erp_tech_svcs 3.0.12 → 3.1.0

data/lib/erp_tech_svcs/extensions/active_record/has_capability_accessors.rb

@@ -77,8 +77,7 @@ module ErpTechSvcs
 
           # pass in (capability_type_iid, klass) or (capability) object
           def add_capability(*capability)
-            capability_type_iid = capability.first.is_a?(Symbol) ? capability.first.to_s : capability.first
-            capability = capability_type_iid.is_a?(String) ? get_or_create_capability(capability_type_iid, capability.second) : capability.first
+            capability = capability.first.is_a?(String) ? get_or_create_capability(capability.first, capability.second) : capability.first
             ca = CapabilityAccessor.find_or_create_by_capability_accessor_record_type_and_capability_accessor_record_id_and_capability_id(get_superclass, self.id, capability.id)
             self.reload
             ca
@@ -90,12 +89,8 @@ module ErpTechSvcs
 
           def get_or_create_capability(capability_type_iid, klass)
             capability_type = convert_capability_type(capability_type_iid)
-            if klass.is_a?(String)
-              scope_type = ScopeType.find_by_internal_identifier('class')
-              Capability.find_or_create_by_capability_resource_type_and_capability_type_id_and_scope_type_id(klass, capability_type.id, scope_type.id)
-            else
-              klass.add_capability(capability_type_iid) # create instance capability
-            end
+            scope_type = ScopeType.find_by_internal_identifier('class')
+            Capability.find_or_create_by_capability_resource_type_and_capability_type_id_and_scope_type_id(klass, capability_type.id, scope_type.id)
           end
 
           def get_capability(capability_type_iid, klass)
@@ -106,8 +101,7 @@ module ErpTechSvcs
 
           # pass in (capability_type_iid, klass) or (capability) object
           def remove_capability(*capability)
-            capability_type_iid = capability.first.is_a?(Symbol) ? capability.first.to_s : capability.first
-            capability = capability_type_iid.is_a?(String) ? get_or_create_capability(capability_type_iid, capability.second) : capability.first
+            capability = capability.first.is_a?(String) ? get_or_create_capability(capability.first, capability.second) : capability.first
             ca = capability_accessors.where(:capability_accessor_record_type => get_superclass, :capability_accessor_record_id => self.id, :capability_id => capability.id).first
             ca.destroy unless ca.nil?
             self.reload

data/lib/erp_tech_svcs/extensions/active_record/has_security_roles.rb

@@ -14,6 +14,8 @@ module ErpTechSvcs
 
 				module ClassMethods
 				  def has_security_roles
+            has_and_belongs_to_many :security_roles
+
 				    extend HasSecurityRoles::SingletonMethods
     				include HasSecurityRoles::InstanceMethods
 				  end

data/lib/erp_tech_svcs/extensions/active_record/protected_with_capabilities.rb

@@ -9,24 +9,15 @@ module ErpTechSvcs
 
 				module ClassMethods
 
-				  def protected_with_capabilities(options = {})
+				  def protected_with_capabilities
 				    extend ProtectedByCapabilities::SingletonMethods
     				include ProtectedByCapabilities::InstanceMethods
-
-            has_many :capabilities, :as => :capability_resource
     				
-            # protect all instance of this class by default
-            class_attribute :protect_all_instances
-            self.protect_all_instances = (options[:protect_all_instances].nil? ? false : options[:protect_all_instances])
-
-            # Get records filtered via query scope capabilities
-            # By default Compass AE treats query scopes as restrictions
-            # A user will see all records unless the user has a capability accessor with a query scope
-            # If you set :protect_all_instances => true it is honored via with_user_security & with_instance_security but NOT with_query_security
-            # arguments: user, capability_type_iids 
-            # capability_type_iids is optional and can be a single string or an array of strings
-            # Example: which files can this user download? FileAsset.with_query_security(user, 'download').all
-            # Example: which website sections can this user either view or edit? WebsiteSection.with_query_security(user, ['view','edit']).all
+            has_many :capabilities, :as => :capability_resource
+
+            # get records filtered via query scope capabilities
+            # by default Compass AE treats query scopes as restrictions
+            # a user will see all records unless the user has a capability accessor with a query scope
             scope :with_query_security, lambda{|*args|
               raise ArgumentError if args.empty? || args.size > 2
               user = args.first
@@ -34,11 +25,11 @@ module ErpTechSvcs
               capability_type_iids = [capability_type_iids] if capability_type_iids.is_a?(String)
 
               scope_type = ScopeType.find_by_internal_identifier('query')
-              granted_capabilities = user.all_capabilities.where(:scope_type_id => scope_type.id).where(:capability_resource_type => self.name)
+              granted_capabilities = user.all_capabilities.collect{|c| c if c.scope_type_id == scope_type.id and c.capability_resource_type == self.name }.compact
 
               unless capability_type_iids.empty?
                 capability_type_ids = capability_type_iids.collect{|type| convert_capability_type(type).id }
-                granted_capabilities = granted_capabilities.where("capability_type_id IN (?)", capability_type_ids.join(','))
+                granted_capabilities = granted_capabilities.collect{|c| c if capability_type_ids.include?(c.capability_type_id)}.compact
               end
 
               query = nil
@@ -48,45 +39,34 @@ module ErpTechSvcs
               query
             }
 
-            # Get records for this model permitted via instance capabilities
-            # If :protect_all_instances => true return only instances user has explicitly been granted access to
-            # If :protect_all_instances => false return instances without capabilities or that user is granted access to (default)
+            # get records for this model without capabilities or that are not in a list of denied capabilities
+            scope :with_instance_security, lambda{|denied_capabilities|
+                                    query = joins("LEFT JOIN capabilities AS c ON c.capability_resource_id = #{self.table_name}.id AND c.capability_resource_type = '#{self.name}'").
+                                            group(columns.collect{|c| "#{self.table_name}.#{c.name}" })
+                                    query = (denied_capabilities.empty? ? query.where("c.id IS NULL OR c.id = c.id") : query.where("c.id IS NULL OR c.id NOT IN (?)", denied_capabilities.collect{|c| c.id }))
+                                    query                                    
+                                  }
+
+            # get records for this model that the given user has access to
             # arguments: user, capability_type_iids 
             # capability_type_iids is optional and can be a single string or an array of strings
-            # Example: which files can this user download? FileAsset.with_instance_security(user, 'download').all
-            # Example: which website sections can this user either view or edit? WebsiteSection.with_instance_security(user, ['view','edit']).all
-            scope :with_instance_security, lambda{|*args|
+            # Example: which files can this user download? FileAsset.with_user_security(user, 'download').all
+            # Example: which website sections can this user either view or edit? WebsiteSection.with_user_security(user, ['view','edit']).all
+            scope :with_user_security, lambda{|*args|
               raise ArgumentError if args.empty? || args.size > 2
               user = args.first
               capability_type_iids = args.second || []
               capability_type_iids = [capability_type_iids] if capability_type_iids.is_a?(String)
 
               scope_type = ScopeType.find_by_internal_identifier('instance')
-              granted_capabilities = user.all_capabilities.where(:scope_type_id => scope_type.id).where(:capability_resource_type => self.name)
+              granted_capabilities = user.all_capabilities.collect{|c| c if c.scope_type_id == scope_type.id and c.capability_resource_type == self.name }.compact
 
               unless capability_type_iids.empty?
                 capability_type_ids = capability_type_iids.collect{|type| convert_capability_type(type).id }
-                granted_capabilities = granted_capabilities.where("capability_type_id IN (#{capability_type_ids.join(',')})")
+                granted_capabilities = granted_capabilities.collect{|c| c if capability_type_ids.include?(c.capability_type_id)}.compact
               end
-
-              denied_capabilities = instance_capabilities.select('capabilities.id').where("capabilities.id NOT IN (#{granted_capabilities.select('capabilities.id').to_sql})")
-              deny_count = denied_capabilities.count
-
-              join_type = (self.protect_all_instances ? 'JOIN' : 'LEFT JOIN')
-              query = joins("#{join_type} capabilities AS c ON c.capability_resource_id = #{self.table_name}.id AND c.capability_resource_type = '#{self.name}'").
-                      group(columns.collect{|c| "#{self.table_name}.#{c.name}" })
-              query = (deny_count == 0 ? query.where("c.id IS NULL OR c.id = c.id") : query.where("c.id IS NULL OR c.id NOT IN (#{denied_capabilities.to_sql})"))
-              query
-            }
-
-            # Get records for this model that the given user has access to
-            # arguments: user, capability_type_iids 
-            # capability_type_iids is optional and can be a single string or an array of strings
-            # Example: which files can this user download? FileAsset.with_user_security(user, 'download').all
-            # Example: which website sections can this user either view or edit? WebsiteSection.with_user_security(user, ['view','edit']).all
-            scope :with_user_security, lambda{|*args|
-              raise ArgumentError if args.empty? || args.size > 2              
-              with_instance_security(*args).with_query_security(*args)
+              
+              with_query_security(*args).with_instance_security(instance_capabilities - granted_capabilities) 
             }
 				  end
 				end
@@ -122,9 +102,9 @@ module ErpTechSvcs
             capabilities.where(:scope_type_id => scope_type.id)
           end
 
-          # return unique roles on capabilities for this model
+          # collect unique roles on capabilities
           def capability_roles
-            SecurityRole.joins(:capability_accessors => :capability).where(:capability_accessors => {:capabilities => {:capability_resource_type => get_superclass(self.name) }}).all.uniq
+            capabilities.collect{|c| c.roles }.flatten.uniq
           end
 
           # add a class level capability (capability_resource_id will be NULL)
@@ -167,11 +147,6 @@ module ErpTechSvcs
 						
 				module InstanceMethods
 
-          # convenience method to access class method
-          def protect_all_instances
-            self.class.protect_all_instances
-          end
-
           def add_capability(capability_type_iid)
             capability_type = convert_capability_type(capability_type_iid)
             scope_type = ScopeType.find_by_internal_identifier('instance')
@@ -190,11 +165,11 @@ module ErpTechSvcs
           end   
 
           def protected_with_capability?(capability_type_iid)
-            !get_capability(capability_type_iid).nil? or protect_all_instances
+            !get_capability(capability_type_iid).nil?
           end
 
           def allow_access?(user, capability_type_iid)
-            if (!self.protect_all_instances and !self.protected_with_capability?(capability_type_iid.to_s)) or (user and user.has_capability?(capability_type_iid.to_s, self))
+            if !self.protected_with_capability?(capability_type_iid.to_s) or (user and user.has_capability?(capability_type_iid.to_s, self))
               return true
             else
               return false

data/lib/erp_tech_svcs/extensions/railties/action_view/base.rb

@@ -0,0 +1,8 @@
+#require all ActionView helper files
+Dir.entries(File.join(File.dirname(__FILE__),"helpers")).delete_if{|name| name =~ /^\./}.each do |file|
+  require "erp_tech_svcs/extensions/railties/action_view/helpers/#{file}"
+end
+
+ActionView::Base.class_eval do
+  include ErpTechSvcs::Extensions::Railties::ActionView::Helpers::IncludeHelper
+end

data/lib/erp_tech_svcs/extensions/railties/action_view/helpers/include_helper.rb

@@ -0,0 +1,28 @@
+module ErpTechSvcs
+  module Extensions
+    module Railties
+      module ActionView
+        module Helpers
+          module IncludeHelper
+
+            def set_max_file_upload
+              raw "<script type='text/javascript'>Ext.ns('ErpTechSvcs.Config'); ErpTechSvcs.Config.max_file_size_in_mb = #{ErpTechSvcs::Config.max_file_size_in_mb};</script>"
+            end
+
+            def set_email_regex
+              raw "<script type='text/javascript'>ErpTechSvcs.Config.email_regex = \"#{ErpTechSvcs::Config.email_regex}\";</script>"
+            end
+
+            def set_file_upload_types
+              raw "<script type='text/javascript'>ErpTechSvcs.Config.file_upload_types = \"#{ErpTechSvcs::Config.file_upload_types}\";</script>"
+            end
+            
+            def set_erp_tech_config_vars
+              raw "#{set_max_file_upload} #{set_email_regex} #{set_file_upload_types}"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/erp_tech_svcs/extensions.rb

@@ -1,3 +1,6 @@
+#railties
+require 'erp_tech_svcs/extensions/railties/action_view/base'
+
 #active record extensions
 require 'erp_tech_svcs/extensions/active_record/base'
 require 'erp_tech_svcs/extensions/active_record/has_file_assets'

data/lib/erp_tech_svcs/file_support/railties/s3_resolver.rb

@@ -19,7 +19,7 @@ module ActionView
     def cached(key, path_info, details, locals) #:nodoc:
       file_support = ErpTechSvcs::FileSupport::Base.new(:storage => :s3)
       name, prefix, partial = path_info
-      locals = sort_locals(locals)
+      locals = locals.map { |x| x.to_s }.sort!
 
       if key && caching?
         if @cached[key][name][prefix][partial][locals].nil? or @cached[key][name][prefix][partial][locals].empty?

data/lib/erp_tech_svcs/sms_wrapper/clickatell.rb

@@ -20,6 +20,6 @@ module ErpTechSvcs
         result
       end
 
-    end
-  end
-end
+    end #Clickatell
+  end #SmsWrapper
+end #ErpTechSvcs

data/lib/erp_tech_svcs/utils/compass_access_negotiator.rb

@@ -13,17 +13,15 @@ module ErpTechSvcs
                                   where(:capability_resource_type => klass).
                                   where(:scope_type_id => scope_type.id).
                                   where(:capability_types => {:internal_identifier => capability_type_iid}).first
-          return nil if capability.nil? # capability not found so return nil
         else
           scope_type = ScopeType.find_by_internal_identifier('instance')
           capability = klass.capabilities.joins(:capability_type).
                               where(:scope_type_id => scope_type.id).
                               where(:capability_types => {:internal_identifier => capability_type_iid}).first
-          # if capability not found, we see if all instances are protected
-          # if all instance are protected, return false, otherwise true
-          return !klass.protect_all_instances if capability.nil?
+          return true if capability.nil? # object is not secured, so return true
         end
-        all_capabilities.include?(capability)
+        result = all_capabilities.find{|c| c == capability }
+        result.nil? ? false : true
       end
 
       # pass in (capability_type_iid, class name or any class instance, a block of code)
@@ -52,7 +50,7 @@ module ErpTechSvcs
           end
         end
 
-        class CapabilityAlreadytExists < StandardError
+        class CapabilityAlreadyExists < StandardError
           def to_s
             "Capability already exists."
           end

data/lib/erp_tech_svcs/version.rb

@@ -1,8 +1,8 @@
 module ErpTechSvcs
   module VERSION #:nodoc:
     MAJOR = 3
-    MINOR = 0
-    TINY  = 12
+    MINOR = 1
+    TINY  = 0
 
     STRING = [MAJOR, MINOR, TINY].compact.join('.')
   end

data/lib/erp_tech_svcs.rb

@@ -4,14 +4,15 @@ require 'erp_base_erp_svcs'
 require 'paperclip'
 require 'delayed_job'
 require 'delayed_job_active_record'
+require 'mail_alternatives_with_attachments'
 require 'sorcery'
 require 'pdfkit'
+require 'aws'
 require "erp_tech_svcs/version"
 require "erp_tech_svcs/utils/compass_logger"
 require "erp_tech_svcs/utils/default_nested_set_methods"
 require "erp_tech_svcs/utils/compass_access_negotiator"
 require "erp_tech_svcs/extensions"
-require 'aws'
 require 'erp_tech_svcs/file_support'
 require 'erp_tech_svcs/sms_wrapper'
 require "erp_tech_svcs/config"

data/spec/dummy/config/application.rb

@@ -38,6 +38,12 @@ module Dummy
 
     # Enable the asset pipeline
     config.assets.enabled = true
+
+    # Enforce whitelist mode for mass assignment.
+    # This will create an empty whitelist of attributes available for mass-assignment for all models
+    # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+    # parameters by using an attr_accessible or attr_protected declaration.
+    config.active_record.whitelist_attributes = true    
   end
 end
 

data/spec/dummy/config/environments/spec.rb

@@ -1,6 +1,9 @@
 Dummy::Application.configure do
   # Settings specified here will take precedence over those in config/application.rb
 
+  # Raise exception on mass assignment protection for Active Record models
+  config.active_record.mass_assignment_sanitizer = :strict
+
   # In the development environment your application's code is reloaded on
   # every request.  This slows down response time but is perfect for development
   # since you don't have to restart the web server when you make code changes.

data/spec/dummy/config/s3.yml

@@ -0,0 +1,23 @@
+common: &common
+  access_key_id: AKIAIK3DDLVVJUWSHVPQ
+  secret_access_key: VkU48NcDxPLIXGu+oOgIzCTnW89AdHIuFkRGl4Va
+    
+production:
+  <<: *common
+  bucket: terralab
+
+development:
+  <<: *common
+  bucket: terralabdev
+
+test:
+  <<: *common
+  bucket: terralabtest
+
+spec:
+  <<: *common
+  bucket: terralabtest
+
+adam:
+  <<: *common
+  bucket: terralab

data/spec/dummy/db/data_migrations/20120109173616_create_download_capability_type.erp_tech_svcs.rb

@@ -0,0 +1,14 @@
+# This migration comes from erp_tech_svcs (originally 20120109173616)
+class CreateDownloadCapabilityType
+  
+  def self.up
+    CapabilityType.create(:internal_identifier => 'download', :description => 'Download')
+    Role.create(:description => 'File Downloader', :internal_identifier => 'file_downloader')
+  end
+  
+  def self.down
+    CapabilityType.where("internal_identifier = 'download'").first.destroy unless Role.where("internal_identifier = 'download'").first.nil?
+    Role.where("internal_identifier = 'file_downloader'").first.destroy  unless Role.where("internal_identifier = 'file_downloader'").first.nil?
+  end
+
+end

data/spec/dummy/db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20130105133960) do
+ActiveRecord::Schema.define(:version => 20130107214450) do
 
   create_table "attribute_types", :force => true do |t|
     t.string   "internal_identifier"