forest_liana 7.0.0.beta.4 → 7.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0bf8bedca443e88f415a14995d430f5ba021cfe846d8471588680c5f35e619eb
-  data.tar.gz: f68ffb4494911b3b674965b3370988c4505be91673f7d67e194482b0975226e2
+  metadata.gz: 66ccf63de4bb8113b724cd22c63957431d50f53b5b5db53d1f48c8d9aa2e6b06
+  data.tar.gz: 134e434c2ad58ba2fa80253625e770b1b0c541f33784c9f184d666c14a75c77a
 SHA512:
-  metadata.gz: 97aeec5fc463e97cc3b8475c0f09228ea131a322d458104f2cf28306d390b904fd433a78e2a53b7baf34aaf05c6f66d7783e15a36b1f464790ab78bc5bd60ea6
-  data.tar.gz: 9339a84947baea79f91ebb48716760eee7f8e2acee6fc473b881904001c7f3f6bd6f1a1de6603df63eeba15967fcf6d982a60a7f42c049f007b958d60ff9732e
+  metadata.gz: e45967d23524fa78600a52fbe2407d7c076cb3fea24d89c4705ca22ba9836cad534eeafc0a506e061279b57fb3529069f2ffe64c1d3c1a63ca44296e41f63db1
+  data.tar.gz: afc9d99afc6d83b3fed291fd9ccf508104bb30c0631506f174a367e1a762868fc2568fb42369b141b28c47b72c9b774a2068aad38ed5d3523497f1babb244501

data/app/controllers/forest_liana/actions_controller.rb

@@ -1,5 +1,5 @@
 module ForestLiana
-  class ActionsController < ForestLiana::BaseController
+  class ActionsController < ApplicationController
 
     def get_smart_action_hook_request
       begin
@@ -17,7 +17,7 @@ module ForestLiana
     def get_action(collection_name)
       collection = get_collection(collection_name)
       begin
-         collection.actions.find {|action| ActiveSupport::Inflector.parameterize(action.name) == params[:action_name]}
+        collection.actions.find {|action| ActiveSupport::Inflector.parameterize(action.name) == params[:action_name]}
       rescue => error
         FOREST_LOGGER.error "Smart Action get action retrieval error: #{error}"
         nil

data/app/controllers/forest_liana/associations_controller.rb

@@ -10,7 +10,7 @@ module ForestLiana
 
     def index
       begin
-        getter = HasManyGetter.new(@resource, @association, params)
+        getter = HasManyGetter.new(@resource, @association, params, forest_user)
         getter.perform
 
         respond_to do |format|
@@ -25,7 +25,7 @@ module ForestLiana
 
     def count
       begin
-        getter = HasManyGetter.new(@resource, @association, params)
+        getter = HasManyGetter.new(@resource, @association, params, forest_user)
         getter.count
 
         render serializer: nil, json: { count: getter.records_count }

data/app/controllers/forest_liana/resources_controller.rb

@@ -29,7 +29,7 @@ module ForestLiana
           return head :forbidden unless checker.is_authorized?
         end
 
-        getter = ForestLiana::ResourcesGetter.new(@resource, params)
+        getter = ForestLiana::ResourcesGetter.new(@resource, params, forest_user)
         getter.perform
 
         respond_to do |format|
@@ -63,7 +63,7 @@ module ForestLiana
         )
         return head :forbidden unless checker.is_authorized?
 
-        getter = ForestLiana::ResourcesGetter.new(@resource, params)
+        getter = ForestLiana::ResourcesGetter.new(@resource, params, forest_user)
         getter.count
 
         render serializer: nil, json: { count: getter.records_count }
@@ -89,10 +89,12 @@ module ForestLiana
         checker = ForestLiana::PermissionsChecker.new(@resource, 'readEnabled', @rendering_id, user_id: forest_user['id'])
         return head :forbidden unless checker.is_authorized?
 
-        getter = ForestLiana::ResourceGetter.new(@resource, params)
+        getter = ForestLiana::ResourceGetter.new(@resource, params, forest_user)
         getter.perform
 
         render serializer: nil, json: render_record_jsonapi(getter.record)
+      rescue ActiveRecord::RecordNotFound
+        render serializer: nil, json: { status: 404 }, status: :not_found
       rescue => error
         FOREST_LOGGER.error "Record Show error: #{error}\n#{format_stacktrace(error)}"
         internal_server_error
@@ -127,7 +129,7 @@ module ForestLiana
         checker = ForestLiana::PermissionsChecker.new(@resource, 'editEnabled', @rendering_id, user_id: forest_user['id'])
         return head :forbidden unless checker.is_authorized?
 
-        updater = ForestLiana::ResourceUpdater.new(@resource, params)
+        updater = ForestLiana::ResourceUpdater.new(@resource, params, forest_user)
         updater.perform
 
         if updater.errors
@@ -149,7 +151,14 @@ module ForestLiana
       checker = ForestLiana::PermissionsChecker.new(@resource, 'deleteEnabled', @rendering_id, user_id: forest_user['id'])
       return head :forbidden unless checker.is_authorized?
 
-      @resource.destroy(params[:id]) if @resource.exists?(params[:id])
+      collection_name = ForestLiana.name_for(@resource)
+      scoped_records = ForestLiana::ScopeManager.apply_scopes_on_records(@resource, forest_user, collection_name, params[:timezone])
+
+      unless scoped_records.exists?(params[:id])
+        return render serializer: nil, json: { status: 404 }, status: :not_found
+      end
+
+      scoped_records.destroy(params[:id])
 
       head :no_content
     rescue => error
@@ -161,7 +170,7 @@ module ForestLiana
       checker = ForestLiana::PermissionsChecker.new(@resource, 'deleteEnabled', @rendering_id, user_id: forest_user['id'])
       return head :forbidden unless checker.is_authorized?
 
-      ids = ForestLiana::ResourcesGetter.get_ids_from_request(params)
+      ids = ForestLiana::ResourcesGetter.get_ids_from_request(params, forest_user)
       @resource.destroy(ids) if ids&.any?
 
       head :no_content

data/app/controllers/forest_liana/scopes_controller.rb

@@ -0,0 +1,20 @@
+module ForestLiana
+  class ScopesController < ForestLiana::ApplicationController
+    def invalidate_scope_cache
+      begin
+        rendering_id = params[:renderingId]
+
+        unless rendering_id
+          FOREST_LOGGER.error 'Missing renderingId'
+          return render serializer: nil, json: { status: 400 }, status: :bad_request
+        end
+
+        ForestLiana::ScopeManager.invalidate_scope_cache(rendering_id)
+        return render serializer: nil, json: { status: 200 }, status: :ok
+      rescue => error
+        FOREST_LOGGER.error "Error during scope cache invalidation: #{error.message}"
+        render serializer: nil, json: {status: 500 }, status: :internal_server_error
+      end
+    end
+  end
+end

data/app/controllers/forest_liana/smart_actions_controller.rb

@@ -1,9 +1,9 @@
 module ForestLiana
   class SmartActionsController < ForestLiana::ApplicationController
     if Rails::VERSION::MAJOR < 4
-      before_filter :check_permission_for_smart_route
+      before_filter :smart_action_pre_perform_checks
     else
-      before_action :check_permission_for_smart_route
+      before_action :smart_action_pre_perform_checks
     end
 
     private
@@ -17,6 +17,41 @@ module ForestLiana
       end
     end
 
+    def smart_action_pre_perform_checks
+      check_permission_for_smart_route
+      ensure_record_ids_in_scope
+    end
+
+    def ensure_record_ids_in_scope
+      begin
+        attributes = get_smart_action_request
+
+        # if performing a `selectAll` let the `get_ids_from_request` handle the scopes
+        return if attributes[:all_records]
+
+        resource = find_resource(attributes[:collection_name])
+
+        # user is using the composite_primary_keys gem
+        if resource.primary_key.kind_of?(Array)
+          # TODO: handle primary keys
+          return
+        end
+
+        filter = JSON.generate({ 'field' => resource.primary_key, 'operator' => 'in', 'value' => attributes[:ids] })
+
+        resources_getter = ForestLiana::ResourcesGetter.new(resource, { :filters => filter, :timezone => attributes[:timezone] }, forest_user)
+
+        # resources getter will return records inside the scope. if the length differs then ids are out of scope
+        return if resources_getter.count == attributes[:ids].length
+
+        # target records are out of scope
+        render serializer: nil, json: { error: 'Smart Action: target record not found' }, status: :bad_request
+      rescue => error
+        FOREST_LOGGER.error "Smart Action: #{error}\n#{format_stacktrace(error)}"
+        render serializer: nil, json: { error: 'Smart Action: failed to evaluate permissions' }, status: :internal_server_error
+      end
+    end
+
     def check_permission_for_smart_route
       begin
 
@@ -58,7 +93,8 @@ module ForestLiana
     # smart action permissions are retrieved from the action's endpoint and http_method
     def get_smart_action_request_info
       {
-        endpoint: request.fullpath,
+        # trim query params to get the endpoint
+        endpoint: request.fullpath.split('?').first,
         http_method: request.request_method
       }
     end

data/app/controllers/forest_liana/stats_controller.rb

@@ -27,15 +27,15 @@ module ForestLiana
     def get
       case params[:type]
       when CHART_TYPE_VALUE
-        stat = ValueStatGetter.new(@resource, params)
+        stat = ValueStatGetter.new(@resource, params, forest_user)
       when CHART_TYPE_PIE
-        stat = PieStatGetter.new(@resource, params)
+        stat = PieStatGetter.new(@resource, params, forest_user)
       when CHART_TYPE_LINE
-        stat = LineStatGetter.new(@resource, params)
+        stat = LineStatGetter.new(@resource, params, forest_user)
       when CHART_TYPE_OBJECTIVE
-        stat = ObjectiveStatGetter.new(@resource, params)
+        stat = ObjectiveStatGetter.new(@resource, params, forest_user)
       when CHART_TYPE_LEADERBOARD
-        stat = LeaderboardStatGetter.new(@resource, params)
+        stat = LeaderboardStatGetter.new(@resource, params, forest_user)
       end
 
       stat.perform

data/app/services/forest_liana/filters_parser.rb

@@ -109,14 +109,7 @@ module ForestLiana
       parsed_value = parse_value(operator, value)
       field_and_operator = "#{parsed_field} #{parsed_operator}"
 
-      if Rails::VERSION::MAJOR < 5
-        "#{field_and_operator} #{ActiveRecord::Base.sanitize(parsed_value)}"
-      # NOTICE: sanitize method as been removed in Rails 5.1 and sanitize_sql introduced in Rails 5.2.
-      elsif Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR == 1
-        "#{field_and_operator} #{ActiveRecord::Base.connection.quote(parsed_value)}"
-      else
-        ActiveRecord::Base.sanitize_sql(["#{field_and_operator} ?", parsed_value])
-      end
+      sanitize_condition(field_and_operator, operator, parsed_value)
     end
 
     def parse_aggregation_operator(aggregator_operator)
@@ -147,6 +140,8 @@ module ForestLiana
         'IS'
       when 'present'
         'IS NOT'
+      when 'in'
+        'IN'
       else
         raise_unknown_operator_error(operator)
       end
@@ -154,7 +149,7 @@ module ForestLiana
 
     def parse_value(operator, value)
       case operator
-      when 'not', 'greater_than', 'less_than', 'not_equal', 'equal', 'before', 'after'
+      when 'not', 'greater_than', 'less_than', 'not_equal', 'equal', 'before', 'after', 'in'
         value
       when 'contains', 'not_contains'
         "%#{value}%"
@@ -292,5 +287,26 @@ module ForestLiana
         raise ForestLiana::Errors::HTTP422Error.new('Invalid condition format')
       end
     end
+
+    private
+
+    def prepare_value_for_operator(operator, value)
+      # parenthesis around the parsed_value are required to make the `IN` operator work
+      operator == 'in' ? "(#{value})" : value
+    end
+
+    def sanitize_condition(field_and_operator, operator, parsed_value)
+      if Rails::VERSION::MAJOR < 5
+        condition_value = prepare_value_for_operator(operator, ActiveRecord::Base.sanitize(parsed_value))
+        "#{field_and_operator} #{condition_value}"
+        # NOTICE: sanitize method as been removed in Rails 5.1 and sanitize_sql introduced in Rails 5.2.
+      elsif Rails::VERSION::MAJOR == 5 && Rails::VERSION::MINOR == 1
+        condition_value = prepare_value_for_operator(operator, ActiveRecord::Base.connection.quote(parsed_value))
+        "#{field_and_operator} #{condition_value}"
+      else
+        condition_value = prepare_value_for_operator(operator, '?')
+        ActiveRecord::Base.sanitize_sql(["#{field_and_operator} #{condition_value}", parsed_value])
+      end
+    end
   end
 end

data/app/services/forest_liana/has_many_dissociator.rb

@@ -1,5 +1,5 @@
 module ForestLiana
-  class HasManyDissociator
+  class HasManyDissociator < ForestLiana::ApplicationController
     def initialize(resource, association, params)
       @resource = resource
       @association = association
@@ -17,7 +17,7 @@ module ForestLiana
       if @data.is_a?(Array)
         record_ids = @data.map { |record| record[:id] }
       elsif @data.dig('attributes').present?
-        record_ids = ForestLiana::ResourcesGetter.get_ids_from_request(@params)
+        record_ids = ForestLiana::ResourcesGetter.get_ids_from_request(@params, forest_user)
       else
         record_ids = Array.new
       end

data/app/services/forest_liana/has_many_getter.rb

@@ -4,7 +4,7 @@ module ForestLiana
     attr_reader :includes
     attr_reader :records_count
 
-    def initialize(resource, association, params)
+    def initialize(resource, association, params, forest_user)
       @resource = resource
       @association = association
       @params = params
@@ -13,7 +13,7 @@ module ForestLiana
       @collection = get_collection(@collection_name)
       compute_includes()
       includes_symbols = @includes.map { |include| include.to_sym }
-      @search_query_builder = SearchQueryBuilder.new(@params, includes_symbols, @collection)
+      @search_query_builder = SearchQueryBuilder.new(@params, includes_symbols, @collection, forest_user)
 
       prepare_query()
     end

data/app/services/forest_liana/leaderboard_stat_getter.rb

@@ -1,20 +1,22 @@
 module ForestLiana
   class LeaderboardStatGetter < StatGetter
-    def initialize(resource, params)
-      @resource = resource
-      @params = params
-      @model_relationship =  @resource.reflect_on_association(@params[:relationship_field]).klass
-      compute_includes()
-      @label_field = @params[:label_field]
-      @aggregate = @params[:aggregate].downcase
-      @aggregate_field = @params[:aggregate_field]
-      @limit = @params[:limit]
-      @groub_by = "#{@resource.table_name}.#{@label_field}"
+    def initialize(parent_model, params, forest_user)
+      @scoped_parent_model = get_scoped_model(parent_model, forest_user, params[:timezone])
+      child_model = @scoped_parent_model.reflect_on_association(params[:relationship_field]).klass
+      @scoped_child_model = get_scoped_model(child_model, forest_user, params[:timezone])
+      @label_field = params[:label_field]
+      @aggregate = params[:aggregate].downcase
+      @aggregate_field = params[:aggregate_field]
+      @limit = params[:limit]
+      @groub_by = "#{@scoped_parent_model.table_name}.#{@label_field}"
     end
 
     def perform
-      result = @model_relationship
-        .joins(@includes)
+      includes = ForestLiana::QueryHelper.get_one_association_names_symbol(@scoped_child_model)
+
+      result = @scoped_child_model
+        .joins(includes)
+        .where({ @scoped_parent_model.name.downcase.to_sym => @scoped_parent_model })
         .group(@groub_by)
         .order(order)
         .limit(@limit)
@@ -24,8 +26,12 @@ module ForestLiana
       @record = Model::Stat.new(value: result)
     end
 
-    def compute_includes
-      @includes = ForestLiana::QueryHelper.get_one_association_names_symbol(@model_relationship)
+    def get_scoped_model(model, forest_user, timezone)
+      scope_filters = ForestLiana::ScopeManager.get_scope_for_user(forest_user, model.name, as_string: true)
+
+      return model.unscoped if scope_filters.blank?
+
+      FiltersParser.new(scope_filters, model, timezone).apply_filters
     end
 
     def order

data/app/services/forest_liana/line_stat_getter.rb

@@ -25,8 +25,10 @@ module ForestLiana
     def perform
       value = get_resource().joins(@includes)
 
-      unless @params[:filters].blank?
-        value = FiltersParser.new(@params[:filters], value, @params[:timezone]).apply_filters
+      filters = ForestLiana::ScopeManager.append_scope_for_user(@params[:filters], @user, @resource.name)
+
+      unless filters.blank?
+        value = FiltersParser.new(filters, @resource, @params[:timezone]).apply_filters
       end
 
       Groupdate.week_start = :monday

data/app/services/forest_liana/permissions_checker.rb

@@ -7,7 +7,6 @@ module ForestLiana
     @@expiration_in_seconds = (ENV['FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS'] || 3600).to_i
 
     def initialize(resource, permission_name, rendering_id, user_id: nil, smart_action_request_info: nil, collection_list_parameters: Hash.new, query_request_info: nil)
-      
       @collection_name = resource.present? ? ForestLiana.name_for(resource) : nil
       @permission_name = permission_name
       @rendering_id = rendering_id
@@ -119,7 +118,7 @@ module ForestLiana
       permissions = @@renderings_cached[@rendering_id]
       permissions && permissions['stats'] && permissions['stats']['queries']
     end
-    
+
     def get_stat_with_parameters_content(statPermissionType)
       permissions = @@renderings_cached[@rendering_id]
       permissions && permissions['stats'] && permissions['stats'][statPermissionType]
@@ -163,7 +162,7 @@ module ForestLiana
 
       return false unless segments_queries_permissions
 
-      # NOTICE: @query_request_info matching an existing segment query 
+      # NOTICE: @query_request_info matching an existing segment query
       return segments_queries_permissions.include? @collection_list_parameters[:segmentQuery]
     end
 
@@ -172,7 +171,7 @@ module ForestLiana
 
       return false unless live_queries_permissions
 
-      # NOTICE: @query_request_info matching an existing live query 
+      # NOTICE: @query_request_info matching an existing live query
       return live_queries_permissions.include? @query_request_info
     end
 

data/app/services/forest_liana/permissions_getter.rb

@@ -23,7 +23,7 @@ module ForestLiana
       #     },
       #   },
       # },
-      # rederings => {
+      # renderings => {
       #   {rendering_id} => {
       #       {collection_id} => {
       #         segments => ['query1', 'query2']
@@ -32,7 +32,7 @@ module ForestLiana
       #   }
       # }
       # With `rendering_specific_only` this returns only the permissions related data specific to the provided rendering
-      # For now this only includes scopes
+      # For now this only includes scopes (but scopes are not used anymore in permissions)
       def get_permissions_for_rendering(rendering_id, rendering_specific_only: false)
         begin
           query_parameters = { 'renderingId' => rendering_id }

data/app/services/forest_liana/pie_stat_getter.rb

@@ -7,8 +7,10 @@ module ForestLiana
         timezone_offset = @params[:timezone].to_i
         resource = get_resource().eager_load(@includes)
 
-        unless @params[:filters].blank?
-          resource = FiltersParser.new(@params[:filters], resource, @params[:timezone]).apply_filters
+        filters = ForestLiana::ScopeManager.append_scope_for_user(@params[:filters], @user, @resource.name)
+
+        unless filters.blank?
+          resource = FiltersParser.new(filters, resource, @params[:timezone]).apply_filters
         end
 
         result = resource
@@ -53,7 +55,8 @@ module ForestLiana
       if @params[:aggregate].downcase == 'sum'
         field = @params[:aggregate_field].downcase
       else
-        field = Rails::VERSION::MAJOR >= 5 || @includes.size > 0 ? 'id' : 'all'
+        # `count_id` is required only for rails v5
+        field = Rails::VERSION::MAJOR == 5 || @includes.size > 0 ? 'id' : 'all'
       end
       "#{@params[:aggregate].downcase}_#{field} #{order}"
     end