hippo-fw 0.9.1

data/lib/hippo/access/role.rb

@@ -0,0 +1,86 @@
+module Hippo
+    module Access
+
+        class Role
+            class_attribute :read_types, :write_types, :delete_types
+
+            def initialize(user)
+                @user = user
+            end
+
+            def can_read?(model)
+                read_types.include?(model)
+            end
+
+            def can_write?(model)
+                write_types.include?(model)
+            end
+
+            def can_delete?(model)
+                delete_types.include?(model)
+            end
+
+            class << self
+                ALL=Array.new
+
+                def grant_global_access(types=:all, *klass)
+                    unless types.is_a?(Symbol)
+                        klass.unshift(types)
+                        types=:all
+                    end
+                    types = [:read,:write,:delete] if :all == types
+                    types = [*types]
+                    ALL.each do | child |
+                        types.each{ |type| child.send(type).concat(klass) }
+                    end
+                end
+
+                def inherited(subklass)
+                    ALL << subklass
+                    subklass.read_types = []; subklass.write_types = []; subklass.delete_types = []
+                end
+
+                def grant( *klasses )
+                    read_types.push(*klasses)
+                    write_types.push(*klasses)
+                    delete_types.push(*klasses)
+                end
+
+                def read( *klasses )
+                    read_types.push(*klasses)
+                end
+
+                def write( *klasses )
+                    write_types.push(*klasses)
+                end
+
+                def delete(*klasses )
+                    delete_types.push(*klasses)
+                end
+
+                def lock(klass, *attributes)
+                    attributes.each do | attr |
+                        LockedFields.lock(klass, attr, self)
+                    end
+                end
+
+                def lock_writes(klass, *attributes)
+                    attributes.each do | attr |
+                        LockedFields.lock(klass, attr, self, :write)
+                    end
+                end
+
+                def all_available
+                    ALL
+                end
+
+                # By default a role can only access if it's type is included in the
+                # array of acceptable roles.  An Admin role may provide a custom implementation
+                def can_access_locked_roles?(roles)
+                    roles.include?(self)
+                end
+            end
+        end
+
+    end
+end

data/lib/hippo/access/role_collection.rb

@@ -0,0 +1,88 @@
+module Hippo
+    module Access
+
+        class RoleCollection
+            include Enumerable
+
+            def initialize(user)
+                @role_names = user.role_names.clone
+                @role_names << 'basic_user'
+                @roles = @role_names.map{ |name|
+                    "Hippo::Access::Roles::#{name.classify}".safe_constantize
+                }.compact.map{ |klass| klass.new(user) }
+            end
+
+            def exposed_data
+                @role_names
+            end
+
+            # @param role [String]
+            # @return [Boolean] Does a role with the given id exist?
+            def include?(role)
+                @role_names.include?(role)
+            end
+
+            # @param model [Hippo::Model]
+            # @param attribute [Symbol]
+            # @return [Boolean] Can the User view the model?
+            def can_read?(model, attribute = nil)
+                klass=model_to_class(model)
+                test_access(klass, attribute, :read){ |role| role.can_read?(klass) }
+            end
+
+            # @param model [Hippo::Model]
+            # @param attribute [Symbol]
+            # @return [Boolean] Can the User create and update the model?
+            def can_write?(model, attribute = nil)
+                klass=model_to_class(model)
+                test_access(klass, attribute, :write){ |role| role.can_write?(klass) }
+            end
+
+            # @param model [Hippo::Model]
+            # @param id  [Fixnum] the id of the record to remove
+            # @return [Boolean] Can the User delete the model?
+            def can_delete?(model,id)
+                klass=model_to_class(model)
+                @roles.each{ |role| role.can_delete?(klass) }
+            end
+
+            # @return [Array<symbol>] list of roles
+            def to_sym
+                @roles.map{ |r| r.class.to_s.demodulize.downcase.to_sym }
+            end
+
+            def each
+                @roles.each{|r| yield r}
+            end
+
+          private
+
+            def role_types
+                @role_types ||= @roles.map(&:class)
+            end
+
+            def model_to_class(model)
+                model.is_a?(Class) ? model : model.class
+            end
+
+            # Test if the given roles grant access to the model
+            def test_access(model, attribute, access_type)
+                # Check if the attribute is locked
+                # If it is, the locks determine access, otherwise use the model's grants
+                locked_to_roles = LockedFields.roles_needed_for(model, attribute, access_type)
+                if locked_to_roles.none?
+                    return @roles.detect{ |role| yield role }.present?
+                else
+                    role_types.any?{|role| role.can_access_locked_roles?(locked_to_roles) }
+                end
+            end
+
+        end
+
+    end
+end
+
+
+require_relative "roles/support"
+require_relative "roles/basic_user"
+require_relative "roles/administrator"

data/lib/hippo/access/roles/administrator.rb

@@ -0,0 +1,32 @@
+module Hippo
+    module Access
+
+        module Roles
+
+            class Administrator < Role
+
+                # The admin can access all the things
+                def self.can_access_locked_roles?(roles)
+                    true
+                end
+
+                def can_read?(model)
+                    true
+                end
+
+                def can_write?(model)
+                    true
+                end
+
+                def can_delete?(model)
+                    true
+                end
+
+                lock User, :password_digest
+
+            end
+
+        end
+
+    end
+end

data/lib/hippo/access/roles/basic_user.rb

@@ -0,0 +1,13 @@
+module Hippo
+    module Access
+
+        module Roles
+
+            class BasicUser < Role
+
+            end
+
+        end
+
+    end
+end

data/lib/hippo/access/roles/support.rb

@@ -0,0 +1,15 @@
+require_relative '../../user'
+
+module Hippo
+    module Access
+
+        module Roles
+
+            class Support < Role
+                self.read << ::Hippo::User
+            end
+
+        end
+
+    end
+end

data/lib/hippo/access/test_fixture_extensions.rb

@@ -0,0 +1,16 @@
+module AccessFixtureTestPatches
+
+    def table_rows
+        results = super
+        if model_class && model_class < ActiveRecord::Base && model_class.record_modifications
+            results[ table_name ].each do | row |
+                # 135138680 is the 'admin' user
+                row['created_by_id'] ||= 135138680 if model_class.column_names.include?('created_by_id')
+                row['updated_by_id'] ||= 135138680 if model_class.column_names.include?('updated_by_id')
+            end
+        end
+        results
+    end
+end
+
+ActiveRecord::FixtureSet.prepend AccessFixtureTestPatches

data/lib/hippo/access/track_modifications.rb

@@ -0,0 +1,79 @@
+module Hippo::Concerns
+
+    # Extends Rails updated_by and created_by timestamps to also track who created and updated the model.
+    # It reads the current user's id from User.current_id when saving and updating the record
+    # The class_name for the created_by and updated_by is set to {Hippo::Configuration#user_model}
+    module TrackModifications
+        extend ActiveSupport::Concern
+        ApiAttributeAccess::DEFAULT_BLACKLISTED.merge(
+            created_at: nil, updated_at: nil,
+            created_by_id: nil, updated_by_id: nil
+        )
+
+        module ClassMethods
+            def should_record_user_modifications?
+                record_user_modifications
+            end
+
+            def tracks_user_modifications
+                belongs_to :created_by, :class_name=>'Hippo::User'
+                belongs_to :updated_by, :class_name=>'Hippo::User'
+
+                before_update :record_update_modifications
+                before_create :record_create_modifications
+
+                self.export_scope :with_user_logins
+
+                class_attribute :record_user_modifications
+                self.record_user_modifications = true
+            end
+
+
+            def with_user_logins
+                q = self; t = table_name
+                if current_scope.nil? || current_scope.select_values.exclude?("#{t}.*")
+                    q = q.select("#{t}.*")
+                end
+                if self.column_names.include?('created_by_id')
+                    q = q.select("created_by_user.login as created_by_login")
+                          .joins("left join hippo_users as created_by_user on " \
+                                 "created_by_user.id = #{t}.created_by_id")
+                end
+                if self.column_names.include?('updated_by_id')
+                    q = q.select("updated_by_user.login as updated_by_login")
+                          .joins("left join hippo_users as updated_by_user on " \
+                                 "updated_by_user.id = #{t}.updated_by_id")
+                end
+                q
+            end
+
+        end
+
+        private
+
+        def _record_user_to_column( column )
+            user_id = Hippo::User.current_id ? Hippo::User.current_id : 0
+            write_attribute( column, user_id ) if self.class.column_names.include?( column )
+        end
+
+        def record_create_modifications
+            if self.class.should_record_user_modifications?
+                _record_user_to_column('updated_by_id')
+                _record_user_to_column('created_by_id')
+            end
+            true
+        end
+
+        def record_update_modifications
+            if self.class.should_record_user_modifications? && should_record_timestamps?
+                _record_user_to_column('updated_by_id')
+            end
+            true
+        end
+
+        def change_tracking_fields
+            %w{updated_by_id created_by_id updated_at created_at}
+        end
+    end
+
+end

data/lib/hippo/access/version.rb

@@ -0,0 +1,5 @@
+module Hippo
+    module Access
+        VERSION=0.2
+    end
+end

data/lib/hippo/api.rb

@@ -0,0 +1,23 @@
+require_relative '../hippo'
+require_relative 'api/to_json'
+require_relative 'api/request_wrapper'
+require_relative 'api/error_formatter'
+require_relative 'api/formatted_reply'
+require_relative 'api/controller_base'
+require_relative 'api/generic_controller'
+require_relative 'api/cable'
+require_relative 'api/sprockets_extension'
+require_relative 'api/helper_methods'
+require_relative 'api/pub_sub'
+require_relative 'api/handlers/user_session'
+require_relative 'api/handlers/asset'
+require_relative 'api/handlers/print'
+require_relative 'api/root'
+
+module Hippo
+
+    module API
+        mattr_accessor :webpack
+    end
+
+end

data/lib/hippo/api/cable.rb

@@ -0,0 +1,57 @@
+require 'action_cable'
+# require 'action_cable/subscription_adapter/postgresql'
+
+module Hippo
+    module API
+        module Cable
+            mattr_reader :server
+            mattr_reader :config
+
+            def self.handle_request(request)
+                @@server.call(request.env)
+            end
+
+            class Channel < ActionCable::Channel::Base
+            end
+
+            class Connection < ActionCable::Connection::Base
+                identified_by :current_user
+
+                def connect
+                    unless cookies['user_id'] &&
+                            self.current_user = Hippo::User
+                                                    .where(id: cookies['user_id']).first
+                        Hippo.logger.warn("Rejecting ws connection due to unauthorized access by user_id #{cookies['user_id']}")
+
+                        reject_unauthorized_connection
+                    end
+                end
+
+                protected
+
+                def cookies
+                    request.session
+                end
+            end
+
+            def self.configure
+
+                require_relative 'updates'
+                @@config = ActionCable::Server::Configuration.new
+                config.logger = Hippo.logger
+                config.cable = Hippo.config.cable
+                config.connection_class = -> { Connection }
+                config.allowed_request_origins = -> (host) {
+                    host
+                }
+
+                ActionCable::Server::Base.config = config
+                @@server = ActionCable.server
+                Updates.relay!
+            end
+
+        end
+
+
+    end
+end

data/lib/hippo/api/controller_base.rb

@@ -0,0 +1,299 @@
+require_relative './formatted_reply'
+
+module Hippo
+    module API
+
+        # The Controller handles querying models
+        # using either pre-defined scopes or hash based queries;
+        # and also including optional associations with the reply
+        #
+        # It assigns the following meaning the these parameters.
+        #    * f: (fields)   Include the following fields (usually methods) with the reply
+        #    * w: (with)     Uses the defined scope to query and/or add extra data to the model
+        #    * q: (query)    Query the model using fields and values
+        #         it is an array of clauses, which can be either forms
+        #         { field: value }, or { field: { op: 'like', value: 'value%' } }
+        #    * i: (include)  Include associations along with the model in the reply
+        #    * o: (order)    Order by, { field => "ASC|DESC" }
+        #    * l: (limit)    Limit the returned rows to the count
+        #    * s: (start)    Start the query at the given offset (for paging)
+        #    * df: (data format) Should data be returned as 'object' (default) or 'array'
+        # The parameters are deliberately shortened so they can be used in
+        # query parameters without blowing the URL up to an unacceptable length
+
+        class ControllerBase
+
+            attr_reader :model, :params, :data
+            include FormattedReply
+
+            def initialize(model, authentication, params, data={})
+                @model  = model
+                @params = params
+                @data   = data
+                @authentication = authentication
+            end
+
+            protected
+
+            def current_user
+                @current_user ||= @authentication.current_user
+            end
+
+            def perform_retrieval
+                query   = build_query
+                query   = add_scopes_to_query(query)
+                query   = add_access_limits_to_query(query)
+                options = build_reply_options
+                if should_include_total_count?
+                    options[:total_count] = count_query_records(query)
+                end
+                query = add_modifiers_to_query(query)
+                query = query.first! if params[:id]
+                std_api_reply(:retrieve, query, options)
+            end
+
+            def perform_single_destroy
+                query = model.where(id: params[:id])
+                query = add_access_limits_to_query(query)
+                record = query.first!
+                record.destroy
+                std_api_reply(:destroy, record, {})
+            end
+
+            def perform_multiple_destroy
+                query = model.where(id: data.map{|rec|rec['id']})
+                query = add_access_limits_to_query(query)
+                success = true
+                query.each do |record|
+                    if current_user.can_delete?(record, record.id)
+                        success = false unless record.destroy
+                    end
+                end
+                options = build_reply_options.merge(success: success)
+                std_api_reply(:destroy, query, options)
+            end
+
+            def perform_multiple_updates
+                query = model.where(id: data.map {|rec|rec['id'] })
+                query = add_access_limits_to_query(query)
+                success = true
+                query.each do |record|
+                    record_data = data.detect { |rd| rd['id'] == record.id }
+                    next unless record_data
+                    if current_user.can_write?(record, record.id)
+                        record.set_attribute_data(record_data, current_user)
+                        success = false unless record.save
+                    end
+                end
+                options = build_reply_options.merge(success: success)
+                std_api_reply(:update, query, options)
+            end
+
+            def perform_single_update
+                query = build_query
+                query = add_access_limits_to_query(query)
+                record = query.first!
+                record.set_attribute_data(data, current_user)
+                options = build_reply_options.merge(success: record.save)
+                std_api_reply(:update, record, options)
+            end
+
+            # @return [Array<String>] The fields to include in query.  May represent either an attribute or a method
+            def requested_fields
+                [*params[:f]]
+            end
+            def reply_with_array?
+                params[:df] == 'array'
+            end
+            def query_scopes
+                [*params[:w]]
+            end
+            def query_params
+                params[:q]
+            end
+            def include_associations
+                [*params[:i]]
+            end
+            def sort_order
+                params[:o]
+            end
+            def query_limit_size
+                limit = max_query_results_size
+                requested_limit ? [requested_limit, limit].min : limit
+            end
+            def query_offset
+                params[:s]
+            end
+            def requested_limit
+                params.key?(:l) ? params[:l].to_i : nil
+            end
+
+            # reply options
+
+            # Should the result include the total number of available records
+            def should_include_total_count?
+                requested_limit && params[:s] && !params[:id]
+            end
+
+            # Extract options that are suitable for use in 'as_json'
+            def build_reply_options
+                options = {}
+                if include_associations.any?
+                    options[:include] = include_associations.each_with_object({}) do |association, includes|
+                        includes.merge! build_allowed_associations(association)
+                    end
+                end
+
+                if requested_fields.any?
+                    options[:methods] = requested_fields.select do |f|
+                        model.has_exported_method?(f, current_user)
+                    end
+                end
+                options[:format] = reply_with_array? ? 'array' : 'object'
+                options
+            end
+
+            def build_allowed_associations(association, model_class = self.model)
+                includes = {}
+                if association.is_a?(Hash)
+                    association.each do |include_name, sub_associations|
+                        if model_class.has_exported_association?(include_name, current_user) &&
+                           (reflection = model_class.reflect_on_association(include_name.to_sym))
+
+                            sub_includes = includes[include_name.to_sym] = {}
+                            allowed = build_allowed_associations(sub_associations, reflection.klass)
+                            unless allowed.empty?
+                                sub_includes[:include] ||= []
+                                sub_includes[:include] << allowed
+                            end
+                        end
+                    end
+                elsif association.is_a?(Array)
+                    association.each do |sub_association|
+                        if model_class.has_exported_association?(sub_association, current_user)
+                            includes.merge! build_allowed_associations(sub_association, model_class)
+                        end
+                    end
+                else
+                    includes[association.to_sym] = {} if  model_class.has_exported_association?(association, current_user)
+                end
+                includes
+            end
+
+            # query options
+
+            def add_access_limits_to_query(query)
+                if model.respond_to?(:access_limits_for_query)
+                    model.access_limits_for_query(query, current_user, params)
+                else
+                    query
+                end
+            end
+
+            def build_query(query = model.all)
+                query = query.where(id: params[:id]) if params[:id]
+                if params[:nested_attribute]
+                    query = query.where(params[:nested_attribute])
+                end
+                query = add_access_limits_to_query(query)
+                query = add_params_to_query(query) if query_params.present?
+                query
+            end
+
+            def count_query_records(query)
+                query.unscope(:select).count
+            end
+
+            def add_scopes_to_query(query)
+                query = add_scope_to_query(query) if query_scopes.present?
+                query
+            end
+
+            def add_modifiers_to_query(query)
+                query = query.limit(query_limit_size)
+                query = query.offset(query_offset.to_i) if query_offset.present?
+                if include_associations.any?
+                    allowed_includes = include_associations.each_with_object([]) do |desired, results|
+                        if desired.is_a?(Hash)
+                            nested = {}
+                            desired.each do |name, sub_associations|
+                                nested[name.to_sym] = sub_associations if model.has_exported_association?(name, current_user)
+                            end
+                            results.push(nested) unless nested.empty?
+                        else
+                            results.push(desired.to_sym) if model.has_exported_association?(desired, current_user)
+                        end
+                    end
+                    query = query.includes(allowed_includes) unless allowed_includes.empty?
+                end
+                if sort_order.present?
+                    sort_order.each do |fld, dir|
+                        query = model.append_sort_to_query(
+                            query, fld, dir.downcase.to_sym
+                        )
+                    end
+                end
+                query
+            end
+
+            def max_query_results_size
+                250 # should be enough for everybody, amirite?
+            end
+
+            def add_scope_to_query(query)
+                query_scopes.each do |name, arg|
+                    next unless model.has_exported_scope?(name, current_user)
+                    args = [name]
+                    args.push(arg) unless arg.blank?
+                    query = query.send(*args)
+                end
+                query
+            end
+
+            def add_params_to_query(query)
+                query_params.each do |field, value|
+                    next unless (field = convert_field_to_arel(field))
+                    if value.is_a?(Hash) && value.key?('value')
+                        op = value['op']
+                        value = value['value']
+                    end
+                    query = query.where(
+                        field_to_predicate(field, value, op)
+                    )
+                end
+                query
+            end
+
+            def convert_field_to_arel(field)
+                if field.include?('.')
+                    (table_name, field_name) = field.split('.')
+                    if model.has_exported_join_table?(table_name, current_user)
+                        Arel::Table.new(table_name)[field_name]
+                    else
+                        nil
+                    end
+                elsif model.attribute_method?(field)
+                    model.arel_table[field]
+                else
+                    Arel::Nodes::SqlLiteral.new(
+                        model.connection.quote_column_name(field)
+                    )
+                end
+            end
+
+            # complete list: https://github.com/rails/arel/blob/master/lib/arel/predications.rb
+            def field_to_predicate(field, value, op = nil)
+                case op
+                when nil, 'eq' then field.eq(value)
+                when 'like' then field.matches(value)
+                when 'ne'   then field.not_eq(value)
+                when 'lt'   then field.lt(value)
+                when 'in'   then field.in(Range.new(*value))
+                when 'gt'   then field.gt(value)
+                else
+                    value =~ /%/ ? field.matches(value) : field.eq(value)
+                end
+            end
+        end
+    end
+end