fat_free_crm 0.13.0 → 0.13.1

data/app/helpers/application_helper.rb

@@ -302,7 +302,6 @@ module ApplicationHelper
     args = { :class => 'gravatar', :size => :large }.merge(args)
 
     if model.respond_to?(:avatar) and model.avatar.present?
-      Avatar
       image_tag(model.avatar.image.url(args[:size]), args)
     else
       args = Avatar.size_from_style!(args) # convert size format :large => '75x75'
@@ -400,7 +399,6 @@ module ApplicationHelper
     check_box_tag("#{name}[]", value, checked, :id => value, :onclick => onclick)
   end
 
-
   # Create a column in the 'asset_attributes' table.
   #----------------------------------------------------------------------------
   def col(title, value, last = false, email = false)
@@ -493,5 +491,4 @@ module ApplicationHelper
     end
   end
 
-
 end

data/app/helpers/campaigns_helper.rb

@@ -33,4 +33,3 @@ module CampaignsHelper
     "#{t(campaign.status)}, " << [ status, metrics ].map { |str| strip_tags(str) }.join(' ').gsub("\n", '')
   end
 end
-

data/app/helpers/leads_helper.rb

@@ -53,16 +53,6 @@ module LeadsHelper
     end
   end
 
-  # Returns default permissions intro for leads.
-  #----------------------------------------------------------------------------
-  def get_lead_default_permissions_intro(access)
-    case access
-      when "Private" then t(:lead_permissions_intro_private, t(:opportunity_small))
-      when "Public"  then t(:lead_permissions_intro_public,  t(:opportunity_small))
-      when "Shared"  then t(:lead_permissions_intro_shared,  t(:opportunity_small))
-    end
-  end
-
   # Do not offer :converted status choice if we are creating a new lead or
   # editing existing lead that hasn't been converted before.
   #----------------------------------------------------------------------------
@@ -93,4 +83,3 @@ module LeadsHelper
     summary.join(', ')
   end
 end
-

data/app/helpers/opportunities_helper.rb

@@ -31,4 +31,3 @@ module OpportunitiesHelper
     summary.compact.join(', ')
   end
 end
-

data/app/helpers/tags_helper.rb

@@ -28,12 +28,4 @@ module TagsHelper
     end.html_safe
   end
 
-  # Generate tag links for the asset landing page (shown on a sidebar).
-  #----------------------------------------------------------------------------
-  def tags_for_show(model)
-    model.tag_list.inject([]) do |arr, tag|
-      arr << link_to(tag, url_for(:action => "tagged", :id => tag), :title => tag)
-    end.join(" ").html_safe
-  end
-
 end

data/app/helpers/versions_helper.rb

@@ -8,7 +8,7 @@ module VersionsHelper
   # Parse the changes for each version
   #----------------------------------------------------------------------------
   def parse_version(attr_name, change)
-    if attr_name =~ /^cf_/ and (field = CustomField.where(:name => attr_name).first).present?
+    if attr_name =~ /\Acf_/ and (field = CustomField.where(:name => attr_name).first).present?
       label = field.label
       first = field.render(change.first)
       second = field.render(change.second)

data/app/models/entities/account_contact.rb

@@ -21,7 +21,7 @@ class AccountContact < ActiveRecord::Base
 
   has_paper_trail :meta => { :related => :contact }, :ignore => [ :id, :created_at, :updated_at, :contact_id ]
 
-  validates :account_id, :presence => true
+  validates_presence_of :account_id, :contact_id
 
   ActiveSupport.run_load_hooks(:fat_free_crm_account_contact, self)
 end

data/app/models/entities/campaign.rb

@@ -32,7 +32,7 @@
 class Campaign < ActiveRecord::Base
   belongs_to  :user
   belongs_to  :assignee, :class_name => "User", :foreign_key => :assigned_to
-  has_many    :tasks, :as => :asset, :dependent => :destroy#, :order => 'created_at DESC'
+  has_many    :tasks, :as => :asset, :dependent => :destroy
   has_many    :leads, :dependent => :destroy, :order => "id DESC"
   has_many    :opportunities, :dependent => :destroy, :order => "id DESC"
   has_many    :emails, :as => :mediator
@@ -42,8 +42,8 @@ class Campaign < ActiveRecord::Base
   scope :state, ->(filters) {
     where('status IN (?)' + (filters.delete('other') ? ' OR status IS NULL' : ''), filters)
   }
-  scope :created_by,  ->(user) { where('user_id = ?' , user.id) }
-  scope :assigned_to, ->(user) { where('assigned_to = ?', user.id) }
+  scope :created_by,  ->(user) { where( user_id: user.id ) }
+  scope :assigned_to, ->(user) { where( assigned_to: user.id ) }
 
   scope :text_search, ->(query) { search('name_cont' => query).result }
 

data/app/models/entities/contact.rb

@@ -45,7 +45,7 @@ class Contact < ActiveRecord::Base
   has_one     :account, :through => :account_contact
   has_many    :contact_opportunities, :dependent => :destroy
   has_many    :opportunities, :through => :contact_opportunities, :uniq => true, :order => "opportunities.id DESC"
-  has_many    :tasks, :as => :asset, :dependent => :destroy#, :order => 'created_at DESC'
+  has_many    :tasks, :as => :asset, :dependent => :destroy
   has_one     :business_address, :dependent => :destroy, :as => :addressable, :class_name => "Address", :conditions => "address_type = 'Business'"
   has_many    :addresses, :dependent => :destroy, :as => :addressable, :class_name => "Address" # advanced search uses this
   has_many    :emails, :as => :mediator
@@ -59,8 +59,8 @@ class Contact < ActiveRecord::Base
 
   accepts_nested_attributes_for :business_address, :allow_destroy => true, :reject_if => proc {|attributes| Address.reject_address(attributes)}
 
-  scope :created_by,  ->(user) { where("user_id = ?", user.id) }
-  scope :assigned_to, ->(user) { where("assigned_to = ?", user.id) }
+  scope :created_by,  ->(user) { where( user_id: user.id ) }
+  scope :assigned_to, ->(user) { where( assigned_to: user.id ) }
 
   scope :text_search, ->(query) {
     t = Contact.arel_table

data/app/models/entities/lead.rb

@@ -41,7 +41,7 @@ class Lead < ActiveRecord::Base
   belongs_to  :campaign
   belongs_to  :assignee, :class_name => "User", :foreign_key => :assigned_to
   has_one     :contact, :dependent => :nullify # On destroy keep the contact, but nullify its lead_id
-  has_many    :tasks, :as => :asset, :dependent => :destroy#, :order => 'created_at DESC'
+  has_many    :tasks, :as => :asset, :dependent => :destroy
   has_one     :business_address, :dependent => :destroy, :as => :addressable, :class_name => "Address", :conditions => "address_type='Business'"
   has_many    :addresses, :dependent => :destroy, :as => :addressable, :class_name => "Address" # advanced search uses this
   has_many    :emails, :as => :mediator
@@ -53,10 +53,10 @@ class Lead < ActiveRecord::Base
   scope :state, ->(filters) {
     where([ 'status IN (?)' + (filters.delete('other') ? ' OR status IS NULL' : ''), filters ])
   }
-  scope :converted, -> { where(:status => 'converted') }
-  scope :for_campaign, ->(id) { where('campaign_id = ?', id) }
-  scope :created_by, ->(user) { where('user_id = ?' , user.id) }
-  scope :assigned_to, ->(user) { where('assigned_to = ?' , user.id) }
+  scope :converted,    ->       { where( status: 'converted' ) }
+  scope :for_campaign, ->(id)   { where( campaign_id: id ) }
+  scope :created_by,   ->(user) { where( user_id: user.id ) }
+  scope :assigned_to,  ->(user) { where( assigned_to: user.id ) }
 
   scope :text_search, ->(query) { search('first_name_or_last_name_or_company_or_email_cont' => query).result }
 

data/app/models/entities/opportunity.rb

@@ -51,9 +51,7 @@ class Opportunity < ActiveRecord::Base
 
   # Search by name OR id
   scope :text_search, ->(query) {
-    # postgresql does not like to compare string to integer field
-    if query =~ /^\d+$/
-      query = query.gsub(/[^\w\s\-\.'\p{L}]/u, '').strip
+    if query =~ /\A\d+\z/
       where('upper(name) LIKE upper(:name) OR opportunities.id = :id', :name => "%#{query}%", :id => query)
     else
       search('name_cont' => query).result

data/app/models/fields/field_group.rb

@@ -46,6 +46,7 @@ class FieldGroup < ActiveRecord::Base
   end
 
   private
+
   # Can't delete default field group
   def not_default_field_group
     name != "custom_fields"

data/app/models/list.rb

@@ -9,7 +9,8 @@ class List < ActiveRecord::Base
 
   # Parses the controller from the url
   def controller
-    (url || "").sub(/^\//,'').split(/\/|\?/).first
+    (url || "").sub(/\A\//,'').split(/\/|\?/).first
   end
+
   ActiveSupport.run_load_hooks(:fat_free_crm_list, self)
 end

data/app/models/polymorphic/avatar.rb

@@ -45,7 +45,7 @@ class Avatar < ActiveRecord::Base
     if options[:width] && options[:height]
       options[:size] = [:width, :height].map{|d| options[d]}.join("x")
     elsif Avatar::STYLES.keys.include?(options[:size])
-      options[:size] = Avatar::STYLES[options[:size]].sub(/\#$/,'')
+      options[:size] = Avatar::STYLES[options[:size]].sub(/\#\z/,'')
     end
     options
   end

data/app/models/polymorphic/task.rb

@@ -27,6 +27,7 @@
 
 class Task < ActiveRecord::Base
   attr_accessor :calendar
+  ALLOWED_VIEWS = %w(pending assigned completed)
 
   belongs_to :user
   belongs_to :assignee, :class_name => "User", :foreign_key => :assigned_to
@@ -46,8 +47,8 @@ class Task < ActiveRecord::Base
     limit(options[:limit]) # nil selects all records
   }
 
-  scope :created_by,  ->(user) { where(:user_id => user.id) }
-  scope :assigned_to, ->(user) { where(:assigned_to => user.id) }
+  scope :created_by,  ->(user) { where( user_id: user.id ) }
+  scope :assigned_to, ->(user) { where( assigned_to: user.id ) }
 
   # Tasks assigned by the user to others. That's what we see on Tasks/Assigned.
   scope :assigned_by, ->(user) {
@@ -62,8 +63,8 @@ class Task < ActiveRecord::Base
     where('user_id = ? OR assigned_to = ?', user.id, user.id)
   }
 
+  # Show opportunities which either belong to the user and are unassigned, or are assigned to the user
   scope :visible_on_dashboard, ->(user) {
-    # Show opportunities which either belong to the user and are unassigned, or are assigned to the user
     where('(user_id = :user_id AND assigned_to IS NULL) OR assigned_to = :user_id', :user_id => user.id).where('completed_at IS NULL')
   }
 
@@ -171,6 +172,7 @@ class Task < ActiveRecord::Base
   # Returns list of tasks grouping them by due date as required by tasks/index.
   #----------------------------------------------------------------------------
   def self.find_all_grouped(user, view)
+    return {} unless ALLOWED_VIEWS.include?(view)
     settings = (view == "completed" ? Setting.task_completed : Setting.task_bucket)
     Hash[
       settings.map do |key, value|
@@ -182,7 +184,7 @@ class Task < ActiveRecord::Base
   # Returns bucket if it's empty (i.e. we have to hide it), nil otherwise.
   #----------------------------------------------------------------------------
   def self.bucket_empty?(bucket, user, view = "pending")
-    return false if bucket.blank?
+    return false if bucket.blank? or !ALLOWED_VIEWS.include?(view)
     if view == "assigned"
       assigned_by(user).send(bucket).pending.count
     else
@@ -193,6 +195,7 @@ class Task < ActiveRecord::Base
   # Returns task totals for each of the views as needed by tasks sidebar.
   #----------------------------------------------------------------------------
   def self.totals(user, view = "pending")
+    return {} unless ALLOWED_VIEWS.include?(view)
     settings = (view == "completed" ? Setting.task_completed : Setting.task_bucket)
     settings.inject({ :all => 0 }) do |hash, key|
       hash[key] = (view == "assigned" ? assigned_by(user).send(key).pending.count : my(user).send(key).send(view).count)

data/app/models/setting.rb

@@ -71,7 +71,6 @@ class Setting < ActiveRecord::Base
       end
     end
 
-
     # Set setting value
     #-------------------------------------------------------------------
     def []=(name, value)
@@ -82,7 +81,6 @@ class Setting < ActiveRecord::Base
       cache[name] = value
     end
 
-
     # Unrolls [ :one, :two ] settings array into [[ "One", :one ], [ "Two", :two ]]
     # picking symbol translations from locale. If setting is not a symbol but
     # string it gets copied without translation.
@@ -98,7 +96,6 @@ class Setting < ActiveRecord::Base
       table_exists? rescue false
     end
 
-
     # Loads settings from YAML files
     def load_settings_from_yaml(file)
       settings = YAML.load_file(file)

data/app/models/users/ability.rb

@@ -9,11 +9,22 @@ class Ability
   include CanCan::Ability
 
   def initialize(user)
+
+    # handle signup
+    can(:create, User) if User.can_signup?
+
     if user.present?
       entities = [Account, Campaign, Contact, Lead, Opportunity]
 
-      can :create, :all
-      can :read, [User] # for search autocomplete
+      # User
+      can :manage, User, id: user.id # can do any action on themselves
+
+      # Tasks
+      can :create, Task
+      can :manage, Task, user: user.id
+      can :manage, Task, assigned_to: user.id
+
+      # Entities
       can :manage, entities, :access => 'Public'
       can :manage, entities + [Task], :user_id => user.id
       can :manage, entities + [Task], :assigned_to => user.id

data/app/models/users/user.rb

@@ -61,7 +61,6 @@ class User < ActiveRecord::Base
 
   has_paper_trail :ignore => [:last_request_at, :perishable_token]
 
-  # For some reason this does not play nice with has_paper_trail when set as default scope
   scope :by_id, -> { order('id DESC') }
   scope :except, ->(user) { where('id != ?', user.id).by_name }
   scope :by_name, -> { order('first_name, last_name, email') }
@@ -188,6 +187,10 @@ class User < ActiveRecord::Base
       Ability.new(User.current_user)
     end
 
+    def can_signup?
+      [ :allowed, :needs_approval ].include? Setting.user_signup
+    end
+
   end
 
   ActiveSupport.run_load_hooks(:fat_free_crm_user, self)

data/app/views/home/index.html.haml

@@ -44,7 +44,3 @@
 
 
 #export= render "shared/export"
-/
-  Check out HTML source to view the output of the hook if you have sample plugin installed
-  http://github.com/michaeldv/crm_sample_plugin/tree/master
-  = hook(:home_view, self, :hello => "world!", :welcome => "home")

data/app/views/layouts/application.html.haml

@@ -21,13 +21,15 @@
 
     :javascript
       crm.language = "#{I18n.locale}"
-      #{yield :javascript}
-      var _ffcrm_users = [
-      #{User.all.map{|u| "\"#{u.full_name} (@#{u.username})\"" }.join(",\n")}
-      ];
-
       window.controller = "#{controller.controller_name}"
 
+    - if current_user.present?
+      :javascript
+        #{yield :javascript}
+        var _ffcrm_users = [
+        #{User.all.map{|u| "\"#{u.full_name} (@#{u.username})\"" }.join(",\n")}
+        ];
+
     <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
     <link rel="icon" href="/favicon.ico" type="image/x-icon">
 

data/app/views/leads/_contact.html.haml

@@ -33,6 +33,3 @@
             .check_box
               = f.check_box :do_not_call, {}, true
               #{t :do_not_call}
-
-
-

data/app/views/lists/_personal_sidebar.html.haml

@@ -8,8 +8,8 @@
     - else
       - @personal_lists.sort.each_with_index do |list, i|
         %li[list]{ :class => i < @personal_lists.size - 1 ? "" : "last" }
-          %dt= link_to(truncate(list.name, :length => 25), list.url, :title => list.name)
-          %tt 
+          %dt= link_to(truncate(list.name, :length => 25), h(list.url), :title => list.name)
+          %tt
             = link_to(url_for(list), :method => :delete, :confirm => 'Are you sure?', :remote => true, :class => "list_icon delete_on_hover") do
               %i.fa{:"data-controller" => list.controller, class: get_icon(list.controller)}
 

data/app/views/lists/_sidebar.html.haml

@@ -8,8 +8,8 @@
     - else
       - @global_lists.sort.each_with_index do |list, i|
         %li[list]{ :class => i < @global_lists.size - 1 ? "" : "last" }
-          %dt= link_to(truncate(list.name, :length => 25), list.url, :title => list.name)
-          %tt 
+          %dt= link_to(truncate(list.name, :length => 25), h(list.url), :title => list.name)
+          %tt
             = link_to(url_for(list), :method => :delete, :confirm => 'Are you sure?', :remote => true, :class => "list_icon delete_on_hover") do
               %i.fa{:"data-controller" => list.controller, class: get_icon(list.controller)}
 

data/config/application.rb

@@ -28,7 +28,7 @@ module FatFreeCRM
     config.autoload_paths += Dir[Rails.root.join("app/models/**")] +
                              Dir[Rails.root.join("app/controllers/entities")]
 
-    # Prevent Field class from being reloading more than once as this clears registered customfields
+    # Prevent Field class from being reloaded more than once as this clears registered customfields
     config.autoload_once_paths += [File.expand_path("../app/models/fields/field.rb", __FILE__)]
 
     # Activate observers that should always be running.
@@ -62,7 +62,7 @@ module FatFreeCRM
     config.encoding = "utf-8"
 
     # Configure sensitive parameters which will be filtered from the log file.
-    config.filter_parameters += [:password]
+    config.filter_parameters += [:password, :password_hash, :password_salt, :password_confirmation]
 
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,

data/config/environments/development.rb

@@ -19,6 +19,8 @@ if defined?(FatFreeCRM::Application)
     config.consider_all_requests_local       = true
     config.action_controller.perform_caching = false
 
+    config.action_mailer.delivery_method = :file
+
     # Don't care if the mailer can't send
     config.action_mailer.raise_delivery_errors = true
 

data/config/environments/production.rb

@@ -10,9 +10,8 @@ if defined?(FatFreeCRM::Application)
     # Code is not reloaded between requests
     config.cache_classes = true
 
-    # Full error reports are enabled, since this is an internal application.
-    config.consider_all_requests_local       = true
-    # Caching is turned on
+    # Full error reports are disabled and caching is turned on.
+    config.consider_all_requests_local       = false
     config.action_controller.perform_caching = true
 
     # Disable Rails's static asset server (Apache or nginx will already do this)

data/config/initializers/secret_token.rb

@@ -1 +1,25 @@
-FatFreeCRM::Application.config.secret_token = 'be17625f6b1d92df0ed33a3ea57905ed321ef6089c213f23b2dff44a9b236d836b854451068ae030741b182d29ac25c5dbd075c993cabfd624d825e66e073071'
+# Copyright (c) 2008-2013 Michael Dvorkin and contributors.
+#
+# Fat Free CRM is freely distributable under the terms of MIT license.
+# See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
+#------------------------------------------------------------------------------
+
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure your secret_key_base is kept private
+# if you're sharing your code publicly.
+
+#
+# We should setup a secret token if FFCRM is running in application mode but NOT in engine mode.
+# This functionality has been extracted to lib so it can be tested.
+if FatFreeCRM.application?
+  require 'fat_free_crm/secret_token_generator'
+  FatFreeCRM::SecretTokenGenerator.setup!
+end