droom 0.4.3 → 0.5.3

data/app/controllers/droom/services_controller.rb

@@ -0,0 +1,50 @@
+module Droom
+  class ServicesController < Droom::EngineController
+    respond_to :js, :html
+    layout :no_layout_if_pjax
+
+    load_and_authorize_resource
+
+    def index
+      @groups = Droom::Group.all
+      @group_permissions = Droom::GroupPermission.by_group_id
+      respond_with(@services) do |format|
+        format.js { render :partial => 'droom/services/services' }
+      end
+    end
+    
+    def show
+      respond_with @service
+    end
+    
+    def new
+      respond_with @service
+    end
+    
+    def create
+      @service.update_attributes(service_params)
+      respond_with @service
+    end
+
+    def edit
+      respond_with @service
+    end
+    
+    def update
+      @service.update_attributes(service_params)
+      respond_with @service
+    end
+
+    def destroy
+      @service.destroy
+      head :ok
+    end
+
+  protected
+
+    def service_params
+      params.require(:service).permit(:name, :slug, :description)
+    end
+
+  end
+end

data/app/controllers/droom/suggestions_controller.rb

@@ -1,7 +1,9 @@
 module Droom
   class SuggestionsController < Droom::EngineController
-    respond_to :json, :js
-    before_filter :authenticate_user!
+    respond_to :html, :json, :js
+    layout false
+
+    skip_authorization_check
     before_filter :get_classes
     
     def index
@@ -12,11 +14,11 @@ module Droom
         @suggestions = []
       else
         if @types.include?('event') && fragment.length > 6 && span = Chronic.parse(fragment, :guess => false)
-          @suggestions = Droom::Event.falling_within(span).visible_to(current_user.person)
+          @suggestions = Droom::Event.falling_within(span).accessible_by(current_ability)
           @title = span.width > 86400 ? "Events in #{fragment}" : "Events on #{fragment}"
         else
           @suggestions = @klasses.collect {|klass|
-            klass.constantize.visible_to(current_user.person).matching(fragment).limit(max.to_i)
+            klass.camelize.constantize.accessible_by(current_ability).matching(fragment).limit(max.to_i)
           }.flatten.sort_by(&:name).slice(0, max.to_i)
         end
       end

data/app/controllers/droom/users/confirmations_controller.rb

@@ -0,0 +1,24 @@
+module Droom::Users
+  class ConfirmationsController < Devise::ConfirmationsController
+
+    # We used to intervene here in several steps but by encrypting the stored token 
+    # devise has made confirmation a bit of a black box. These days we just render a
+    # password-setting form if no password has been set. The form puts to users#update 
+    # in the usual way.
+    #
+    # The usual behaviour is to redirect on confirmation. We intervene here only to
+    # render instead.
+    #
+    def show
+      @resource = self.resource = resource_class.confirm_by_token(params[:confirmation_token])
+      if @resource && @resource.confirmed?
+        # the confirmation call worked, ie the token was correct
+        sign_in(resource_name, @resource)
+        render
+      else
+        render :template => "droom/users/confirmations/failure" 
+      end
+    end
+
+  end
+end

data/app/controllers/droom/users/passwords_controller.rb

@@ -0,0 +1,39 @@
+module Droom::Users
+  class PasswordsController < Devise::PasswordsController
+    respond_to :html, :json
+    before_filter :set_access_control_headers
+    skip_before_filter :require_no_authentication, only: [:completed]
+    before_filter :remember_original_destination, only: [:new]
+
+    def show
+      render
+    end
+
+    def completed
+      render
+    end
+
+    def after_resetting_password_path_for(resource)
+      droom.complete_confirmation_url
+    end
+
+    def after_sending_reset_password_instructions_path_for(resource_name)
+      droom.show_confirmation_url
+    end
+
+    def remember_original_destination
+      store_full_location_for(:user, params[:backto])
+    end
+
+
+    # Bypass the usual store_location_for because we need to keep the full URI. 
+    #
+    def store_full_location_for(resource_or_scope, location)
+      session_key = stored_location_key_for(resource_or_scope)
+      if location
+        session[session_key] = location
+      end
+    end
+    
+  end
+end

data/app/controllers/droom/users/sessions_controller.rb

@@ -0,0 +1,7 @@
+module Droom::Users
+  class SessionsController < Devise::SessionsController
+    respond_to :html, :json
+    before_filter :set_access_control_headers
+    skip_before_action :verify_authenticity_token
+  end
+end

data/app/controllers/droom/users_controller.rb

@@ -3,16 +3,50 @@ module Droom
     helper Droom::DroomHelper
     respond_to :html, :js
     layout :no_layout_if_pjax
-    before_filter :authenticate_user!
-    before_filter :require_admin!, :only => [:index, :new, :create, :destroy]
-    before_filter :get_user, :only => [:show, :edit, :update, :destroy, :welcome]
-    before_filter :require_self_or_admin!, :only => [:edit, :update]
-    before_filter :remember_token_auth
+    before_filter :set_view, only: [:show, :edit, :update]
+    load_and_authorize_resource
 
     def index
-      @everyone = Droom::Person.all + Droom::User.unpersoned
+      @users = @users.in_name_order
+      @users = @users.matching(params[:q]) unless params[:q].blank?
+      @users = paginated(@users, 50)
+      respond_with @users do |format|
+        format.js { render :partial => 'droom/users/users' }
+        format.vcf { render :vcf => @users.map(&:to_vcf) }
+      end
+    end
+        
+    def admin
+      @users = @users.in_name_order
+      if params[:q].blank?
+        @users = @users.in_any_directory_group
+      else
+        @users = @users.matching(params[:q])
+      end
+      @users = paginated(@users, 100)
+      respond_with @users
+    end
+
+    def show
+      @invitation = Droom::Invitation.find(params[:invitation_id]) if params[:invitation_id].present?
+      respond_with @user
     end
   
+    def new
+      if params[:group_id].present?
+        @user.groups << Droom::Group.find(params[:group_id])
+      end
+      if params[:organisation_id].present? && Droom.use_organisations?
+        @user.organisation = Droom::Organisation.find(params[:organisation_id])
+      end
+      respond_with @user
+    end
+
+    def create
+      @user.update_attributes(user_params)
+      respond_with @user
+    end
+
     def edit
       respond_with @user
     end
@@ -20,49 +54,37 @@ module Droom
     # This has to handle small preference updates over js and large account-management forms over html.
     #
     def update
-      if @user.update_attributes(params[:user])
-        sign_in(@user, :bypass => true) if @user == current_user        # changing the password invalidates the session unless we refresh it with the new one
-        respond_to do |format|
-          format.js { 
-            partial = params[:response_partial] || "confirmation"
-            render :partial => "droom/users/#{partial}"
-          }
-          format.html {
-            if current_user.admin? && @user != current_user
-              flash[:notice] = t(:user_updated, :name => @user.name)
-            else
-              flash[:notice] = t(:your_preferences_saved)
-            end
+      if @user.update_attributes(user_params)
+        sign_in(@user, :bypass => true) if @user == current_user        # changing the password invalidates the session
+        respond_with @user do |f|
+          f.html {
+            flash[:notice] = "Thank you. Your account has been updated."
             redirect_to droom.dashboard_url
           }
+          f.js {
+            render partial: "droom/users/show/profile"
+          }
         end
       else
-        render :edit
+        Rails.logger.warn "update failed: #{@user.errors.to_a.inspect}"
+        respond_with @user
       end
     end
 
-  protected
-
-    def get_user
-      if current_user.admin? && params[:id]
-        @user = User.find(params[:id])
-      else
-        @user = current_user
-      end
+    def destroy
+      @user.destroy
+      head :ok
     end
-  
-  private
 
-    def require_self_or_admin!
-      raise Droom::PermissionDenied unless current_user && (current_user.admin? || @user == current_user)
-    end
+  protected
 
-    def remember_token_auth
-      if params[:auth_token] && user_signed_in?
-        current_user.remember_me = true 
-        sign_in current_user
-      end
+    def user_params
+      params.require(:user).permit(:title, :family_name, :given_name, :chinese_name, :honours, :email, :password, :password_confirmation, :phone, :description, :admin, :gender, :preferences_attributes, :confirm, :old_id, :send_confirmation, :defer_confirmation, :address, :post_code, :country_code, :mobile, :organisation_id, :female, :image, group_ids: [], preferences_attributes: [:id, :_destroy, :uuid, :key, :value])
     end
 
+    def set_view
+      @view = params[:view] if %w{listed tabled profile preferences}.include?(params[:view])
+      @view ||= 'profile'
+    end
   end
 end

data/app/controllers/droom/venues_controller.rb

@@ -1,37 +1,30 @@
 module Droom
   class VenuesController < Droom::EngineController
     respond_to :json, :html
-  
-    before_filter :authenticate_user!  
-    before_filter :get_venues, :only => ["index"]
-    before_filter :get_venue, :only => [:show, :update]
+
+    load_and_authorize_resource
 
     def index
       respond_with @venues do |format|
         format.json {
-          render :json => @venues.to_json(:person => @person)
+          render :json => @venues.to_json(:user => @user)
         }
       end
     end
-    
+
     def show
       respond_with @venue
     end
-    
+
     def update
       @venue.update_attributes(params[:venue])
       respond_with @venue
     end
-    
+
   protected
   
-    def get_venues
-      @venues = Venue.all
-    end
-
-    def get_venue
-      @venue = Venue.find(params[:id])
-      @events = @venue.events.visible_to(current_person).future_and_current
+    def venue_params
+      params.require(:venue).permit(:name, :lat, :lng, :address, :post_code, :country_code)
     end
 
   end

data/app/controllers/droom/youtube_controller.rb

@@ -1,8 +1,8 @@
 module Droom
   class YoutubeController < Droom::EngineController
     respond_to :js, :json
-    before_filter :authenticate_user!
     layout nil
+    skip_authorization_check
 
     def show
       @video = Droom.yt_client.video_by(params[:yt_id])

data/app/helpers/droom/droom_helper.rb

@@ -3,18 +3,24 @@ require 'dropbox_sdk'
 module Droom
   module DroomHelper
 
+    def allowed?(permission_code)
+      current_user.admin? || current_user.permitted?(permission_code)
+    end
+
     def action_menulink(thing, html_options={})
-      classname = thing.class.to_s.downcase.underscore.split('/').last
-      html_options.reverse_merge!({
-        :class => "",
-        :data => {:menu => "#{classname}_#{thing.id}"}
-      })
-      html_options[:class] << " menu"
-      link_to t(:edit), "#", html_options if editable?(thing)
+      if can?(:edit, thing)
+        classname = thing.class.to_s.downcase.underscore.split('/').last
+        html_options.reverse_merge!({
+          :class => "",
+          :data => {:menu => "#{classname}_#{thing.id}"}
+        })
+        html_options[:class] << " menu"
+        link_to t(:edit), "#", html_options if editable?(thing)
+      end
     end
     
     def action_menu(thing, locals={})
-      if editable?(thing)
+      if can?(:edit, thing)
         type = thing.class.to_s.downcase.underscore
         classname = type.split('/').last
         locals[classname.to_sym] = thing
@@ -34,10 +40,6 @@ module Droom
       DropboxSession.new(Droom.dropbox_app_key, Droom.dropbox_app_secret)
     end
 
-    def current_person
-      current_user.person if user_signed_in?
-    end
-
     def admin?
       current_user && current_user.admin?
     end
@@ -46,17 +48,20 @@ module Droom
       controller.controller_name
     end
 
-    def preference_checkbox(key)
-      render :partial => "droom/preferences/checkbox", :locals => {:key => key}
+    def preference_checkbox(key, options={})
+      render :partial => "droom/preferences/checkbox", :locals => options.merge({:key => key})
     end
 
     def preference_radio_set(key, *values)
       render :partial => "droom/preferences/radio_set", :locals => {:key => key, :values => values}
     end
 
-    def shorten(text, length=64)
+    def shorten(text, length=64, separator=" ")
+      text = strip_tags(text)
       length = length[:length] if length.is_a?(Hash)
-      truncate(strip_tags(text), {:length => length, :separator => " "})
+      content_tag :span, class: 'shortened', title: text do
+        truncate(text, {:length => length, :separator => separator})
+      end
     end
 
     def dropbox?
@@ -91,7 +96,7 @@ module Droom
 
     def nav_link_to(name, url, options={})
       options[:class] ||= ""
-      options[:class] << "here" if (request.path == url) || (request.path =~ /^#{url}/)
+      options[:class] << "here" if (request.path == url) || (url != "/" && request.path =~ /^#{url}/)
       link_to name, url, options
     end
 

data/app/models/droom/ability.rb

@@ -0,0 +1,81 @@
+module Droom
+  class Ability
+    include CanCan::Ability
+
+    def initialize(user)
+      # invitation only:
+      # no unauthenticated access allowed.
+      
+      if user
+        if user.admin?
+          # An admin flag on the user table overrides this whole mechanism to make all things possible.
+          #
+          can :manage, :all
+
+        else
+          # Otherwise, most items are visible to all.
+          #
+          can :read, Droom::Event
+          can :read, Droom::Folder
+          can :read, Droom::Document
+          can :read, Droom::Scrap
+          can :read, Droom::Venue
+          can :read, Droom::User
+          can :read, Droom::Group
+          can :read, Droom::Organisation
+        
+          # And they can edit themselves
+          #
+          can :update, Droom::User, :id => user.id
+          cannot :edit, Droom::User
+        
+          # If someone has been allowed to create something, they are generally allowed to edit or remove it.
+          # This rule must sit after the user rules because users have no created_by_id column.
+          #
+          # can :manage, :all, :created_by_id => user.id
+
+          # Then other abilities are determined by permissions. Permissions here are relatively abstract and 
+          # not closely coupled to Cancan abilities. Here we map them onto more concrete operations.
+          #
+          if user.permitted?('droom.calendar')
+            can :create, Droom::Event
+            can :create, Droom::EventSet
+            can :create, Droom::Venue
+            can :create, Droom::Invitation
+            can :create, Droom::GroupInvitation
+            if user.permitted?('droom.attach')
+              can :create, Droom::AgendaCategory
+              can :create, Droom::Document 
+            end
+          end
+
+          if user.permitted?('droom.directory')
+            can :create, Droom::Group
+            can :create, Droom::Organisation
+            can :create, Droom::User
+          end
+        
+          if user.permitted?('droom.library')
+            can :create, Droom::Folder
+            can :create, Droom::Document
+          end
+        
+          if user.permitted?('droom.stream')
+            can :create, Droom::Scrap
+          end
+
+          if user.permitted?('droom.pages')
+            can :create, Droom::Page
+          end
+
+          # Some models are purely administrative.
+          #
+          can :create, Droom::DropboxToken
+          can :create, Droom::DropboxDocument
+          can :create, Droom::MailingListMembership
+        
+        end
+      end
+    end
+  end
+end