decidim-access_requests 0.15.0

data/README.md

@@ -0,0 +1,105 @@
+# Decidim::AccessRequests
+
+A [Decidim](https://github.com/decidim/decidim) module that provides a new
+verification method that allows system administrators to define new verification
+workflows where the admins can provide access to specific users.
+
+This module does not itself register any verification workflows because these
+access request workflows are generally specific to the system in question. For
+example, if the admins want to provide access only for specific users to add
+new proposals in a specific participatory space, they can define a new workflow
+for that.
+
+The access request workflow works as follows:
+
+- User requests access against the registered workflow
+- An admin will review the request
+- Admin will either approve or reject the access request
+- The user will get notified that their access request has been either approved
+  or rejected
+
+Alternatively, the admins can also provide access directly to specific users
+from the admin panel. This way, the users won't have to create the access
+requests themselves and they are automatically granted the access once the admin
+has given it.
+
+The gem has been developed by [Mainio Tech](https://www.mainiotech.fi/).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'decidim-access_requests', :git => 'git@github.com:mainio/decidim-module-access_requests.git'
+```
+
+And then execute:
+
+```bash
+$ bundle
+```
+
+After installation, add this to your verifications initializer:
+
+```ruby
+# config/initializers/decidim_verifications.rb
+Decidim::Verifications.register_workflow(:your_requests) do |workflow|
+  workflow.engine = Decidim::AccessRequests::Verification::Engine
+  workflow.admin_engine = Decidim::AccessRequests::Verification::AdminEngine
+end
+```
+
+And finally, add these lines to your localization files to describe the workflow
+you just registered:
+
+```yaml
+en:
+  decidim:
+    authorization_handlers:
+      your_requests:
+        explanation: An admin will approve or deny access
+        name: Your access requests
+```
+
+## Usage
+
+TODO
+
+## Contributing
+
+See [Decidim](https://github.com/decidim/decidim).
+
+### Testing
+
+To run the tests run the following in the gem development path:
+
+```bash
+$ bundle
+$ DATABASE_USERNAME=<username> DATABASE_PASSWORD=<password> bundle exec rake test_app
+$ DATABASE_USERNAME=<username> DATABASE_PASSWORD=<password> bundle exec rspec
+```
+
+Note that the database user has to have rights to create and drop a database in
+order to create the dummy test app database.
+
+In case you are using [rbenv](https://github.com/rbenv/rbenv) and have the
+[rbenv-vars](https://github.com/rbenv/rbenv-vars) plugin installed for it, you
+can add these environment variables to the root directory of the project in a
+file named `.rbenv-vars`. In this case, you can omit defining these in the
+commands shown above.
+
+### Test code coverage
+
+If you want to generate the code coverage report for the tests, you can use
+the `SIMPLECOV=1` environment variable in the rspec command as follows:
+
+```bash
+SIMPLECOV=1 bundle exec rspec
+```
+
+This will generate a folder named `coverage` in the project root which contains
+the code coverage report.
+
+## License
+
+See [LICENSE-AGPLv3.txt](LICENSE-AGPLv3.txt).

data/Rakefile

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "decidim/dev/common_rake"
+
+desc "Generates a dummy app for testing"
+task test_app: "decidim:generate_external_test_app"
+
+desc "Generates a development app."
+task development_app: "decidim:generate_external_development_app"
+
+# Run all tests, include all
+RSpec::Core::RakeTask.new(:spec) do |t, task_args|
+  t.verbose = false
+end
+
+# Run both by default
+task default: [:spec]

data/app/assets/config/decidim_access_requests_manifest.css

@@ -0,0 +1,3 @@
+/*
+ *= link decidim/access_requests/verification.scss
+ */

data/app/assets/stylesheets/decidim/access_requests/verification.scss

@@ -0,0 +1,4 @@
+@import "decidim/variables";
+@import "decidim/utils/settings";
+@import "decidim/access_requests/verification/variables";
+@import "decidim/access_requests/verification/step-bullets";

data/app/assets/stylesheets/decidim/access_requests/verification/_step-bullets.scss

@@ -0,0 +1,30 @@
+.step-bullets{
+  margin-bottom: 3rem;
+}
+
+.step-bullet{
+  &.completed{
+    .step-bullet__icon{
+      border-color: $step-completed-color;
+      color: $step-completed-color;
+    }
+  }
+
+  .step-bullet__icon{
+    position: relative;
+    width: 6em;
+    height: 6em;
+    margin: 0 auto 1rem;
+    border: 4px solid $step-pending-color;
+    border-radius: 50%;
+    color: $step-pending-color;
+
+    .icon{
+      position: relative;
+      top: 50%;
+      transform: translateY(-50%);
+      width: 3em;
+      height: 3em;
+    }
+  }
+}

data/app/assets/stylesheets/decidim/access_requests/verification/_variables.scss

@@ -0,0 +1,2 @@
+$step-pending-color: $medium-gray !default;
+$step-completed-color: $body-font-color !default;

data/app/commands/decidim/access_requests/verification/admin/confirm_user_access_request.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Decidim
+  module AccessRequests
+    module Verification
+      module Admin
+        # A command to confirm a previous partial authorization.
+        # This is just a wrapper class to call the ConfirmUserAuthorization
+        # command because we add the email notifications here.
+        class ConfirmUserAccessRequest < Rectify::Command
+          # Public: Initializes the command.
+          #
+          # authorization - An Authorization to be confirmed.
+          # form - A form object with the verification data to confirm it.
+          def initialize(authorization, form)
+            @authorization = authorization
+            @form = form
+          end
+
+          # Executes the command. Broadcasts these events:
+          #
+          # - :ok when everything is valid.
+          # - :invalid if the handler wasn't valid and we couldn't proceed.
+          #
+          # Returns nothing.
+          def call
+            parent = self
+
+            Decidim::Verifications::ConfirmUserAuthorization.call(authorization, form) do
+              on(:ok) do
+                send_notification
+                parent.send(:broadcast, :ok)
+              end
+
+              on(:invalid) do
+                parent.send(:broadcast, :invalid)
+              end
+
+              on(:already_confirmed) do
+                parent.send(:broadcast, :invalid)
+              end
+            end
+          end
+
+          private
+
+          attr_reader :authorization, :form
+
+          def send_notification
+            Decidim::EventsManager.publish(
+              event: "decidim.events.access_requests.confirmed",
+              event_class: AccessRequestConfirmedEvent,
+              resource: authorization,
+              # affected_users: [authorization.user], # 0.16+
+              recipient_ids: [authorization.user.id],
+              extra: {
+                user_name: authorization.user.name,
+                user_nickname: authorization.user.nickname,
+                handler_name: authorization.name
+              }
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/commands/decidim/access_requests/verification/admin/destroy_authorization.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Decidim
+  module AccessRequests
+    module Verification
+      module Admin
+        # A command to destroy an authorization.
+        class DestroyAuthorization < Rectify::Command
+          # Public: Initializes the command.
+          #
+          # authorization - The authorization object to destroy.
+          def initialize(authorization)
+            @authorization = authorization
+          end
+
+          # Executes the command. Broadcasts these events:
+          #
+          # - :ok when everything is valid.
+          # - :invalid if the authorization couldn't be destroyed.
+          #
+          # Returns nothing.
+          def call
+            return broadcast(:invalid) unless authorization
+
+            destroy_authorization
+            broadcast(:ok)
+          end
+
+          private
+
+          attr_reader :authorization
+
+          def destroy_authorization
+            authorization.destroy!
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/decidim/access_requests/verification/detectable_verification_manifest.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Decidim
+  module AccessRequests
+    module Verification
+      module DetectableVerificationManifest
+        include ActiveSupport::Concern
+
+        def verification_manifest
+          if verification_manifest_handle
+            Decidim::Verifications.workflows.to_a.find do |verification|
+              verification.name == verification_manifest_handle
+            end
+          end
+        end
+
+        def verification_manifest_handle
+          request.path.split("/")[2] if request.path =~ %r{^/admin/}
+        end
+      end
+    end
+  end
+end

data/app/controllers/decidim/access_requests/verification/admin/granted_authorizations_controller.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+module Decidim
+  module AccessRequests
+    module Verification
+      module Admin
+        class GrantedAuthorizationsController < Decidim::Admin::ApplicationController
+          include DetectableVerificationManifest
+
+          layout "decidim/admin/users"
+
+          helper Decidim::Messaging::ConversationHelper
+
+          before_action :check_verification_manifest
+          before_action :load_user, only: [:create]
+          before_action :load_authorization, only: [:create]
+
+          def index
+            enforce_permission_to :index, :authorization
+
+            @granted_authorizations = AuthorizationPresenter.for_collection(
+              granted_authorizations
+            )
+          end
+
+          def new
+            enforce_permission_to :read, :authorization
+            @query = params[:q]
+            @state = params[:state]
+
+            authorized_user_ids = granted_authorizations.pluck(:decidim_user_id)
+
+            @users =
+              Decidim::Admin::UserFilter.for(
+                current_organization.users.not_deleted
+                  .where.not(
+                    id: authorized_user_ids
+                  ),
+                @query,
+                @state
+              )
+                                        .page(params[:page])
+                                        .per(15)
+          end
+
+          def create
+            enforce_permission_to :create, :authorization, authorization: @authorization
+
+            @form = RequestForm.new(
+              handler_handle: verification_manifest.name
+            ).with_context(current_organization: current_organization)
+
+            ConfirmUserAccessRequest.call(authorization, @form) do
+              on(:ok) do
+                flash[:notice] = t("pending_authorizations.update.success", scope: "decidim.access_requests.verification.admin")
+                redirect_to granted_authorizations_path
+              end
+
+              on(:invalid) do
+                flash[:alert] = t("pending_authorizations.update.error", scope: "decidim.access_requests.verification.admin")
+                redirect_to granted_authorizations_path
+              end
+            end
+          end
+
+          def destroy
+            enforce_permission_to :destroy, :authorization, authorization: authorization
+
+            DestroyAuthorization.call(authorization) do
+              on(:ok) do
+                flash[:notice] = t("granted_authorizations.destroy.success", scope: "decidim.access_requests.verification.admin")
+                redirect_to granted_authorizations_path
+              end
+
+              on(:invalid) do
+                flash[:alert] = t("granted_authorizations.destroy.error", scope: "decidim.access_requests.verification.admin")
+                redirect_to granted_authorizations_path
+              end
+            end
+          end
+
+          private
+
+          def check_verification_manifest
+            redirect_to decidim_admin.users_path if verification_manifest.nil?
+          end
+
+          def granted_authorizations
+            Decidim::Verifications::Authorizations.new(
+              organization: current_organization,
+              name: verification_manifest.name,
+              granted: true
+            )
+          end
+
+          def authorization
+            @authorization ||= Authorization.find_by(
+              id: params[:id],
+              name: verification_manifest.name
+            )
+          end
+
+          def load_authorization
+            @authorization = Authorization.find_or_initialize_by(
+              user: @user,
+              name: verification_manifest.name
+            )
+          end
+
+          def load_user
+            @user = User.find(params[:user_id])
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/decidim/access_requests/verification/admin/pending_authorizations_controller.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Decidim
+  module AccessRequests
+    module Verification
+      module Admin
+        class PendingAuthorizationsController < Decidim::Admin::ApplicationController
+          include DetectableVerificationManifest
+
+          layout "decidim/admin/users"
+
+          def index
+            enforce_permission_to :index, :authorization
+
+            @pending_authorizations = AuthorizationPresenter.for_collection(
+              pending_authorizations
+            )
+          end
+
+          def update
+            enforce_permission_to :edit, :authorization, authorization: authorization
+
+            @form = RequestForm.new(
+              handler_handle: verification_manifest.name
+            ).with_context(current_organization: current_organization)
+
+            ConfirmUserAccessRequest.call(authorization, @form) do
+              on(:ok) do
+                flash[:notice] = t("pending_authorizations.update.success", scope: "decidim.access_requests.verification.admin")
+                redirect_to pending_authorizations_path
+              end
+
+              on(:invalid) do
+                flash.now[:alert] = t("pending_authorizations.update.error", scope: "decidim.access_requests.verification.admin")
+                redirect_to pending_authorizations_path
+              end
+            end
+          end
+
+          def destroy
+            enforce_permission_to :destroy, :authorization, authorization: authorization
+
+            DestroyAuthorization.call(authorization) do
+              on(:ok) do
+                flash[:notice] = t("pending_authorizations.destroy.success", scope: "decidim.access_requests.verification.admin")
+                redirect_to pending_authorizations_path
+              end
+
+              on(:invalid) do
+                flash.now[:alert] = t("pending_authorizations.destroy.error", scope: "decidim.access_requests.verification.admin")
+                redirect_to pending_authorizations_path
+              end
+            end
+          end
+
+          private
+
+          def pending_authorizations
+            Decidim::Verifications::Authorizations.new(
+              organization: current_organization,
+              name: verification_manifest.name,
+              granted: false
+            )
+          end
+
+          def authorization
+            @authorization ||= Authorization.find_by(
+              id: params[:id],
+              name: verification_manifest.name
+            )
+          end
+        end
+      end
+    end
+  end
+end