RubyGems - forest_liana - Versions diffs - 7.8.0 → 8.0.0.beta.2 - Mend

forest_liana 7.8.0 → 8.0.0.beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 82f94463ae1662d3d4eeac62d1b68b5c3a6895adfce97c87e99eb7312d8b0966
-  data.tar.gz: fa9f1794cde3218d3c7aa27231549493203a49876957c170fb26ee7c1b4baf73
+  metadata.gz: 8c3bc9feb8975c2d4bb725c5badda68b4d880fcc3a2553cc2d1d6164f5e56366
+  data.tar.gz: b1f6e70a0723450674b53944f933036fea21b4a9b6cceab806cf32cd7654896a
 SHA512:
-  metadata.gz: 9f30218cb8f5df0e921c754fa1d0b08f79194da46ebe7dac74bffb5343fdf8dd0797ef2542bd41d4bd240aff04821ac0bdd6bdf307375ef3c9a8d978ef07d6f9
-  data.tar.gz: 7192187737dfb2a67f724bb5c444072f707b3ed02f8c69dc216f4504e2e249ffebe683dff9719f405dca9960f4a44b196e1bb1ccbe021cd62bec4cc36b687621
+  metadata.gz: 42a2ae2c6800ea8cf501ee3896554852cd677003d2aea5353fbc2d74d5dee34ee55d02079f8a9a31949af19d7a6ecc8c97e8be3a15a9844aa2ae11ff2fb75e73
+  data.tar.gz: 2a97e185ccde89910027740ea833a8e3373f4cb2466a16c2023554534be4ddc3c2419d40015be0edbecb6283a304d4ef4b80472fcea98b99649a122b28fb9c2e

data/app/controllers/forest_liana/actions_controller.rb CHANGED Viewed

@@ -2,12 +2,14 @@ module ForestLiana
   class ActionsController < ApplicationController
     def get_smart_action_hook_request
-      begin
+      if params[:data] && params[:data][:attributes] && params[:data][:attributes][:collection_name]
         params[:data][:attributes]
-      rescue => error
+      else
+        error = 'parameters data attributes missing'
         FOREST_REPORTER.report error
         FOREST_LOGGER.error "Smart Action hook request error: #{error}"
-        {}
+        raise ForestLiana::Errors::HTTP422Error.new("Error in smart action load hook: cannot retrieve action from collection")
       end
     end

data/app/controllers/forest_liana/application_controller.rb CHANGED Viewed

@@ -3,6 +3,9 @@ require 'csv'
 module ForestLiana
   class ApplicationController < ForestLiana::BaseController
+    rescue_from ForestLiana::Ability::Exceptions::AccessDenied, with: :render_error
+    rescue_from ForestLiana::Errors::HTTP422Error, with: :render_error
     def self.papertrail?
       Object.const_get('PaperTrail::Version').is_a?(Class) rescue false
     end
@@ -96,6 +99,18 @@ module ForestLiana
     private
+    def render_error(exception)
+      errors = {
+        status: exception.error_code,
+        detail: exception.message,
+      }
+      errors['name'] = exception.name if exception.try(:name)
+      errors['data'] = exception.data if exception.try(:data)
+      render json: { errors: [errors] }, status: exception.status
+    end
     def force_utf8_encoding(json)
       if json['data'].class == Array
         # NOTICE: Collection of records case

data/app/controllers/forest_liana/resources_controller.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 module ForestLiana
   class ResourcesController < ForestLiana::ApplicationController
+    include ForestLiana::Ability
     begin
       prepend ResourcesExtensions
     rescue NameError
@@ -14,24 +15,11 @@ module ForestLiana
     end
     def index
+      action = request.format == 'csv' ? 'export' : 'browse'
+      forest_authorize!(action, forest_user, @resource)
       begin
-        if request.format == 'csv'
-          checker = ForestLiana::PermissionsChecker.new(@resource, 'exportEnabled', @rendering_id, user: forest_user)
-          return head :forbidden unless checker.is_authorized?
-        else
-          checker = ForestLiana::PermissionsChecker.new(
-            @resource,
-            'browseEnabled',
-            @rendering_id,
-            user: forest_user,
-            collection_list_parameters: get_collection_list_permission_info(forest_user, request)
-          )
-          return head :forbidden unless checker.is_authorized?
-        end
         getter = ForestLiana::ResourcesGetter.new(@resource, params, forest_user)
         getter.perform
         respond_to do |format|
           format.json { render_jsonapi(getter) }
           format.csv { render_csv(getter, @resource) }
@@ -55,16 +43,8 @@ module ForestLiana
     def count
       find_resource
+      forest_authorize!('browse', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(
-          @resource,
-          'browseEnabled',
-          @rendering_id,
-          user: forest_user,
-          collection_list_parameters: get_collection_list_permission_info(forest_user, request)
-        )
-        return head :forbidden unless checker.is_authorized?
         getter = ForestLiana::ResourcesGetter.new(@resource, params, forest_user)
         getter.count
@@ -88,10 +68,8 @@ module ForestLiana
     end
     def show
+      forest_authorize!('read', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'readEnabled', @rendering_id, user: forest_user)
-        return head :forbidden unless checker.is_authorized?
         getter = ForestLiana::ResourceGetter.new(@resource, params, forest_user)
         getter.perform
@@ -106,10 +84,8 @@ module ForestLiana
     end
     def create
+      forest_authorize!('add', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'addEnabled', @rendering_id, user: forest_user)
-        return head :forbidden unless checker.is_authorized?
         creator = ForestLiana::ResourceCreator.new(@resource, params)
         creator.perform
@@ -130,10 +106,8 @@ module ForestLiana
     end
     def update
+      forest_authorize!('edit', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'editEnabled', @rendering_id, user: forest_user)
-        return head :forbidden unless checker.is_authorized?
         updater = ForestLiana::ResourceUpdater.new(@resource, params, forest_user)
         updater.perform
@@ -154,37 +128,37 @@ module ForestLiana
     end
     def destroy
-      checker = ForestLiana::PermissionsChecker.new(@resource, 'deleteEnabled', @rendering_id, user: forest_user)
-      return head :forbidden unless checker.is_authorized?
+      forest_authorize!('delete', forest_user, @resource)
+        begin
+        collection_name = ForestLiana.name_for(@resource)
+        scoped_records = ForestLiana::ScopeManager.apply_scopes_on_records(@resource, forest_user, collection_name, params[:timezone])
-      collection_name = ForestLiana.name_for(@resource)
-      scoped_records = ForestLiana::ScopeManager.apply_scopes_on_records(@resource, forest_user, collection_name, params[:timezone])
-      unless scoped_records.exists?(params[:id])
-        return render serializer: nil, json: { status: 404 }, status: :not_found
-      end
+        unless scoped_records.exists?(params[:id])
+          return render serializer: nil, json: { status: 404 }, status: :not_found
+        end
-      scoped_records.destroy(params[:id])
+        scoped_records.destroy(params[:id])
-      head :no_content
-    rescue => error
-      FOREST_REPORTER.report error
-      FOREST_LOGGER.error "Record Destroy error: #{error}\n#{format_stacktrace(error)}"
-      internal_server_error
+        head :no_content
+      rescue => error
+        FOREST_REPORTER.report error
+        FOREST_LOGGER.error "Record Destroy error: #{error}\n#{format_stacktrace(error)}"
+        internal_server_error
+      end
     end
     def destroy_bulk
-      checker = ForestLiana::PermissionsChecker.new(@resource, 'deleteEnabled', @rendering_id, user: forest_user)
-      return head :forbidden unless checker.is_authorized?
-      ids = ForestLiana::ResourcesGetter.get_ids_from_request(params, forest_user)
-      @resource.destroy(ids) if ids&.any?
+      forest_authorize!('delete', forest_user, @resource)
+      begin
+        ids = ForestLiana::ResourcesGetter.get_ids_from_request(params, forest_user)
+        @resource.destroy(ids) if ids&.any?
-      head :no_content
-    rescue => error
-      FOREST_REPORTER.report error
-      FOREST_LOGGER.error "Records Destroy error: #{error}\n#{format_stacktrace(error)}"
-      internal_server_error
+        head :no_content
+      rescue => error
+        FOREST_REPORTER.report error
+        FOREST_LOGGER.error "Records Destroy error: #{error}\n#{format_stacktrace(error)}"
+        internal_server_error
+      end
     end
     private

data/app/controllers/forest_liana/smart_actions_controller.rb CHANGED Viewed

@@ -1,5 +1,9 @@
 module ForestLiana
   class SmartActionsController < ForestLiana::ApplicationController
+    rescue_from ForestLiana::Ability::Exceptions::TriggerForbidden, with: :render_error
+    rescue_from ForestLiana::Ability::Exceptions::RequireApproval, with: :render_error
+    rescue_from ForestLiana::Ability::Exceptions::ActionConditionError, with: :render_error
+    include ForestLiana::Ability
     if Rails::VERSION::MAJOR < 4
       before_filter :smart_action_pre_perform_checks
     else
@@ -8,9 +12,17 @@ module ForestLiana
     private
+    def smart_action_pre_perform_checks
+      get_smart_action_request
+      find_resource
+      check_permission_for_smart_route
+      ensure_record_ids_in_scope
+    end
     def get_smart_action_request
       begin
         params[:data][:attributes]
+        @parameters = ForestLiana::Ability::Permission::RequestPermission::decodeSignedApprovalRequest(params.permit!)
       rescue => error
         FOREST_REPORTER.report error
         FOREST_LOGGER.error "Smart Action execution error: #{error}"
@@ -18,29 +30,52 @@ module ForestLiana
       end
     end
-    def smart_action_pre_perform_checks
-      check_permission_for_smart_route
-      ensure_record_ids_in_scope
+    def find_resource
+      begin
+        @resource = SchemaUtils.find_model_from_collection_name(@parameters[:data][:attributes][:collection_name])
+        if @resource.nil? || !SchemaUtils.model_included?(@resource) ||
+          !@resource.ancestors.include?(ActiveRecord::Base)
+          render serializer: nil, json: { status: 404 }, status: :not_found
+        end
+        @resource
+      rescue => error
+        FOREST_REPORTER.report error
+        FOREST_LOGGER.error "Find Collection error: #{error}\n#{format_stacktrace(error)}"
+        render serializer: nil, json: { status: 404 }, status: :not_found
+      end
+    end
+    def check_permission_for_smart_route
+      smart_action_request = @parameters[:data][:attributes]
+      if !smart_action_request.nil? && smart_action_request.has_key?(:smart_action_id)
+        forest_authorize!(
+          'action',
+          forest_user,
+          @resource,
+          {parameters: params, endpoint: request.fullpath.split('?').first, http_method: request.request_method}
+        )
+      else
+        FOREST_LOGGER.error 'Smart action execution error: Unable to retrieve the smart action id.'
+        render serializer: nil, json: { status: 400 }, status: :bad_request
+      end
     end
     def ensure_record_ids_in_scope
       begin
-        attributes = get_smart_action_request
+        attributes = @parameters[:data][:attributes]
         # if performing a `selectAll` let the `get_ids_from_request` handle the scopes
         return if attributes[:all_records]
-        resource = find_resource(attributes[:collection_name])
         # user is using the composite_primary_keys gem
-        if resource.primary_key.kind_of?(Array)
+        if @resource.primary_key.kind_of?(Array)
           # TODO: handle primary keys
           return
         end
-        filter = JSON.generate({ 'field' => resource.primary_key, 'operator' => 'in', 'value' => attributes[:ids] })
+        filter = JSON.generate({ 'field' => @resource.primary_key, 'operator' => 'in', 'value' => attributes[:ids] })
-        resources_getter = ForestLiana::ResourcesGetter.new(resource, { :filters => filter, :timezone => attributes[:timezone] }, forest_user)
+        resources_getter = ForestLiana::ResourcesGetter.new(@resource, { :filters => filter, :timezone => attributes[:timezone] }, forest_user)
         # resources getter will return records inside the scope. if the length differs then ids are out of scope
         return if resources_getter.count == attributes[:ids].length
@@ -53,54 +88,5 @@ module ForestLiana
         render serializer: nil, json: { error: 'Smart Action: failed to evaluate permissions' }, status: :internal_server_error
       end
     end
-    def check_permission_for_smart_route
-      begin
-        smart_action_request = get_smart_action_request
-        if !smart_action_request.nil? && smart_action_request.has_key?(:smart_action_id)
-          checker = ForestLiana::PermissionsChecker.new(
-            find_resource(smart_action_request[:collection_name]),
-            'actions',
-            @rendering_id,
-            user: forest_user,
-            smart_action_request_info: get_smart_action_request_info
-          )
-          return head :forbidden unless checker.is_authorized?
-        else
-          FOREST_LOGGER.error 'Smart action execution error: Unable to retrieve the smart action id.'
-          render serializer: nil, json: { status: 400 }, status: :bad_request
-        end
-      rescue => error
-        FOREST_REPORTER.report error
-        FOREST_LOGGER.error "Smart Action execution error: #{error}"
-        render serializer: nil, json: { status: 400 }, status: :bad_request
-      end
-    end
-    def find_resource(collection_name)
-      begin
-          resource = SchemaUtils.find_model_from_collection_name(collection_name)
-          if resource.nil? || !SchemaUtils.model_included?(resource) ||
-            !resource.ancestors.include?(ActiveRecord::Base)
-            render serializer: nil, json: { status: 404 }, status: :not_found
-          end
-          resource
-      rescue => error
-        FOREST_REPORTER.report error
-        FOREST_LOGGER.error "Find Collection error: #{error}\n#{format_stacktrace(error)}"
-        render serializer: nil, json: { status: 404 }, status: :not_found
-      end
-    end
-    # smart action permissions are retrieved from the action's endpoint and http_method
-    def get_smart_action_request_info
-      {
-        # trim query params to get the endpoint
-        endpoint: request.fullpath.split('?').first,
-        http_method: request.request_method
-      }
-    end
   end
 end

data/app/controllers/forest_liana/stats_controller.rb CHANGED Viewed

@@ -1,22 +1,6 @@
 module ForestLiana
   class StatsController < ForestLiana::ApplicationController
-    if Rails::VERSION::MAJOR < 4
-      before_filter only: [:get] do
-        find_resource()
-        check_permission('statWithParameters')
-      end
-      before_filter only: [:get_with_live_query] do
-        check_permission('liveQueries')
-      end
-    else
-      before_action only: [:get] do
-        find_resource()
-        check_permission('statWithParameters')
-      end
-      before_action only: [:get_with_live_query] do
-        check_permission('liveQueries')
-      end
-    end
+    include ForestLiana::Ability
     CHART_TYPE_VALUE = 'Value'
     CHART_TYPE_PIE = 'Pie'
@@ -24,7 +8,14 @@ module ForestLiana
     CHART_TYPE_LEADERBOARD = 'Leaderboard'
     CHART_TYPE_OBJECTIVE = 'Objective'
+    if Rails::VERSION::MAJOR < 4
+      before_filter :find_resource, only: :get
+    else
+      before_action :find_resource, only: :get
+    end
     def get
+      forest_authorize!('chart', forest_user, nil, {parameters: params})
       case params[:type]
       when CHART_TYPE_VALUE
         stat = ValueStatGetter.new(@resource, params, forest_user)
@@ -47,6 +38,7 @@ module ForestLiana
     end
     def get_with_live_query
+      forest_authorize!('chart', forest_user, nil, {parameters: params})
       begin
         stat = QueryStatGetter.new(params)
         stat.perform
@@ -67,54 +59,18 @@ module ForestLiana
       end
     end
+    def params
+      super.permit!
+    end
     private
     def find_resource
-      @resource = SchemaUtils.find_model_from_collection_name(
-        params[:collection])
+      @resource = SchemaUtils.find_model_from_collection_name(params[:collection])
       if @resource.nil? || !@resource.ancestors.include?(ActiveRecord::Base)
         render json: {status: 404}, status: :not_found, serializer: nil
       end
     end
-    def get_live_query_request_info
-      params['query']
-    end
-    def get_stat_parameter_request_info
-      parameters = Rails::VERSION::MAJOR < 5 ? params.dup : params.permit(params.keys).to_h;
-      # Notice: Removes useless properties
-      parameters.delete('timezone');
-      parameters.delete('controller');
-      parameters.delete('action');
-      # NOTICE: Remove the field information from group_by_field => collection:id
-      if parameters['group_by_field']
-        parameters['group_by_field'] = parameters['group_by_field'].split(':').first
-      end
-      return parameters;
-    end
-    def check_permission(permission_name)
-      begin
-        query_request = permission_name == 'liveQueries' ? get_live_query_request_info : get_stat_parameter_request_info;
-        checker = ForestLiana::PermissionsChecker.new(
-          nil,
-          permission_name,
-          @rendering_id,
-          user: forest_user,
-          query_request_info: query_request
-        )
-        return head :forbidden unless checker.is_authorized?
-      rescue => error
-        FOREST_REPORTER.report error
-        FOREST_LOGGER.error "Stats execution error: #{error}"
-        render serializer: nil, json: { status: 400 }, status: :bad_request
-      end
-    end
   end
 end

data/app/services/forest_liana/ability/exceptions/access_denied.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module ForestLiana
+  module Ability
+    module Exceptions
+      class AccessDenied < ForestLiana::Errors::ExpectedError
+        def initialize
+          super(
+            403,
+            :forbidden,
+            'You don\'t have permission to access this resource',
+            'AccessDenied'
+          )
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/exceptions/action_condition_error.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module ForestLiana
+  module Ability
+    module Exceptions
+      class ActionConditionError < ForestLiana::Errors::ExpectedError
+        def initialize
+          super(
+            409,
+                :conflict,
+                'The conditions to trigger this action cannot be verified. Please contact an administrator.',
+                'InvalidActionConditionError'
+          )
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/exceptions/require_approval.rb ADDED Viewed

@@ -0,0 +1,18 @@
+module ForestLiana
+  module Ability
+    module Exceptions
+      class RequireApproval < ForestLiana::Errors::ExpectedError
+        attr_reader :data
+        def initialize(data)
+          @data = data
+          super(
+            403,
+                :forbidden,
+                'This action requires to be approved.',
+                'CustomActionRequiresApprovalError',
+          )
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/exceptions/trigger_forbidden.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module ForestLiana
+  module Ability
+    module Exceptions
+      class TriggerForbidden < ForestLiana::Errors::ExpectedError
+        def initialize
+          super(
+            403,
+                :forbidden,
+                'You don\'t have the permission to trigger this action',
+                'CustomActionTriggerForbiddenError'
+          )
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/fetch.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module ForestLiana
+  module Ability
+    module Fetch
+      def get_permissions(route)
+        begin
+          response = ForestLiana::ForestApiRequester.get(route)
+          if response.is_a?(Net::HTTPOK)
+            JSON.parse(response.body)
+          else
+            raise "Forest API returned an #{ForestLiana::Errors::HTTPErrorHelper.format(response)}"
+          end
+        rescue => exception
+          FOREST_REPORTER.report exception
+          FOREST_LOGGER.error 'Cannot retrieve the permissions from the Forest server.'
+          FOREST_LOGGER.error 'Which was caused by:'
+          ForestLiana::Errors::ExceptionHelper.recursively_print(exception, margin: ' ', is_error: true)
+          nil
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/permission/request_permission.rb ADDED Viewed

@@ -0,0 +1,19 @@
+require 'jwt'
+module ForestLiana
+  module Ability
+    module Permission
+      class RequestPermission
+        def self.decodeSignedApprovalRequest(params)
+          if (params[:data][:attributes][:signed_approval_request])
+            decode_parameters = JWT.decode(params[:data][:attributes][:signed_approval_request], ForestLiana.env_secret, true, { algorithm: 'HS256' }).try(:first)
+            ActionController::Parameters.new(decode_parameters)
+          else
+            params
+          end
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/permission/smart_action_checker.rb ADDED Viewed

@@ -0,0 +1,71 @@
+module ForestLiana
+  module Ability
+    module Permission
+      class SmartActionChecker
+        def initialize(parameters, collection, smart_action, user)
+          @parameters = parameters
+          @collection = collection
+          @smart_action = smart_action
+          @user = user
+        end
+        def can_execute?
+          if @parameters[:data][:attributes][:signed_approval_request].present? && @smart_action['userApprovalEnabled'].include?(@user['roleId'])
+            can_approve?
+          else
+            can_trigger?
+          end
+        end
+        private
+        def can_approve?
+          @parameters = RequestPermission.decodeSignedApprovalRequest(@parameters)
+          if ((@smart_action['userApprovalConditions'].empty? || match_conditions('userApprovalConditions')) &&
+            (@parameters[:data][:attributes][:requester_id] != @user['id'] || @smart_action['selfApprovalEnabled'].include?(@user['roleId']))
+          )
+            return true
+          end
+          raise ForestLiana::Ability::Exceptions::TriggerForbidden.new
+        end
+        def can_trigger?
+          if @smart_action['triggerEnabled'].include?(@user['roleId']) && @smart_action['approvalRequired'].exclude?(@user['roleId'])
+            return true if @smart_action['triggerConditions'].empty? || match_conditions('triggerConditions')
+          elsif @smart_action['approvalRequired'].include?(@user['roleId'])
+            if @smart_action['approvalRequiredConditions'].empty? || match_conditions('approvalRequiredConditions')
+              raise ForestLiana::Ability::Exceptions::RequireApproval.new(@smart_action['userApprovalEnabled'])
+            end
+          end
+          raise ForestLiana::Ability::Exceptions::TriggerForbidden.new
+        end
+        def match_conditions(condition_name)
+          begin
+            attributes = @parameters[:data][:attributes]
+            records = FiltersParser.new(
+              @smart_action[condition_name][0]['filter'].to_json,
+              @collection,
+              @parameters[:timezone],
+              @parameters
+            ).apply_filters
+            if attributes[:all_records]
+              records = records.where.not(id: attributes[:all_records_ids_excluded])
+            else
+              # check if the ids are present into the request of activeRecord
+              records = records.where(id: attributes[:ids])
+            end
+            records.select(@collection.table_name + '.id').count == attributes[:ids].count
+          rescue
+            raise ForestLiana::Ability::Exceptions::ActionConditionError.new
+          end
+        end
+      end
+    end
+  end
+end