edgarj 0.01.12

data/app/controllers/edgarj/edgarj_controller.rb

@@ -0,0 +1,535 @@
+require 'csv'
+
+module Edgarj
+  # Generic CRUD(Create/Read/Update/Delte) controller with Ajax.
+  #
+  # === EdgarjController v.s. ApplicationController
+  # When concreate controller (e.g. CustomersController) inherits
+  # EdgarjController, it has the following features:
+  #
+  # * CRUD with default form on Ajax
+  #   * form can be customized.
+  # * QBE (Query By Example) search form
+  # * popup-selection on 'belongs_to' column
+  # * sort on list
+  # * saving search-conditions and reuse it
+  #
+  # If these are not necessary, just inherits ApplicationController.
+  #
+  # === Tasks when adding new model which is handled under EdgarjController
+  # For example, when want to add Post model:
+  # 1. generate edgarj:scaffold:
+  #     rails generate edgarj:scaffold post name:string body:text published:boolean
+  # 2. add controller entry to CONTROLLER_MENU (config/initializers/edgarj.rb)
+  #
+  # It will take about ~3 min.
+  #
+  # For the detail of customization, please see:
+  #   http://sourceforge.net/apps/trac/jjedgarj/wiki/customize
+  #
+  # === Architecture
+  # see {architecture}[link:../architecture.odp] (OpenOffice Presentation)
+  #
+  # === Access Control
+  # There are two dimentions of access control:
+  # 1. Page level (Controller level) access control.
+  #    * Edgarj::UserGroup with kind==ROLE and Edgarj::ModelPermission
+  #       represents access control on each controller.
+  #    * Admin user, who belongs to 'admin' user_group, can access any page.
+  #    * When a user belongs to a user_group (kind==ROLE) and 
+  #      a model_permission belongs to the user_group, the user can
+  #      access the controller which model is the model in model_permission.
+  #    * More precisely, 4 kind of access controls, CREATE,
+  #      READ, UPDATE, and DELETE can be set with any conbination on the
+  #      controller.
+  #    * See Edgarj::ModelPermission for more detail.
+  # 1. Data scope.
+  #    * data scope access is controlled by 'user_scoped(user, context)'
+  #      scope defined at each model.
+  #    * Where, user is currently accessing person to the model.
+  #    * context is any kind of 2nd parameter.  Default is session object of
+  #      Edgarj::Sssn, but it can be overwritten 'scope_context' method
+  #      at the target controller.
+  #    * See Author.user_scoped as an example.
+  #
+  # == Naming Convention
+  #
+  # * 'record' is an instance of 'Model'.
+  # * 'drawer' is an instance of 'Drawer' class.
+  #
+  # === Implementation Note
+  # Why not to choose mixin rather than class is because
+  # it is easier to use edgarj's view at client controller.  For example,
+  # AuthorsController, which inherits from EdgarjController, can
+  # automatically use edgarj's view by rails view-selection feature.
+  #
+  # === SEE ALSO
+  # PopupController::  'belongs_to' popup for EdgarjController
+  # 
+  class EdgarjController < ApplicationController
+    include ControllerMixinCommon
+    include PermissionMixin
+   #include TopicPathControllerMixin
+
+    helper_method :model, :model_name, :drawer,
+        :draw_flash, :csv_proc
+
+    READ_ACTIONS = %w(
+        index show clear search search_clear search_save search_load
+        zip_complete csv_download file_download map page_info_save)
+
+    before_filter :require_create_permission, only: :create
+    before_filter :require_read_permission,   only: READ_ACTIONS
+    before_filter :require_update_permission, only: :update
+    before_filter :require_delete_permission, only: :destroy
+    before_filter :require_other_permission,  except: READ_ACTIONS + %w(
+      create update destroy top)
+   #after_filter  :log_topic_path
+    after_filter  :enum_cache_stat
+
+    # This page is for following purposes:
+    #
+    # * top page which contain latest info (TBD)
+    # * any error message on HTML format access
+    #   * on Ajax access, rather edgarj_error_popup is used
+    def top
+      render :action => 'top'
+    end
+
+    # draw search result in whole page.
+    # default update DOM id and template is as follows:
+    #
+    # DOM id::   'edgarj_list'
+    # template:: 'edgarj/list'
+    #
+    # However, these can be replaced by params[:update] and params[:template]
+    #
+    # === Permission
+    # ModelPermission::READ on this controller is required.
+    #
+    # === SEE ALSO
+    # popup():: draw popup
+    def index
+      page_info
+
+      # update @page_info.page when page is specified.
+      # Otherwise, reset page to 1.
+      #
+      # Just set, not save.  It will be done later when saving sssn with
+      # 'has_many page_infos ... autosave: true'
+      @page_info.page = (params[:page] || 1)
+
+     #clear_topic_path
+      prepare_list
+
+      @search = page_info.record
+      @record = model.new
+    end
+
+    # save new record
+    #
+    # === Permission
+    # ModelPermission::CREATE on this controller is required.
+    #
+    def create
+      upsert do
+        # NOTE: create!() is not used because assign to @record to draw form.
+        # Otherwise, @record would be in nil so failure at edgarj/_form rendering.
+        #
+        # NOTE2: valid? after create() calls validate_on_update.  This is not
+        # an expected behavior.  So, new, valid?, then save.
+        @record = model.new(permitted_params(:create))
+        on_upsert
+       #upsert_files
+        raise ActiveRecord::RecordNotSaved if !@record.valid?
+        @record.save
+
+        # clear @record values for next data-entry
+        @record = model.new
+      end
+    end
+
+    # Show detail of one record.  Format of html & js should be supported.
+    #
+    # === Permission
+    # ModelPermission::READ on this controller is required.
+    #
+    def show
+      @record = user_scoped.find(params[:id])
+     #add_topic_path
+      respond_to do |format|
+        format.html {
+          prepare_list
+          @search = page_info.record
+          render :action=>'index'
+        }
+        format.js
+      end
+    end
+
+    # save existence modified record
+    #
+    # === Permission
+    # ModelPermission::UPDATE on this controller is required.
+    #
+    def update
+      upsert do
+        # NOTE:
+        # 1. update ++then++ valid to set new values in @record to draw form.
+        # 1. user_scoped may have joins so that record could be
+        #    ActiveRecord::ReadOnlyRecord so that's why access again from
+        #    model.
+        @record  = model.find(user_scoped.find(params[:id]).id)
+       #upsert_files
+        if !@record.update_attributes(permitted_params(:update))
+          raise ActiveRecord::RecordInvalid.new(@record)
+        end
+      end
+    end
+
+    # === Permission
+    # ModelPermission::DELETE on this controller is required.
+    def destroy
+      m = model.find(user_scoped.find(params[:id]).id)
+      m.destroy
+
+      prepare_list
+      @record = model.new
+      @flash_notice = t('delete_ok')
+    end
+
+    # Ajax method to clear form
+    #
+    # === Permission
+    # ModelPermission::READ on this controller is required.
+    #
+    def clear
+      @record = model.new
+    end
+
+    # Ajax method to execute search
+    #
+    # Actually, this doesn't execute search.  Rather, this just saves
+    # condition.  Search will be executed at any listing action
+    # like 'index', 'create', or 'update'.
+    #
+    # === Permission
+    # ModelPermission::READ on this controller is required.
+    #
+    def search
+      pi        = page_info
+      pi.record = SearchForm.new(model, params[:edgarj_search_form])
+      pi.page = 1
+      pi.save!
+      @search   = pi.record
+      prepare_list if @search.valid?
+    end
+
+    # Ajax method to clear search conditions
+    #
+    # === Permission
+    # ModelPermission::READ on this controller is required.
+    #
+    def search_clear
+      @search   = SearchForm.new(model)
+    end
+
+    # Ajax method to save search conditions
+    #
+    # === call flow
+    #  Edgarj.SearchSavePopup.open() (javascript)
+    #   (show $('search_save_popup'))
+    #    Edgarj.SearchSavePopup.submit() (javascript)
+    #     (copy entered name into $('saved_page_info_name') in form)
+    #      call :action=>'search_save'
+    #
+    # ==== TRICKY PART
+    # There are two requirements:
+    # 1. use modal-dialog to enter name to decrese busy in search form.
+    # 1. send Search Form with name to server.
+    #
+    # To comply these, Edgarj.SearchSavePopup copies the entered name to
+    # 'saved_page_info_name' hidden field and then sends the form which includes
+    # the copied name.
+    #
+    # === Permission
+    # ModelPermission::READ on this controller is required.
+    #
+    def search_save
+      svc = SavedVcontext.save(current_user, nil,
+                               params[:saved_page_info_name], page_info)
+
+      render :update do |page|
+        page << "Edgarj.SearchSavePopup.close();"
+        page.replace 'edgarj_load_condition_menu',
+           :partial=>'edgarj/load_condition_menu'
+      end
+    rescue ActiveRecord::ActiveRecordError => ex
+      app_rescue
+      render :update do |page|
+        page.replace_html 'search_save_popup_flash_error', :text=>t('save_fail')
+      end
+    end
+
+    # Ajax method to load search condition, lines, order_by, dir, and page.
+    #
+    def search_load
+      @search = current_user.saved_page_infos.find(params[:id]).load(@sssn).model
+      draw_search_form
+    end
+
+    # zip -> address completion
+    #
+    # === INPUTS
+    # params[:zip]::          key to find address info. hyphen is supported.
+    # params[:adrs_prefix]::  address fields DOM id prefix. e.g. 'org_adrs_0_'
+    #
+    # === call flow
+    # ==== on drawing
+    #   EdgarjHelper.draw_adrs()       app/helpers/edgarj_helper.rb
+    #                                 app/views/edgarj/_address.html.erb
+    #       Example:
+    #           :
+    #       <input type=text name='org[adrs_0_zip]'>
+    #           :
+    #
+    # ==== on clicking zip->address button
+    #   Edgarj.zip_complete()          public/javascripts/edgarj.js
+    #    Ajax.Request()
+    #     EdgarjController.zip_complete  app/controllers/edgarj_controller.rb
+    #      inline RJS to fill address info
+    #
+=begin
+    def zip_complete
+      zip           = params[:zip].gsub(/\D/, '')
+      @address      = ZipAddress.find_by_zip(zip) || ZipAddress.new(
+                        :prefecture => '?',
+                        :city       => '',
+                        :other      => '')
+
+      # sanitize
+      @adrs_prefix  = params[:adrs_prefix].gsub(/[^a-zA-Z_0-9]/, '')
+    end
+=end
+
+    # download model under current condition
+    #
+    # <tt>respond_to...format.csv</tt> approach was not used since
+    # \@list is different as follows:
+    # * csv returns all of records under the conditions
+    # * HTML returns *just* in specified 'page'.
+    #
+    # === Permission
+    # ModelPermission::READ on this controller is required.
+    #
+    # FIXME: file.close(true) deletes files *BEFORE* actually send file
+    # so that comment it out.  Need to clean these work files.
+    def csv_download
+      filename    = sprintf("%s-%s.csv",
+                        model_name,
+                        Time.now.strftime("%Y%m%d-%H%M%S"))
+      file        = Tempfile.new(filename, Settings.edgarj.csv_dir)
+      csv_visitor = EdgarjHelper::CsvVisitor.new(view_context)
+      cond        = {:conditions=>page_info.record.conditions}
+      file.write CSV.generate_line(model.columns.map{|c| c.name})
+      for rec in user_scoped.where(page_info.record.conditions).
+          order(
+            page_info.order_by.blank? ?
+              nil :
+              page_info.order_by + ' ' + page_info.dir) do
+        array = []
+        for col in model.columns do
+          array << csv_visitor.visit_column(rec, col)
+        end
+        file.write CSV.generate_line(array)
+      end
+      file.close 
+      send_file(file.path, {
+          type:     'text/csv',
+          filename: filename})
+     #file.close(true)
+    end
+
+    # To prevent unassociated file access, do:
+    #
+    # 1. check if it is in model object
+    # 1. check if it is a edgarj_file column
+    #
+    # === Permission
+    # ModelPermission::READ on this controller is required.
+    def file_download
+      if !model.edgarj_file?(params[:column])
+        flash[:error] = t('edgarj_file.no_assoc')
+        return
+      end
+
+      file_info_id = user_scoped.find(params[:id]).send(params[:column])
+      if file_info_id
+        file_info = FileInfo.find(file_info_id)
+        if file_info
+          send_file(file_info.full_filename, :filename => file_info.filename)
+          return
+        end
+      end
+      logger.warn 'invalid file_info'
+    end
+
+    # draw Google map.
+    #
+    # === Permission
+    # ModelPermission::READ on this controller is required.
+    #
+    def map
+      render :template=>'edgarj/map', :layout=>false
+    end
+
+  private
+    # derive model class from this controller.
+    #
+    # If controller cannot guess model class, overwrite this.
+    #
+    # === Examples:
+    # * AuthorsController   -> Author
+    # * UsersController     -> User
+    def model
+      @_model ||=
+        if self.class == Edgarj::EdgarjController
+          # dummy model for 'top' action:
+          Edgarj::Sssn
+        else
+          self.class.name.gsub(/Controller$/, '').singularize.constantize
+        end
+    end
+
+    # return model name.
+    #
+    # if each concreate controller cannot guess model name from its
+    # controller name, overwrite this.
+    #
+    # === Examples:
+    # * UsersController     -> 'edgarj_user'
+    # * AuthorsController   -> 'author'
+    # 
+    def model_name
+      @_model_name ||= ActiveModel::Naming.param_key(model.new)
+    end
+
+    # return permitted params.  Default is all.
+    #
+    # Derived Controller *MUST* customize this.
+    def permitted_params(action, kind=nil)
+      params.require(model_name).permit!
+    end
+
+    # return search-form object.
+    #
+    # called from page_info
+    def search_form
+      SearchForm.new(model)
+    end
+
+    # derive drawer class from this controller.
+    #
+    # If controller cannot guess drawer class, overwrite this.
+    #
+    # === Examples:
+    # * AuthorsController   -> AuthorDrawer
+    # * UsersController     -> UserDrawer
+    def drawer_class
+      @_drawer_cache ||=
+        if self.class == Edgarj::EdgarjController
+          Edgarj::Drawer::Normal
+        else
+          (self.class.name.gsub(/Controller$/, '').singularize +
+              'Drawer').constantize
+        end
+    end
+
+    # set drawer instance as drawer for later use on rendering view
+    def set_drawer
+      @drawer = drawer_class.new(view_context, params, page_info, model)
+    end
+
+    def drawer
+      @drawer
+    end
+
+    # additional behavior on upsert (default does nothing).
+    #
+    # Derived controller may overwrite this method if necessary, for example:
+    # * to upsert protected attributes.
+    # * to upsert server-side calculated values
+    def on_upsert
+      #
+    end
+
+    # update/insert common
+    def upsert(&block)
+      ActiveRecord::Base.transaction do
+        yield
+        @flash_notice = t('save_ok')
+      end
+      prepare_list
+    rescue ActiveRecord::RecordNotSaved, ActiveRecord::RecordInvalid => ex
+      logger.info "#{ex.class.to_s}: #{@record.class.to_s}: #{@record.errors.full_messages.join(' / ')}"
+      app_rescue
+      @flash_error = t('save_fail')
+    end
+
+    # At public action, just set any message into @flash_notice and/or
+    # \@flash_error.  Then, any render in EdgarjController will display it
+    # by calling draw_flash().
+    #
+    # draw_flash() must be a helper because it is called in render block, which
+    # is a kind of view.
+    def draw_flash(page)
+      page.replace_html 'flash_notice', :text=>@flash_notice
+      page.replace_html 'flash_error',  :text=>@flash_error
+    end
+
+    # insert/update uploaded file and point to it via file_NN column
+=begin
+    def upsert_files
+     #@record.upsert_files(params[:file_info], params[model_name])
+    end
+
+    # Since 'render :text=>proc...' cannot be tested at functional test
+    # (see http://lightyearsoftware.com/2009/10/rails-bug-with-render-text-proc-in-tests/),
+    # move the logic inside the proc here to test
+    def csv_proc(output)
+      csv_visitor = EdgarjHelper::CsvVisitor.new(@template)
+      find_args = {:conditions=>page_info.record.conditions}
+      if !page_info.order_by.blank?
+        find_args.merge!(:order => page_info.order_by + ' ' + page_info.dir)
+      end
+      output.write CSV.generate_line(model.columns.map{|c| c.name}) + "\n"
+      for rec in model.find(:all, find_args) do
+        array = []
+        for col in model.columns do
+          array << csv_visitor.visit_column(rec, col)
+        end
+        output.write CSV.generate_line(array) + "\n"
+      end
+    end
+=end
+
+    # This works as:
+    #
+    #   before_render :set_drawer
+    #
+    # to set drawer just before rendering.
+    #
+    # See http://stackoverflow.com/questions/9281224/filter-to-execute-before-render-but-after-controller
+    #
+    def render(*args)
+      # set_drawer should be called only when finishing before_filters.
+      set_drawer if current_user
+      super
+    end
+
+    def enum_cache_stat
+      logger.debug 'EnumCache stat (hit/out/out_of_enum): ' +
+          EnumCache.instance.stat.inspect
+    end
+  end
+end

data/app/controllers/edgarj/model_permissions_controller.rb

@@ -0,0 +1,8 @@
+module Edgarj
+  class ModelPermissionsController < EdgarjController
+  private
+    def drawer_class
+      ModelPermissionsHelper::ModelPermissionDrawer
+    end
+  end
+end

data/app/controllers/edgarj/permission_mixin.rb

@@ -0,0 +1,84 @@
+# permission check before-filters
+#
+# authorization('require_login' before_filter) should be prior to this.
+module Edgarj
+  module PermissionMixin
+    def self.included(klass)
+      klass.helper_method(
+          :current_user_roles,
+          :current_model_permissions
+      )
+    end
+
+  private
+    def respond_to_permission_error
+      respond_to do |format|
+        format.html {
+          flash[:error] = v('permission_no')
+
+          # FIXME: flash[:error] is not passed at redirected page
+          # so taht set it to parmas[:error].
+          # However, this change causes the test failure so that
+          # this change is applied *ONLY* on dev. & prod.
+          if Rails.env=='test'
+            redirect_to main_app.top_path
+          else
+            redirect_to main_app.top_path(error: v('permission_no'))
+          end
+        }
+        format.js {
+          flash.now[:error] = v('permission_no')
+          render 'message_popup'
+        }
+      end
+    end
+
+    def current_user_roles
+      @_edgarj_current_user_roles ||= Edgarj::UserGroup.joins(:user_group_users).
+          where(
+              'edgarj_user_groups.kind'        => Edgarj::UserGroup::Kind::ROLE,
+              'edgarj_user_group_users.user_id'=> current_user.id)
+    end
+
+    def current_model_permissions
+      @_edgarj_current_model_permissions ||= Edgarj::ModelPermission.
+          joins(user_group: :user_group_users).
+          where(
+              'model'                         => model.to_s,
+              'edgarj_user_groups.kind'        => Edgarj::UserGroup::Kind::ROLE,
+              'edgarj_user_group_users.user_id'=> current_user.id)
+    end
+
+    # common method for all of 'require_*_permission' before_filter
+    def require_x_permission(flag)
+      if current_user && current_user_roles.any?{|ug| ug.admin?}
+        # if role is admin, then ok
+      elsif current_user && current_model_permissions.any?{|cp| cp.permitted?(flag)}
+        # if enough permission, then ok
+      else
+        respond_to_permission_error
+      end
+    end
+
+    def require_create_permission
+      require_x_permission(Edgarj::ModelPermission::FlagsBitset::CREATE)
+    end
+
+    def require_read_permission
+      require_x_permission(Edgarj::ModelPermission::FlagsBitset::READ)
+    end
+
+    def require_update_permission
+      require_x_permission(Edgarj::ModelPermission::FlagsBitset::UPDATE)
+    end
+
+    def require_delete_permission
+      require_x_permission(Edgarj::ModelPermission::FlagsBitset::DELETE)
+    end
+
+    # fallback to catch public action which permisson is not declared
+    def require_other_permission
+      respond_to_permission_error
+    end
+  end
+end