comfy::Admin::Cms::BaseController
-  
+
   skip_before_action :load_fixtures
-  
+
   before_action :build_file,  :only => [:new, :create]
   before_action :load_file,   :only => [:edit, :update, :destroy]
-  
+  before_action :authorize
+
   def index
-    @files = @site.files.not_page_file.includes(:categories).for_category(params[:category]).order('comfy_cms_files.position')
-    
-    if params[:ajax]
-      if params[:not_images]
-        files = @files.not_images.collect do |file|
-          { :label    => file.label,
-            :filename => file.file_file_name,
-            :url      => file.file.url }
-        end
-      else
-        files = @files.images.collect do |file|
-          { :thumb  => file.file.url(:cms_thumb),
-            :image  => file.file.url }
-        end
-      end
-      render :json => files
-    else
-      return redirect_to :action => :new if @site.files.count == 0
-    end
+    @files = @site.files.not_page_file.includes(:categories).for_category(params[:category])
+      .order('comfy_cms_files.position').page(params[:page]).per(50)
   end
-  
+
   def new
     render
   end
 
   def create
-    @files = []
-    
-    files = [file_params[:file]].flatten
-    files.each_with_index do |file, i|
-      label = (files.size > 1 && file_params[:label].present?) ? 
-        "#{file_params[:label]} #{i + 1}" :
-        file_params[:label]
-      @file = @site.files.create!(file_params.except(:file, :label).merge(
-        :file         => file, 
-        :label        => label
-      ))
-      @files << @file
+    respond_to do |format|
+      if @file.save
+        format.html do
+          flash[:success] = I18n.t('comfy.admin.cms.files.created')
+          redirect_to :action => :edit, :id => @file
+        end
+        format.plupload do
+          render :text => render_to_string(:partial => 'file', :object => @file, :formats => [:html])
+        end
+      else
+        format.html do
+          flash.now[:danger] = I18n.t('comfy.admin.cms.files.creation_failure')
+          render :action => :new
+        end
+        format.plupload do
+          render :text => @file.errors.full_messages.to_sentence, :status => :unprocessable_entity
+        end
+      end
     end
-    
-    if params[:ajax]
-      view = render_to_string(:partial => 'comfy/admin/cms/files/file', :collection => @files, :layout => false)
-      render :json => {:filelink => @file.file.url, :filename => @file.file_file_name, :view => view.gsub("\n", '')}
-    else
-      flash[:success] = I18n.t('comfy.admin.cms.files.created')
+  end
+
+  def update
+    if @file.update(file_params)
+      flash[:success] = I18n.t('comfy.admin.cms.files.updated')
       redirect_to :action => :edit, :id => @file
-    end
-    
-  rescue ActiveRecord::RecordInvalid
-    if params[:ajax]
-      render :nothing => true, :status => :unprocessable_entity
     else
-      flash.now[:danger] = I18n.t('comfy.admin.cms.files.creation_failure')
-      render :action => :new
+      flash.now[:danger] = I18n.t('comfy.admin.cms.files.update_failure')
+      render :action => :edit
     end
   end
-  
-  def update
-    @file.update_attributes!(file_params)
-    flash[:success] = I18n.t('comfy.admin.cms.files.updated')
-    redirect_to :action => :edit, :id => @file
-  rescue ActiveRecord::RecordInvalid
-    flash.now[:danger] = I18n.t('comfy.admin.cms.files.update_failure')
-    render :action => :edit
-  end
-  
+
   def destroy
     @file.destroy
     respond_to do |format|
@@ -82,7 +57,7 @@ class Comfy::Admin::Cms::FilesController < Comfy::Admin::Cms::BaseController
       end
     end
   end
-  
+
   def reorder
     (params[:comfy_cms_file] || []).each_with_index do |id, index|
       if (cms_file = ::Comfy::Cms::File.find_by_id(id))
@@ -91,27 +66,21 @@ class Comfy::Admin::Cms::FilesController < Comfy::Admin::Cms::BaseController
     end
     render :nothing => true
   end
-  
+
 protected
 
   def build_file
-    @file = @site.files.new
+    @file = @site.files.new(file_params)
   end
-  
+
   def load_file
     @file = @site.files.find(params[:id])
   rescue ActiveRecord::RecordNotFound
     flash[:danger] = I18n.t('comfy.admin.cms.files.not_found')
     redirect_to :action => :index
   end
-  
+
   def file_params
-    # single file upload
-    unless (file = params[:file]).is_a?(Hash)
-      params[:file] = { }
-      params[:file][:file] = [file]
-    end
     params.fetch(:file, {}).permit!
   end
-  
 end

data/app/controllers/comfy/admin/cms/layouts_controller.rb

@@ -2,6 +2,7 @@ class Comfy::Admin::Cms::LayoutsController < Comfy::Admin::Cms::BaseController
 
   before_action :build_layout,  :only => [:new, :create]
   before_action :load_layout,   :only => [:edit, :update, :destroy]
+  before_action :authorize
 
   def index
     return redirect_to :action => :new if @site.layouts.count == 0
@@ -39,7 +40,7 @@ class Comfy::Admin::Cms::LayoutsController < Comfy::Admin::Cms::BaseController
     flash[:success] = I18n.t('comfy.admin.cms.layouts.deleted')
     redirect_to :action => :index
   end
-  
+
   def reorder
     (params[:comfy_cms_layout] || []).each_with_index do |id, index|
       ::Comfy::Cms::Layout.where(:id => id).update_all(:position => index)
@@ -62,9 +63,9 @@ protected
     flash[:danger] = I18n.t('comfy.admin.cms.layouts.not_found')
     redirect_to :action => :index
   end
-  
+
   def layout_params
     params.fetch(:layout, {}).permit!
   end
-  
+
 end

data/app/controllers/comfy/admin/cms/pages_controller.rb

@@ -3,12 +3,14 @@ class Comfy::Admin::Cms::PagesController < Comfy::Admin::Cms::BaseController
   before_action :check_for_layouts, :only => [:new, :edit]
   before_action :build_cms_page,    :only => [:new, :create]
   before_action :load_cms_page,     :only => [:edit, :update, :destroy]
+  before_action :authorize
   before_action :preview_cms_page,  :only => [:create, :update]
-  before_action :build_file,        :only => [:new, :edit]
 
   def index
-    return redirect_to :action => :new if @site.pages.count == 0
-    @pages_by_parent = @site.pages.includes(:categories).group_by(&:parent_id)
+    return redirect_to :action => :new if site_has_no_pages?
+
+    @pages_by_parent = pages_grouped_by_parent
+
     if params[:category].present?
       @pages = @site.pages.includes(:categories).for_category(params[:category]).order('label')
     else
@@ -54,7 +56,7 @@ class Comfy::Admin::Cms::PagesController < Comfy::Admin::Cms::BaseController
   end
 
   def toggle_branch
-    @pages_by_parent = @site.pages.includes(:categories).group_by(&:parent_id)
+    @pages_by_parent = pages_grouped_by_parent
     @page = @site.pages.find(params[:id])
     s   = (session[:cms_page_tree] ||= [])
     id  = @page.id.to_s
@@ -72,6 +74,14 @@ class Comfy::Admin::Cms::PagesController < Comfy::Admin::Cms::BaseController
 
 protected
 
+  def site_has_no_pages?
+    @site.pages.count == 0
+  end
+
+  def pages_grouped_by_parent
+    @site.pages.includes(:categories).group_by(&:parent_id)
+  end
+
   def check_for_layouts
     if @site.layouts.count == 0
       flash[:danger] = I18n.t('comfy.admin.cms.pages.layout_not_found')
@@ -85,10 +95,6 @@ protected
     @page.layout ||= (@page.parent && @page.parent.layout || @site.layouts.first)
   end
 
-  def build_file
-    @file = Comfy::Cms::File.new
-  end
-
   def load_cms_page
     @page = @site.pages.find(params[:id])
     @page.attributes = page_params
@@ -104,14 +110,14 @@ protected
       @cms_site   = @page.site
       @cms_layout = @page.layout
       @cms_page   = @page
-      
+
       # Chrome chokes on content with iframes. Issue #434
       response.headers['X-XSS-Protection'] = '0'
-      
+
       render :inline => @page.render, :layout => layout, :content_type => 'text/html'
     end
   end
-  
+
   def page_params
     params.fetch(:page, {}).permit!
   end

data/app/controllers/comfy/admin/cms/revisions_controller.rb

@@ -1,12 +1,13 @@
 class Comfy::Admin::Cms::RevisionsController < Comfy::Admin::Cms::BaseController
-  
+
   before_action :load_record
   before_action :load_revision, :except => :index
-  
+  before_action :authorize
+
   def index
     redirect_to :action => :show, :id => @record.revisions.first.try(:id) || 0
   end
-  
+
   def show
     case @record
     when Comfy::Cms::Page
@@ -17,15 +18,15 @@ class Comfy::Admin::Cms::RevisionsController < Comfy::Admin::Cms::BaseController
       @versioned_content  = @record.revision_fields.inject({}){|c, f| c[f] = @revision.data[f]; c }
     end
   end
-  
+
   def revert
     @record.restore_from_revision(@revision)
     flash[:success] = I18n.t('comfy.admin.cms.revisions.reverted')
     redirect_to_record
   end
-  
+
 protected
-  
+
   def load_record
     @record = if params[:layout_id]
       ::Comfy::Cms::Layout.find(params[:layout_id])
@@ -38,14 +39,14 @@ protected
     flash[:danger] = I18n.t('comfy.admin.cms.revisions.record_not_found')
     redirect_to comfy_admin_cms_path
   end
-  
+
   def load_revision
     @revision = @record.revisions.find(params[:id])
   rescue ActiveRecord::RecordNotFound
     flash[:danger] = I18n.t('comfy.admin.cms.revisions.not_found')
     redirect_to_record
   end
-  
+
   def redirect_to_record
     redirect_to case @record
       when ::Comfy::Cms::Layout  then edit_comfy_admin_cms_site_layout_path(@site, @record)
@@ -53,5 +54,5 @@ protected
       when ::Comfy::Cms::Snippet then edit_comfy_admin_cms_site_snippet_path(@site, @record)
     end
   end
-  
+
 end

data/app/controllers/comfy/admin/cms/sites_controller.rb

@@ -5,6 +5,7 @@ class Comfy::Admin::Cms::SitesController < Comfy::Admin::Cms::BaseController
 
   before_action :build_site,  :only => [:new, :create]
   before_action :load_site,   :only => [:edit, :update, :destroy]
+  before_action :authorize
 
   def index
     return redirect_to :action => :new if ::Comfy::Cms::Site.count == 0
@@ -58,7 +59,7 @@ protected
     flash[:danger] = I18n.t('comfy.admin.cms.sites.not_found')
     redirect_to :action => :index
   end
-  
+
   def site_params
     params.fetch(:site, {}).permit!
   end

data/app/controllers/comfy/admin/cms/snippets_controller.rb

@@ -2,6 +2,7 @@ class Comfy::Admin::Cms::SnippetsController < Comfy::Admin::Cms::BaseController
 
   before_action :build_snippet, :only => [:new, :create]
   before_action :load_snippet,  :only => [:edit, :update, :destroy]
+  before_action :authorize
 
   def index
     return redirect_to :action => :new if @site.snippets.count == 0
@@ -39,7 +40,7 @@ class Comfy::Admin::Cms::SnippetsController < Comfy::Admin::Cms::BaseController
     flash[:success] = I18n.t('comfy.admin.cms.snippets.deleted')
     redirect_to :action => :index
   end
-  
+
   def reorder
     (params[:comfy_cms_snippet] || []).each_with_index do |id, index|
       ::Comfy::Cms::Snippet.where(:id => id).update_all(:position => index)
@@ -59,7 +60,7 @@ protected
     flash[:danger] = I18n.t('comfy.admin.cms.snippets.not_found')
     redirect_to :action => :index
   end
-  
+
   def snippet_params
     params.fetch(:snippet, {}).permit!
   end

data/app/controllers/comfy/cms/assets_controller.rb

@@ -2,29 +2,37 @@ class Comfy::Cms::AssetsController < Comfy::Cms::BaseController
   
   skip_before_action :verify_authenticity_token
   
-  before_action :load_cms_layout
+  before_action :load_cms_layout,
+                :use_null_session
+                
+  after_action :set_cache_control_header
   
   def render_css
     render :text => @cms_layout.css, :content_type => 'text/css'
-    cache_control_header
   end
 
   def render_js
     render :text => @cms_layout.js, :content_type => 'application/javascript'
-    cache_control_header
   end
 
 protected
 
-  def cache_control_header
-    if params[:cache_buster].present?
-      response.headers['Cache-Control'] = "public, max-age=#{1.year.to_i}"
-    end
-  end
-
   def load_cms_layout
     @cms_layout = @cms_site.layouts.find_by_identifier!(params[:identifier])
   rescue ActiveRecord::RecordNotFound
     render :nothing => true, :status => 404
   end
+  
+  # null_session avoids cookies and flash updates
+  def use_null_session
+    ActionController::RequestForgeryProtection::ProtectionMethods::NullSession.new(self)
+      .handle_unverified_request
+  end
+
+  def set_cache_control_header
+    if params[:cache_buster].present?
+      response.headers['Cache-Control'] = "public, max-age=#{1.year.to_i}"
+    end
+  end
+  
 end