glib-web 5.0.4 → 5.0.5

data/app/views/json_ui/garage/test_page/tabBar.json.jbuilder

@@ -0,0 +1,144 @@
+json.title 'Test Page (tabBar)'
+
+page = json_ui_page json
+
+render 'json_ui/garage/test_page/header', json: json, page: page
+
+active_index = params[:tab].to_i
+
+page.body(
+  childViews: ->(body) do
+    body.panels_responsive(
+      padding: glib_json_padding_body,
+      childViews: ->(res) do
+        res.h2 text: 'Overview'
+        res.p(
+          text: 'tabBar renders a row of icon/text buttons used for primary navigation. ' \
+        'It supports badges, active-tab highlighting, style variants, and custom onClick actions.'
+        )
+        res.spacer height: 12
+        res.hr width: 'matchParent'
+        res.h2 text: 'Variants and Props'
+        res.spacer height: 8
+        res.label text: 'With badges'
+        res.spacer height: 6
+        res.tabBar(
+          activeIndex: 0,
+          buttons: ->(menu) do
+            [
+            { text: 'Inbox',     icon: 'inbox',       badge: { text: 5,   backgroundColor: '#272551' } },
+            { text: 'Alerts',    icon: 'notifications', badge: { text: '!', backgroundColor: '#cc0000' } },
+            { text: 'Messages',  icon: 'chat',          badge: { text: nil, backgroundColor: nil } }
+            ].each do |tab|
+              menu.button(
+                icon: tab[:icon],
+                text: tab[:text],
+                badge: tab[:badge],
+                disabled: false,
+                onClick: ->(action) do
+                  action.snackbars_alert message: "Tapped #{tab[:text]}"
+                end
+              )
+            end
+          end
+        )
+        res.spacer height: 12
+        res.label text: "Style: 'full-width-divider'"
+        res.spacer height: 6
+        res.tabBar(
+          activeIndex: 0,
+          styleClass: 'full-width-divider',
+          buttons: ->(menu) do
+            4.times do |index|
+              menu.button(
+                text: "Tab #{index}",
+                disabled: index == 0,
+                onClick: ->(action) do
+                  action.snackbars_alert message: "Tapped tab #{index}"
+                end
+              )
+            end
+          end
+        )
+        res.spacer height: 12
+        res.label text: "Style: 'no-grow'"
+        res.spacer height: 6
+        res.tabBar(
+          activeIndex: 0,
+          styleClass: 'no-grow',
+          buttons: ->(menu) do
+            3.times do |index|
+              menu.button(
+                text: "Tab #{index}",
+                disabled: index == 0,
+                onClick: ->(action) do
+                  action.snackbars_alert message: "Tapped tab #{index}"
+                end
+              )
+            end
+          end
+        )
+
+        res.spacer height: 12
+        res.hr width: 'matchParent'
+        res.h2 text: 'Edge and Advanced'
+        res.spacer height: 8
+        res.label text: 'All tabs disabled'
+        res.spacer height: 6
+        res.tabBar(
+          activeIndex: -1,
+          buttons: ->(menu) do
+            ['One', 'Two', 'Three'].each do |label|
+              menu.button(
+                text: label,
+                disabled: true,
+                onClick: ->(action) do
+                  action.snackbars_alert message: "Tapped #{label}"
+                end
+              )
+            end
+          end
+        )
+        res.spacer height: 12
+        res.label text: 'Many tabs (overflow)'
+        res.spacer height: 6
+        res.tabBar(
+          activeIndex: 0,
+          buttons: ->(menu) do
+            8.times do |index|
+              menu.button(
+                text: "Tab #{index}",
+                disabled: index == 0,
+                onClick: ->(action) do
+                  action.snackbars_alert message: "Tapped tab #{index}"
+                end
+              )
+            end
+          end
+        )
+        res.spacer height: 12
+        res.label text: 'Long badge text'
+        res.spacer height: 6
+        res.tabBar(
+          activeIndex: 0,
+          buttons: ->(menu) do
+            menu.button(
+              icon: 'star',
+              text: 'Stars',
+              disabled: true,
+              badge: { text: '⭐⭐⭐', backgroundColor: '#008000' },
+              onClick: ->(action) { action.snackbars_alert message: 'Stars' }
+            )
+            menu.button(
+              icon: 'inbox',
+              text: 'Inbox',
+              disabled: false,
+              badge: { text: 999, backgroundColor: '#272551' },
+              onClick: ->(action) { action.snackbars_alert message: 'Inbox' }
+            )
+          end
+        )
+      end
+    )
+  end
+)

data/app/views/json_ui/garage/test_page/table.json.jbuilder

@@ -2,9 +2,10 @@ json.title 'Test Page (Table)'
 
 page = json_ui_page json
 
+render 'json_ui/garage/test_page/header', json: json, page: page
+
 page.body(
   childViews: ->(body) do
-    render 'json_ui/garage/test_page/header', view: body
     body.panels_responsive(
       padding: glib_json_padding_body,
       childViews: ->(res) do

data/app/views/json_ui/garage/test_page/timeline.json.jbuilder

@@ -2,9 +2,10 @@ json.title 'Test Page (Timeline)'
 
 page = json_ui_page json
 
+render 'json_ui/garage/test_page/header', json: json, page: page
+
 page.body(
   childViews: ->(body) do
-    render 'json_ui/garage/test_page/header', view: body
     body.panels_responsive(
       padding: glib_json_padding_body,
       childViews: ->(res) do

data/app/views/json_ui/garage/test_page/timeouts.json.jbuilder

@@ -2,9 +2,10 @@ json.title 'Test Page (Timeouts)'
 
 page = json_ui_page json
 
+render 'json_ui/garage/test_page/header', json: json, page: page
+
 page.body(
   childViews: ->(body) do
-    render 'json_ui/garage/test_page/header', view: body
     body.panels_responsive(
       padding: glib_json_padding_body,
       childViews: ->(res) do
@@ -58,8 +59,13 @@ page.body(
                       interval: 2000,
                       repeat: true,
                       onTimeout: ->(subaction) do
-                        subaction.logics_set targetId: 'timeout_repeat_status', data: { text: 'Last tick fired' }
-                        subaction.snackbars_alert message: 'Repeat timeout elapsed'
+                        subaction.logics_set(
+                          targetId: 'timeout_repeat_status',
+                          data: { text: 'Last tick fired' },
+                          onSet: ->(ssaction) do
+                            ssaction.snackbars_alert message: 'Repeat timeout elapsed'
+                          end
+                        )
                       end
                     )
                   end

data/app/views/json_ui/garage/test_page/ul.json.jbuilder

@@ -2,8 +2,9 @@ json.title 'Test Page (Ul)'
 
 page = json_ui_page json
 
+render 'json_ui/garage/test_page/header', json: json, page: page
+
 page.body childViews: ->(body) do
-  render 'json_ui/garage/test_page/header', view: body
 
   body.panels_responsive padding: glib_json_padding_body, childViews: ->(res) do
     res.h2 text: 'Overview'

data/app/views/json_ui/garage/test_page/vertical.json.jbuilder

@@ -2,8 +2,9 @@ json.title 'Test Page (Vertical)'
 
 page = json_ui_page json
 
+render 'json_ui/garage/test_page/header', json: json, page: page
+
 page.body childViews: ->(body) do
-  render 'json_ui/garage/test_page/header', view: body
 
   body.panels_responsive padding: glib_json_padding_body, childViews: ->(res) do
     res.h2 text: 'Overview'

data/app/views/json_ui/garage/test_page/web.json.jbuilder

@@ -2,8 +2,9 @@ json.title 'Test Page (Web)'
 
 page = json_ui_page json
 
+render 'json_ui/garage/test_page/header', json: json, page: page
+
 page.body childViews: ->(body) do
-  render 'json_ui/garage/test_page/header', view: body
 
   body.panels_responsive padding: glib_json_padding_body, childViews: ->(res) do
     res.h2 text: 'Overview'

data/app/views/json_ui/garage/test_page/window.json.jbuilder

@@ -3,9 +3,10 @@ json.title 'Test Page (Form)'
 
 page = json_ui_page json
 
+render 'json_ui/garage/test_page/header', json: json, page: page
+
 page.body(
   childViews: ->(body) do
-    render 'json_ui/garage/test_page/header', view: body
     body.panels_responsive(
       padding: glib_json_padding_body,
       childViews: ->(res) do

data/app/views/json_ui/garage/test_page/windows.json.jbuilder

@@ -2,9 +2,10 @@ json.title 'Test Page (Windows)'
 
 page = json_ui_page json
 
+render 'json_ui/garage/test_page/header', json: json, page: page
+
 page.body(
   childViews: ->(body) do
-    render 'json_ui/garage/test_page/header', view: body
     body.panels_responsive(
       padding: glib_json_padding_body,
       childViews: ->(res) do

data/lib/glib/json_crawler/router.rb

@@ -74,6 +74,16 @@ module Glib
           JsonCrawler::FormsSubmit.new(http, args)
           @depth -= 1
           return
+        when 'panels/web-v1', 'panels/web'
+          # A panels/web embeds content by URL in an inline viewer -- a file
+          # preview (PDF/image), an inline HTML preview, etc. There's no onClick
+          # action to catch here, so when the URL is one of our own (same-host)
+          # endpoints we record it directly: the client fetches it to render the
+          # panel, so its authorization should be exercised by the permission test
+          # (it replays each per user and snapshots the response). We only record
+          # (no fetch); external embeds are filtered out by internal_url?.
+          url = args['url']
+          http_actions.add(['panels/web-v1', url]) if url.present? && internal_url?(url)
         end
 
         if args.is_a?(Hash) && args['rel'] != 'nofollow'
@@ -111,6 +121,24 @@ module Glib
               http_actions.add([action, params['url']])
               JsonCrawler::WindowsOpen.new(http, params, action)
             else
+              # IMPORTANT — do not drop the `http_actions.add` below.
+              #
+              # This `else` is reached by BOTH genuinely external links AND by
+              # same-host file/download endpoints that `allowed?` rejected for the
+              # file-extension rule (e.g. *.pdf). Recording the same-host ones is the
+              # ONLY way their file authorization ever gets exercised: the permission
+              # test replays each recorded action per user and snapshots the response.
+              # Remove this line and every file/download endpoint silently falls out
+              # of permission coverage -- a wrong authorization on one would then ship
+              # unnoticed (exactly the gap this was added to close).
+              #
+              # We do NOT traverse/download them (no WindowsOpen crawler is created
+              # here), and the permission replay runs with inspect_http:false so it
+              # never follows the storage redirect. External links are filtered out by
+              # `internal_url?`. Behaviour is guarded by
+              # test/dummy-app/test/json_crawler/router_test.rb -- if you delete the
+              # line below, that test goes red.
+              http_actions.add([action, params['url']]) if internal_url?(params['url'])
               self.log action, params['url']
             end
           when 'dialogs/show-v1', 'dialogs/show', 'popovers/show-v1', 'popovers/show'
@@ -227,6 +255,17 @@ module Glib
       end
 
       private
+        # True when `url` is one of our OWN (same-host) endpoints, used to tell an
+        # internal endpoint we want recorded for the permission test from a
+        # genuinely external link we ignore (in the openWeb `else`-branch and the
+        # panels/web case). Anchored at the start and required to end at a path
+        # boundary (`/`, `?`, `#`, or end-of-string), so a host that merely appears
+        # INSIDE an external URL's path or query is NOT treated as internal --
+        # unlike a bare substring match.
+        def internal_url?(url)
+          %r{\Ahttps?://#{Regexp.escape(host)}(?:[/?#]|\z)}.match?(url.to_s)
+        end
+
         def execute_crawler_action(http, action, url, params)
           params = JSON.parse(params) if params.is_a?(String)
           params ||= {}

data/lib/glib/test_helpers.rb

@@ -66,6 +66,44 @@ module Glib
       File.join(file_dir || __crawler_log_dir, filename)
     end
 
+    # Asserts that every model with ActiveStorage attachments is actually
+    # *exercised* by the crawler: at least one of its file endpoints must appear
+    # in the recorded crawler output. A structural "is this type authorized?"
+    # check can only prove a type is handled, not that its file authorization is
+    # covered end-to-end. This proves the latter -- the crawler recorded the
+    # endpoint, so the permission test replays it per user -- which is what
+    # catches a *wrong* authorization on a newly-added attachable type (or a
+    # fixture that was never made reachable in the crawl).
+    #
+    #   attachable_types: model classes (or names) that must be covered.
+    #   router_dir:       dir holding the crawler router CSVs (the dump_path).
+    #   signed_id_from:   ->(url) returning the blob signed_id for a file URL, or
+    #                     nil for non-file URLs. Route-specific, e.g.
+    #                     ->(u) { u[%r{/blobs/([^/]+)/}, 1] }.
+    #   exempt:           type names whose files are served outside the crawl.
+    #   pending:          type names known-uncovered -- an explicit burn-down
+    #                     list, kept honest by the stale-pending check below.
+    def assert_attachable_types_crawl_covered(attachable_types:, router_dir:, signed_id_from:, exempt: [], pending: [])
+      required = attachable_types.map(&:to_s) - exempt.map(&:to_s) - pending.map(&:to_s)
+      covered = __crawler_covered_record_types(router_dir, signed_id_from)
+
+      uncovered = (required - covered).sort
+      assert_empty(
+        uncovered,
+        'No crawled file endpoint covers these attachable types, so the permission test ' \
+        'never exercises their file authorization (a wrong policy on them would ship ' \
+        'silently). Give each a fixture whose file renders in a crawled page and regenerate ' \
+        "the crawler snapshots, or list it in `exempt:`/`pending:` -- #{uncovered.join(', ')}"
+      )
+
+      graduated = (pending.map(&:to_s) & covered).sort
+      assert_empty(
+        graduated,
+        'These `pending:` types are now crawl-covered -- remove them from the burn-down ' \
+        "list so it keeps reflecting the real gap: #{graduated.join(', ')}"
+      )
+    end
+
     def retrace_json_pages(user, past_actions:)
       __execute_crawler(user, inspect_http: false) do |router, http|
         # router.follow(http, guiding_routers)
@@ -92,7 +130,7 @@ module Glib
     # @param method [Symbol, nil] Optional HTTP method override
     #
     # @example
-    #   get new_chat_url(checklist_id: @checklist.id), params: json_params
+    #   get new_chat_url(post_id: @post.id), params: json_params
     #   submit_form(response.body, { chat: { message_body: 'Hello' } })
     #
     def submit_form(page_payload, data, url: nil, method: nil)
@@ -211,7 +249,7 @@ module Glib
 
         block.call(view)
 
-        ['childViews', 'header', 'body', 'footer', 'left', 'right', 'panels'].each do |key|
+        ['childViews', 'header', 'body', 'footer', 'left', 'right', 'panels', 'fullPageForm'].each do |key|
           child = view[key]
           if child.is_a?(Array)
             __traverse_form_views(child, &block)
@@ -223,6 +261,34 @@ module Glib
 
       # --- Crawler helpers ---
 
+      # Reads the crawler router CSVs and returns the distinct ActiveStorage
+      # `record_type`s reachable through the recorded file endpoints. Each row's
+      # URL is mapped to a blob via the caller-supplied `signed_id_from` (the
+      # only route-specific bit), then blob -> attachment -> record_type.
+      def __crawler_covered_record_types(router_dir, signed_id_from)
+        require 'csv'
+
+        Dir.glob(File.join(router_dir, '*.csv')).flat_map do |path|
+          CSV.read(path).filter_map do |row|
+            url = row[1]
+            next if url.blank?
+
+            signed_id = signed_id_from.call(url)
+            next if signed_id.blank?
+
+            blob =
+              begin
+                ActiveStorage::Blob.find_signed(signed_id)
+              rescue StandardError
+                nil
+              end
+            next if blob.nil?
+
+            ActiveStorage::Attachment.find_by(blob: blob)&.record_type
+          end
+        end.compact.uniq
+      end
+
       def __execute_crawler(user, inspect_http:, log_file: nil, &block)
         auth_token = login user
         user[:token] = auth_token

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: glib-web
 version: !ruby/object:Gem::Version
-  version: 5.0.4
+  version: 5.0.5
 platform: ruby
 authors:
 - ''
@@ -220,6 +220,7 @@ files:
 - app/helpers/glib/json_ui/view_builder/panels.rb
 - app/helpers/glib/urls_helper.rb
 - app/models/concerns/glib/enum_humanization.rb
+- app/models/concerns/glib/enum_symbolization.rb
 - app/models/concerns/glib/nilify_blanks.rb
 - app/models/concerns/glib/soft_deletable.rb
 - app/models/glib/active_storage/attachment.rb
@@ -405,12 +406,14 @@ files:
 - app/views/json_ui/garage/test_page/fields_location.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_otp.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_phone.json.jbuilder
+- app/views/json_ui/garage/test_page/fields_radio.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_rating.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_richText.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_select.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_sign.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_stripeExternalAccount.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_stripeToken.json.jbuilder
+- app/views/json_ui/garage/test_page/fields_text.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_timer.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_upload.json.jbuilder
 - app/views/json_ui/garage/test_page/fields_url_fragment.json.jbuilder
@@ -440,6 +443,8 @@ files:
 - app/views/json_ui/garage/test_page/snackbars.json.jbuilder
 - app/views/json_ui/garage/test_page/split.json.jbuilder
 - app/views/json_ui/garage/test_page/storage_items.json.jbuilder
+- app/views/json_ui/garage/test_page/switch.json.jbuilder
+- app/views/json_ui/garage/test_page/tabBar.json.jbuilder
 - app/views/json_ui/garage/test_page/table.json.jbuilder
 - app/views/json_ui/garage/test_page/timeline.json.jbuilder
 - app/views/json_ui/garage/test_page/timeouts.json.jbuilder