easy-admin-rails 0.1.14 → 0.2.0

data/app/components/easy_admin/permissions/user_role_permissions_component.rb

@@ -0,0 +1,186 @@
+module EasyAdmin
+  module Permissions
+    class UserRolePermissionsComponent < EasyAdmin::BaseComponent
+      def initialize(user:)
+        @user = user
+        # Use direct role association for role info
+        if user && user.respond_to?(:role)
+          user.reload if user.persisted? 
+          @current_role = user.role
+        else
+          @current_role = nil
+        end
+        
+        # Get actual permissions from permissions_cache
+        @user_permissions = get_user_permissions_from_cache(user)
+        @all_permissions = EasyAdmin::Permissions::Permission.all.order(:resource_type, :action)
+        
+        Rails.logger.debug "UserRolePermissionsComponent: user=#{@user&.id}, role=#{@current_role&.name}, cached_permissions=#{@user_permissions.size}"
+      end
+
+      def view_template
+        div(class: "space-y-6") do
+          # Current Role Section
+          render_current_role_section
+          
+          # Individual Permissions Section (from cache)
+          render_permissions_section
+        end
+      end
+
+      private
+
+      def render_current_role_section
+        div(class: "bg-white border border-gray-200 rounded-lg p-6") do
+          div(class: "flex items-center justify-between mb-4") do
+            h3(class: "text-lg font-medium text-gray-900") { "Current Role" }
+            
+            if @current_role
+              span(class: "inline-flex items-center px-3 py-1 rounded-full text-sm font-medium bg-blue-100 text-blue-800") do
+                @current_role.name
+              end
+            else
+              span(class: "inline-flex items-center px-3 py-1 rounded-full text-sm font-medium bg-gray-100 text-gray-800") do
+                "No role assigned"
+              end
+            end
+          end
+
+          if @current_role
+            if @current_role.description.present?
+              p(class: "text-gray-600 mb-4") { @current_role.description }
+            end
+            
+            div(class: "grid grid-cols-3 gap-4 text-sm") do
+              div do
+                span(class: "font-medium text-gray-500") { "Role Slug:" }
+                p(class: "text-gray-900 font-mono") { @current_role.slug }
+              end
+              
+              div do
+                span(class: "font-medium text-gray-500") { "Permissions Count:" }
+                p(class: "text-gray-900") { @current_role.permissions.count.to_s }
+              end
+              
+              div do
+                span(class: "font-medium text-gray-500") { "Status:" }
+                p(class: "text-green-600 font-medium") { @current_role.active? ? "Active" : "Inactive" }
+              end
+            end
+          else
+            p(class: "text-gray-500 italic") do
+              "This user has not been assigned any role yet."
+            end
+          end
+        end
+      end
+
+      def render_permissions_section
+        div(class: "bg-white border border-gray-200 rounded-lg p-6") do
+          div(class: "mb-4") do
+            h3(class: "text-lg font-medium text-gray-900 mb-2") { "Individual Permissions" }
+            p(class: "text-sm text-gray-600") do
+              "The following permissions have been specifically assigned to this user:"
+            end
+          end
+
+          # Get permissions that are granted (true) from cache
+          granted_permission_names = @user_permissions.select { |name, granted| granted == "true" }.keys
+          granted_permissions = @all_permissions.select { |p| granted_permission_names.include?(p.name) }
+          
+          if granted_permissions.any?
+            # Group permissions by resource type
+            grouped_permissions = granted_permissions.group_by(&:resource_type)
+            
+            div(class: "space-y-6") do
+              grouped_permissions.each do |resource_type, resource_permissions|
+                render_resource_permissions_group(resource_type, resource_permissions, granted: true)
+              end
+            end
+          else
+            render_no_permissions
+          end
+        end
+      end
+
+      def render_resource_permissions_group(resource_type, permissions, granted: true)
+        div(class: "border border-gray-200 rounded-lg p-4") do
+          # Resource header
+          div(class: "flex items-center mb-3") do
+            h4(class: "text-md font-medium text-gray-900 capitalize") { resource_type.humanize }
+            span(class: "ml-2 inline-flex items-center px-2 py-1 rounded-full text-xs font-medium bg-gray-100 text-gray-700") do
+              "#{permissions.count} permissions"
+            end
+          end
+
+          # Permissions grid
+          div(class: "grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-3") do
+            permissions.each do |permission|
+              render_permission_card(permission)
+            end
+          end
+        end
+      end
+
+      def render_permission_card(permission)
+        div(class: "flex items-start p-3 bg-green-50 border border-green-200 rounded-lg") do
+          # Permission icon
+          div(class: "flex-shrink-0 mr-3") do
+            unsafe_raw '<svg class="w-5 h-5 text-green-500 mt-0.5" fill="currentColor" viewBox="0 0 20 20"><path fill-rule="evenodd" d="M16.707 5.293a1 1 0 010 1.414l-8 8a1 1 0 01-1.414 0l-4-4a1 1 0 011.414-1.414L8 12.586l7.293-7.293a1 1 0 011.414 0z" clip-rule="evenodd"></path></svg>'
+          end
+
+          # Permission details
+          div(class: "flex-1 min-w-0") do
+            div(class: "flex items-center mb-1") do
+              span(class: "text-sm font-medium text-gray-900 capitalize") { permission.action.humanize }
+              span(class: "ml-2 inline-flex items-center px-2 py-1 rounded text-xs font-medium bg-green-100 text-green-800") do
+                permission.action
+              end
+            end
+            
+            if permission.description.present?
+              p(class: "text-xs text-gray-600 leading-relaxed") { permission.description }
+            end
+            
+            # Permission name (technical)
+            p(class: "text-xs text-gray-500 font-mono mt-1") { permission.name }
+          end
+        end
+      end
+
+      def render_no_permissions
+        div(class: "text-center py-8") do
+          unsafe_raw '<svg class="w-12 h-12 text-gray-400 mx-auto mb-4" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"></path></svg>'
+          h3(class: "text-lg font-medium text-gray-900 mb-2") { "No Permissions" }
+          p(class: "text-gray-600") { "This role has no permissions assigned." }
+        end
+      end
+
+      def render_no_role_assigned
+        div(class: "text-center py-12 bg-gray-50 border border-gray-200 rounded-lg") do
+          unsafe_raw '<svg class="w-16 h-16 text-gray-400 mx-auto mb-4" fill="none" stroke="currentColor" viewBox="0 0 24 24"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M16 7a4 4 0 11-8 0 4 4 0 018 0zM12 14a7 7 0 00-7 7h14a7 7 0 00-7-7z"></path></svg>'
+          h3(class: "text-lg font-medium text-gray-900 mb-2") { "No Role Assigned" }
+          p(class: "text-gray-600 mb-4") { "This user needs to be assigned a role to view their permissions." }
+          
+          div(class: "text-sm text-gray-500") do
+            p { "Available roles: super_admin, admin, editor, moderator, viewer" }
+          end
+        end
+      end
+
+      # Helper method to extract permissions from permissions_cache JSON field
+      def get_user_permissions_from_cache(user)
+        return {} unless user&.permissions_cache.present?
+        
+        case user.permissions_cache
+        when Hash
+          user.permissions_cache
+        when String
+          JSON.parse(user.permissions_cache) rescue {}
+        else
+          {}
+        end
+      end
+    end
+  end
+end

data/app/components/easy_admin/resources/index_component.rb

@@ -28,10 +28,7 @@ module EasyAdmin
       div(class: "mb-6") do
         div(class: "sm:flex sm:items-center") do
           div(class: "sm:flex-auto") do
-            h1(class: "text-2xl font-bold leading-6 text-gray-900") { @resource_class.title }
-            p(class: "mt-2 text-sm text-gray-700") do
-              "A list of all #{@resource_class.title.downcase} in your account."
-            end
+            # Title now handled by navbar via content_for in ERB template
           end
           div(class: "mt-4 sm:ml-16 sm:mt-0 sm:flex-none") do
             render_new_resource_link

data/app/components/easy_admin/sidebar_component.rb

@@ -1,8 +1,9 @@
 module EasyAdmin
   class SidebarComponent < Phlex::HTML
-    def initialize(items: nil, current_path: nil)
+    def initialize(items: nil, current_path: nil, current_user: nil)
       @items = items || EasyAdmin.configuration.sidebar_items
       @current_path = current_path
+      @current_user = current_user
     end
 
     def view_template
@@ -51,7 +52,7 @@ module EasyAdmin
           # Navigation menu
           nav(class: "flex-1 px-4 py-6 overflow-y-auto") do
             ul(class: "space-y-2") do
-              @items.each do |item|
+              filtered_items.each do |item|
                 render_sidebar_item(item)
               end
             end
@@ -170,5 +171,69 @@ module EasyAdmin
         end
       end
     end
+
+    # Filter items based on permissions
+    def filtered_items
+      return @items unless @current_user
+
+      @items.filter_map do |item|
+        if item[:children]&.any?
+          # This is a group/parent item
+          filtered_children = filter_children(item[:children])
+          
+          # Hide group if no accessible children
+          next if filtered_children.empty?
+          
+          # Return group with filtered children
+          item.merge(children: filtered_children)
+        else
+          # This is a simple item - check if user has access
+          can_access_item?(item) ? item : nil
+        end
+      end
+    end
+
+    def filter_children(children)
+      return [] unless children
+
+      children.filter_map do |child|
+        if child[:children]&.any?
+          # Nested group
+          filtered_nested = filter_children(child[:children])
+          next if filtered_nested.empty?
+          child.merge(children: filtered_nested)
+        else
+          # Simple child item
+          can_access_item?(child) ? child : nil
+        end
+      end
+    end
+
+    def can_access_item?(item)
+      # Allow non-resource items (like Dashboard, Settings, etc.)
+      return true unless item[:resource]
+
+      # For resource items, check permission
+      resource_name = item[:resource]
+      # Convert complex resource names to permission format
+      permission_resource_name = convert_resource_to_permission_name(resource_name)
+      permission_name = "#{permission_resource_name}:read"
+      
+      EasyAdmin::Permissions.authorized?(@current_user, permission_name)
+    end
+
+    def convert_resource_to_permission_name(resource_name)
+      # Handle complex resource names like "Catalog::PaymentMethod" -> "payment_methods"
+      if resource_name.include?('::')
+        # Get the last part and convert to snake_case plural
+        resource_name.split('::').last.underscore.pluralize
+      elsif resource_name.start_with?('EasyAdmin::')
+        # Handle EasyAdmin resources like "EasyAdmin::AdminUser" -> "admin_users"
+        resource_name.sub('EasyAdmin::', '').underscore.pluralize
+      else
+        # Simple resource names, just pluralize
+        resource_name.underscore.pluralize
+      end
+    end
   end
 end

data/app/components/easy_admin/versions/diff_modal_component.rb

@@ -283,9 +283,13 @@ module EasyAdmin
         changes = {}
         current_attrs = current_item.attributes
         
-        (old_attrs.keys + current_attrs.keys).uniq.each do |key|
+        # Only check fields that exist in the old_attrs (were tracked by Paper Trail)
+        old_attrs.keys.each do |key|
           next if %w[id updated_at].include?(key.to_s)
           
+          # Skip if field wasn't tracked in this version
+          next unless old_attrs.has_key?(key)
+          
           old_val = normalize_value_for_comparison(old_attrs[key])
           new_val = normalize_value_for_comparison(current_attrs[key])
           

data/app/controllers/easy_admin/application_controller.rb

@@ -1,6 +1,7 @@
 module EasyAdmin
   class ApplicationController < ActionController::Base
     include Pagy::Backend
+    include ActionPolicy::Controller
     
     helper EasyAdmin::FieldsHelper
     helper EasyAdmin::PagyHelper
@@ -10,6 +11,18 @@ module EasyAdmin
     before_action :set_feature_toggles
     before_action :set_paper_trail_whodunnit
     
+    # ActionPolicy authorization context
+    authorize :user, through: :current_admin_user
+
+    # Handle ActionPolicy authorization failures
+    rescue_from ActionPolicy::Unauthorized, with: :handle_authorization_failure
+    
+    # Configure ActionPolicy to use ApplicationPolicy as default for all models
+    def policy_for(record:, **opts)
+      # Always use ApplicationPolicy for all models (EasyAdmin and regular models)
+      ApplicationPolicy.new(record, **authorization_context, **opts)
+    end
+    
     protected
     
     def authenticate_easy_admin_admin_user!
@@ -69,6 +82,123 @@ module EasyAdmin
       end
     end
 
-    helper_method :current_admin_user, :admin_user_signed_in?
+    helper_method :current_admin_user, :admin_user_signed_in?, :flash_type_to_notification_type
+    
+    private
+    
+    def handle_authorization_failure(exception)
+      Rails.logger.warn "🚫 Authorization failed: #{exception.message}"
+      Rails.logger.warn "🚫 User: #{current_admin_user&.email} (Role: #{current_admin_user&.role&.name || 'None'})"
+      Rails.logger.warn "🚫 Action: #{action_name} on #{params[:resource_name]}"
+      
+      # Extract meaningful error details
+      action_name = extract_action_from_exception(exception)
+      resource_name = extract_resource_from_exception(exception)
+      
+      error_message = build_authorization_error_message(action_name, resource_name)
+      
+      # Store data for templates
+      @error_message = error_message
+      @action_name = action_name
+      @resource_name = resource_name
+      
+      respond_to do |format|
+        format.html do
+          flash[:alert] = error_message
+          
+          # Try to redirect back, fallback to dashboard
+          redirect_path = request.referer&.start_with?(request.base_url) ? request.referer : easy_admin.root_path
+          redirect_to redirect_path
+        end
+        
+        format.turbo_stream do
+          render template: 'easy_admin/application/authorization_failure'
+        end
+        
+        format.json do
+          render json: {
+            error: "Access Denied",
+            message: error_message,
+            user_role: current_admin_user&.role&.name
+          }, status: :forbidden
+        end
+      end
+    end
+    
+    def extract_action_from_exception(exception)
+      # Try to extract action from exception message
+      case exception.message
+      when /index\?/
+        "view"
+      when /show\?/
+        "view details of"
+      when /create\?/
+        "create"
+      when /update\?/
+        "update"
+      when /destroy\?/
+        "delete"
+      when /batch_action\?/
+        "perform batch actions on"
+      when /row_action\?/
+        "perform actions on"
+      when /manage_versions\?/
+        "manage versions of"
+      else
+        "access"
+      end
+    end
+    
+    def extract_resource_from_exception(exception)
+      # Try to extract resource name from exception message or current context
+      if defined?(@resource_class) && @resource_class
+        # Get the model class name and clean it up for display
+        model_name = @resource_class.model_class.name
+        
+        # Handle namespaced models (e.g., "Catalog::PaymentMethod" -> "Payment Methods")
+        if model_name.include?('::')
+          model_name.split('::').last.underscore.humanize.pluralize.downcase
+        else
+          model_name.underscore.humanize.pluralize.downcase
+        end
+      elsif params[:resource_name]
+        # Clean up resource name from params (e.g., "catalog/payment_methods" -> "payment methods")
+        if params[:resource_name].include?('/')
+          params[:resource_name].split('/').last.humanize.downcase
+        else
+          params[:resource_name].humanize.downcase
+        end
+      else
+        "this resource"
+      end
+    end
+    
+    def build_authorization_error_message(action_name, resource_name)
+      case action_name
+      when "view"
+        "Access denied: You cannot view #{resource_name}."
+      when "create"
+        "Access denied: You cannot create new #{resource_name}."
+      when "update"
+        "Access denied: You cannot edit #{resource_name}."
+      when "delete"
+        "Access denied: You cannot delete #{resource_name}."
+      else
+        "Access denied: You cannot #{action_name} #{resource_name}."
+      end
+    end
+    
+    def flash_type_to_notification_type(flash_type)
+      case flash_type.to_s
+      when 'alert', 'error'
+        :error
+      when 'notice', 'success'
+        :success
+      when 'warning'
+        :warning
+      else
+        :info
+      end
+    end
   end
 end

data/app/controllers/easy_admin/batch_actions_controller.rb

@@ -2,6 +2,7 @@ module EasyAdmin
   class BatchActionsController < ApplicationController
     before_action :set_resource_class
     before_action :set_selected_records, only: [:execute, :form]
+    before_action :authorize_batch_action!, only: [:execute, :form]
     
     def execute
       action_class_name = params[:action_class]
@@ -162,5 +163,31 @@ module EasyAdmin
         submit_url: submit_url
       )
     end
+    
+    def authorize_batch_action!
+      action_class_name = params[:action_class]
+      
+      # Basic permission: user must be able to update records for this resource
+      @selected_records.each do |record|
+        authorize! record, to: :update?
+      end
+      
+      # Additional permission: user must have batch action permission for this resource
+      authorize! @resource_class.model_class, to: :batch_action?
+      
+      # Specific batch action authorization if the action defines it
+      if action_class_name.present?
+        begin
+          action_class = action_class_name.constantize
+          action_permission = "#{@resource_class.resource_name}:#{action_class.name.underscore.split('/').last}"
+          
+          unless current_admin_user && EasyAdmin::Permissions.authorized?(current_admin_user, action_permission)
+            raise ActionPolicy::Unauthorized, "Not authorized to perform #{action_class.name} batch action"
+          end
+        rescue NameError
+          # Action class doesn't exist, will be handled in the main action
+        end
+      end
+    end
   end
 end