compony 0.3.3 → 0.4.0

data/doc/top-level-namespace.html

@@ -102,7 +102,7 @@
 </div>
 
       <div id="footer">
-  Generated on Mon Jun  3 15:20:40 2024 by
+  Generated on Tue Jun 11 11:15:53 2024 by
   <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
   0.9.36 (ruby-3.2.2).
 </div>

data/lib/compony/component.rb

@@ -118,9 +118,9 @@ module Compony
     # @param [Symbol,String] name The name of the before_render block, defaults to `:main`
     # @param [nil,Symbol,String] before If nil, the block will be added to the bottom of the before_render chain. Otherwise, pass the name of another block.
     # @param [Proc] block The block that should be run as part of the before_render pipeline. Will run in the component's context.
-    def before_render(name = :main, before: nil, **kwargs, &block)
+    def before_render(name = :main, before: nil, **, &block)
       fail("`before_render` expects a block in #{inspect}.") unless block_given?
-      @before_render_blocks.natural_push(name, block, before:, **kwargs)
+      @before_render_blocks.natural_push(name, block, before:, **)
     end
 
     # DSL method
@@ -129,12 +129,12 @@ module Compony
     # @param [nil,Symbol,String] before If nil, the block will be added to the bottom of the content chain. Otherwise, pass the name of another block.
     # @param [Hash] kwargs If hidden is true, the content will not be rendered by default, allowing you to nest it in another content block.
     # @param [Proc] block The block that should be run as part of the content pipeline. Will run in the component's context. You can use Dyny here.
-    def content(name = :main, before: nil, **kwargs, &block)
+    def content(name = :main, before: nil, **, &block)
       # A block is required here, but if this is an override (e.g. to hide another content block), we can tolerate the missing block.
       if !block_given? && @content_blocks.find { |b| b.name == name }.nil?
         fail("`content` expects a block in #{inspect}.")
       end
-      @content_blocks.natural_push(name, block || :missing, before:, **kwargs)
+      @content_blocks.natural_push(name, block || :missing, before:, **)
     end
 
     # DSL method

data/lib/compony/component_mixins/default/standalone/standalone_dsl.rb

@@ -37,18 +37,18 @@ module Compony
           # DSL call for defining a config for a verb. The block runs within the verb DSL, positional and named arguments are passed to the verb DSL.
           # @param verb [Symbol] The HTTP verb the config is for (e.g. :get, :post etc.)
           # @see Compony::ComponentMixins::Default::Standalone::VerbDsl
-          def verb(verb, *args, **nargs, &)
+          def verb(verb, *, **nargs, &)
             verb = verb.to_sym
             verb_dsl_class = @component.resourceful? ? ResourcefulVerbDsl : VerbDsl
             if @verbs[verb]
-              @verbs[verb].deep_merge! verb_dsl_class.new(@component, verb, *args, **nargs).to_conf(provide_defaults: false, &)
+              @verbs[verb].deep_merge! verb_dsl_class.new(@component, verb, *, **nargs).to_conf(provide_defaults: false, &)
             else
               # Note about provide_defaults:
               # - We must pass false if this is the second time `standalone` was called for this component -> see @provide_defaults
               # - We musst pass false if this is the second time `verb` was called for this component -> handled by the if statement (other branch)
               # - We must pass true otherwise (handled by this branch)
               @verbs[verb] = Compony::MethodAccessibleHash.new(
-                verb_dsl_class.new(@component, verb, *args, **nargs).to_conf(provide_defaults: @provide_defaults, &)
+                verb_dsl_class.new(@component, verb, *, **nargs).to_conf(provide_defaults: @provide_defaults, &)
               )
             end
           end

data/lib/compony/components/edit.rb

@@ -30,6 +30,8 @@ module Compony
         label(:short) { |_| I18n.t('compony.components.edit.label.short') }
         icon { :pencil }
 
+        form_cancancan_action :edit
+
         action :back_to_owner do
           next if data_class.owner_model_attr.blank?
           Compony.button(:show, @data.send(data_class.owner_model_attr), icon: :xmark, color: :secondary, label: I18n.t('compony.cancel'))
@@ -47,12 +49,13 @@ module Compony
           # Validate params against the form's schema
           local_form_comp = form_comp # Capture form_comp for usage in the Schemacop call
           local_data = @data # Capture data for usage in the Schemacop call
+          local_controller = controller # Capture controller for usage in the Schemacop call
           schema = Schemacop::Schema3.new :hash, additional_properties: true do
             any_of! :id do
               str
               int cast_str: true
             end
-            hsh? local_form_comp.schema_wrapper_key_for(local_data), &local_form_comp.schema_block_for(local_data)
+            hsh? local_form_comp.schema_wrapper_key_for(local_data), &local_form_comp.schema_block_for(local_data, local_controller)
           end
           validated_params = schema.validate!(controller.request.params)
           attrs_to_assign = validated_params[form_comp.schema_wrapper_key_for(@data)]

data/lib/compony/components/form.rb

@@ -3,8 +3,9 @@ module Compony
     # @api description
     # This component is used for the _form partial in the Rails paradigm.
     class Form < Component
-      def initialize(...)
+      def initialize(*args, cancancan_action: :missing, **kwargs)
         @schema_lines_for_data = [] # Array of procs taking data returning a Schemacop proc
+        @cancancan_action = cancancan_action
         super
       end
 
@@ -12,6 +13,9 @@ module Compony
         before_render do
           # Make sure the error message is going to be nice if form_fields were not implemented
           fail "#{component.inspect} requires config.form_fields do ..." if @form_fields.nil?
+          if @cancancan_action == :missing
+            fail("Missing cancancan_action for #{component.inspect}, you must provide one (e.g. :edit) or pass nil explicitely.")
+          end
 
           # Calculate paths
           @submit_path = @comp_opts[:submit_path]
@@ -32,7 +36,7 @@ module Compony
 
         content do
           form_html = simple_form_for(data, method: @comp_opts[:submit_verb], url: @submit_path) do |f|
-            component.with_simpleform(f) do
+            component.with_simpleform(f, controller) do
               instance_exec(&form_fields)
               div class: 'compony-form-buttons' do
                 content(:buttons)
@@ -60,7 +64,7 @@ module Compony
       end
 
       # Attr reader for @schema_block with auto-calculated default
-      def schema_block_for(data)
+      def schema_block_for(data, controller)
         if @schema_block
           return @schema_block
         else
@@ -68,7 +72,8 @@ module Compony
           local_schema_lines_for_data = @schema_lines_for_data
           return proc do
             local_schema_lines_for_data.each do |schema_line|
-              instance_exec(&schema_line.call(data))
+              schema_line_proc = schema_line.call(data, controller) # This may return nil, e.g. is the user is not authorized to set a field
+              instance_exec(&schema_line_proc) unless schema_line_proc.nil?
             end
           end
         end
@@ -78,21 +83,32 @@ module Compony
       # methods from inside `form_fields`. This is a workaround required because the form does not exist when the
       # RequestContext is being built, and we want the method `field` to be available inside the `form_fields` block.
       # @todo Refactor? Could this be greatly simplified by having `form_field to |f|` ?
-      def with_simpleform(simpleform)
+      def with_simpleform(simpleform, controller)
         @simpleform = simpleform
+        @controller = controller
         @focus_given = false
         yield
         @simpleform = nil
+        @controller = nil
       end
 
       # Called inside the form_fields block. This makes the method `field` available in the block.
       # See also notes for `with_simpleform`.
       def field(name, **input_opts)
         fail("The `field` method may only be called inside `form_fields` for #{inspect}.") unless @simpleform
+        name = name.to_sym
+
+        # Check per-field authorization
+        if @cancancan_action.present? && @controller.current_ability.permitted_attributes(@cancancan_action, @simpleform.object).exclude?(name)
+          Rails.logger.debug do
+            "Skipping form field #{name.inspect} because the current user is not allowed to perform #{@cancancan_action.inspect} on #{@simpleform.object}."
+          end
+          return
+        end
 
         hidden = input_opts.delete(:hidden)
-        model_field = @simpleform.object.fields[name.to_sym]
-        fail("Field #{name.to_sym.inspect} is not defined on #{@simpleform.object.inspect} but was requested in #{inspect}.") unless model_field
+        model_field = @simpleform.object.fields[name]
+        fail("Field #{name.inspect} is not defined on #{@simpleform.object.inspect} but was requested in #{inspect}.") unless model_field
 
         if hidden
           return model_field.simpleform_input_hidden(@simpleform, self, **input_opts)
@@ -105,6 +121,28 @@ module Compony
         end
       end
 
+      # Called inside the form_fields block. This makes the method pw_field available in the block.
+      # This method should be called for the fields :password and :password_confirmation
+      # Note that :hidden is not supported here, as this would make no sense in conjunction with :password or :password_confirmation.
+      def pw_field(name, **input_opts)
+        fail("The `pw_field` method may only be called inside `form_fields` for #{inspect}.") unless @simpleform
+        name = name.to_sym
+
+        # Check for authorization
+        unless @cancancan_action.nil? || @controller.current_ability.can?(:set_password, @simpleform.object)
+          Rails.logger.debug do
+            "Skipping form pw_field #{name.inspect} because the current user is not allowed to perform :set_password on #{@simpleform.object}."
+          end
+          return
+        end
+
+        unless @focus_given || @skip_autofocus
+          input_opts[:autofocus] = true unless input_opts.key? :autofocus
+          @focus_given = true
+        end
+        return @simpleform.input name, **input_opts
+      end
+
       # Called inside the form_fields block. This makes the method `f` available in the block.
       # See also notes for `with_simpleform`.
       def f
@@ -120,19 +158,46 @@ module Compony
       protected
 
       # DSL method, adds a new line to the schema whitelisting a single param inside the schema's wrapper
+      # The block should be something like `str? :foo` and will run in a Schemacop3 context.
       def schema_line(&block)
-        @schema_lines_for_data << proc { block }
+        @schema_lines_for_data << proc { |_data, _controller| block }
       end
 
       # DSL method, adds a new field to the schema whitelisting a single field of data_class
       # This auto-generates the correct schema line for the field.
       def schema_field(field_name)
-        @schema_lines_for_data << proc do |data|
+        # This runs upon component setup.
+        @schema_lines_for_data << proc do |data, controller|
+          # This runs within a request context.
           field = data.class.fields[field_name.to_sym] || fail("No field #{field_name.to_sym.inspect} found for #{data.inspect} in #{inspect}.")
+          # Check per-field authorization
+          if @cancancan_action.present? && controller.current_ability.permitted_attributes(@cancancan_action.to_sym, data).exclude?(field.name.to_sym)
+            Rails.logger.debug do
+              "Skipping form schema_field #{field_name.inspect} because the current user is not allowed to perform #{@cancancan_action.inspect} on #{data}."
+            end
+            next nil
+          end
           next field.schema_line
         end
       end
 
+      # DSL method, adds a new password field to the schema whitelisting
+      # This checks for the permission :set_password and auto-generates the correct schema line for the field.
+      def schema_pw_field(field_name)
+        # This runs upon component setup.
+        @schema_lines_for_data << proc do |data, controller|
+          # This runs within a request context.
+          # Check per-field authorization
+          unless @cancancan_action.nil? || controller.current_ability.can?(:set_password, data)
+            Rails.logger.debug do
+              "Skipping form schema_pw_field #{name.inspect} because the current user is not allowed to perform :set_password on #{data}."
+            end
+            next nil
+          end
+          next proc { obj? field_name.to_sym }
+        end
+      end
+
       # DSL method, mass-assigns schema fields
       def schema_fields(*field_names)
         field_names.each { |field_name| schema_field(field_name) }

data/lib/compony/components/new.rb

@@ -32,6 +32,8 @@ module Compony
         label(:short) { I18n.t('compony.components.new.label.short') }
         icon { :plus }
 
+        form_cancancan_action :new
+
         content :label do
           h2 component.label
         end
@@ -43,8 +45,9 @@ module Compony
         assign_attributes do
           local_form_comp = form_comp # Capture form_comp for usage in the Schemacop call
           local_data = @data # Capture data for usage in the Schemacop call
+          local_controller = controller # Capture controller for usage in the Schemacop call
           schema = Schemacop::Schema3.new :hash, additional_properties: true do
-            hsh? local_form_comp.schema_wrapper_key_for(local_data), &local_form_comp.schema_block_for(local_data)
+            hsh? local_form_comp.schema_wrapper_key_for(local_data), &local_form_comp.schema_block_for(local_data, local_controller)
           end
           validated_params = schema.validate!(controller.request.params)
           attrs_to_assign = validated_params[form_comp.schema_wrapper_key_for(@data)]

data/lib/compony/components/with_form.rb

@@ -7,6 +7,7 @@ module Compony
       def initialize(...)
         # TODO: On the next line, use Compony.path instead? Likely, this was implemented before that method existed.
         @submit_path_block = ->(controller) { controller.helpers.send("#{Compony.path_helper_name(comp_name, family_name)}_path") }
+        @form_cancancan_action = :missing
         super
       end
 
@@ -17,7 +18,8 @@ module Compony
           self,
           submit_verb:,
           # If applicable, Rails adds the route keys automatically, thus, e.g. :id does not need to be passed here, as it comes from the request.
-          submit_path: @submit_path_block
+          submit_path:      @submit_path_block,
+          cancancan_action: form_cancancan_action
         )
       end
 
@@ -39,6 +41,15 @@ module Compony
         @form_comp_class ||= new_form_comp_class
       end
 
+      # DSL method
+      # Sets and gets the form's cancancan action (for cancancan's accessible_attributes)
+      def form_cancancan_action(new_form_cancancan_action = :missing)
+        if new_form_cancancan_action != :missing
+          @form_cancancan_action = new_form_cancancan_action
+        end
+        return @form_cancancan_action
+      end
+
       # DSL method
       # Overrides the submit path which would otherwise default to this component
       # This takes a block that will be called and given a controller

data/lib/compony/model_mixin.rb

@@ -22,7 +22,14 @@ module Compony
       def field(name, type, **extra_attrs)
         name = name.to_sym
         self.fields = fields.dup
-        fields[name] = Compony.model_field_class_for(type.to_s.camelize).new(name, self, **extra_attrs)
+        field = Compony.model_field_class_for(type.to_s.camelize).new(name, self, **extra_attrs)
+        # Handle the case where ActiveType would interfere with attribute registration
+        if defined?(ActiveType) && self <= ActiveType::Object && !include?(ActiveModel::Attributes)
+          fail "Please add `include ActiveModel::Attributes` at the top of the class #{self}, as attributes cannot be registered otherwise with ActiveType."
+        end
+        # Register the field as an attribute
+        attribute(name)
+        fields[name] = field
       end
 
       # DSL method, sets the containing model.

data/lib/compony.rb

@@ -237,7 +237,7 @@ module Compony
     end
     return_value = block.call
     # Restore previous value
-    keys_to_overwrite.each do |key, _new_value|
+    keys_to_overwrite.each_key do |key|
       RequestStore.store[:button_defaults][key] = old_values[key]
     end
     # Undefine keys that were not there previously

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: compony
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.4.0
 platform: ruby
 authors:
 - Sandro Kalbermatter
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-03 00:00:00.000000000 Z
+date: 2024-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: yard
@@ -157,14 +157,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.0
+        version: 3.6.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.4.0
+        version: 3.6.1
 description:
 email:
 executables: []
@@ -323,7 +323,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.0.0
+      version: 3.2.2
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="