easy-admin-rails 0.1.15 → 0.2.1

data/lib/easy_admin/permissions/resource_permissions.rb

@@ -0,0 +1,231 @@
+module EasyAdmin
+  module Permissions
+    class ResourcePermissions
+      # Standard EasyAdmin actions that every resource supports
+      STANDARD_ACTIONS = %w[create read update delete].freeze
+      
+      # Additional administrative actions
+      ADMIN_ACTIONS = %w[manage_versions batch_actions row_actions].freeze
+      
+      # Legacy mapping for backwards compatibility
+      ACTION_MAPPING = {
+        'index' => 'read',
+        'show' => 'read',
+        'new' => 'create',
+        'edit' => 'update',
+        'destroy' => 'delete'
+      }.freeze
+      
+      class << self
+        # Discover all EasyAdmin resources and their permissions
+        def discover_all_permissions
+          discovered_permissions = []
+          
+          all_resource_classes.each do |resource_class|
+            resource_name = extract_resource_name(resource_class)
+            
+            # Add standard CRUD permissions
+            STANDARD_ACTIONS.each do |action|
+              discovered_permissions << {
+                name: "#{resource_name}:#{action}",
+                resource_type: resource_name,
+                action: action,
+                description: generate_permission_description(resource_name, action)
+              }
+            end
+            
+            # Add administrative permissions
+            ADMIN_ACTIONS.each do |action|
+              discovered_permissions << {
+                name: "#{resource_name}:#{action}",
+                resource_type: resource_name,
+                action: action,
+                description: generate_permission_description(resource_name, action)
+              }
+            end
+            
+            # Add any custom actions defined in the resource
+            custom_actions = extract_custom_actions(resource_class)
+            custom_actions.each do |action|
+              discovered_permissions << {
+                name: "#{resource_name}:#{action}",
+                resource_type: resource_name,
+                action: action,
+                description: generate_permission_description(resource_name, action)
+              }
+            end
+          end
+          
+          discovered_permissions
+        end
+        
+        # Get all available resource names
+        def available_resources
+          all_resource_classes.map { |resource_class| extract_resource_name(resource_class) }
+        end
+        
+        # Get all actions for a specific resource
+        def actions_for_resource(resource_name)
+          resource_class = find_resource_class(resource_name)
+          return STANDARD_ACTIONS if resource_class.nil?
+          
+          STANDARD_ACTIONS + extract_custom_actions(resource_class)
+        end
+        
+        # Seed permissions into database
+        def seed_permissions!
+          Rails.logger.info "🔐 Seeding EasyAdmin resource permissions..."
+          
+          permissions_data = discover_all_permissions
+          created_count = 0
+          
+          permissions_data.each do |permission_data|
+            permission = EasyAdmin::Permissions::Permission.find_or_create_by(
+              name: permission_data[:name]
+            ) do |p|
+              p.resource_type = permission_data[:resource_type]
+              p.action = permission_data[:action]
+              p.description = permission_data[:description]
+            end
+            
+            created_count += 1 if permission.saved_change_to_id?
+          end
+          
+          Rails.logger.info "✅ Seeded #{created_count} new permissions (#{permissions_data.size} total)"
+          permissions_data.size
+        end
+        
+        private
+        
+        # Get all EasyAdmin resource classes
+        def all_resource_classes
+          # First try the ResourceRegistry if available
+          if defined?(EasyAdmin::ResourceRegistry)
+            registry_resources = EasyAdmin::ResourceRegistry.all_resources.values
+            return registry_resources if registry_resources.any?
+          end
+          
+          # Fallback: scan for resource classes in the app
+          discover_resource_classes_from_filesystem
+        end
+        
+        # Discover resource classes by scanning the filesystem
+        def discover_resource_classes_from_filesystem
+          resource_classes = []
+          
+          # Check standard Rails app structure
+          resource_paths = [
+            Rails.root.join("app", "easy_admin", "resources"),
+            Rails.root.join("app", "admin", "resources")
+          ]
+          
+          resource_paths.each do |path|
+            next unless path.exist?
+            
+            Dir.glob(path.join("**", "*_resource.rb")).each do |file|
+              # Extract class name from file path
+              relative_path = file.gsub("#{path}/", "").gsub(".rb", "")
+              class_name = relative_path.camelize
+              
+              begin
+                resource_class = class_name.constantize
+                resource_classes << resource_class if resource_class < EasyAdmin::Resource
+              rescue NameError => e
+                Rails.logger.warn "Could not load resource class #{class_name}: #{e.message}"
+              end
+            end
+          end
+          
+          resource_classes
+        end
+        
+        # Extract resource name from class (e.g., UserResource -> "user")
+        def extract_resource_name(resource_class)
+          resource_class.name.demodulize.gsub(/Resource$/, '').underscore
+        end
+        
+        # Find resource class by name
+        def find_resource_class(resource_name)
+          class_name = "#{resource_name.camelize}Resource"
+          
+          # Try direct constantize first
+          begin
+            return class_name.constantize
+          rescue NameError
+            # Not found
+          end
+          
+          # Try with common namespaces
+          ["", "Admin::", "EasyAdmin::"].each do |namespace|
+            begin
+              full_class_name = "#{namespace}#{class_name}"
+              return full_class_name.constantize
+            rescue NameError
+              next
+            end
+          end
+          
+          nil
+        end
+        
+        # Extract custom actions from resource class
+        def extract_custom_actions(resource_class)
+          custom_actions = []
+          
+          # Look for custom controller actions by examining routes or method definitions
+          # This is a simplified approach - could be expanded based on EasyAdmin's routing
+          
+          # Check if resource has custom action definitions
+          if resource_class.respond_to?(:custom_actions)
+            custom_actions.concat(resource_class.custom_actions)
+          end
+          
+          # Look for batch actions
+          if resource_class.respond_to?(:batch_actions) && resource_class.batch_actions.any?
+            custom_actions << "batch_actions"
+          end
+          
+          custom_actions.uniq
+        end
+        
+        # Generate human-readable description for permission
+        def generate_permission_description(resource_name, action)
+          resource_humanized = resource_name.humanize.downcase
+          
+          case action
+          when 'index'
+            "View list of #{resource_humanized.pluralize}"
+          when 'show', 'read'
+            "View #{resource_humanized} details"
+          when 'new'
+            "Access new #{resource_humanized} form"
+          when 'create'
+            "Create new #{resource_humanized.pluralize}"
+          when 'edit'
+            "Access #{resource_humanized} edit form"
+          when 'update'
+            "Update existing #{resource_humanized.pluralize}"
+          when 'destroy', 'delete'
+            "Delete #{resource_humanized.pluralize}"
+          when 'export'
+            "Export #{resource_humanized} data"
+          when 'import'
+            "Import #{resource_humanized} data"
+          when 'batch_update'
+            "Batch update multiple #{resource_humanized.pluralize}"
+          when 'batch_delete'
+            "Batch delete multiple #{resource_humanized.pluralize}"
+          when 'batch_actions'
+            "Perform batch actions on #{resource_humanized.pluralize}"
+          when 'row_actions'
+            "Execute row actions on #{resource_humanized.pluralize}"
+          when 'manage_versions'
+            "Manage version history for #{resource_humanized.pluralize}"
+          else
+            "#{action.humanize} #{resource_humanized.pluralize}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/easy_admin/permissions/role_definition.rb

@@ -0,0 +1,45 @@
+module EasyAdmin
+  module Permissions
+    class RoleDefinition
+      attr_reader :name, :slug, :description, :permissions
+      
+      def initialize(name, slug: nil, description: nil)
+        @name = name
+        @slug = slug || name.parameterize
+        @description = description
+        @permissions = {}
+      end
+      
+      # Grant permissions for a resource
+      def can(actions, resource)
+        Array(actions).each do |action|
+          permission_key = "#{resource}:#{action}"
+          @permissions[permission_key] = true
+        end
+      end
+      
+      # Deny permissions for a resource (explicit)
+      def cannot(actions, resource)
+        Array(actions).each do |action|
+          permission_key = "#{resource}:#{action}"
+          @permissions[permission_key] = false
+        end
+      end
+      
+      # Grant all CRUD permissions for a resource
+      def manage(resource)
+        can([:read, :create, :update, :delete], resource)
+      end
+      
+      # Check if role has a specific permission
+      def has_permission?(permission_key)
+        @permissions[permission_key] == true
+      end
+      
+      # Get all granted permissions
+      def granted_permissions
+        @permissions.select { |_, granted| granted == true }.keys
+      end
+    end
+  end
+end

data/lib/easy_admin/permissions/role_denied_component.rb

@@ -0,0 +1,159 @@
+module EasyAdmin
+  module Permissions
+    class RoleDeniedComponent < EasyAdmin::BaseComponent
+      def initialize(role:, user: nil, context: nil)
+        @role = role
+        @user = user
+        @context = context
+      end
+
+      def view_template
+        div(class: "min-h-96 flex items-center justify-center p-8") do
+          div(class: "text-center max-w-md mx-auto") do
+            # Icon
+            div(class: "mb-6") do
+              svg(class: "w-20 h-20 mx-auto text-amber-400", fill: "currentColor", viewBox: "0 0 24 24") do
+                path(d: "M5 16L3 14L5 12L3 10L5 8L11 14L5 16ZM19 8L21 10L19 12L21 14L19 16L13 10L19 8ZM12 2L15.09 8.26L22 9L17 14L18.18 21L12 17.77L5.82 21L7 14L2 9L8.91 8.26L12 2Z")
+              end
+            end
+
+            # Title
+            h2(class: "text-3xl font-bold text-gray-900 mb-4") { "Role Required" }
+
+            # Description
+            div(class: "text-gray-600 mb-6 space-y-2") do
+              p { "You need a specific role to access this resource." }
+              if @role
+                div(class: "text-sm bg-amber-50 px-3 py-2 rounded-lg border border-amber-200") do
+                  span(class: "text-gray-500") { "Required role: " }
+                  span(class: "text-amber-700 font-semibold") { @role.to_s.humanize }
+                end
+              end
+              if @context
+                div(class: "text-sm text-gray-500") do
+                  span { "Context: " }
+                  span(class: "font-medium") { @context.to_s }
+                end
+              end
+            end
+
+            # User info (if available)
+            if @user
+              div(class: "text-sm text-gray-600 mb-6 p-3 bg-gray-50 rounded-lg") do
+                p do
+                  span { "Signed in as: " }
+                  span(class: "font-medium text-gray-700") { @user.email || @user.name || "User ##{@user.id}" }
+                end
+                
+                # Show current roles
+                if @user.respond_to?(:roles)
+                  current_roles = @user.roles.active
+                  if current_roles.any?
+                    p(class: "mt-2") do
+                      span { "Your current roles: " }
+                      current_roles.each do |role|
+                        span(class: "inline-flex items-center px-2 py-1 rounded-full text-xs bg-green-100 text-green-800 mr-1") do
+                          role.name
+                        end
+                      end
+                    end
+                  else
+                    p(class: "mt-2 text-gray-500 italic") { "No roles assigned" }
+                  end
+                end
+
+                # Show what the required role would give access to
+                if show_role_benefits?
+                  div(class: "mt-3 pt-3 border-t border-gray-200") do
+                    p(class: "text-xs text-gray-500 mb-2") { "The #{@role.to_s.humanize} role includes:" }
+                    div(class: "text-xs text-gray-600 space-y-1") do
+                      role_permissions.each do |permission|
+                        div(class: "flex items-center") do
+                          span(class: "text-green-500 mr-1") { "✓" }
+                          span { permission.humanize }
+                        end
+                      end
+                    end
+                  end
+                end
+              end
+            end
+
+            # Actions
+            div(class: "space-y-3") do
+              # Go back button
+              button(
+                onclick: "history.back()",
+                class: "w-full px-6 py-3 bg-amber-600 text-white rounded-lg hover:bg-amber-700 transition-colors font-medium"
+              ) do
+                "← Go Back"
+              end
+
+              # Request role access (if configured)
+              if role_request_available?
+                a(
+                  href: role_request_url,
+                  class: "inline-block text-sm text-amber-600 hover:text-amber-800 transition-colors"
+                ) do
+                  "Request #{@role.to_s.humanize} role access"
+                end
+              end
+            end
+
+            # Additional info
+            div(class: "mt-8 pt-6 border-t border-gray-200 text-xs text-gray-400") do
+              p { "Contact your administrator to request the required role." }
+              if Rails.env.development?
+                div(class: "mt-2 p-2 bg-yellow-50 rounded text-yellow-700 text-left font-mono text-xs") do
+                  p { "Dev info:" }
+                  p { "Required role: #{@role}" }
+                  p { "Context: #{@context}" } if @context
+                  p { "User ID: #{@user&.id}" }
+                  p { "Current roles: #{@user&.roles&.pluck(:name)&.join(', ')}" } if @user&.respond_to?(:roles)
+                  p { "Time: #{Time.current}" }
+                end
+              end
+            end
+          end
+        end
+      end
+
+      private
+
+      def show_role_benefits?
+        role_permissions.any? && Rails.env.development?
+      end
+
+      def role_permissions
+        return [] unless defined?(EasyAdmin::Permissions::Role)
+        
+        @role_permissions ||= begin
+          role_record = EasyAdmin::Permissions::Role.find_by(slug: @role.to_s) || 
+                       EasyAdmin::Permissions::Role.find_by(name: @role.to_s.humanize)
+          role_record&.permissions&.limit(5)&.pluck(:description) || []
+        end
+      end
+
+      def role_request_available?
+        respond_to?(:admin_email) || 
+        defined?(Rails.application.config.admin_email) ||
+        defined?(EasyAdmin.configuration&.support_email)
+      end
+
+      def role_request_url
+        email_subject = "Role%20Access%20Request%20-%20#{@role.to_s.humanize}"
+        email_body = "Hello,%0D%0A%0D%0AI%20would%20like%20to%20request%20access%20to%20the%20#{@role.to_s.humanize}%20role.%0D%0A%0D%0AThank%20you"
+        
+        if respond_to?(:admin_email)
+          "mailto:#{admin_email}?subject=#{email_subject}&body=#{email_body}"
+        elsif defined?(Rails.application.config.admin_email)
+          "mailto:#{Rails.application.config.admin_email}?subject=#{email_subject}&body=#{email_body}"
+        elsif defined?(EasyAdmin.configuration&.support_email)
+          "mailto:#{EasyAdmin.configuration.support_email}?subject=#{email_subject}&body=#{email_body}"
+        else
+          "#"
+        end
+      end
+    end
+  end
+end

data/lib/easy_admin/permissions/role_dsl.rb

@@ -0,0 +1,73 @@
+module EasyAdmin
+  module Permissions
+    class RoleDSL
+      attr_reader :roles
+      
+      def initialize
+        @roles = {}
+      end
+      
+      # Define a role with permissions
+      def role(name, slug: nil, description: nil, &block)
+        role_def = RoleDefinition.new(name, slug: slug, description: description)
+        
+        if block_given?
+          RolePermissionDSL.new(role_def).instance_eval(&block)
+        end
+        
+        @roles[role_def.slug] = role_def
+        role_def
+      end
+      
+      # Get role by slug
+      def get_role(slug)
+        @roles[slug.to_s]
+      end
+      
+      # Get all role slugs
+      def role_slugs
+        @roles.keys
+      end
+      
+      # Get all roles
+      def all_roles
+        @roles.values
+      end
+    end
+    
+    class RolePermissionDSL
+      def initialize(role_definition)
+        @role = role_definition
+      end
+      
+      # Grant permissions
+      def can(actions, resource)
+        @role.can(actions, resource)
+      end
+      
+      # Deny permissions 
+      def cannot(actions, resource)
+        @role.cannot(actions, resource)
+      end
+      
+      # Grant all CRUD permissions
+      def manage(resource)
+        @role.manage(resource)
+      end
+      
+      # Grant permissions for all registered EasyAdmin resources
+      def manage_all_resources
+        EasyAdmin::Permissions.available_resources.each do |resource|
+          manage(resource)
+        end
+      end
+      
+      # Grant read-only access to all resources
+      def read_all_resources
+        EasyAdmin::Permissions.available_resources.each do |resource|
+          can(:read, resource)
+        end
+      end
+    end
+  end
+end

data/lib/easy_admin/permissions/user_extensions.rb

@@ -0,0 +1,129 @@
+module EasyAdmin
+  module Permissions
+    module UserExtensions
+      extend ActiveSupport::Concern
+
+      included do
+        has_many :user_roles, class_name: 'EasyAdmin::Permissions::UserRole', foreign_key: 'user_id', dependent: :destroy
+        has_many :roles, through: :user_roles, class_name: 'EasyAdmin::Permissions::Role'
+        has_many :permissions, through: :roles, class_name: 'EasyAdmin::Permissions::Permission'
+
+        # Cache for computed permissions (JSON columns handle serialization automatically)
+      end
+
+      # Check if user has specific permission
+      def has_permission?(permission_name, context: nil)
+        return false unless EasyAdmin::Permissions.enabled?
+        return false unless respond_to?(:permissions_cache)
+        return false unless permissions_cache.present?
+
+        # For now, ignore context and just use flat permission structure
+        permission_value = permissions_cache[permission_name.to_s]
+        
+        # Check if permission exists in cache (handle both string and boolean values)
+        return true if permission_value == "true" || permission_value == true
+        return false if permission_value == "false" || permission_value == false
+        
+        # If not explicitly set, default to false
+        false
+      end
+
+      # Check if user has specific role
+      def has_role?(role_name, context: nil)
+        user_roles.active.includes(:role).any? do |user_role|
+          next false if context && user_role.context != context
+          user_role.role.slug == role_name.to_s || user_role.role.name == role_name.to_s
+        end
+      end
+
+      # Get all user permissions for a context
+      def calculate_permissions(context: nil)
+        return [] unless EasyAdmin::Permissions.enabled?
+        return [] unless respond_to?(:permissions_cache)
+        return [] unless permissions_cache.present?
+
+        # Return only permissions that are explicitly set to true
+        permissions_cache.select { |k, v| v == "true" || v == true }.keys
+      end
+
+      # Set user permissions directly in cache
+      def set_permission(permission_name, value = true, context: nil)
+        return false unless EasyAdmin::Permissions.enabled?
+        return false unless respond_to?(:permissions_cache=)
+
+        context_key = context&.cache_key || 'global'
+        current_cache = permissions_cache || {}
+        
+        if context
+          current_cache[context_key] ||= {}
+          current_cache[context_key][permission_name.to_s] = value.to_s
+        else
+          current_cache[permission_name.to_s] = value.to_s
+        end
+        
+        if persisted?
+          update_column(:permissions_cache, current_cache)
+        else
+          self.permissions_cache = current_cache
+        end
+        
+        true
+      end
+
+      # Remove permission from cache  
+      def remove_permission(permission_name, context: nil)
+        return false unless EasyAdmin::Permissions.enabled?
+        return false unless respond_to?(:permissions_cache=)
+
+        context_key = context&.cache_key || 'global'
+        current_cache = permissions_cache || {}
+        
+        if context && current_cache[context_key]
+          current_cache[context_key].delete(permission_name.to_s)
+        else
+          current_cache.delete(permission_name.to_s)
+        end
+        
+        if persisted?
+          update_column(:permissions_cache, current_cache)
+        else
+          self.permissions_cache = current_cache
+        end
+        
+        true
+      end
+
+      # Get all roles for user in specific context
+      def roles_for_context(context = nil)
+        if context
+          user_roles.active.for_context(context).includes(:role).map(&:role)
+        else
+          user_roles.active.global.includes(:role).map(&:role)
+        end
+      end
+
+      # Clear permission cache
+      def clear_permissions_cache!
+        if respond_to?(:permissions_cache=)
+          if persisted?
+            update_column(:permissions_cache, {})
+          else
+            self.permissions_cache = {}
+          end
+        end
+      end
+
+      private
+
+      def find_role(role_identifier)
+        if role_identifier.is_a?(String) || role_identifier.is_a?(Symbol)
+          EasyAdmin::Permissions::Role.find_by(slug: role_identifier.to_s) ||
+          EasyAdmin::Permissions::Role.find_by(name: role_identifier.to_s)
+        else
+          role_identifier
+        end
+      end
+
+    end
+  end
+end