easy-admin-rails 0.1.15 → 0.2.1

data/lib/easy_admin/permissions/component.rb

@@ -0,0 +1,168 @@
+module EasyAdmin
+  module Permissions
+    module Component
+      extend ActiveSupport::Concern
+
+      # Check if current user has permission
+      def current_user_can?(permission_name, context: nil)
+        current_user = helpers.current_user if helpers.respond_to?(:current_user)
+        EasyAdmin::Permissions.authorized?(current_user, permission_name, context: context)
+      end
+
+      # Check if current user has role
+      def current_user_has_role?(role_name, context: nil)
+        current_user = helpers.current_user if helpers.respond_to?(:current_user)
+        EasyAdmin::Permissions.has_role?(current_user, role_name, context: context)
+      end
+
+      # Render content only if user has permission
+      def if_can(permission_name, context: nil, &block)
+        if current_user_can?(permission_name, context: context)
+          block.call if block_given?
+        end
+      end
+
+      # Render content only if user has role
+      def if_has_role(role_name, context: nil, &block)
+        if current_user_has_role?(role_name, context: context)
+          block.call if block_given?
+        end
+      end
+
+      # Render content if user DOESN'T have permission
+      def unless_can(permission_name, context: nil, &block)
+        unless current_user_can?(permission_name, context: context)
+          block.call if block_given?
+        end
+      end
+
+      # Render content if user DOESN'T have role
+      def unless_has_role(role_name, context: nil, &block)
+        unless current_user_has_role?(role_name, context: context)
+          block.call if block_given?
+        end
+      end
+
+      # Conditional CSS classes based on permissions
+      def permission_classes(permission_name, enabled_classes: "", disabled_classes: "opacity-50 cursor-not-allowed", context: nil)
+        if current_user_can?(permission_name, context: context)
+          enabled_classes
+        else
+          disabled_classes
+        end
+      end
+
+      # Conditional attributes based on permissions
+      def permission_attrs(permission_name, enabled_attrs: {}, disabled_attrs: {}, context: nil)
+        if current_user_can?(permission_name, context: context)
+          enabled_attrs
+        else
+          disabled_attrs
+        end
+      end
+
+      # Generate link with permission check
+      def permission_link(text, href, permission_name, context: nil, **attrs, &block)
+        if current_user_can?(permission_name, context: context)
+          a(href: href, **attrs) do
+            if block_given?
+              block.call
+            else
+              text
+            end
+          end
+        else
+          span(class: "text-gray-400 cursor-not-allowed", **attrs.except(:href, :data)) do
+            if block_given?
+              block.call
+            else
+              text
+            end
+          end
+        end
+      end
+
+      # Generate button with permission check
+      def permission_button(text = nil, permission_name:, context: nil, disabled_class: "opacity-50 cursor-not-allowed", **attrs, &block)
+        can_access = current_user_can?(permission_name, context: context)
+        
+        button_attrs = attrs.dup
+        button_attrs[:disabled] = true unless can_access
+        button_attrs[:class] = [button_attrs[:class], disabled_class].compact.join(" ") unless can_access
+
+        button(**button_attrs) do
+          if block_given?
+            block.call
+          elsif text
+            text
+          end
+        end
+      end
+
+      # Render form field only if user can edit
+      def permission_field(permission_name, context: nil, readonly_class: "bg-gray-100", &block)
+        can_edit = current_user_can?(permission_name, context: context)
+        
+        if can_edit
+          block.call if block_given?
+        else
+          # Render read-only version
+          div(class: readonly_class) do
+            block.call if block_given?
+          end
+        end
+      end
+
+      # Show different content based on multiple permission checks
+      def permission_case(context: nil, &block)
+        permission_case_builder = PermissionCaseBuilder.new(self, context)
+        permission_case_builder.instance_eval(&block) if block_given?
+        permission_case_builder.render
+      end
+
+      private
+
+      # Helper class for building conditional permission rendering
+      class PermissionCaseBuilder
+        def initialize(component, context)
+          @component = component
+          @context = context
+          @cases = []
+          @else_block = nil
+        end
+
+        def when_can(permission_name, &block)
+          @cases << { type: :permission, name: permission_name, block: block }
+          self
+        end
+
+        def when_has_role(role_name, &block)
+          @cases << { type: :role, name: role_name, block: block }
+          self
+        end
+
+        def otherwise(&block)
+          @else_block = block
+          self
+        end
+
+        def render
+          @cases.each do |case_item|
+            case case_item[:type]
+            when :permission
+              if @component.current_user_can?(case_item[:name], context: @context)
+                return case_item[:block].call if case_item[:block]
+              end
+            when :role
+              if @component.current_user_has_role?(case_item[:name], context: @context)
+                return case_item[:block].call if case_item[:block]
+              end
+            end
+          end
+
+          @else_block&.call
+        end
+      end
+    end
+  end
+end

data/lib/easy_admin/permissions/configuration.rb

@@ -0,0 +1,37 @@
+module EasyAdmin
+  module Permissions
+    class Configuration
+      attr_accessor :enabled,
+                    :cache_duration,
+                    :admin_bypass,
+                    :user_model,
+                    :context_types
+
+      def initialize
+        @enabled = false
+        @cache_duration = 1.hour
+        @admin_bypass = true
+        @user_model = 'User'
+        @context_types = [] # e.g., ['Organization', 'Project']
+      end
+
+      # Define available permission contexts
+      def contexts(*types)
+        @context_types = types.map(&:to_s)
+      end
+
+      # Set the user model class
+      def user_class(klass = nil)
+        if klass
+          @user_model = klass.to_s
+        else
+          @user_model.constantize
+        end
+      end
+
+      def user_class_name
+        @user_model
+      end
+    end
+  end
+end

data/lib/easy_admin/permissions/controller.rb

@@ -0,0 +1,164 @@
+module EasyAdmin
+  module Permissions
+    module Controller
+      extend ActiveSupport::Concern
+
+      included do
+        # Include Action Policy authorization
+        include ActionPolicy::Controller if defined?(ActionPolicy)
+        
+        # Set up authorization context for Action Policy
+        if respond_to?(:authorize)
+          authorize :user, through: :current_user
+        end
+      end
+
+      # Check if current user has permission
+      def current_user_can?(permission_name, context: nil)
+        EasyAdmin::Permissions.authorized?(current_user, permission_name, context: context)
+      end
+
+      # Check if current user has role
+      def current_user_has_role?(role_name, context: nil)
+        EasyAdmin::Permissions.has_role?(current_user, role_name, context: context)
+      end
+
+      # Require permission or show 403 error
+      def require_permission!(permission_name, context: nil)
+        unless current_user_can?(permission_name, context: context)
+          handle_permission_denied(permission_name)
+        end
+      end
+
+      # Require role or show 403 error  
+      def require_role!(role_name, context: nil)
+        unless current_user_has_role?(role_name, context: context)
+          handle_role_denied(role_name)
+        end
+      end
+
+      # Before action to check permissions for CRUD operations
+      def check_permissions_for_action
+        action = action_name.to_s
+        resource_name = controller_name
+        
+        permission_map = {
+          'index' => "#{resource_name}:read",
+          'show' => "#{resource_name}:read", 
+          'new' => "#{resource_name}:create",
+          'create' => "#{resource_name}:create",
+          'edit' => "#{resource_name}:update",
+          'update' => "#{resource_name}:update",
+          'destroy' => "#{resource_name}:delete"
+        }
+        
+        if permission_name = permission_map[action]
+          require_permission!(permission_name)
+        end
+      end
+
+      # Get current user's permissions for view helpers
+      def current_user_permissions(context: nil)
+        return [] unless current_user
+        EasyAdmin::Permissions.user_permissions(current_user, context: context)
+      end
+
+      # Check permission in views (helper method)
+      def can?(permission_name, context: nil)
+        current_user_can?(permission_name, context: context)
+      end
+
+      # Check role in views (helper method)
+      def has_role?(role_name, context: nil)
+        current_user_has_role?(role_name, context: context)
+      end
+
+      private
+
+      def handle_permission_denied(permission_name)
+        respond_to do |format|
+          format.html do
+            if request.xhr? || request.headers['Content-Type'] == 'text/html'
+              render plain: permission_denied_component(permission_name).call, status: :forbidden
+            else
+              redirect_to root_path, alert: "Permission denied: #{permission_name}"
+            end
+          end
+          format.json { render json: { error: "Permission denied: #{permission_name}" }, status: :forbidden }
+          format.turbo_stream { render turbo_stream: turbo_stream.replace("main", permission_denied_component(permission_name).call) }
+        end
+      end
+
+      def handle_role_denied(role_name)
+        respond_to do |format|
+          format.html do
+            if request.xhr? || request.headers['Content-Type'] == 'text/html'
+              render plain: role_denied_component(role_name).call, status: :forbidden
+            else
+              redirect_to root_path, alert: "Role required: #{role_name}"
+            end
+          end
+          format.json { render json: { error: "Role required: #{role_name}" }, status: :forbidden }
+          format.turbo_stream { render turbo_stream: turbo_stream.replace("main", role_denied_component(role_name).call) }
+        end
+      end
+
+      def permission_denied_component(permission_name)
+        if defined?(EasyAdmin::Permissions::PermissionDeniedComponent)
+          EasyAdmin::Permissions::PermissionDeniedComponent.new(permission: permission_name, user: current_user)
+        else
+          # Fallback component
+          BasicPermissionDeniedComponent.new(permission: permission_name)
+        end
+      end
+
+      def role_denied_component(role_name)
+        if defined?(EasyAdmin::Permissions::RoleDeniedComponent)
+          EasyAdmin::Permissions::RoleDeniedComponent.new(role: role_name, user: current_user)
+        else
+          # Fallback component
+          BasicRoleDeniedComponent.new(role: role_name)
+        end
+      end
+
+      # Basic fallback components for when full components aren't defined
+      class BasicPermissionDeniedComponent
+        def initialize(permission:)
+          @permission = permission
+        end
+
+        def call
+          <<~HTML
+            <div class="flex items-center justify-center min-h-96">
+              <div class="text-center">
+                <div class="text-6xl text-gray-400 mb-4">🔒</div>
+                <h2 class="text-2xl font-bold text-gray-900 mb-2">Permission Denied</h2>
+                <p class="text-gray-600">You need the '#{@permission}' permission to access this resource.</p>
+                <a href="javascript:history.back()" class="inline-block mt-4 px-4 py-2 bg-blue-500 text-white rounded hover:bg-blue-600">Go Back</a>
+              </div>
+            </div>
+          HTML
+        end
+      end
+
+      class BasicRoleDeniedComponent
+        def initialize(role:)
+          @role = role
+        end
+
+        def call
+          <<~HTML
+            <div class="flex items-center justify-center min-h-96">
+              <div class="text-center">
+                <div class="text-6xl text-gray-400 mb-4">👑</div>
+                <h2 class="text-2xl font-bold text-gray-900 mb-2">Role Required</h2>
+                <p class="text-gray-600">You need the '#{@role}' role to access this resource.</p>
+                <a href="javascript:history.back()" class="inline-block mt-4 px-4 py-2 bg-blue-500 text-white rounded hover:bg-blue-600">Go Back</a>
+              </div>
+            </div>
+          HTML
+        end
+      end
+    end
+  end
+end

data/lib/easy_admin/permissions/dsl.rb

@@ -0,0 +1,160 @@
+module EasyAdmin
+  module Permissions
+    class DSL
+      def initialize
+        @permissions = []
+        @roles = []
+      end
+
+      # Define a permission
+      def permission(resource_type, action, description: nil, conditions: {})
+        name = "#{resource_type}:#{action}"
+        
+        @permissions << {
+          name: name,
+          resource_type: resource_type.to_s,
+          action: action.to_s,
+          description: description || "#{action.to_s.humanize} #{resource_type.to_s.humanize}",
+          conditions: conditions
+        }
+      end
+
+      # Define a role with permissions
+      def role(name, slug: nil, description: nil, permissions: [], active: true, metadata: {})
+        @roles << {
+          name: name.to_s.humanize,
+          slug: slug&.to_s || name.to_s.parameterize,
+          description: description,
+          permissions: permissions.map(&:to_s),
+          active: active,
+          metadata: metadata
+        }
+      end
+
+      # Shortcut methods for common permission patterns
+      def crud_permissions(resource_type, description_prefix: nil)
+        prefix = description_prefix || resource_type.to_s.humanize
+        
+        permission resource_type, :read, description: "View #{prefix.downcase}"
+        permission resource_type, :create, description: "Create new #{prefix.downcase.singularize}"
+        permission resource_type, :update, description: "Edit existing #{prefix.downcase}"
+        permission resource_type, :delete, description: "Delete #{prefix.downcase}"
+      end
+
+      def admin_permissions(resource_type, description_prefix: nil)
+        crud_permissions(resource_type, description_prefix: description_prefix)
+        permission resource_type, :manage, description: "Full management of #{(description_prefix || resource_type.to_s.humanize).downcase}"
+      end
+
+      # Resource shortcuts
+      def resource(resource_type, actions: [:read, :create, :update, :delete], description_prefix: nil)
+        prefix = description_prefix || resource_type.to_s.humanize
+        
+        actions.each do |action|
+          case action
+          when :read
+            permission resource_type, :read, description: "View #{prefix.downcase}"
+          when :create
+            permission resource_type, :create, description: "Create new #{prefix.downcase.singularize}"
+          when :update
+            permission resource_type, :update, description: "Edit existing #{prefix.downcase}"
+          when :delete
+            permission resource_type, :delete, description: "Delete #{prefix.downcase}"
+          else
+            permission resource_type, action, description: "#{action.to_s.humanize} #{prefix.downcase}"
+          end
+        end
+      end
+
+      # EasyAdmin resource shortcuts using actual resource discovery
+      def easy_admin_resource(resource_name, actions: nil)
+        available_actions = EasyAdmin::Permissions::ResourcePermissions.actions_for_resource(resource_name)
+        actions_to_create = actions || available_actions
+        
+        actions_to_create.each do |action|
+          next unless available_actions.include?(action.to_s)
+          
+          permission_data = EasyAdmin::Permissions::ResourcePermissions.discover_all_permissions
+                              .find { |p| p[:resource_type] == resource_name.to_s && p[:action] == action.to_s }
+          
+          if permission_data
+            permission resource_name, action, description: permission_data[:description]
+          else
+            permission resource_name, action
+          end
+        end
+      end
+
+      # Auto-discover and create permissions for all EasyAdmin resources
+      def auto_discover_resources(actions: nil)
+        EasyAdmin::Permissions::ResourcePermissions.available_resources.each do |resource_name|
+          easy_admin_resource(resource_name, actions: actions)
+        end
+      end
+
+      # Enhanced role definition with EasyAdmin resource support
+      def easy_admin_role(name, slug: nil, description: nil, resources: {}, permissions: [], active: true, metadata: {})
+        # Convert resources hash to permission names
+        resource_permissions = []
+        
+        resources.each do |resource_name, resource_actions|
+          Array(resource_actions).each do |action|
+            resource_permissions << "#{resource_name}:#{action}"
+          end
+        end
+        
+        # Combine with manual permissions
+        all_permissions = resource_permissions + permissions.map(&:to_s)
+        
+        role(name, slug: slug, description: description, permissions: all_permissions, active: active, metadata: metadata)
+      end
+
+      # Execute the DSL block and return the collected data
+      def self.evaluate(&block)
+        dsl = new
+        dsl.instance_eval(&block) if block_given?
+        {
+          permissions: dsl.instance_variable_get(:@permissions),
+          roles: dsl.instance_variable_get(:@roles)
+        }
+      end
+
+      # Create roles in the database (simplified - no permissions table)
+      def self.seed_database(data)
+        # Skip if tables don't exist yet (during migrations or first setup)
+        return unless ActiveRecord::Base.connection.table_exists?(:easy_admin_roles)
+
+        # Defer execution until Rails is fully initialized
+        if defined?(Rails) && Rails.application && !Rails.application.initialized?
+          Rails.application.config.after_initialize do
+            # Check if models are available (avoid loading during initialization)
+            begin
+              role_class = "EasyAdmin::Permissions::Role".constantize
+            rescue NameError => e
+              Rails.logger.debug "EasyAdmin::Permissions models not yet loaded: #{e.message}"
+              return
+            end
+
+            ActiveRecord::Base.transaction do
+              # Create roles only (permissions are managed via JSON field)
+              data[:roles].each do |role_data|
+                role = role_class.find_or_initialize_by(slug: role_data[:slug])
+                role.assign_attributes(
+                  name: role_data[:name],
+                  description: role_data[:description],
+                  )
+                role.save! if role.changed?
+              end
+            end
+          end
+        end
+      end
+    end
+
+    # Main method to define permissions and roles
+    def self.define(&block)
+      data = DSL.evaluate(&block)
+      DSL.seed_database(data)
+    end
+  end
+end

data/lib/easy_admin/permissions/models.rb

@@ -0,0 +1,44 @@
+module EasyAdmin
+  module Permissions
+    module Models
+      extend ActiveSupport::Concern
+
+      # Include this in your Role model
+      module Role
+        extend ActiveSupport::Concern
+
+        included do
+          has_many :user_roles, class_name: 'EasyAdmin::Permissions::UserRole', dependent: :destroy
+          has_many :users, through: :user_roles, class_name: EasyAdmin::Permissions.configuration.user_class_name
+
+          validates :name, presence: true, uniqueness: true
+          validates :slug, presence: true, uniqueness: true
+
+          before_validation :generate_slug, if: -> { slug.blank? }
+
+          scope :active, -> { where(active: true) }
+        end
+
+        private
+
+        def generate_slug
+          self.slug = name&.parameterize
+        end
+      end
+
+      # Include this in your UserRole model (join table)
+      module UserRole
+        extend ActiveSupport::Concern
+
+        included do
+          belongs_to :user, class_name: EasyAdmin::Permissions.configuration.user_class_name, foreign_key: 'user_id'
+          belongs_to :role, class_name: 'EasyAdmin::Permissions::Role'
+
+          validates :user_id, uniqueness: { scope: :role_id }
+
+          scope :active, -> { where(active: true) }
+        end
+      end
+    end
+  end
+end

data/lib/easy_admin/permissions/permission_denied_component.rb

@@ -0,0 +1,121 @@
+module EasyAdmin
+  module Permissions
+    class PermissionDeniedComponent < EasyAdmin::BaseComponent
+      def initialize(permission:, user: nil, context: nil)
+        @permission = permission
+        @user = user
+        @context = context
+      end
+
+      def view_template
+        div(class: "min-h-96 flex items-center justify-center p-8") do
+          div(class: "text-center max-w-md mx-auto") do
+            # Icon
+            div(class: "mb-6") do
+              svg(class: "w-20 h-20 mx-auto text-gray-400", fill: "none", stroke: "currentColor", viewBox: "0 0 24 24") do
+                path(stroke_linecap: "round", stroke_linejoin: "round", stroke_width: "2", 
+                     d: "M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z")
+              end
+            end
+
+            # Title
+            h2(class: "text-3xl font-bold text-gray-900 mb-4") { "Access Denied" }
+
+            # Description
+            div(class: "text-gray-600 mb-6 space-y-2") do
+              p { "You don't have permission to access this resource." }
+              if @permission
+                div(class: "text-sm bg-gray-100 px-3 py-2 rounded-lg font-mono") do
+                  span(class: "text-gray-500") { "Required permission: " }
+                  span(class: "text-red-600 font-semibold") { @permission }
+                end
+              end
+              if @context
+                div(class: "text-sm text-gray-500") do
+                  span { "Context: " }
+                  span(class: "font-medium") { @context.to_s }
+                end
+              end
+            end
+
+            # User info (if available)
+            if @user
+              div(class: "text-sm text-gray-500 mb-6 p-3 bg-gray-50 rounded-lg") do
+                p do
+                  span { "Signed in as: " }
+                  span(class: "font-medium text-gray-700") { @user.email || @user.name || "User ##{@user.id}" }
+                end
+                if @user.respond_to?(:roles) && @user.roles.any?
+                  p(class: "mt-2") do
+                    span { "Your roles: " }
+                    @user.roles.active.each_with_index do |role, index|
+                      span(class: "inline-flex items-center px-2 py-1 rounded-full text-xs bg-blue-100 text-blue-800 mr-1") do
+                        role.name
+                      end
+                    end
+                  end
+                end
+              end
+            end
+
+            # Actions
+            div(class: "space-y-3") do
+              # Go back button
+              button(
+                onclick: "history.back()",
+                class: "w-full px-6 py-3 bg-blue-600 text-white rounded-lg hover:bg-blue-700 transition-colors font-medium"
+              ) do
+                "← Go Back"
+              end
+
+              # Contact admin link (if configured)
+              if support_contact_available?
+                a(
+                  href: support_contact_url,
+                  class: "inline-block text-sm text-blue-600 hover:text-blue-800 transition-colors"
+                ) do
+                  "Contact administrator for access"
+                end
+              end
+            end
+
+            # Additional info
+            div(class: "mt-8 pt-6 border-t border-gray-200 text-xs text-gray-400") do
+              p { "If you believe this is an error, please contact your administrator." }
+              if Rails.env.development?
+                div(class: "mt-2 p-2 bg-yellow-50 rounded text-yellow-700 text-left font-mono text-xs") do
+                  p { "Dev info:" }
+                  p { "Permission: #{@permission}" }
+                  p { "Context: #{@context}" } if @context
+                  p { "User ID: #{@user&.id}" }
+                  p { "Time: #{Time.current}" }
+                end
+              end
+            end
+          end
+        end
+      end
+
+      private
+
+      def support_contact_available?
+        # Check if there's a support contact configured
+        respond_to?(:admin_email) || 
+        defined?(Rails.application.config.admin_email) ||
+        defined?(EasyAdmin.configuration&.support_email)
+      end
+
+      def support_contact_url
+        if respond_to?(:admin_email)
+          "mailto:#{admin_email}?subject=Access%20Request&body=I%20need%20access%20to%20#{@permission}"
+        elsif defined?(Rails.application.config.admin_email)
+          "mailto:#{Rails.application.config.admin_email}?subject=Access%20Request"
+        elsif defined?(EasyAdmin.configuration&.support_email)
+          "mailto:#{EasyAdmin.configuration.support_email}?subject=Access%20Request"
+        else
+          "#"
+        end
+      end
+    end
+  end
+end