crudable-rails 1.2.1 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8978c74f649c14c989bad8ae160fb16544cbfbff0711d7322316aec666effa08
-  data.tar.gz: '04709d211dabd30b4daac9d5bc5b7249eff31d6eb0c5715b03ce623bd6a898b8'
+  metadata.gz: 6eb33d21180100aca344bcdc68bb1c170e28bff416b95c3bb4332fcb7c1eef16
+  data.tar.gz: a08037ec9a25220ba87697becdc928bf78400240088fb1f4c5157730dbfae162
 SHA512:
-  metadata.gz: 80c559e8bea6582bde9b75ea524311d6a1e45f89bf0e24584b260c2ef8b8636998d17fd4dbc030b405a199fcc2317ecac464e9ddef565edf1475c3fbbbb0429f
-  data.tar.gz: 28f94c76baa49ea628e281e8b83d29f23c148c956ee1d691419540db5bbee886d416d27a69ee6823f57541d637490db2bec1306ab5ba9280c91e22785dcad7a0
+  metadata.gz: ec33c0349fa255e003542bd431b5a84ea4b49ca981713409f372655944158dc9656070499d67c915d6dfb70e635136f736310ce84522bfa4e268b94bfb879896
+  data.tar.gz: 2226bedef0b794653978bfd8deab2302d2023909857de65bbec4e600df3a545a171a2c9575271a3a8ca1e6041f3fdec9b86fc1775dcf2dc6d65fd543057ccf84

data/README.md

@@ -34,17 +34,7 @@ $ gem install crudable-rails
 
 ### Controller Setup
 
-To use crudable-rails in your controllers, call the `crudable` method. You can also specify if the controller is nested by passing the `nested: true` option.
-
-```ruby
-class ProductsController < ApplicationController
-  crudable
-end
-
-class ProductSizesController < ApplicationController
-  crudable nested: true
-end
-```
+To use crudable-rails in your controllers, call the `crudable` method.
 
 ## Customizing CRUD Actions
 
@@ -137,6 +127,14 @@ This method should return a boolean value to determine if the resource should be
 
 This method should return a boolean value to determine if the resource is a singleton. Default: `false`.
 
+### `use_parent_as_scope?`
+
+This method should return a boolean value to determine if the resource should be found using the nested parent. Default: `true`.
+
+### `parent_id_param`
+
+When using nested routes, this determines which `*_id` param is treated as the parent id. If multiple `*_id` params are present (multi-level nesting), Crudable will default to the **deepest/last** `*_id` from the route path parameters.
+
 ### `finder_param`
 
 This method should return the parameter used to find the resource. Default: `:id`.
@@ -147,12 +145,38 @@ This method should return a boolean value to determine if the resource should be
 
 ### `friendly_finders?`
 
-This method should return a boolean value to determine if the resource should be found using friendly finders. Default: `true` if FriendlyId is available, otherwise `false`.
+This method should return a boolean value to determine if the resource should be found using friendly finders.
+
+Default: `true` when `FriendlyId` is available **and** the model responds to `.friendly`, otherwise `false`.
+
+### `parent_friendly_finders?`
+
+When using nested routes (e.g. `/:parent_id/:id`), this method controls whether the **parent** should be found using FriendlyId.
+
+Default: `friendly_finders?` (and additionally requires `FriendlyId` to be defined and the parent model to respond to `.friendly`).
 
 ### `skip_initialize_create?`
 
 This method should return a boolean value to determine if the resource should be initialized on create. Default: `false`.
 
+### `authorize_with_pundit?`
+
+This method controls whether Pundit authorization should be performed. By default, it returns `true` when Pundit is defined. You can override this method to customize authorization behavior based on feature flags, user roles, or other conditions.
+
+For example:
+
+```ruby
+class ProductsController < ApplicationController
+  crudable
+
+  private
+
+  def authorize_with_pundit?
+    super && current_user.present? && feature_enabled?(:authorization)
+  end
+end
+```
+
 ### `(create|update)_params`
 
 These methods should return the permitted parameters for the resource as an array. They are optional and can be defined if create and update methods need different parameters allowed.

data/Rakefile

@@ -1,3 +1,5 @@
-require "bundler/setup"
+# frozen_string_literal: true
 
-require "bundler/gem_tasks"
+require 'bundler/setup'
+
+require 'bundler/gem_tasks'

data/lib/crudable/rails/base.rb

@@ -5,46 +5,76 @@ module Crudable
     module Base
       extend ActiveSupport::Concern
 
+      # Status code for unprocessable entity (422)
+      # Rails 7.1+ uses :unprocessable_content (replaces deprecated :unprocessable_entity)
+      UNPROCESSABLE_STATUS = :unprocessable_content
+
       included do
         include Crudable::Rails::Resourceable
+        include Crudable::Rails::Nestable
 
         before_action :find_resource, only: %i[show edit update destroy]
-        after_action :authorize_resource, only: %i[new show edit] if defined?(Pundit)
 
         decorates_assigned plural_resource_var_name.to_sym, resource_var_name.to_sym if defined?(Draper)
       end
 
       def index
+        authorize_class_action if authorize_with_pundit?
         instance_variable_set("@#{plural_resource_var_name}", resource_scope)
         paginate_resource
       end
 
-      def show; end
+      def show
+        render_not_found if instance_variable_get("@#{resource_var_name}").blank?
+        authorize_resource if authorize_with_pundit?
+      end
 
       def new
-        instance_variable_set("@#{resource_var_name}", resource_class.new)
+        instance = new_instance
+        # Ensure we always set a valid instance to prevent nil model warnings in Rails 8
+        raise ActiveRecord::RecordNotFound, "Could not create new #{resource_class.name}" if instance.nil?
+
+        instance_variable_set("@#{resource_var_name}", instance)
+        authorize_resource if authorize_with_pundit?
       end
 
-      def create # rubocop:disable Metrics/MethodLength
-        instance_variable_set("@#{resource_var_name}", resource_class.new(create_params)) unless skip_initialize_create?
-        if defined?(Pundit)
+      def create
+        unless skip_initialize_create?
+          instance_variable_set("@#{resource_var_name}", new_instance)
+          instance_variable_get("@#{resource_var_name}").assign_attributes(create_params)
+        end
+        resource = instance_variable_get("@#{resource_var_name}")
+        # If skip_initialize_create? is true, resource might be nil - that's expected
+        # Only return 404 if we tried to initialize but resource is still nil
+        return render_not_found if resource.nil? && !skip_initialize_create?
+
+        # Only authorize if resource exists (skip authorization when skip_initialize_create? is true)
+        if authorize_with_pundit? && resource.present?
           before_authorize_create
           authorize_resource
           after_authorize_create
+        elsif authorize_with_pundit?
+          skip_authorization
         end
-        if instance_variable_get("@#{resource_var_name}").save
+        if resource&.save
           on_successful_create
           on_successful_create_render
         else
           on_failed_create_setup
           on_failed_create_render
         end
+      rescue ActionController::ParameterMissing
+        head :bad_request
       end
 
-      def edit; end
+      def edit
+        render_not_found if instance_variable_get("@#{resource_var_name}").blank?
+        authorize_resource if authorize_with_pundit?
+      end
 
       def update
-        if defined?(Pundit)
+        render_not_found if instance_variable_get("@#{resource_var_name}").blank?
+        if authorize_with_pundit?
           before_authorize_update
           authorize_resource
           after_authorize_update
@@ -56,10 +86,12 @@ module Crudable
           on_failed_update_setup
           on_failed_update_render
         end
+      rescue ActionController::ParameterMissing
+        head :bad_request
       end
 
       def destroy
-        authorize_resource(destroy_method) if defined?(Pundit)
+        authorize_resource(destroy_method) if authorize_with_pundit?
         if instance_variable_get("@#{resource_var_name}").send(destroy_method)
           on_successful_destroy
           on_successful_destroy_render
@@ -71,6 +103,10 @@ module Crudable
 
       private
 
+      def authorize_with_pundit?
+        defined?(Pundit)
+      end
+
       def destroy_method
         return :destroy unless defined?(Discard)
         return :destroy if params[:destroy]
@@ -84,11 +120,38 @@ module Crudable
 
       def find_resource
         resource = friendly_finders? ? resource_class.friendly : resource_class
-        instance = singleton? ? resource.first : resource.find(params[finder_param])
+        instance = find_instance(resource)
 
         return redirect_to (resource_namespace + [instance]), status: :moved_permanently if should_redirect?(instance)
 
         instance_variable_set("@#{resource_var_name}", instance)
+      rescue ActiveRecord::RecordNotFound
+        render_not_found
+      end
+
+      def find_instance(resource)
+        if singleton?
+          resource.first
+        elsif parent_resource_association.present?
+          scope = instance_variable_get("@#{parent_var_name}").send(parent_resource_association)
+          scope = scope.friendly if friendly_finders?
+          scope.find(params[finder_param])
+        else
+          resource.find(params[finder_param])
+        end
+      end
+
+      def new_instance
+        if parent_resource_association.present?
+          parent = instance_variable_get("@#{parent_var_name}")
+          # If parent is nil, it means find_parent failed - this shouldn't happen
+          # but we guard against it to prevent nil errors
+          raise ActiveRecord::RecordNotFound, "Parent #{parent_var_name} not found" if parent.nil?
+
+          parent.send(parent_resource_association).new
+        else
+          resource_class.new
+        end
       end
 
       def should_redirect?(instance)
@@ -110,7 +173,27 @@ module Crudable
       end
 
       def authorizable_scope
-        defined?(Pundit) ? policy_scope(resource_namespace + [resource_class]) : resource_class.all
+        scope = find_scope
+        return scope.all unless authorize_with_pundit?
+        # Check if Pundit::Authorization is available
+        return scope.all unless if respond_to?(:pundit_authorization_available?,
+                                               true)
+                                  pundit_authorization_available?
+                                else
+                                  self.class.included_modules.include?(Pundit::Authorization) || respond_to?(
+                                    :policy_scope, true
+                                  )
+                                end
+
+        policy_scope(resource_namespace + [scope])
+      end
+
+      def find_scope
+        if parent_resource_association.present?
+          instance_variable_get("@#{parent_var_name}").send(parent_resource_association)
+        else
+          resource_class
+        end
       end
 
       def paginate_resource?
@@ -139,6 +222,14 @@ module Crudable
       end
 
       def after_create_redirect_path
+        if respond_to?(:parent_present?) && parent_present? && instance_variable_get("@#{parent_var_name}")
+          parent = instance_variable_get("@#{parent_var_name}")
+          resource_namespace + [parent, plural_resource_var_name.to_sym]
+        else
+          resource_namespace + [plural_resource_var_name.to_sym]
+        end
+      rescue NoMethodError
+        # Fallback if parent_present? or parent_var_name methods aren't available
         resource_namespace + [plural_resource_var_name.to_sym]
       end
 
@@ -215,16 +306,24 @@ module Crudable
       def after_authorize_update; end
 
       def on_failed_create_render
+        # Ensure resource is set before rendering the new template
+        # This prevents Rails 8 deprecation warnings about nil model arguments
+        resource = instance_variable_get("@#{resource_var_name}")
+        if resource.nil?
+          # Always initialize for rendering, even if skip_initialize_create? is true
+          # The skip_initialize_create? flag only affects the create action, not rendering
+          instance_variable_set("@#{resource_var_name}", new_instance)
+        end
         respond_to do |format|
           format.turbo_stream { render_action(:new) }
-          format.html { render :new, status: :unprocessable_entity }
+          format.html { render :new, status: UNPROCESSABLE_STATUS }
         end
       end
 
       def on_failed_update_render
         respond_to do |format|
           format.turbo_stream { render_action(:edit) }
-          format.html { render :edit, status: :unprocessable_entity }
+          format.html { render :edit, status: UNPROCESSABLE_STATUS }
         end
       end
 
@@ -245,14 +344,22 @@ module Crudable
       end
 
       def render_action(default_action_name)
-        logger.debug "Rendering relevant action for #{controller_path}/#{default_action_name} as #{request.format.symbol}"
-        return render default_action_name if lookup_context.template_exists?("#{controller_path}/#{default_action_name}")
+        logger.debug "Rendering relevant action for #{controller_path}/#{default_action_name} " \
+                     "as #{request.format.symbol}"
+        if lookup_context.template_exists?("#{controller_path}/#{default_action_name}")
+          return render default_action_name
+        end
 
-        Crudable::Rails.deprecator.warn("Rendering fallback: #{action_name}, format: #{request.format.symbol}. Rename your template to #{default_action_name}")
+        Crudable::Rails.deprecator.warn("Rendering fallback: #{action_name}, format: #{request.format.symbol}. " \
+                                        "Rename your template to #{default_action_name}")
 
         logger.debug "Rendering fallback: #{action_name}"
         render
       end
+
+      def render_not_found
+        head :not_found
+      end
     end
   end
 end

data/lib/crudable/rails/controller.rb

@@ -7,9 +7,8 @@ module Crudable
       extend ActiveSupport::Concern
 
       class_methods do
-        def crudable(nested: false)
+        def crudable
           include Crudable::Rails::Base
-          include Crudable::Rails::Nestable if nested
         end
       end
     end

data/lib/crudable/rails/engine.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Crudable
   module Rails
     class Engine < ::Rails::Engine
@@ -5,7 +7,7 @@ module Crudable
         ::ActionController::Base.include Crudable::Rails::Controller
       end
 
-      initializer "crudable-rails.deprecator" do |app|
+      initializer 'crudable-rails.deprecator' do |app|
         app.deprecators[:crudable_rails] = Crudable::Rails.deprecator
       end
     end

data/lib/crudable/rails/nestable.rb

@@ -7,20 +7,89 @@ module Crudable
       extend ActiveSupport::Concern
 
       included do
-        before_action :find_parent, only: %i[index new create]
+        before_action :find_parent
       end
 
       def find_parent
-        params.each do |name, value|
-          next unless name =~ /(.+)_id$/
-
-          object_name = Regexp.last_match(1)
-          object_scope = object_name.classify.constantize
-          object_scope = object_scope.friendly if friendly_finders?
-          instance_variable_set("@#{object_name}", object_scope.find(value))
-          self.class.send(:decorates_assigned, object_name.to_sym) if defined?(Draper)
+        return unless parent_present?
+
+        parent_scope = parent_class
+        parent_scope = parent_class.friendly if parent_friendly_finders?
+        instance_variable_set("@#{parent_var_name}", parent_scope.find(params[parent_id_param]))
+        self.class.send(:decorates_assigned, parent_var_name.to_sym) if defined?(Draper)
+      rescue ActiveRecord::RecordNotFound => e
+        # Only catch and render 404 if we're in a request context
+        # Check if we have a request object (indicates we're in a request context)
+        raise e unless respond_to?(:request, true) && !request.nil?
+
+        render_not_found
+        nil # Explicitly stop execution to prevent further action execution
+      end
+
+      def parent_id_param
+        return nil unless use_parent_as_scope?
+
+        # Prefer route/path params (ordered by the route definition) over merged params
+        # (which may include query params).
+        # If multiple *_id params exist (multi-level nesting), default to the deepest/last one.
+        @parent_id_param ||= begin
+          keys = parent_id_param_keys
+          keys.map(&:to_s).grep(/(.+)_id$/).last
         end
       end
+
+      def parent_class
+        @parent_class ||= parent_var_name.classify.constantize
+      end
+
+      def parent_var_name
+        @parent_var_name ||= parent_id_param.sub(/_id$/, '').underscore
+      end
+
+      def parent_present?
+        !parent_id_param.nil?
+      end
+
+      def parent_resource_association
+        return unless parent_present?
+
+        # Handle case where resource_class is a CollectionProxy (association proxy)
+        # Extract the actual class for comparison
+        actual_resource_class = if resource_class.is_a?(ActiveRecord::Associations::CollectionProxy)
+                                  resource_class.klass
+                                else
+                                  resource_class
+                                end
+
+        association = parent_class.reflect_on_all_associations.find { |assoc| assoc.klass == actual_resource_class }
+        association&.name
+      end
+
+      # By default, if friendly finders are enabled for the resource, we will also attempt to use
+      # friendly finders for the parent (when available).
+      #
+      # Override this in your controller if you want to force parent lookup to use (or not use)
+      # FriendlyId, independently of the resource.
+      def parent_friendly_finders?
+        return false unless defined?(FriendlyId)
+        return false unless parent_class.respond_to?(:friendly)
+
+        friendly_finders?
+      end
+
+      def use_parent_as_scope?
+        true
+      end
+
+      def parent_id_param_keys
+        return request.path_parameters.keys if request_path_parameters_present?
+
+        params&.keys || []
+      end
+
+      def request_path_parameters_present?
+        request.respond_to?(:path_parameters) && request.path_parameters.present?
+      end
     end
   end
 end

data/lib/crudable/rails/resourceable.rb

@@ -31,11 +31,41 @@ module Crudable
       def resource_namespace
         namespaces = self.class.name.split('::')
         namespaces.pop
-        namespaces.map { |n| n.downcase.to_sym }
+        namespaces.map { |n| n.underscore.to_sym }
       end
 
       def authorize_resource(method = action_name)
-        authorize resource_namespace + [authorizable_resource], "#{method}?".to_sym
+        return unless defined?(Pundit)
+        # Check if Pundit::Authorization is included (check class, ancestors, and respond_to)
+        return unless pundit_authorization_available?
+
+        authorize resource_namespace + [authorizable_resource], :"#{method}?"
+      end
+
+      def authorize_class_action(method = action_name)
+        return unless defined?(Pundit)
+        # Check if Pundit::Authorization is included (check class, ancestors, and respond_to)
+        return unless pundit_authorization_available?
+
+        authorize([*resource_namespace, resource_class], :"#{method}?")
+      end
+
+      def pundit_authorization_available?
+        return false unless defined?(Pundit)
+        return false unless defined?(Pundit::Authorization)
+        # Check if included in this class
+        return true if self.class.included_modules.include?(Pundit::Authorization)
+
+        # Check if included in any ancestor (Class or Module)
+        # This handles cases where Pundit::Authorization is included in ApplicationController
+        ancestors_to_check = self.class.ancestors.select { |a| a.is_a?(Class) || a.is_a?(Module) }
+        return true if ancestors_to_check.any? { |ancestor| ancestor.included_modules.include?(Pundit::Authorization) }
+        # Fallback: check if authorize method is available (works in most cases)
+        # Use method_defined? for more reliable check than respond_to?
+        return true if self.class.method_defined?(:authorize) || self.class.private_method_defined?(:authorize)
+
+        # Last resort: respond_to check
+        respond_to?(:authorize, true)
       end
 
       def authorizable_resource

data/lib/crudable/rails/version.rb

@@ -3,6 +3,6 @@
 # Crudable Version
 module Crudable
   module Rails
-    VERSION = '1.2.1'
+    VERSION = '1.4.0'
   end
 end

data/lib/crudable-rails.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'turbo-rails'
 
 require 'crudable/rails/version'
@@ -10,7 +12,7 @@ require 'crudable/rails/nestable'
 module Crudable
   module Rails
     def self.deprecator
-      @deprecator ||= ActiveSupport::Deprecation.new("2.0", "Crudable::Rails")
+      @deprecator ||= ActiveSupport::Deprecation.new('2.0', 'Crudable::Rails')
     end
   end
 end

data/lib/generators/crudable/scaffold/USAGE

@@ -0,0 +1,13 @@
+Description:
+    Generates a Rails scaffold and replaces the generated controller with a Crudable controller.
+
+Example:
+    bin/rails generate crudable:scaffold Thing
+
+    This will create:
+        It will generate a rails scaffold with a Crudable controller.
+
+Notes:
+    Nested routing is automatically supported: if a parent `*_id` param is present and an association
+    exists between the parent and resource, collections and resources will be scoped through the parent.
+    Override `use_parent_as_scope?` in your controller to disable parent scoping.

data/lib/generators/crudable/scaffold/scaffold_generator.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Crudable
+  class ScaffoldGenerator < Rails::Generators::NamedBase
+    include Rails::Generators::ResourceHelpers
+
+    source_root File.expand_path('templates', __dir__)
+
+    argument :attributes, type: :array, default: [], banner: 'field:type field:type'
+
+    hook_for :scaffold_controller, in: :rails
+
+    def crudable
+      template 'crudable_controller.rb',
+               File.join('app/controllers', controller_class_path, "#{controller_file_name}_controller.rb"), force: true
+    end
+
+    private
+
+    def permitted_params
+      attachments, others = attributes_names.partition { |name| attachments?(name) }
+      params = others.map { |name| ":#{name}" }
+      params += attachments.map { |name| "#{name}: []" }
+      params.join(', ')
+    end
+
+    def attachments?(name)
+      attribute = attributes.find { |attr| attr.name == name }
+      attribute&.attachments?
+    end
+  end
+end

data/lib/generators/crudable/scaffold/templates/crudable_controller.rb.tt

@@ -0,0 +1,164 @@
+<% module_namespacing do -%>
+class <%= controller_class_name %>Controller < ApplicationController
+  crudable
+
+  private
+
+  # ---------------------------------------------------------------------------
+  # Optional overrides (self-documenting hooks)
+  #
+  # `crudable` mixes in `Crudable::Rails::Base` (which includes `Nestable`),
+  # which provides the REST actions and calls these hooks. Uncomment and tailor
+  # any of the following as needed.
+  # ---------------------------------------------------------------------------
+  #
+  # # If this resource is singular (e.g. SettingsController), return true.
+  # def singleton?
+  #   false
+  # end
+  #
+  # # Which param key to use when finding a member resource (default :id).
+  # # Common examples: :slug, :uuid
+  # def finder_param
+  #   :id
+  # end
+  #
+  # # Enable FriendlyId finders/redirects (default false).
+  # def friendly_finders?
+  #   false
+  # end
+  #
+  # # Nested parent lookup: use FriendlyId for the parent (defaults to friendly_finders?).
+  # # This is only applied when FriendlyId is available and the parent model responds to `.friendly`.
+  # def parent_friendly_finders?
+  #   friendly_finders?
+  # end
+  #
+  # # Enable pagination (requires Kaminari) (default true when Kaminari is defined).
+  # def paginate_resource?
+  #   super
+  # end
+  #
+  # # Customize the scope used for index. This is the primary hook for filtering.
+  # # (HasScope is applied automatically if present.)
+  # def authorizable_scope
+  #   super
+  # end
+  #
+  # # Full scope used for index (after HasScope, Pundit, etc).
+  # def resource_scope
+  #   super
+  # end
+  #
+  # # Skip initializing a new instance in create (useful for custom create flows).
+  # def skip_initialize_create?
+  #   false
+  # end
+  #
+  # # Discard/soft-delete support (requires Discard). When true, destroy will
+  # # choose discard vs destroy based on record state and params.
+  # def discard?
+  #   false
+  # end
+  #
+  # # Control whether Pundit authorization should be performed.
+  # # Override this to customize authorization behavior (e.g., feature flags, user roles).
+  # # Default: returns true when Pundit is defined.
+  # def authorize_with_pundit?
+  #   super
+  # end
+  #
+  # # Authorization lifecycle hooks (called inside create/update).
+  # def before_authorize_create; end
+  # def after_authorize_create; end
+  # def before_authorize_update; end
+  # def after_authorize_update; end
+  #
+  # # Post-success hooks (side-effects, instrumentation, etc).
+  # def on_successful_create; end
+  # def on_successful_update; end
+  #
+  # # Failure setup hooks (e.g., rebuild form collections).
+  # def on_failed_create_setup; end
+  # def on_failed_update_setup; end
+  #
+  # # Customize success redirects/flash messages.
+  # def after_create_redirect_path
+  #   super
+  # end
+  #
+  # def after_create_notice
+  #   super
+  # end
+  #
+  # def after_update_redirect_path
+  #   super
+  # end
+  #
+  # def after_update_notice
+  #   super
+  # end
+  #
+  # def after_destroy_redirect_path
+  #   super
+  # end
+  #
+  # def after_failed_destroy_redirect_path
+  #   super
+  # end
+  #
+  # def after_destroy_notice
+  #   super
+  # end
+  #
+  # def after_failed_destroy_alert
+  #   super
+  # end
+  #
+  # # Customize rendering for failed creates/updates (Turbo/HTML).
+  # def on_failed_create_render
+  #   super
+  # end
+  #
+  # def on_failed_update_render
+  #   super
+  # end
+  #
+  # # Customize rendering for destroy outcomes.
+  # def on_successful_destroy_render
+  #   super
+  # end
+  #
+  # def on_failed_destroy_render
+  #   super
+  # end
+  #
+  # # Nested resources: parent scoping is automatic when a `*_id` param is present.
+  # # Override `use_parent_as_scope?` to disable parent scoping.
+  # def find_parent
+  #   super
+  # end
+  #
+  # def use_parent_as_scope?
+  #   true
+  # end
+  #
+  # # Nested resources: customize which `*_id` param is treated as the parent id.
+  # # Useful for multi-level nesting or non-standard param names.
+  # def parent_id_param
+  #   super
+  # end
+  #
+  # Strong params used by `create` (and by default `update` via `update_params`).
+  # Adjust the permitted attributes to match your model and nested params shape.
+  def create_params
+    <%- if attributes_names.empty? -%>
+    params.fetch(:<%= singular_table_name %>, {})
+    <%- else -%>
+    params.expect(<%= singular_table_name %>: [ <%= permitted_params %> ])
+    <%- end -%>
+  end
+  # By default, updates permit the same attributes as creates.
+  alias update_params create_params
+end
+<% end -%>

data/lib/generators/scaffold_controller/USAGE

@@ -0,0 +1,13 @@
+Description:
+    Extends the Rails scaffold controller generator with an option to generate a Crudable controller.
+
+Example:
+    bin/rails generate scaffold Thing
+
+    This will create:
+         It will invoke the rails scaffold controller with an optional Crudable controller (use `--crudable`).
+
+Notes:
+    Nested routing is automatically supported: if a parent `*_id` param is present and an association
+    exists between the parent and resource, collections and resources will be scoped through the parent.
+    Override `use_parent_as_scope?` in your controller to disable parent scoping.

data/lib/generators/scaffold_controller/scaffold_controller_generator.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+class ScaffoldControllerGenerator < Rails::Generators::NamedBase
+  include Rails::Generators::ResourceHelpers
+
+  source_root File.expand_path('templates', __dir__)
+
+  class_exclusive do
+    class_option :crudable, type: :boolean, desc: 'Generate with crudable controller'
+  end
+
+  argument :attributes, type: :array, default: [], banner: 'field:type field:type'
+
+  hook_for :scaffold_controller, in: :rails
+
+  def crudable
+    return unless options.crudable?
+
+    template 'crudable_controller.rb',
+             File.join('app/controllers', controller_class_path, "#{controller_file_name}_controller.rb"), force: true
+  end
+
+  private
+
+  def permitted_params
+    attachments, others = attributes_names.partition { |name| attachments?(name) }
+    params = others.map { |name| ":#{name}" }
+    params += attachments.map { |name| "#{name}: []" }
+    params.join(', ')
+  end
+
+  def attachments?(name)
+    attribute = attributes.find { |attr| attr.name == name }
+    attribute&.attachments?
+  end
+end

data/lib/generators/scaffold_controller/templates/crudable_controller.rb.tt

@@ -0,0 +1,164 @@
+<% module_namespacing do -%>
+class <%= controller_class_name %>Controller < ApplicationController
+  crudable
+
+  private
+
+  # ---------------------------------------------------------------------------
+  # Optional overrides (self-documenting hooks)
+  #
+  # `crudable` mixes in `Crudable::Rails::Base` (which includes `Nestable`),
+  # which provides the REST actions and calls these hooks. Uncomment and tailor
+  # any of the following as needed.
+  # ---------------------------------------------------------------------------
+  #
+  # # If this resource is singular (e.g. SettingsController), return true.
+  # def singleton?
+  #   false
+  # end
+  #
+  # # Which param key to use when finding a member resource (default :id).
+  # # Common examples: :slug, :uuid
+  # def finder_param
+  #   :id
+  # end
+  #
+  # # Enable FriendlyId finders/redirects (default false).
+  # def friendly_finders?
+  #   false
+  # end
+  #
+  # # Nested parent lookup: use FriendlyId for the parent (defaults to friendly_finders?).
+  # # This is only applied when FriendlyId is available and the parent model responds to `.friendly`.
+  # def parent_friendly_finders?
+  #   friendly_finders?
+  # end
+  #
+  # # Enable pagination (requires Kaminari) (default true when Kaminari is defined).
+  # def paginate_resource?
+  #   super
+  # end
+  #
+  # # Customize the scope used for index. This is the primary hook for filtering.
+  # # (HasScope is applied automatically if present.)
+  # def authorizable_scope
+  #   super
+  # end
+  #
+  # # Full scope used for index (after HasScope, Pundit, etc).
+  # def resource_scope
+  #   super
+  # end
+  #
+  # # Skip initializing a new instance in create (useful for custom create flows).
+  # def skip_initialize_create?
+  #   false
+  # end
+  #
+  # # Discard/soft-delete support (requires Discard). When true, destroy will
+  # # choose discard vs destroy based on record state and params.
+  # def discard?
+  #   false
+  # end
+  #
+  # # Control whether Pundit authorization should be performed.
+  # # Override this to customize authorization behavior (e.g., feature flags, user roles).
+  # # Default: returns true when Pundit is defined.
+  # def authorize_with_pundit?
+  #   super
+  # end
+  #
+  # # Authorization lifecycle hooks (called inside create/update).
+  # def before_authorize_create; end
+  # def after_authorize_create; end
+  # def before_authorize_update; end
+  # def after_authorize_update; end
+  #
+  # # Post-success hooks (side-effects, instrumentation, etc).
+  # def on_successful_create; end
+  # def on_successful_update; end
+  #
+  # # Failure setup hooks (e.g., rebuild form collections).
+  # def on_failed_create_setup; end
+  # def on_failed_update_setup; end
+  #
+  # # Customize success redirects/flash messages.
+  # def after_create_redirect_path
+  #   super
+  # end
+  #
+  # def after_create_notice
+  #   super
+  # end
+  #
+  # def after_update_redirect_path
+  #   super
+  # end
+  #
+  # def after_update_notice
+  #   super
+  # end
+  #
+  # def after_destroy_redirect_path
+  #   super
+  # end
+  #
+  # def after_failed_destroy_redirect_path
+  #   super
+  # end
+  #
+  # def after_destroy_notice
+  #   super
+  # end
+  #
+  # def after_failed_destroy_alert
+  #   super
+  # end
+  #
+  # # Customize rendering for failed creates/updates (Turbo/HTML).
+  # def on_failed_create_render
+  #   super
+  # end
+  #
+  # def on_failed_update_render
+  #   super
+  # end
+  #
+  # # Customize rendering for destroy outcomes.
+  # def on_successful_destroy_render
+  #   super
+  # end
+  #
+  # def on_failed_destroy_render
+  #   super
+  # end
+  #
+  # # Nested resources: parent scoping is automatic when a `*_id` param is present.
+  # # Override `use_parent_as_scope?` to disable parent scoping.
+  # def find_parent
+  #   super
+  # end
+  #
+  # def use_parent_as_scope?
+  #   true
+  # end
+  #
+  # # Nested resources: customize which `*_id` param is treated as the parent id.
+  # # Useful for multi-level nesting or non-standard param names.
+  # def parent_id_param
+  #   super
+  # end
+  #
+  # Strong params used by `create` (and by default `update` via `update_params`).
+  # Adjust the permitted attributes to match your model and nested params shape.
+  def create_params
+    <%- if attributes_names.empty? -%>
+    params.fetch(:<%= singular_table_name %>, {})
+    <%- else -%>
+    params.expect(<%= singular_table_name %>: [ <%= permitted_params %> ])
+    <%- end -%>
+  end
+  # By default, updates permit the same attributes as creates.
+  alias update_params create_params
+end
+<% end -%>

data/lib/tasks/crudable_tasks.rake

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # desc "Explaining what the task does"
 # task :crudable do
 #   # Task goes here

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: crudable-rails
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.4.0
 platform: ruby
 authors:
 - Tomislav Simnett
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-20 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -16,7 +15,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: 7.1.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 9.0.0
@@ -26,7 +25,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: 7.1.0
     - - "<"
       - !ruby/object:Gem::Version
         version: 9.0.0
@@ -45,45 +44,45 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 2.0.0
 - !ruby/object:Gem::Dependency
-  name: rubocop
+  name: mocha
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.50'
+        version: '2.6'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 3.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.50'
+        version: '2.6'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: 3.0.0
 - !ruby/object:Gem::Dependency
-  name: mocha
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '1.50'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.6'
+        version: '1.50'
     - - "<"
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: '2.0'
 description: Crudable Rails provides everything needed to quickly build fully functional
   CRUD-based controllers in a Rails application. It streamlines resource management,
   reduces boilerplate, and enforces best practices for handling requests, responses,
@@ -106,12 +105,18 @@ files:
 - lib/crudable/rails/nestable.rb
 - lib/crudable/rails/resourceable.rb
 - lib/crudable/rails/version.rb
+- lib/generators/crudable/scaffold/USAGE
+- lib/generators/crudable/scaffold/scaffold_generator.rb
+- lib/generators/crudable/scaffold/templates/crudable_controller.rb.tt
+- lib/generators/scaffold_controller/USAGE
+- lib/generators/scaffold_controller/scaffold_controller_generator.rb
+- lib/generators/scaffold_controller/templates/crudable_controller.rb.tt
 - lib/tasks/crudable_tasks.rake
 homepage: https://gitlab.com/initforthe/crudable-rails
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -126,8 +131,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.9
-signing_key:
+rubygems_version: 4.0.12
 specification_version: 4
 summary: CRUD operations for Rails controllers
 test_files: []