RubyGems - forest_liana - Versions diffs - 7.8.0 → 8.0.0.beta.2 - Mend

forest_liana 7.8.0 → 8.0.0.beta.2

Files changed (45) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 82f94463ae1662d3d4eeac62d1b68b5c3a6895adfce97c87e99eb7312d8b0966
-  data.tar.gz: fa9f1794cde3218d3c7aa27231549493203a49876957c170fb26ee7c1b4baf73
+  metadata.gz: 8c3bc9feb8975c2d4bb725c5badda68b4d880fcc3a2553cc2d1d6164f5e56366
+  data.tar.gz: b1f6e70a0723450674b53944f933036fea21b4a9b6cceab806cf32cd7654896a
 SHA512:
-  metadata.gz: 9f30218cb8f5df0e921c754fa1d0b08f79194da46ebe7dac74bffb5343fdf8dd0797ef2542bd41d4bd240aff04821ac0bdd6bdf307375ef3c9a8d978ef07d6f9
-  data.tar.gz: 7192187737dfb2a67f724bb5c444072f707b3ed02f8c69dc216f4504e2e249ffebe683dff9719f405dca9960f4a44b196e1bb1ccbe021cd62bec4cc36b687621
+  metadata.gz: 42a2ae2c6800ea8cf501ee3896554852cd677003d2aea5353fbc2d74d5dee34ee55d02079f8a9a31949af19d7a6ecc8c97e8be3a15a9844aa2ae11ff2fb75e73
+  data.tar.gz: 2a97e185ccde89910027740ea833a8e3373f4cb2466a16c2023554534be4ddc3c2419d40015be0edbecb6283a304d4ef4b80472fcea98b99649a122b28fb9c2e

data/app/controllers/forest_liana/actions_controller.rb CHANGED Viewed

@@ -2,12 +2,14 @@ module ForestLiana
   class ActionsController < ApplicationController
     def get_smart_action_hook_request
-      begin
+      if params[:data] && params[:data][:attributes] && params[:data][:attributes][:collection_name]
         params[:data][:attributes]
-      rescue => error
+      else
+        error = 'parameters data attributes missing'
         FOREST_REPORTER.report error
         FOREST_LOGGER.error "Smart Action hook request error: #{error}"
-        {}
+        raise ForestLiana::Errors::HTTP422Error.new("Error in smart action load hook: cannot retrieve action from collection")
       end
     end

data/app/controllers/forest_liana/application_controller.rb CHANGED Viewed

@@ -3,6 +3,9 @@ require 'csv'
 module ForestLiana
   class ApplicationController < ForestLiana::BaseController
+    rescue_from ForestLiana::Ability::Exceptions::AccessDenied, with: :render_error
+    rescue_from ForestLiana::Errors::HTTP422Error, with: :render_error
     def self.papertrail?
       Object.const_get('PaperTrail::Version').is_a?(Class) rescue false
     end
@@ -96,6 +99,18 @@ module ForestLiana
     private
+    def render_error(exception)
+      errors = {
+        status: exception.error_code,
+        detail: exception.message,
+      }
+      errors['name'] = exception.name if exception.try(:name)
+      errors['data'] = exception.data if exception.try(:data)
+      render json: { errors: [errors] }, status: exception.status
+    end
     def force_utf8_encoding(json)
       if json['data'].class == Array
         # NOTICE: Collection of records case

data/app/controllers/forest_liana/resources_controller.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 module ForestLiana
   class ResourcesController < ForestLiana::ApplicationController
+    include ForestLiana::Ability
     begin
       prepend ResourcesExtensions
     rescue NameError
@@ -14,24 +15,11 @@ module ForestLiana
     end
     def index
+      action = request.format == 'csv' ? 'export' : 'browse'
+      forest_authorize!(action, forest_user, @resource)
       begin
-        if request.format == 'csv'
-          checker = ForestLiana::PermissionsChecker.new(@resource, 'exportEnabled', @rendering_id, user: forest_user)
-          return head :forbidden unless checker.is_authorized?
-        else
-          checker = ForestLiana::PermissionsChecker.new(
-            @resource,
-            'browseEnabled',
-            @rendering_id,
-            user: forest_user,
-            collection_list_parameters: get_collection_list_permission_info(forest_user, request)
-          )
-          return head :forbidden unless checker.is_authorized?
-        end
         getter = ForestLiana::ResourcesGetter.new(@resource, params, forest_user)
         getter.perform
         respond_to do |format|
           format.json { render_jsonapi(getter) }
           format.csv { render_csv(getter, @resource) }
@@ -55,16 +43,8 @@ module ForestLiana
     def count
       find_resource
+      forest_authorize!('browse', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(
-          @resource,
-          'browseEnabled',
-          @rendering_id,
-          user: forest_user,
-          collection_list_parameters: get_collection_list_permission_info(forest_user, request)
-        )
-        return head :forbidden unless checker.is_authorized?
         getter = ForestLiana::ResourcesGetter.new(@resource, params, forest_user)
         getter.count
@@ -88,10 +68,8 @@ module ForestLiana
     end
     def show
+      forest_authorize!('read', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'readEnabled', @rendering_id, user: forest_user)
-        return head :forbidden unless checker.is_authorized?
         getter = ForestLiana::ResourceGetter.new(@resource, params, forest_user)
         getter.perform
@@ -106,10 +84,8 @@ module ForestLiana
     end
     def create
+      forest_authorize!('add', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'addEnabled', @rendering_id, user: forest_user)
-        return head :forbidden unless checker.is_authorized?
         creator = ForestLiana::ResourceCreator.new(@resource, params)
         creator.perform
@@ -130,10 +106,8 @@ module ForestLiana
     end
     def update
+      forest_authorize!('edit', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'editEnabled', @rendering_id, user: forest_user)
-        return head :forbidden unless checker.is_authorized?
         updater = ForestLiana::ResourceUpdater.new(@resource, params, forest_user)
         updater.perform
@@ -154,37 +128,37 @@ module ForestLiana
     end
     def destroy
-      checker = ForestLiana::PermissionsChecker.new(@resource, 'deleteEnabled', @rendering_id, user: forest_user)
-      return head :forbidden unless checker.is_authorized?
+      forest_authorize!('delete', forest_user, @resource)
+        begin
+        collection_name = ForestLiana.name_for(@resource)
+        scoped_records = ForestLiana::ScopeManager.apply_scopes_on_records(@resource, forest_user, collection_name, params[:timezone])
-      collection_name = ForestLiana.name_for(@resource)
-      scoped_records = ForestLiana::ScopeManager.apply_scopes_on_records(@resource, forest_user, collection_name, params[:timezone])
-      unless scoped_records.exists?(params[:id])
-        return render serializer: nil, json: { status: 404 }, status: :not_found
-      end
+        unless scoped_records.exists?(params[:id])
+          return render serializer: nil, json: { status: 404 }, status: :not_found
+        end
-      scoped_records.destroy(params[:id])
+        scoped_records.destroy(params[:id])
-      head :no_content
-    rescue => error
-      FOREST_REPORTER.report error
-      FOREST_LOGGER.error "Record Destroy error: #{error}\n#{format_stacktrace(error)}"
-      internal_server_error
+        head :no_content
+      rescue => error
+        FOREST_REPORTER.report error
+        FOREST_LOGGER.error "Record Destroy error: #{error}\n#{format_stacktrace(error)}"
+        internal_server_error
+      end
     end
     def destroy_bulk
-      checker = ForestLiana::PermissionsChecker.new(@resource, 'deleteEnabled', @rendering_id, user: forest_user)
-      return head :forbidden unless checker.is_authorized?
-      ids = ForestLiana::ResourcesGetter.get_ids_from_request(params, forest_user)
-      @resource.destroy(ids) if ids&.any?
+      forest_authorize!('delete', forest_user, @resource)
+      begin
+        ids = ForestLiana::ResourcesGetter.get_ids_from_request(params, forest_user)
+        @resource.destroy(ids) if ids&.any?
-      head :no_content
-    rescue => error
-      FOREST_REPORTER.report error
-      FOREST_LOGGER.error "Records Destroy error: #{error}\n#{format_stacktrace(error)}"
-      internal_server_error
+        head :no_content
+      rescue => error
+        FOREST_REPORTER.report error
+        FOREST_LOGGER.error "Records Destroy error: #{error}\n#{format_stacktrace(error)}"
+        internal_server_error
+      end
     end
     private

data/app/controllers/forest_liana/smart_actions_controller.rb CHANGED Viewed

@@ -1,5 +1,9 @@
 module ForestLiana
   class SmartActionsController < ForestLiana::ApplicationController
+    rescue_from ForestLiana::Ability::Exceptions::TriggerForbidden, with: :render_error
+    rescue_from ForestLiana::Ability::Exceptions::RequireApproval, with: :render_error
+    rescue_from ForestLiana::Ability::Exceptions::ActionConditionError, with: :render_error
+    include ForestLiana::Ability
     if Rails::VERSION::MAJOR < 4
       before_filter :smart_action_pre_perform_checks
     else
@@ -8,9 +12,17 @@ module ForestLiana
     private
+    def smart_action_pre_perform_checks
+      get_smart_action_request
+      find_resource
+      check_permission_for_smart_route
+      ensure_record_ids_in_scope
+    end
     def get_smart_action_request
       begin
         params[:data][:attributes]
+        @parameters = ForestLiana::Ability::Permission::RequestPermission::decodeSignedApprovalRequest(params.permit!)
       rescue => error
         FOREST_REPORTER.report error
         FOREST_LOGGER.error "Smart Action execution error: #{error}"
@@ -18,29 +30,52 @@ module ForestLiana
       end
     end
-    def smart_action_pre_perform_checks
-      check_permission_for_smart_route
-      ensure_record_ids_in_scope
+    def find_resource
+      begin
+        @resource = SchemaUtils.find_model_from_collection_name(@parameters[:data][:attributes][:collection_name])
+        if @resource.nil? || !SchemaUtils.model_included?(@resource) ||
+          !@resource.ancestors.include?(ActiveRecord::Base)
+          render serializer: nil, json: { status: 404 }, status: :not_found
+        end
+        @resource
+      rescue => error
+        FOREST_REPORTER.report error
+        FOREST_LOGGER.error "Find Collection error: #{error}\n#{format_stacktrace(error)}"
+        render serializer: nil, json: { status: 404 }, status: :not_found
+      end
+    end
+    def check_permission_for_smart_route
+      smart_action_request = @parameters[:data][:attributes]
+      if !smart_action_request.nil? && smart_action_request.has_key?(:smart_action_id)
+        forest_authorize!(
+          'action',
+          forest_user,
+          @resource,
+          {parameters: params, endpoint: request.fullpath.split('?').first, http_method: request.request_method}
+        )
+      else
+        FOREST_LOGGER.error 'Smart action execution error: Unable to retrieve the smart action id.'
+        render serializer: nil, json: { status: 400 }, status: :bad_request
+      end
     end
     def ensure_record_ids_in_scope
       begin
-        attributes = get_smart_action_request
+        attributes = @parameters[:data][:attributes]
         # if performing a `selectAll` let the `get_ids_from_request` handle the scopes
         return if attributes[:all_records]
-        resource = find_resource(attributes[:collection_name])
         # user is using the composite_primary_keys gem
-        if resource.primary_key.kind_of?(Array)
+        if @resource.primary_key.kind_of?(Array)
           # TODO: handle primary keys
           return
         end
-        filter = JSON.generate({ 'field' => resource.primary_key, 'operator' => 'in', 'value' => attributes[:ids] })
+        filter = JSON.generate({ 'field' => @resource.primary_key, 'operator' => 'in', 'value' => attributes[:ids] })
-        resources_getter = ForestLiana::ResourcesGetter.new(resource, { :filters => filter, :timezone => attributes[:timezone] }, forest_user)
+        resources_getter = ForestLiana::ResourcesGetter.new(@resource, { :filters => filter, :timezone => attributes[:timezone] }, forest_user)
         # resources getter will return records inside the scope. if the length differs then ids are out of scope
         return if resources_getter.count == attributes[:ids].length
@@ -53,54 +88,5 @@ module ForestLiana
         render serializer: nil, json: { error: 'Smart Action: failed to evaluate permissions' }, status: :internal_server_error
       end
     end
-    def check_permission_for_smart_route
-      begin
-        smart_action_request = get_smart_action_request
-        if !smart_action_request.nil? && smart_action_request.has_key?(:smart_action_id)
-          checker = ForestLiana::PermissionsChecker.new(
-            find_resource(smart_action_request[:collection_name]),
-            'actions',
-            @rendering_id,
-            user: forest_user,
-            smart_action_request_info: get_smart_action_request_info
-          )
-          return head :forbidden unless checker.is_authorized?
-        else
-          FOREST_LOGGER.error 'Smart action execution error: Unable to retrieve the smart action id.'
-          render serializer: nil, json: { status: 400 }, status: :bad_request
-        end
-      rescue => error
-        FOREST_REPORTER.report error
-        FOREST_LOGGER.error "Smart Action execution error: #{error}"
-        render serializer: nil, json: { status: 400 }, status: :bad_request
-      end
-    end
-    def find_resource(collection_name)
-      begin
-          resource = SchemaUtils.find_model_from_collection_name(collection_name)
-          if resource.nil? || !SchemaUtils.model_included?(resource) ||
-            !resource.ancestors.include?(ActiveRecord::Base)
-            render serializer: nil, json: { status: 404 }, status: :not_found
-          end
-          resource
-      rescue => error
-        FOREST_REPORTER.report error
-        FOREST_LOGGER.error "Find Collection error: #{error}\n#{format_stacktrace(error)}"
-        render serializer: nil, json: { status: 404 }, status: :not_found
-      end
-    end
-    # smart action permissions are retrieved from the action's endpoint and http_method
-    def get_smart_action_request_info
-      {
-        # trim query params to get the endpoint
-        endpoint: request.fullpath.split('?').first,
-        http_method: request.request_method
-      }
-    end
   end
 end

data/app/controllers/forest_liana/stats_controller.rb CHANGED Viewed

@@ -1,22 +1,6 @@
 module ForestLiana
   class StatsController < ForestLiana::ApplicationController
-    if Rails::VERSION::MAJOR < 4
-      before_filter only: [:get] do
-        find_resource()
-        check_permission('statWithParameters')
-      end
-      before_filter only: [:get_with_live_query] do
-        check_permission('liveQueries')
-      end
-    else
-      before_action only: [:get] do
-        find_resource()
-        check_permission('statWithParameters')
-      end
-      before_action only: [:get_with_live_query] do
-        check_permission('liveQueries')
-      end
-    end
+    include ForestLiana::Ability
     CHART_TYPE_VALUE = 'Value'
     CHART_TYPE_PIE = 'Pie'
@@ -24,7 +8,14 @@ module ForestLiana
     CHART_TYPE_LEADERBOARD = 'Leaderboard'
     CHART_TYPE_OBJECTIVE = 'Objective'
+    if Rails::VERSION::MAJOR < 4
+      before_filter :find_resource, only: :get
+    else
+      before_action :find_resource, only: :get
+    end
     def get
+      forest_authorize!('chart', forest_user, nil, {parameters: params})
       case params[:type]
       when CHART_TYPE_VALUE
         stat = ValueStatGetter.new(@resource, params, forest_user)
@@ -47,6 +38,7 @@ module ForestLiana
     end
     def get_with_live_query
+      forest_authorize!('chart', forest_user, nil, {parameters: params})
       begin
         stat = QueryStatGetter.new(params)
         stat.perform
@@ -67,54 +59,18 @@ module ForestLiana
       end
     end
+    def params
+      super.permit!
+    end
     private
     def find_resource
-      @resource = SchemaUtils.find_model_from_collection_name(
-        params[:collection])
+      @resource = SchemaUtils.find_model_from_collection_name(params[:collection])
       if @resource.nil? || !@resource.ancestors.include?(ActiveRecord::Base)
         render json: {status: 404}, status: :not_found, serializer: nil
       end
     end
-    def get_live_query_request_info
-      params['query']
-    end
-    def get_stat_parameter_request_info
-      parameters = Rails::VERSION::MAJOR < 5 ? params.dup : params.permit(params.keys).to_h;
-      # Notice: Removes useless properties
-      parameters.delete('timezone');
-      parameters.delete('controller');
-      parameters.delete('action');
-      # NOTICE: Remove the field information from group_by_field => collection:id
-      if parameters['group_by_field']
-        parameters['group_by_field'] = parameters['group_by_field'].split(':').first
-      end
-      return parameters;
-    end
-    def check_permission(permission_name)
-      begin
-        query_request = permission_name == 'liveQueries' ? get_live_query_request_info : get_stat_parameter_request_info;
-        checker = ForestLiana::PermissionsChecker.new(
-          nil,
-          permission_name,
-          @rendering_id,
-          user: forest_user,
-          query_request_info: query_request
-        )
-        return head :forbidden unless checker.is_authorized?
-      rescue => error
-        FOREST_REPORTER.report error
-        FOREST_LOGGER.error "Stats execution error: #{error}"
-        render serializer: nil, json: { status: 400 }, status: :bad_request
-      end
-    end
   end
 end

data/app/services/forest_liana/ability/exceptions/access_denied.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module ForestLiana
+  module Ability
+    module Exceptions
+      class AccessDenied < ForestLiana::Errors::ExpectedError
+        def initialize
+          super(
+            403,
+            :forbidden,
+            'You don\'t have permission to access this resource',
+            'AccessDenied'
+          )
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/exceptions/action_condition_error.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module ForestLiana
+  module Ability
+    module Exceptions
+      class ActionConditionError < ForestLiana::Errors::ExpectedError
+        def initialize
+          super(
+            409,
+                :conflict,
+                'The conditions to trigger this action cannot be verified. Please contact an administrator.',
+                'InvalidActionConditionError'
+          )
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/exceptions/require_approval.rb ADDED Viewed

@@ -0,0 +1,18 @@
+module ForestLiana
+  module Ability
+    module Exceptions
+      class RequireApproval < ForestLiana::Errors::ExpectedError
+        attr_reader :data
+        def initialize(data)
+          @data = data
+          super(
+            403,
+                :forbidden,
+                'This action requires to be approved.',
+                'CustomActionRequiresApprovalError',
+          )
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/exceptions/trigger_forbidden.rb ADDED Viewed

@@ -0,0 +1,16 @@
+module ForestLiana
+  module Ability
+    module Exceptions
+      class TriggerForbidden < ForestLiana::Errors::ExpectedError
+        def initialize
+          super(
+            403,
+                :forbidden,
+                'You don\'t have the permission to trigger this action',
+                'CustomActionTriggerForbiddenError'
+          )
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/fetch.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module ForestLiana
+  module Ability
+    module Fetch
+      def get_permissions(route)
+        begin
+          response = ForestLiana::ForestApiRequester.get(route)
+          if response.is_a?(Net::HTTPOK)
+            JSON.parse(response.body)
+          else
+            raise "Forest API returned an #{ForestLiana::Errors::HTTPErrorHelper.format(response)}"
+          end
+        rescue => exception
+          FOREST_REPORTER.report exception
+          FOREST_LOGGER.error 'Cannot retrieve the permissions from the Forest server.'
+          FOREST_LOGGER.error 'Which was caused by:'
+          ForestLiana::Errors::ExceptionHelper.recursively_print(exception, margin: ' ', is_error: true)
+          nil
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/permission/request_permission.rb ADDED Viewed

@@ -0,0 +1,19 @@
+require 'jwt'
+module ForestLiana
+  module Ability
+    module Permission
+      class RequestPermission
+        def self.decodeSignedApprovalRequest(params)
+          if (params[:data][:attributes][:signed_approval_request])
+            decode_parameters = JWT.decode(params[:data][:attributes][:signed_approval_request], ForestLiana.env_secret, true, { algorithm: 'HS256' }).try(:first)
+            ActionController::Parameters.new(decode_parameters)
+          else
+            params
+          end
+        end
+      end
+    end
+  end
+end

data/app/services/forest_liana/ability/permission/smart_action_checker.rb ADDED Viewed

@@ -0,0 +1,71 @@
+module ForestLiana
+  module Ability
+    module Permission
+      class SmartActionChecker
+        def initialize(parameters, collection, smart_action, user)
+          @parameters = parameters
+          @collection = collection
+          @smart_action = smart_action
+          @user = user
+        end
+        def can_execute?
+          if @parameters[:data][:attributes][:signed_approval_request].present? && @smart_action['userApprovalEnabled'].include?(@user['roleId'])
+            can_approve?
+          else
+            can_trigger?
+          end
+        end
+        private
+        def can_approve?
+          @parameters = RequestPermission.decodeSignedApprovalRequest(@parameters)
+          if ((@smart_action['userApprovalConditions'].empty? || match_conditions('userApprovalConditions')) &&
+            (@parameters[:data][:attributes][:requester_id] != @user['id'] || @smart_action['selfApprovalEnabled'].include?(@user['roleId']))
+          )
+            return true
+          end
+          raise ForestLiana::Ability::Exceptions::TriggerForbidden.new
+        end
+        def can_trigger?
+          if @smart_action['triggerEnabled'].include?(@user['roleId']) && @smart_action['approvalRequired'].exclude?(@user['roleId'])
+            return true if @smart_action['triggerConditions'].empty? || match_conditions('triggerConditions')
+          elsif @smart_action['approvalRequired'].include?(@user['roleId'])
+            if @smart_action['approvalRequiredConditions'].empty? || match_conditions('approvalRequiredConditions')
+              raise ForestLiana::Ability::Exceptions::RequireApproval.new(@smart_action['userApprovalEnabled'])
+            end
+          end
+          raise ForestLiana::Ability::Exceptions::TriggerForbidden.new
+        end
+        def match_conditions(condition_name)
+          begin
+            attributes = @parameters[:data][:attributes]
+            records = FiltersParser.new(
+              @smart_action[condition_name][0]['filter'].to_json,
+              @collection,
+              @parameters[:timezone],
+              @parameters
+            ).apply_filters
+            if attributes[:all_records]
+              records = records.where.not(id: attributes[:all_records_ids_excluded])
+            else
+              # check if the ids are present into the request of activeRecord
+              records = records.where(id: attributes[:ids])
+            end
+            records.select(@collection.table_name + '.id').count == attributes[:ids].count
+          rescue
+            raise ForestLiana::Ability::Exceptions::ActionConditionError.new
+          end
+        end
+      end
+    end
+  end
+end