hobo 0.8.4 → 0.8.5

data/CHANGES.txt

@@ -1,3 +1,30 @@
+=== Hobo 0.8.5 ===
+
+New permission system
+
+  Various fixes
+  
+  Now runs permission checks *before* callbacks, not after
+    
+    In the switch to the new permissions system, we changed to running them after all callbacks. This turned
+    out to be wrong. Permissions should only be about what the user tried to change, not other changes
+    triggered by application logic
+
+  API change: Web method permissions should now be defined as foo_permitted? instead of foo_call_permitted?
+
+Updated hobo command and hobo generator to use the new config.gem style for apps that use the Hobo gem
+
+  The --add-gem option to script/generate hobo will add "config.gem 'hobo'" to environment.rb. The hobo command
+  does this automatically
+
+Lifecycles fix -- state_name would throw a nil error if there was no state (not returns nil)
+    
+  This was causing the :new_key option to fail on a create step
+
+Fixes to problems with live-search introduced with the Rails 2.2 upgrade
+
+
+
 === Hobo 0.8.4 ===
 
 Rails 2.2 compatible. Rails 2.1 support dropped.

data/Rakefile

@@ -40,11 +40,11 @@ Echoe.new('hobo') do |p|
   p.project = "hobo"
 
   p.changelog = "CHANGES.txt"
-  p.version   = "0.8.4"
+  p.version   = "0.8.5"
 
   p.dependencies = [
-    'hobosupport =0.8.4',
-    'hobofields =0.8.4',
+    'hobosupport =0.8.5',
+    'hobofields =0.8.5',
     'rails >=2.2.2',
     'mislav-will_paginate >=2.2.1']
     

data/bin/hobo

@@ -74,7 +74,7 @@ Dir.chdir(app_path) do
   FileUtils.touch("public/stylesheets/application.css")
 
   puts "\nInitialising Hobo...\n"
-  command(gen, "hobo --add-routes")
+  command(gen, "hobo --add-gem --add-routes")
 
   puts "\nInstalling Hobo Rapid and default theme...\n"
   command("#{gen} hobo_rapid --import-tags")

data/hobo.gemspec

@@ -1,18 +1,18 @@
 
-# Gem::Specification for Hobo-0.8.4
+# Gem::Specification for Hobo-0.8.5
 # Originally generated by Echoe
 
 --- !ruby/object:Gem::Specification 
 name: hobo
 version: !ruby/object:Gem::Version 
-  version: 0.8.4
+  version: 0.8.5
 platform: ruby
 authors: 
 - Tom Locke
 autorequire: 
 bindir: bin
 
-date: 2008-12-06 00:00:00 +00:00
+date: 2008-12-09 00:00:00 +00:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -23,7 +23,7 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        version: 0.8.4
+        version: 0.8.5
     version: 
 - !ruby/object:Gem::Dependency 
   name: hobofields
@@ -33,7 +33,7 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        version: 0.8.4
+        version: 0.8.5
     version: 
 - !ruby/object:Gem::Dependency 
   name: rails

data/lib/hobo.rb

@@ -16,7 +16,7 @@ class HoboError < RuntimeError; end
 
 module Hobo
 
-  VERSION = "0.8.4"
+  VERSION = "0.8.5"
   
   class PermissionDeniedError < RuntimeError; end
 

data/lib/hobo/accessible_associations.rb

@@ -9,31 +9,36 @@ module Hobo
 
       array = params_hash_to_array(array_or_hash)
       array.map! do |record_hash_or_string|
-        find_or_create_and_update(owner, association, association_name, record_hash_or_string) { association.build }
+        finder = association.member_class.scoped :conditions => association.conditions
+        find_or_create_and_update(owner, association_name, finder, record_hash_or_string) do |id|
+          # The block is required to either locate find an existing record in the collection, or build a new one
+          if id
+            # TODO: We don't really want to find these one by one
+            association.find(id)
+          else
+            association.build
+          end
+        end
       end
       array.compact
     end
     
     
-    def find_or_create_and_update(owner, association, association_name, record_hash_or_string)
+    def find_or_create_and_update(owner, association_name, finder, record_hash_or_string)
       if record_hash_or_string.is_a?(String)
-        # An ID (if it starts '@') or else a name
-        record = find_record(association, record_hash_or_string)
+        # An ID or a name - the passed block will find the record
+        record = find_by_name_or_id(finder, record_hash_or_string)
       
       elsif record_hash_or_string.is_a?(Hash)
         # A hash of attributes
         hash = record_hash_or_string
 
         # Remove completely blank hashes
-        return nil if hash.values.join.blank?
+        return nil if hash.values.all?(&:blank?)
 
         id = hash.delete(:id)
 
-        record = if id
-                   association.find(id) # TODO: We don't really want to find these one by one
-                 else
-                   record = yield
-                 end
+        record = yield id
         record.attributes = hash
         owner.include_in_save(association_name, record) unless owner.new_record? && record.new_record?
         
@@ -43,7 +48,7 @@ module Hobo
       end
       record
     end
-    
+
     
     def params_hash_to_array(array_or_hash)
       if array_or_hash.is_a?(Hash)
@@ -54,17 +59,12 @@ module Hobo
     end
     
 
-    def find_record(association, id_or_name)
-      klass = association.member_class
+    def find_by_name_or_id(finder, id_or_name)
       if id_or_name =~ /^@(.*)/
         id = $1
-        if id =~ /:/
-          Hobo::Model.find_by_typed_id(id)
-        else
-          klass.find(id)
-        end
+        finder.find(id)
       else
-        klass.named(id_or_name, :conditions => association.conditions)
+        finder.named(id_or_name)
       end
     end
   
@@ -103,7 +103,18 @@ module Hobo
       if options[:accessible]
         class_eval %{
           def #{name}_with_accessible=(record_hash_or_string)
-            record = Hobo::AccessibleAssociations.find_or_create_and_update(self, #{name}, :#{name}, record_hash_or_string) { self.class.reflections[:#{name}].klass.new }
+            refl = self.class.reflections[:#{name}]
+            conditions = ActiveRecord::Associations::BelongsToAssociation.new(self, refl).conditions
+            finder = refl.klass.scoped(:conditions => conditions)
+            record = Hobo::AccessibleAssociations.find_or_create_and_update(self, :#{name}, finder, record_hash_or_string) do |id|
+              if id
+                raise ArgumentError, "attempted to update the wrong record in belongs_to association #{self}##{name}" unless 
+                  #{name} && id == self.#{name}.id
+                #{name}
+              else
+                refl.klass.new
+              end
+            end
             self.#{name}_without_accessible = record
           end
         }, __FILE__, __LINE__ - 5

data/lib/hobo/controller.rb

@@ -122,7 +122,7 @@ module Hobo
     
     def tag_renderer
       @tag_renderer ||= begin
-        add_variables_to_assigns
+        @template.send(:_evaluate_assigns_and_ivars)
         Hobo::Dryml.empty_page_renderer(@template)
       end
     end    
@@ -135,7 +135,7 @@ module Hobo
     NO_SEARCH_RESULTS_HTML = "<p>Your search returned no matches.</p>"
     def site_search(query)
       results_hash = Hobo.find_by_search(query)
-      all_results = results_hash.values.flatten.select { |r| Hobo.can_view?(current_user, r, nil) }
+      all_results = results_hash.values.flatten.select { |r| r.viewable_by?(current_user) }
       if all_results.empty?
         render :text => NO_SEARCH_RESULTS_HTML
       else

data/lib/hobo/lifecycles/lifecycle.rb

@@ -141,7 +141,8 @@ module Hobo
 
 
       def state_name
-        record.read_attribute(self.class.state_field).to_sym
+        name = record.read_attribute(self.class.state_field)
+        name.to_sym if name
       end
 
 

data/lib/hobo/model_controller.rb

@@ -111,7 +111,7 @@ module Hobo
           # Make sure we have a copy of the options - it is being mutated somewhere
           opts = {}.merge(options)
           self.this = find_instance(opts) unless opts[:no_find]
-          raise Hobo::PermissionDeniedError unless Hobo.can_call?(current_user, @this, method)
+          raise Hobo::PermissionDeniedError unless @this.method_callable_by?(current_user, method)
           if got_block
             instance_eval(&block)
           else

data/lib/hobo/permissions.rb

@@ -7,16 +7,12 @@ module Hobo
     end
     
     def self.included(klass)
-      klass.extend ClassMethods
-      
-      create_with_callbacks  = find_aliased_name klass, :create_with_callbacks
-      update_with_callbacks  = find_aliased_name klass, :update_with_callbacks
-      destroy_with_callbacks = find_aliased_name klass, :destroy_with_callbacks
-      
       klass.class_eval do
-        alias_method create_with_callbacks,  :create_with_callbacks_with_hobo_permission_check
-        alias_method update_with_callbacks,  :update_with_callbacks_with_hobo_permission_check
-        alias_method destroy_with_callbacks, :destroy_with_callbacks_with_hobo_permission_check
+        extend ClassMethods
+        
+        alias_method_chain :create, :hobo_permission_check
+        alias_method_chain :update, :hobo_permission_check
+        alias_method_chain :destroy, :hobo_permission_check
 
         attr_accessor :acting_user, :origin, :origin_attribute
 
@@ -91,40 +87,26 @@ module Hobo
       acting_user && !(self.class.has_lifecycle? && lifecycle.active_step)
     end
         
-    def create_with_callbacks_with_hobo_permission_check(*args)
-      return false if callback(:before_create) == false
-      
+    def create_with_hobo_permission_check(*args, &b)
       if permission_check_required?
         create_permitted? or raise PermissionDeniedError, "#{self.class.name}#create"
       end
-      
-      result = create_without_callbacks
-      callback(:after_create)
-      result
+      create_without_hobo_permission_check(*args, &b)
     end
 
-    def update_with_callbacks_with_hobo_permission_check(*args)
-      return false if callback(:before_update) == false
-      
+    def update_with_hobo_permission_check(*args)
       if permission_check_required?
         update_permitted? or raise PermissionDeniedError, "#{self.class.name}#update"
       end
-      
-      result = update_without_callbacks(*args)
-      callback(:after_update)
-      result
+      update_without_hobo_permission_check(*args)
     end
 
-    def destroy_with_callbacks_with_hobo_permission_check
-      return false if callback(:before_destroy) == false
-      
+    def destroy_with_hobo_permission_check
       if permission_check_required?
         destroy_permitted? or raise PermissionDeniedError, "#{self.class.name}#.destroy"
       end
       
-      result = destroy_without_callbacks
-      callback(:after_destroy)
-      result
+      destroy_without_hobo_permission_check
     end
     
     # -------------------------------------- #
@@ -184,8 +166,8 @@ module Hobo
     end
     
     def method_callable_by?(user, method)
-      permission_method = "#{method}_call_permitted?"
-      respond_to?(permission_method) && with_acting_user(current_user) { send(permission_method) }
+      permission_method = "#{method}_permitted?"
+      respond_to?(permission_method) && with_acting_user(user) { send(permission_method) }
     end
     
     def viewable_by?(user, attribute=nil)
@@ -337,20 +319,30 @@ module Hobo
       
     # By default, attempt to derive edit permission from create/update permission
     def edit_permitted?(attribute)
-      Hobo::Permissions.unknownify_attribute(self, attribute) if attribute
+      if attribute
+        with_attribute_or_belongs_to_keys(attribute) do |attr, ftype|
+          unknownify_attribute(self, attr)
+          unknownify_attribute(self, ftype) if ftype
+        end
+      end
       new_record? ? create_permitted? : update_permitted?
     rescue Hobo::UndefinedAccessError
       # The permission is dependent on the unknown value
       # so this attribute is not editable
       false
     ensure
-      Hobo::Permissions.deunknownify_attribute(self, attribute) if attribute
+      if attribute
+        with_attribute_or_belongs_to_keys(attribute) do |attr, ftype|
+          deunknownify_attribute(self, attr)
+          deunknownify_attribute(self, ftype) if ftype
+        end
+      end
     end
   
   
     # Add some singleton methods to +record+ so give the effect that +attribute+ is unknown. That is,
     # attempts to access the attribute will result in a Hobo::UndefinedAccessError
-    def self.unknownify_attribute(record, attr)
+    def unknownify_attribute(record, attr)
       record.metaclass.class_eval do
         
         define_method attr do
@@ -386,7 +378,7 @@ module Hobo
     end
     
     # Best. Name. Ever
-    def self.deunknownify_attribute(record, attr)
+    def deunknownify_attribute(record, attr)
       [attr, "#{attr}_change", "#{attr}_was", "#{attr}_changed?", :changed?, :changed, :changes].each do |m|
         record.metaclass.send :remove_method, m.to_sym
       end

data/rails_generators/hobo/hobo_generator.rb

@@ -1,16 +1,12 @@
 class HoboGenerator < Rails::Generator::Base
 
   def manifest
+    if options[:add_gem]
+      add_to_file "config/environment.rb", "Rails::Initializer.run do |config|", "  config.gem 'hobo'\n"
+    end
+    
     if options[:add_routes]
-      routes_path = File.join(RAILS_ROOT, "config/routes.rb")
-
-      route = "  Hobo.add_routes(map)\n"
-      route_src = File.read(routes_path)
-      unless route_src.include?(route)
-        head = "ActionController::Routing::Routes.draw do |map|"
-        route_src.sub!(head, head + "\n\n" + route)
-        File.open(routes_path, 'w') {|f| f.write(route_src) }
-      end
+      add_to_file "config/routes.rb", "ActionController::Routing::Routes.draw do |map|", "\n  Hobo.add_routes(map)\n"
     end
 
     record do |m|
@@ -32,7 +28,7 @@ class HoboGenerator < Rails::Generator::Base
 
   protected
     def banner
-      "Usage: #{$0} #{spec.name} [--add-routes]"
+      "Usage: #{$0} #{spec.name} [--add-routes] [--add-gem]"
     end
 
     def add_options!(opt)
@@ -40,5 +36,17 @@ class HoboGenerator < Rails::Generator::Base
       opt.separator 'Options:'
       opt.on("--add-routes",
              "Add Hobo routes to config/routes.rb") { |v| options[:add_routes] = v }
+      opt.on("--add-gem",
+             "Edit environment.rb to require the hobo gem") { |v| options[:add_gem] = v }
     end
+    
+    def add_to_file(filename, after_line, new_line)
+      filename = File.join(RAILS_ROOT, filename)
+      src = File.read filename
+      unless src.include? new_line
+        src.sub!(after_line, after_line + "\n" + new_line)
+        File.open(filename, 'w') {|f| f.write(src) }
+      end
+    end
+
 end

data/rails_generators/hobo/templates/initializer.rb

@@ -1,9 +1 @@
-# Load Hobo from the gem if is not already loaded 
-# (i.e. if the plugin is not present)
-
-unless defined? Hobo
-  gem 'hobo'
-  require 'hobo'
-end
-
 Hobo::ModelRouter.reload_routes_on_every_request = true

data/taglibs/rapid_forms.dryml

@@ -773,8 +773,8 @@ Use the `uri` option to specify a redirect location:
 
 
 <def tag="or-cancel">
-  <if test="&linkable?">or <a>Cancel</a></if>
+  <if test="&linkable?">or <a merge-attrs>Cancel</a></if>
   <else>
-    <if test="&linkable?(this.class)">or <a to="&this.class">Cancel</a></if>
+    <if test="&linkable?(this.class)">or <a to="&this.class" merge-attrs>Cancel</a></if>
   </else>
 </def>

data/test/permissions/test_permissions.rb

@@ -254,6 +254,18 @@ class PermissionsTest < Test::Unit::TestCase
         assert_equal("code.zip", @r.code_example.filename)        
       end
       
+      should "allow the code example related to a recipe to be changed" do
+        r = existing_recipe @user
+        c1 = CodeExample.create! :filename => "exmaple1.zip"
+        c2 = CodeExample.create! :filename => "exmaple2.zip"
+        r.code_example = c1
+        r.save
+        
+        r.user_update_attributes! @user, :code_example => "@#{c2.id}"
+        
+        assert_equal(c2, r.code_example)
+      end
+      
       context "on an existing recipe with a code example" do 
         setup do
           @ce = CodeExample.create! :filename => "exmaple.zip"
@@ -261,8 +273,11 @@ class PermissionsTest < Test::Unit::TestCase
         end
       
         should "allow update of the code-example" do
-          @r.user_update_attributes! @user, :code_example => { :filename => "changed.zip" }
+          # To update the exsting target of a belongs_to association, the id must be included in the hash
+          # It is an error to provide any id other than that of the existing target
+          @r.user_update_attributes! @user, :code_example => { :id => @ce.id, :filename => "changed.zip" }
           assert_equal("changed.zip", @r.code_example.filename)
+          assert_equal(@ce, @r.code_example)
         end
 
         should "allow removal of the code-example" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: hobo
 version: !ruby/object:Gem::Version 
-  version: 0.8.4
+  version: 0.8.5
 platform: ruby
 authors: 
 - Tom Locke
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2008-12-06 00:00:00 +00:00
+date: 2008-12-09 00:00:00 +00:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -20,7 +20,7 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        version: 0.8.4
+        version: 0.8.5
     version: 
 - !ruby/object:Gem::Dependency 
   name: hobofields
@@ -30,7 +30,7 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        version: 0.8.4
+        version: 0.8.5
     version: 
 - !ruby/object:Gem::Dependency 
   name: rails