hot-glue 0.6.0 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 822437dfda890941c29f2ff18b927c60a84279306c0937d354f69e18c67f51e5
-  data.tar.gz: 193b9bb92313ae7440c72d8d7598f918400136f7edabc70bf7ec7def1b4f96ed
+  metadata.gz: 98f341b6907ade21c64956cab48b59503280aefaf9836b718d33e26ed854d32a
+  data.tar.gz: ada2f154b32372c90c107c7507cb57d65850e761017bd17c04e6d5afc7302097
 SHA512:
-  metadata.gz: '0210383122eded31e46b9cc02bc6a7c230d95936f13635149c884774e762b178eb326e3722466a6ff8e365fd3d45782a05c0a60733d678499762ff49d6f7b58d'
-  data.tar.gz: 8cc9ed4dc85875d66dbd66ecac22908bfd6a8759588e37a2b26bb03522a16b8559ca0bc0ee0311a28a627f2f25af703ed744ea1aba6f8f1d48c5fbc35d28748a
+  metadata.gz: 7f38775a9cd7743c6dfb39fe4c4bed6e8b27e6987dd455b460205db6b0e13f8ea5c25e7bd24d59992ead7ca8d689f31fc71c73c5f40ea7578aaace49c41dfaca
+  data.tar.gz: ce1fa03301507fdc462d8a43d6d0253a4bbf8d1c2184d1a582683d56ff67d5d5b9eb21b60902a8d4dfe390d41e4b3ade485e255db659ab7683e34558d838388a

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    hot-glue (0.5.26)
+    hot-glue (0.6.0.1)
       ffaker (~> 2.16)
       kaminari (~> 1.2)
       rails (> 5.1)
@@ -90,7 +90,7 @@ GEM
       xpath (~> 3.2)
     concurrent-ruby (1.1.10)
     crass (1.0.6)
-    date (3.3.3)
+    date (3.3.4)
     devise (4.8.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
@@ -139,12 +139,12 @@ GEM
     mini_mime (1.1.2)
     mini_portile2 (2.8.4)
     minitest (5.16.3)
-    net-imap (0.4.2)
+    net-imap (0.4.4)
       date
       net-protocol
     net-pop (0.1.2)
       net-protocol
-    net-protocol (0.2.1)
+    net-protocol (0.2.2)
       timeout
     net-smtp (0.4.0)
       net-protocol
@@ -235,7 +235,7 @@ GEM
     stimulus-rails (1.1.1)
       railties (>= 6.0.0)
     thor (1.2.1)
-    timeout (0.4.0)
+    timeout (0.4.1)
     turbo-rails (1.3.2)
       actionpack (>= 6.0.0)
       activejob (>= 6.0.0)

data/README.md

@@ -64,25 +64,23 @@ _If you are on Rails 6, see [LEGACY SETUP FOR RAILS 6](https://github.com/jasonf
 
 ## The Super-Quick Setup
 
-https://jasonfleetwoodboldt.com/courses/stepping-up-rails/rails-quick-scripts/
+https://jasonfleetwoodboldt.com/courses/stepping-up-rails/jason-fleetwood-boldts-rails-cookbook/
 
-Copy & paste the whole code block from each section into your terminal. (Pick only ONE option for each section.)
+Copy & paste the whole code block from each section into your terminal. Remember, there is a small "Copy" button at the top-right of each code block to help you copy & paste the script into your terminal. 
 
+These are the sections you need, you can ignore any others:
 
-From section #1 (`rails new`), choose either (1) ImportMap Rails, (2) JSBundling, or (3) Shakapacker. 
-
-For Hot Glue, you will need:
-
-Section #1 is to create a new Rails app. (Or you can do that yourself.)
-
-Section #2 is to setup Rspec, FactoryBot, and Faker — choose 2B for Rspec0
-
-Skip #3 and #4 is optional. #5 is optional but recommended. 
-
-Sectoin #6 is for Hot Glue itself, and Section #7 is for Kaminari
-
-You will also need section #8 to setup Devise if you want authentication.
+* Section 1A for a new JS Bundling app, then skip down to 
+* Section 2B: Rspec + Friends
+* Section 2B-Capy: Capybara for Rspec, then skip down to 
+* Section 3 for a welcome controller
+( you can skip everything in Section 4 )
+* Section 5 for debugging tools
+* _Section 6 is the Hot Glue installer itself_ (this gem) - for Bootstrap, choose section 6A
+* Section 7A to install Bootstrap along with CSSBundling
+* Section 8 to set up Devise if you want authentication. (See how Hot Glue interacts with Devise below.)
 
+If you do this through the quick setup above, you can then skip down past the next section to the "HOT GLUE DOCS" below. 
 
 ## Step-By-Step Setup
 
@@ -294,10 +292,21 @@ Alternatively, you can define your own driver like so:
 
 # HOT GLUE DOCS
 
+Remember: Use `bin/rails generate model Thing` to generate models. Then add `has_many`, `belongs_to`, and _migrate your database_ before building the scaffold with Hot Glue.
+
+You will also need every Rails model to contain _either_ a database column _or_ an object-level method named one of these five things:
+`name`
+`to_label`
+`full_name`
+`display_name`
+`email`
+
+If your database doesn't contain one of these five, add a method to your model using `def to_label`. This will be used as the default label for the object throughout the Hot Glue build system. 
+
 ## First Argument
 (no double slash)
 
-TitleCase class name of the thing you want to build a scaffoling for.
+TitleCase class name of the thing you want to build a scaffolding for.
 
 ```
 ./bin/rails generate hot_glue:scaffold Thing
@@ -672,8 +681,9 @@ Notice that each modifiers can be used with specific field types.
 | (truthy label)\|(falsy label) | specify a binary switch with a pipe (\|) character if the value is truthy, it will display as "truthy label" if the value is falsy, it will display as "falsy label" | booleans, datetimes, dates, times |   |    |
 | partials                      | applies to enums only, you must have a partial whose name matches each enum type                                                                                 | enums only                        |   |   |
 | tinymce                       | applies to text fields only, be sure to setup TineMCE globally                                                                                                   | text fields only                  |    |   |
+| typeahead                     | turns a foreign key (only) into a searchable typeahead field                                                                                                     | foreign keys only                 |   |   |
 
-Except for "(truthy label)" and "(falsy label)" which represent the labels you should specify separated by the pipe character (|), use the modifier exactly as shown.
+Except for "(truthy label)" and "(falsy label)" which use the special syntax, use the modifier _exactly_ as it is named.
 
 ### `--pundit`
 If you enable Pundit, your controllers will look for a Policy that matches the name of the thing being built.
@@ -954,6 +964,25 @@ This happens using two interconnected mechanisms:
 please note that *creating* and *deleting* do not yet have a full & complete implementation: Your pages won't re-render the pages being viewed cross-peer (that is, between two users using the app at the same time) if the insertion or deletion causes the pagination to be off for another user.
 
 
+### `--related-sets`
+
+Used to show a checkbox set of related records. The relationship should be a `has_and_belongs_to_many` or a `has_many through:` from the object being built.
+
+Consider the classic example of three tables: users, user_roles, and roles
+
+User `has_many :user_roles`; UserRole `belongs_to :user` and `belongs_to :role`; and Role `has_many :user_roles` and `has_many :user, through: :user_roles`
+
+We'll generate a scaffold to edit the users table. A checkbox set of related roles will also appear to allow editing of roles. (In this example, the only field to be edited is the email field.)
+
+```
+rails generate hot_glue:scaffold User --related-sets=roles --include=email,roles --gd
+```
+
+Note this leaves open a privileged escalation attack (a security vulnerability).
+
+To fix this, you'll need to use Pundit with special syntax designed for this purpose. Please see Example #16 in the [https://school.jfbcodes.com/8188](Hot Glue Tutorial).
+
+
 ## "Thing" Label
 
 Note that on a per model basis, you can also globally omit the label or set a unique label value using
@@ -1393,11 +1422,11 @@ You can now use a typeahead when editing the book. Instead of displaying the aut
 You will do these three things:
 
 1. As a one-time setup step for your app, run
-`bin/rails generate hot_glue:install_typeahead`
+`bin/rails generate hot_glue:typeahead_install`
 2. When generating a scaffold you want to make a typeahead association, use `--modify='parent_id{typeahead}'` where `parent_id` is the foreign key
 `bin/rails generate hot_glue:scaffold Book --include=title,author_id --modify='author_id{typeahead}'`
 3. Within each namespace, you will generate a special typeahead controller (it exists for the associated object to be searched on
-`bin/rails generate hot_glue:typehead Author`
+`bin/rails generate hot_glue:typeahead Author`
 This will create a controller for `AuthorsTypeaheadController` that will allow text search against any *string* field on the `Author` model.
 This special generator takes flags `--namespace` as the normal generator and also `--search-by` to let you specify the list of fields you want to search by.
 
@@ -1464,6 +1493,34 @@ bin/rails generate Thing --include=my_story --modify='my_story{tinymce}'
 
 # VERSION HISTORY
 
+#### v0.6.1 - `--related-sets`
+
+Used to show a checkbox set of related records. The relationship should be a `has_and_belongs_to_many` or a `has_many through:` from the object being built.
+
+Consider the classic example of three tables: users, user_roles, and roles
+
+User `has_many :user_roles`; UserRole `belongs_to :user` and `belongs_to :role`; and Role `has_many :user_roles` and `has_many :user, through: :user_roles`
+
+We'll generate a scaffold to edit the users table. A checkbox set of related roles will also appear to allow editing of roles. (In this example, the only field to be edited is the email field.)
+
+```
+rails generate hot_glue:scaffold User --related-sets=roles --include=email,roles --gd
+```
+
+Note that when making a scaffold like this, you may leave open a privileged escalation attack (a security vulnerability).
+
+To fix this, you'll need to use Pundit with special syntax designed for this purpose. 
+
+For a complete solution, please see Example #16 in the [https://school.jfbcodes.com/8188](Hot Glue Tutorial).
+
+Without Pundit, due to a quirk in how this code works with ActiveRecord, all update operates to the related sets table are permitted (and go through), even if the update operation otherwise fails validation for the fields on the object. (ActiveRecord doesn't seem to have a way to validate the related sets directly.)
+
+In this case, your update actions may update the relate sets table but fail to update the current object.
+
+Using this feature with Pundit will fix this problem, and it is achieved with a (hacky) implementation that performs a pre-check for each related set against the Pundit policy. 
+
+#### v0.6.0.1 - small tweaks to typeahead
+
 #### 2023-11-03 - v0.6.0
 
 Typeahead Associations
@@ -1476,7 +1533,7 @@ from a searchable typehead input.
 The typeahead is implemented with a native Stimulus JS pair of controllers and is a modern & clean replacement to the old typeahead options.
 
 1. As a one-time setup step for your app, run
-   `bin/rails generate hot_glue:install_typeahead`
+   `bin/rails generate hot_glue:typeahead_install`
 2. When generating a scaffold you want to make a typeahead association, use `--modify='parent_id{typeahead}'` where `parent_id` is the foreign key
    `bin/rails generate hot_glue:scaffold Book --include=title,author_id --modify='author_id{typeahead}'`
 3. Within each namespace, you will generate a special typeahead controller (it exists for the associated object to be searched on

data/lib/generators/hot_glue/field_factory.rb

@@ -10,6 +10,8 @@ require_relative "fields/text_field"
 require_relative "fields/time_field"
 require_relative "fields/uuid_field"
 require_relative "fields/attachment_field"
+require_relative "fields/related_set_field"
+
 
 
 class FieldFactory
@@ -42,6 +44,8 @@ class FieldFactory
               EnumField
             when :attachment
               AttachmentField
+            when :related_set
+              RelatedSetField
             end
     @class_name = class_name
 
@@ -61,6 +65,7 @@ class FieldFactory
                              modify_as: generator.modify_as[name.to_sym] || nil,
                              display_as: generator.display_as[name.to_sym] || nil,
                              default_boolean_display: generator.default_boolean_display,
-                             namespace: generator.namespace_value)
+                             namespace: generator.namespace_value,
+                             pundit: generator.pundit )
   end
 end

data/lib/generators/hot_glue/fields/association_field.rb

@@ -10,7 +10,7 @@ class AssociationField < Field
                  update_show_only: ,
                  hawk_keys: , auth: , sample_file_path:,  ownership_field: ,
                  attachment_data: nil , layout_strategy: , form_placeholder_labels: nil,
-                 form_labels_position:, modify_as: , self_auth: , namespace: )
+                 form_labels_position:, modify_as: , self_auth: , namespace:, pundit:  )
     super
 
     @assoc_model = eval("#{class_name}.reflect_on_association(:#{assoc})")
@@ -80,20 +80,20 @@ class AssociationField < Field
     assoc = eval("#{class_name}.reflect_on_association(:#{assoc_name})")
 
     if modify_as && modify_as[:typeahead]
-         search_url  = "#{namespace ? namespace + "_" : ""}#{assoc.plural_name}_typeahead_index_url"
-
-         "<div class='typeahead typeahead--#{singular}--#{assoc.name}_id'
-           data-controller='typeahead'
-           data-typeahead-url-value='<%= #{search_url} %>'
-           data-typeahead-typeahead-results-outlet='#search-results'>
-           <%= text_field_tag :#{assoc.plural_name}_query, '', placeholder: 'Search #{assoc.plural_name}', class: 'search__input',
-                             data: { action: 'keyup->typeahead#fetchResults keydown->typeahead#navigateResults', typeahead_target: 'query' },
-                             autofocus: true,
-                             autocomplete: 'off',
-                             value: #{singular}.try(:#{assoc.name}).try(:name) %>
-           <%= f.hidden_field :#{assoc.name}_id, value: #{singular}.try(:#{assoc.name}).try(:id), 'data-typeahead-target': 'hiddenFormValue' %>
-           <div data-typeahead-target='results'></div>
-         </div>"
+      search_url  = "#{namespace ? namespace + "_" : ""}#{assoc.plural_name}_typeahead_index_url"
+      "<div class='typeahead typeahead--#{assoc.name}_id'
+      data-controller='typeahead'
+      data-typeahead-url-value='<%= #{search_url} %>'
+      data-typeahead-typeahead-results-outlet='#search-results'>
+      <%= text_field_tag :#{assoc.plural_name}_query, '', placeholder: 'Search #{assoc.plural_name}', class: 'search__input',
+                     data: { action: 'keyup->typeahead#fetchResults keydown->typeahead#navigateResults', typeahead_target: 'query' },
+                     autofocus: true,
+                     autocomplete: 'off',
+                     value: #{singular}.try(:#{assoc.name}).try(:name) %>
+      <%= f.hidden_field :#{assoc.name}_id, value: #{singular}.try(:#{assoc.name}).try(:id), 'data-typeahead-target': 'hiddenFormValue' %>
+      <div data-typeahead-target='results'></div>
+      <div data-typeahead-target='classIdentifier' data-id=\"typeahead--#{assoc_name}_id\"></div>
+      </div>"
     else
       if assoc.nil?
         exit_message = "*** Oops. on the #{class_name} object, there doesn't seem to be an association called '#{assoc_name}'"

data/lib/generators/hot_glue/fields/attachment_field.rb

@@ -1,10 +1,9 @@
 class AttachmentField < Field
   attr_accessor :attachment_data
   def initialize(name:, class_name:, default_boolean_display: ,
-                 display_as:,
-                 singular:, update_show_only:, hawk_keys:, auth:,
+                 display_as:, singular:, update_show_only:, hawk_keys:, auth:,
                  sample_file_path: nil, attachment_data:, ownership_field:, layout_strategy: ,
-                 form_placeholder_labels: , form_labels_position:, modify_as:, self_auth: , namespace:  )
+                 form_placeholder_labels: , form_labels_position:, modify_as:, self_auth: , namespace:, pundit:   )
     super
 
     @attachment_data = attachment_data

data/lib/generators/hot_glue/fields/field.rb

@@ -5,7 +5,7 @@ class Field
                 :hawk_keys,   :layout_strategy, :limit, :modify_as, :name, :object, :sample_file_path,
                 :self_auth,
                 :singular_class,  :singular, :sql_type, :ownership_field,
-                :update_show_only, :namespace
+                :update_show_only, :namespace, :pundit
 
   def initialize(
     auth: ,
@@ -24,7 +24,8 @@ class Field
     singular: ,
     update_show_only:,
     self_auth:,
-    namespace:
+    namespace:,
+    pundit:
   )
     @name = name
     @layout_strategy = layout_strategy
@@ -40,13 +41,14 @@ class Field
     @form_labels_position = form_labels_position
     @modify_as = modify_as
     @display_as = display_as
+    @pundit = pundit
 
     @self_auth = self_auth
     @default_boolean_display = default_boolean_display
-    @namesapce = namespace
+    @namespace = namespace
 
     # TODO: remove knowledge of subclasses from Field
-    unless self.class == AttachmentField
+    unless self.class == AttachmentField || self.class == RelatedSetField
       @sql_type = eval("#{class_name}.columns_hash['#{name}']").sql_type
       @limit = eval("#{class_name}.columns_hash['#{name}']").limit
     end
@@ -56,6 +58,10 @@ class Field
     @name
   end
 
+  def form_field_output
+    raise "superclass must implement"
+  end
+
   def field_error_name
     name
   end

data/lib/generators/hot_glue/fields/related_set_field.rb

@@ -0,0 +1,60 @@
+class RelatedSetField < Field
+
+  attr_accessor :assoc_name, :assoc_class, :assoc
+
+  def initialize( class_name: , default_boolean_display:, display_as: ,
+                  name: , singular: ,
+                  update_show_only: ,
+                  hawk_keys: , auth: , sample_file_path:,  ownership_field: ,
+                  attachment_data: nil , layout_strategy: , form_placeholder_labels: nil,
+                  form_labels_position:, modify_as: , self_auth: , namespace:, pundit:)
+    super
+
+    @related_set_model = eval("#{class_name}.reflect_on_association(:#{name})")
+
+    if @related_set_model.nil?
+          raise "You specified a related set #{name} but there is no association on #{singular_class} for #{name}; please add a `has_and_belongs_to_many :#{name}` OR a `has_many :#{name}, through: ...` to the #{singular_class} model"
+
+      # exit_message = "*** Oops: The model #{class_name} is missing an association for :#{assoc_name} or the model #{assoc_name.titlecase} doesn't exist. TODO: Please implement a model for #{assoc_name.titlecase}; or add to #{class_name} `belongs_to :#{assoc_name}`.  To make a controller that can read all records, specify with --god."
+      puts exit_message
+      raise(HotGlue::Error, exit_message)
+    end
+
+    @assoc_class = eval(@related_set_model.try(:class_name))
+
+    name_list = [:name, :to_label, :full_name, :display_name, :email]
+
+    if assoc_class && name_list.collect{ |field|
+      assoc_class.respond_to?(field.to_s) || assoc_class.instance_methods.include?(field)
+    }.none?
+      exit_message = "Oops: Missing a label for `#{assoc_class}`. Can't find any column to use as the display label for the #{@assoc_name} association on the #{class_name} model. TODO: Please implement just one of: 1) name, 2) to_label, 3) full_name, 4) display_name 5) email. You can implement any of these directly on your`#{assoc_class}` model (can be database fields or model methods) or alias them to field you want to use as your display label. Then RERUN THIS GENERATOR. (Field used will be chosen based on rank here.)"
+      raise(HotGlue::Error, exit_message)
+    end
+
+  end
+
+
+  def form_field_output
+    disabled_syntax = +""
+    if pundit
+      disabled_syntax << ", {disabled: ! #{class_name}Policy.new(#{auth}, @#{singular}).role_ids_able?}"
+    end
+    " <%= f.collection_check_boxes :#{association_ids_method}, #{association_class_name}.all, :id, :label, {}#{disabled_syntax} do |m| %>
+      <%= m.check_box %> <%= m.label %><br />
+    <% end %>"
+  end
+
+  def association_ids_method
+    eval("#{class_name}.reflect_on_association(:#{name})").class_name.underscore + "_ids"
+  end
+
+  def association_class_name
+    eval("#{class_name}.reflect_on_association(:#{name})").class_name
+  end
+
+  def viewable_output
+    "<%= #{singular}.#{name}.collect(&:label).join(\", \") %>"
+  end
+end
+
+

data/lib/generators/hot_glue/markup_templates/erb.rb

@@ -8,7 +8,7 @@ module  HotGlue
                   :inline_list_labels, :layout_object,
                   :columns,  :col_identifier, :singular,
                   :form_placeholder_labels, :hawk_keys, :update_show_only,
-                  :attachments, :show_only, :columns_map, :pundit
+                  :attachments, :show_only, :columns_map, :pundit, :related_sets
 
 
       def initialize(singular:, singular_class: ,
@@ -17,7 +17,7 @@ module  HotGlue
                    ownership_field: , form_labels_position: ,
                    inline_list_labels: ,
                    form_placeholder_labels:, hawk_keys: ,
-                   update_show_only:, attachments: , columns_map:, pundit: )
+                   update_show_only:, attachments: , columns_map:, pundit:, related_sets:  )
 
       @singular = singular
       @singular_class = singular_class
@@ -39,6 +39,7 @@ module  HotGlue
       @hawk_keys = hawk_keys
       @update_show_only = update_show_only
       @attachments = attachments
+      @related_sets = related_sets
     end
 
     def add_spaces_each_line(text, num_spaces)
@@ -150,7 +151,7 @@ module  HotGlue
 
         "<div class='#{col_identifier} #{singular}--#{column.join("-")}'#{style_with_flex_basis}> " +
         column.map { |col|
-          if eval("#{singular_class}.columns_hash['#{col}']").nil? && !attachments.keys.include?(col)
+          if eval("#{singular_class}.columns_hash['#{col}']").nil? && !attachments.keys.include?(col) && !related_sets.include?(col)
             raise "Can't find column '#{col}' on #{singular_class}, are you sure that is the column name?"
           end
           field_output = columns_map[col].line_field_output

data/lib/generators/hot_glue/scaffold_generator.rb

@@ -23,7 +23,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
                 :nest_with, :path, :plural, :sample_file_path, :show_only_data, :singular,
                 :singular_class, :smart_layout, :stacked_downnesting, :update_show_only, :ownership_field,
                 :layout_strategy, :form_placeholder_labels, :form_labels_position, :pundit,
-                :self_auth, :namespace_value
+                :self_auth, :namespace_value, :related_sets
   # important: using an attr_accessor called :namespace indirectly causes a conflict with Rails class_name method
   # so we use namespace_value instead
 
@@ -89,6 +89,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   class_option :modify, default: {}
   class_option :display_as, default: {}
   class_option :pundit, default: nil
+  class_option :related_sets, default: ''
 
   def initialize(*meta_args)
     super
@@ -320,7 +321,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
     end
 
     if @god
-      @auth = nil
+      # @auth = nil
     end
     # when in self auth, the object is the same as the authenticated object
 
@@ -370,6 +371,24 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
       puts "NESTING: #{@nested_set}"
     end
 
+    # related_sets
+    related_set_input = options['related_sets'].split(",")
+    @related_sets = {}
+    related_set_input.each do |setting|
+      name = setting.to_sym
+      association_ids_method = eval("#{singular_class}.reflect_on_association(:#{setting.to_sym})").class_name.underscore + "_ids"
+      class_name = eval("#{singular_class}.reflect_on_association(:#{setting.to_sym})").class_name
+
+      @related_sets[setting.to_sym] =   { name: setting.to_sym,
+                          association_ids_method: association_ids_method,
+                          class_name: class_name }
+    end
+
+    if @related_sets.any?
+      puts "RELATED SETS: #{@related_sets}"
+
+    end
+
     # OBJECT OWNERSHIP & NESTING
     @reference_name = HotGlue.derrive_reference_name(singular_class)
     if @auth && @self_auth
@@ -409,13 +428,16 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
 
     buttons_width = ((!@no_edit && 1) || 0) + ((!@no_delete && 1) || 0) + @magic_buttons.count
 
+
+
+
     # build a new polymorphic object
     @associations = []
     @columns_map = {}
     @columns.each do |col|
-      if !(@the_object.columns_hash.keys.include?(col.to_s) || @attachments.keys.include?(col))
-        raise "couldn't find #{col} in either field list or attachments list"
-      end
+      # if !(@the_object.columns_hash.keys.include?(col.to_s) || @attachments.keys.include?(col))
+      #   raise "couldn't find #{col} in either field list or attachments list"
+      # end
 
       if col.to_s.starts_with?("_")
         @show_only << col
@@ -425,6 +447,10 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
         type = @the_object.columns_hash[col.to_s].type
       elsif @attachments.keys.include?(col)
         type = :attachment
+      elsif @related_sets.keys.include?(col)
+        type = :related_set
+      else
+        raise "couldn't find #{col} in either field list, attachments, or related sets"
       end
       this_column_object = FieldFactory.new(name: col.to_s,
                                             generator: self,
@@ -440,7 +466,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
       if field.is_a?(AssociationField)
         if @modify_as && @modify_as[key] && @modify_as[key][:typeahead]
           assoc_name = field.assoc_name
-          file_path = "app/controllers/#{namespace ? namspace + "/" : ""}#{assoc_name.pluralize}_typeahead_controller.rb"
+          file_path = "app/controllers/#{@namespace ? @namespace + "/" : ""}#{assoc_name.pluralize}_typeahead_controller.rb"
 
           if ! File.exist?(file_path)
 
@@ -455,6 +481,8 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
       end
     end
 
+
+
     # create the template object
     if @markup == "erb"
       @template_builder = HotGlue::ErbTemplate.new(
@@ -473,6 +501,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
         attachments: @attachments,
         columns_map: @columns_map,
         pundit: @pundit,
+        related_sets: @related_sets
       )
     elsif @markup == "slim"
       raise(HotGlue::Error, "SLIM IS NOT IMPLEMENTED")
@@ -607,6 +636,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   end
 
   def identify_object_owner
+    return if @god
     auth_assoc = @auth && @auth.gsub("current_", "")
 
     if @object_owner_sym && !@self_auth
@@ -657,6 +687,16 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
 
       check_if_sample_file_is_present
     end
+
+    if @related_sets.any?
+      if !@pundit
+        puts "********************\nWARNING: You are using --related-sets without using Pundit. This makes the set fully accessible. Use Pundit to prevent a privileged escalation vulnerability\n********************\n"
+      end
+      @related_sets.each do |key, related_set|
+        @columns << related_set[:name] if !@columns.include?(related_set[:name])
+        puts "Adding related set :#{related_set[:name]} as-a-column"
+      end
+    end
   end
 
   def check_if_sample_file_is_present
@@ -676,13 +716,13 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
     puts ""
   end
 
-  def fields_filtered_for_email_lookups
-    @columns
+  def fields_filtered_for_strong_params
+    @columns - @related_sets.collect{|key, set| set[:name]}
   end
 
   def creation_syntax
     if @factory_creation == ''
-      "@#{singular } = #{ class_name }.create(modified_params)"
+      "@#{singular } = #{ class_name }.new(modified_params)"
     else
       "#{@factory_creation}\n" +
         "    @#{singular } = factory.#{singular}"
@@ -969,7 +1009,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   end
 
   def object_scope
-    if @auth
+    if @auth && !@god
       if @nested_set.none?
         @auth + ".#{plural}"
       else
@@ -1296,7 +1336,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
 
   def n_plus_one_includes
     if @associations.any? || @attachments.any?
-      ".includes(" + (@associations.map { |x| x } + @attachments.collect { |k, v| "#{k}_attachment" }).map { |x| ":#{x.to_s}" }.join(", ") + ")"
+      ".includes(" + (@associations.map { |x| x } + @attachments.collect { |k, v| "#{k}_attachment" } ).map { |x| ":#{x.to_s}" }.join(", ") + ")"
     else
       ""
     end
@@ -1342,7 +1382,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   end
 
   def any_datetime_fields?
-    (@columns - @attachments.keys.collect(&:to_sym)).collect { |col| eval("#{singular_class}.columns_hash['#{col}']").type }.include?(:datetime)
+    (@columns - @attachments.keys.collect(&:to_sym) - @related_sets.keys ).collect { |col| eval("#{singular_class}.columns_hash['#{col}']").type }.include?(:datetime)
   end
 
   def post_action_parental_updates

data/lib/generators/hot_glue/templates/controller.rb.erb

@@ -72,7 +72,7 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
 
   <% end %>def load_all_<%= plural %><% if @pundit %>
     @<%= plural_name %> =  policy_scope(<%= object_scope %>).page(params[:page])<%= n_plus_one_includes %><%= ".per(per)" if @paginate_per_page_selector %>
-    authorize @<%= plural_name %>.all<% else %> <% if !@self_auth %>
+    <% else %> <% if !@self_auth %>
     @<%= plural_name %> = <%= object_scope.gsub("@",'') %><%= n_plus_one_includes %>.page(params[:page])<%= ".per(per)" if @paginate_per_page_selector %><%= " if params.include?(:#{ @nested_set.last[:singular]}_id)" if @nested_set.any? && @nested_set[0] &&  @nested_set[0][:optional] %><% if @nested_set[0] &&  @nested_set[0][:optional] %>
     @<%= plural_name %> = <%= class_name %>.all<% end %><% else %>
     @<%= plural_name %> = <%= class_name %>.where(id: <%= auth_object.gsub("@",'') %>.id)<%= n_plus_one_includes %>.page(params[:page])<%= ".per(per)" if @paginate_per_page_selector %><% end %>
@@ -80,7 +80,8 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
   end
 
   def index
-    load_all_<%= plural %><% if @pundit %>
+    load_all_<%= plural %><% if @pundit %><% if @pundit %>
+    authorize @<%= plural_name %><% end %>
   rescue Pundit::NotAuthorizedError
     flash[:alert] = "You are not authorized to perform this action."
     render "layouts/error"<% end %>
@@ -94,19 +95,23 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
     @action = "new"
   rescue Pundit::NotAuthorizedError
     flash[:alert] = "You are not authorized to perform this action."
+    load_all_users
     render :index<% end %>
   end
 
   def create
     modified_params = modify_date_inputs_on_params(<%= singular_name %>_params.dup, <%= current_user_object %>, <%= datetime_fields_list %>) <% if @object_owner_sym &&  eval("#{class_name}.reflect_on_association(:#{@object_owner_sym})").class == ActiveRecord::Reflection::BelongsToReflection  %>
     modified_params = modified_params.merge(<%= @object_owner_sym %>: <%= @object_owner_eval %>) <% elsif @object_owner_optional && any_nested? %>
-    modified_params = modified_params.merge(<%= @object_owner_name %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}) <% elsif !@object_owner_eval.empty? %>
+    modified_params = modified_params.merge(<%= @object_owner_name %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}) <% elsif !@object_owner_eval.empty? && !@god %>
     modified_params = modified_params.merge(<%= @object_owner_eval %>) <% end %>
 
       <% if @hawk_keys.any? %>
     modified_params = hawk_params({<%= hawk_to_ruby %>}, modified_params)<% end %>
-      <%= controller_attachment_orig_filename_pickup_syntax %>
+    <%= controller_attachment_orig_filename_pickup_syntax %>
     <%= creation_syntax %>
+    <% if @pundit %><% @related_sets.each do |key, related_set| %>
+    check_<%= related_set[:association_ids_method].to_s %>_permissions(modified_params, :create)<% end %><% end %>
+    <% if @pundit %>authorize @<%= singular %><% end %>
 
     if @<%= singular_name %>.save
       flash[:notice] = "Successfully created #{@<%= singular %>.<%= display_class %>}"
@@ -152,17 +157,20 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
       flash[:notice] << "<% singular %> <%= button.titlecase %>."
     end
     <% end %>
+
     modified_params = modify_date_inputs_on_params(<% if @update_show_only %>update_<% end %><%= singular_name %>_params.dup<%= controller_update_params_tap_away_magic_buttons  %>, <%= current_user_object %>, <%= datetime_fields_list %>) <% if @object_owner_sym &&  eval("#{class_name}.reflect_on_association(:#{@object_owner_sym})").class == ActiveRecord::Reflection::BelongsToReflection  %>
     modified_params = modified_params.merge(<%= @object_owner_sym %>: <%= @object_owner_eval %>) <% elsif @object_owner_optional && any_nested? %>
-    modified_params = modified_params.merge(<%= @object_owner_name %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}) <% elsif ! @object_owner_eval.empty?  && !@self_auth%>
+    modified_params = modified_params.merge(<%= @object_owner_name %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}) <% elsif ! @object_owner_eval.empty?  && !@self_auth && ! @god%>
     modified_params = modified_params.merge(<%= @object_owner_eval %>) <% end %>
+    <% if @pundit %><% @related_sets.each do |key, related_set| %>
+    check_<%= related_set[:association_ids_method].to_s %>_permissions(modified_params, :update)<% end %><% end %>
 
     <% if @hawk_keys.any? %>    modified_params = hawk_params({<%= hawk_to_ruby %>}, modified_params)<% end %>
       <%= controller_attachment_orig_filename_pickup_syntax %>
     <% if @pundit %>
     if @<%= singular_name %>.attributes = modified_params
-        authorize @<%= singular_name %>
-        @<%= singular_name %>.save
+      authorize @<%= singular_name %>
+      @<%= singular_name %>.save
     <% else %>
     if @<%= singular_name %>.update(modified_params)
     <% end %>
@@ -194,12 +202,23 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
     render :update<% end %>
   end<% end %>
 
+<% if @pundit %><% @related_sets.each do |key, rs| %>
+  def check_<%= rs[:association_ids_method] %>_permissions(modified_params, action)
+    if modified_params[:<%= rs[:association_ids_method] %>].present? && modified_params[:<%= rs[:association_ids_method] %>] != @<%= singular %>.<%= rs[:association_ids_method] %>
+      # authorize the <%= rs[:association_ids_method] %> change using special modified_relations: {<%= rs[:association_ids_method] %>: modified_params[:<%= rs[:association_ids_method] %>>]} syntax for Pundit
+      if ! <%= singular_class %>Policy.new(current_user, @<%= singular %>, modified_relations: {role_ids: modified_params[:<%= rs[:association_ids_method] %>]}).method("#{action}?".to_sym).call
+        authorize @<%= singular %>, "#{action}?".to_sym
+        raise Pundit::NotAuthorizedError, message: @<%= singular %>.errors.collect{|k| "#{k.attribute} #{k.message}"}.join(" ")
+      end
+    end
+  end<% end %><% end %>
+
   def <%=singular_name%>_params
-    params.require(:<%= testing_name %>).permit(<%= (fields_filtered_for_email_lookups - @show_only ) + @magic_buttons.collect{|x| "__#{x}".to_sym }%>)
+    params.require(:<%= testing_name %>).permit(<%= ((fields_filtered_for_strong_params - @show_only ) + @magic_buttons.collect{|x| "__#{x}"}).collect{|sym| ":#{sym}"}.join(", ") %><%= ", " + @related_sets.collect{|key, rs| "#{rs[:association_ids_method]}: []"}.join(", ") if @related_sets.any? %>)
   end<% if @update_show_only %>
 
   def update_<%=singular_name%>_params
-    params.require(:<%= testing_name %>).permit(<%= (fields_filtered_for_email_lookups - @update_show_only) + @magic_buttons.collect{|x| "__#{x}".to_sym }%>)
+    params.require(:<%= testing_name %>).permit(<%= ((fields_filtered_for_strong_params - @update_show_only)  + @magic_buttons.collect{|x| "__#{x}"}).collect{|sym| ":#{sym}"}.join(", ") %><%= ", " + @related_sets.collect{|key, rs| "#{rs[:association_ids_method]}: []"}.join(", ") if @related_sets.any? %>)
   end<% end %>
 
   def namespace

data/lib/generators/hot_glue/templates/typeahead_controller.rb.erb

@@ -6,7 +6,7 @@ class <%= ((@namespace.titleize.gsub(" ", "") + "::" if @namespace) || "") + @pl
 
   def index
     query = params[:query]
-
+    @typeahead_identifier = params[:typeahead_identifier]
     @<%= @plural %> = <%= @singular.titleize.gsub(" ", "") %>.where("<%= @search_by.collect{|search| "LOWER(#{search}) LIKE ?" }.join(" OR ") %>", <%= @search_by.collect{|search|  "\"%\#{query.downcase}%\"" }.join(", ") %>).limit(10)
 
     render layout: false

data/lib/generators/hot_glue/templates/typeahead_views/index.html.erb

@@ -1,7 +1,7 @@
 
 <div class="typeahead-results__<%= @plural %>"
      data-controller="typeahead-results"
-     data-typeahead-results-typeahead-outlet=".typeahead--book--<%= @singular %>_id"
+     data-typeahead-results-typeahead-outlet=".<\%= @typeahead_identifier %>"
      data-typeahead-results-current-class="search__result--current" >
   <ul class="search__results" data-typeahead-results-target="result">
     <\% if @<%= @plural %>.any? %>

data/lib/generators/hot_glue/templates/typeahead_views/typeahead_controller.js

@@ -1,7 +1,8 @@
 import { Controller } from "@hotwired/stimulus"
 
 export default class extends Controller {
-  static targets = [ "query", "results", "hiddenFormValue" ]
+  static targets = [ "query", "results", "hiddenFormValue",
+    "classIdentifier"]
   static values = { url: String }
   static outlets = [ "typeahead-results" ]
 
@@ -10,6 +11,10 @@ export default class extends Controller {
   }
 
   fetchResults() {
+
+
+    var typeaheadIdentifier = this.classIdentifierTarget.dataset.id
+
     if(this.query == "") {
       this.reset()
       return
@@ -22,6 +27,7 @@ export default class extends Controller {
 
     const url = new URL(this.urlValue)
     url.searchParams.append("query", this.query)
+    url.searchParams.append("typeahead_identifier", typeaheadIdentifier)
 
     this.abortPreviousFetchRequest()
 

data/lib/generators/hot_glue/templates/typeahead_views/typeahead_results_controller.js

@@ -12,7 +12,6 @@ export default class extends Controller {
 
   connect() {
     this.currentResultIndex = 0
-
     const allElements = this.resultTarget.querySelectorAll(".search-result-item");
 
     allElements.forEach((element, index) => {
@@ -29,7 +28,6 @@ export default class extends Controller {
     const result_id = element.dataset.id;
 
     // how to pass this to the search controller, set the field value and clear out the search
-    console.log("search item clicked...", result_value, result_id)
 
     this.typeaheadOutlets.forEach(outlet => {
       outlet.hiddenFormValueTarget.value = result_id;

data/lib/hotglue/version.rb

@@ -1,5 +1,5 @@
 module HotGlue
   class Version
-    CURRENT = '0.6.0'
+    CURRENT = '0.6.1'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hot-glue
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.6.1
 platform: ruby
 authors:
 - Jason Fleetwood-Boldt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-03 00:00:00.000000000 Z
+date: 2023-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -90,6 +90,7 @@ files:
 - lib/generators/hot_glue/fields/field.rb
 - lib/generators/hot_glue/fields/float_field.rb
 - lib/generators/hot_glue/fields/integer_field.rb
+- lib/generators/hot_glue/fields/related_set_field.rb
 - lib/generators/hot_glue/fields/string_field.rb
 - lib/generators/hot_glue/fields/text_field.rb
 - lib/generators/hot_glue/fields/time_field.rb
@@ -174,5 +175,5 @@ requirements: []
 rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
-summary: A gem to build Tubro Rails scaffolding.
+summary: A gem to build Turbo Rails scaffolding.
 test_files: []