RubyGems - hot-glue - Versions diffs - 0.6.0.1 → 0.6.1 - Mend

hot-glue 0.6.0.1 → 0.6.1

Files changed (13) hide show

checksums.yaml +4 -4
data/Gemfile.lock +4 -4
data/README.md +50 -2
data/lib/generators/hot_glue/field_factory.rb +7 -1
data/lib/generators/hot_glue/fields/association_field.rb +1 -1
data/lib/generators/hot_glue/fields/attachment_field.rb +2 -3
data/lib/generators/hot_glue/fields/field.rb +9 -3
data/lib/generators/hot_glue/fields/related_set_field.rb +60 -0
data/lib/generators/hot_glue/markup_templates/erb.rb +4 -3
data/lib/generators/hot_glue/scaffold_generator.rb +52 -12
data/lib/generators/hot_glue/templates/controller.rb.erb +28 -9
data/lib/hotglue/version.rb +1 -1
metadata +4 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8ffc84538112521ab7f15e7c0d234de7ffc5e5231e49a6ffb3cb3fd77c4f0545
-  data.tar.gz: f9e7c8e6b171aace305d5fae08ee24d08f6304c0127e5044579e8d3c30cc6ca6
+  metadata.gz: 98f341b6907ade21c64956cab48b59503280aefaf9836b718d33e26ed854d32a
+  data.tar.gz: ada2f154b32372c90c107c7507cb57d65850e761017bd17c04e6d5afc7302097
 SHA512:
-  metadata.gz: 53da97a3e0c570c41594ae47ed50149a5519e512d1677c38dc70fb118e69893d67165b7f7de89e0e8f56325f766934225f810c52fba501c9b9a1a71943cdc365
-  data.tar.gz: f6fd036dd5abeb33724927a6a25e2fab560f553f4df23cf186438f09036e68f147aef50ce356b7c9c3858cd3fbe81c02bc9649b46076562da3a3cf43f0cf0530
+  metadata.gz: 7f38775a9cd7743c6dfb39fe4c4bed6e8b27e6987dd455b460205db6b0e13f8ea5c25e7bd24d59992ead7ca8d689f31fc71c73c5f40ea7578aaace49c41dfaca
+  data.tar.gz: ce1fa03301507fdc462d8a43d6d0253a4bbf8d1c2184d1a582683d56ff67d5d5b9eb21b60902a8d4dfe390d41e4b3ade485e255db659ab7683e34558d838388a

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    hot-glue (0.6.0)
+    hot-glue (0.6.0.1)
       ffaker (~> 2.16)
       kaminari (~> 1.2)
       rails (> 5.1)
@@ -90,7 +90,7 @@ GEM
       xpath (~> 3.2)
     concurrent-ruby (1.1.10)
     crass (1.0.6)
-    date (3.3.3)
+    date (3.3.4)
     devise (4.8.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
@@ -144,7 +144,7 @@ GEM
       net-protocol
     net-pop (0.1.2)
       net-protocol
-    net-protocol (0.2.1)
+    net-protocol (0.2.2)
       timeout
     net-smtp (0.4.0)
       net-protocol
@@ -235,7 +235,7 @@ GEM
     stimulus-rails (1.1.1)
       railties (>= 6.0.0)
     thor (1.2.1)
-    timeout (0.4.0)
+    timeout (0.4.1)
     turbo-rails (1.3.2)
       actionpack (>= 6.0.0)
       activejob (>= 6.0.0)

data/README.md CHANGED Viewed

@@ -681,8 +681,9 @@ Notice that each modifiers can be used with specific field types.
 | (truthy label)\|(falsy label) | specify a binary switch with a pipe (\|) character if the value is truthy, it will display as "truthy label" if the value is falsy, it will display as "falsy label" | booleans, datetimes, dates, times |   |    |
 | partials                      | applies to enums only, you must have a partial whose name matches each enum type                                                                                 | enums only                        |   |   |
 | tinymce                       | applies to text fields only, be sure to setup TineMCE globally                                                                                                   | text fields only                  |    |   |
+| typeahead                     | turns a foreign key (only) into a searchable typeahead field                                                                                                     | foreign keys only                 |   |   |
-Except for "(truthy label)" and "(falsy label)" which represent the labels you should specify separated by the pipe character (|), use the modifier exactly as shown.
+Except for "(truthy label)" and "(falsy label)" which use the special syntax, use the modifier _exactly_ as it is named.
 ### `--pundit`
 If you enable Pundit, your controllers will look for a Policy that matches the name of the thing being built.
@@ -963,6 +964,25 @@ This happens using two interconnected mechanisms:
 please note that *creating* and *deleting* do not yet have a full & complete implementation: Your pages won't re-render the pages being viewed cross-peer (that is, between two users using the app at the same time) if the insertion or deletion causes the pagination to be off for another user.
+### `--related-sets`
+Used to show a checkbox set of related records. The relationship should be a `has_and_belongs_to_many` or a `has_many through:` from the object being built.
+Consider the classic example of three tables: users, user_roles, and roles
+User `has_many :user_roles`; UserRole `belongs_to :user` and `belongs_to :role`; and Role `has_many :user_roles` and `has_many :user, through: :user_roles`
+We'll generate a scaffold to edit the users table. A checkbox set of related roles will also appear to allow editing of roles. (In this example, the only field to be edited is the email field.)
+```
+rails generate hot_glue:scaffold User --related-sets=roles --include=email,roles --gd
+```
+Note this leaves open a privileged escalation attack (a security vulnerability).
+To fix this, you'll need to use Pundit with special syntax designed for this purpose. Please see Example #16 in the [https://school.jfbcodes.com/8188](Hot Glue Tutorial).
 ## "Thing" Label
 Note that on a per model basis, you can also globally omit the label or set a unique label value using
@@ -1406,7 +1426,7 @@ You will do these three things:
 2. When generating a scaffold you want to make a typeahead association, use `--modify='parent_id{typeahead}'` where `parent_id` is the foreign key
 `bin/rails generate hot_glue:scaffold Book --include=title,author_id --modify='author_id{typeahead}'`
 3. Within each namespace, you will generate a special typeahead controller (it exists for the associated object to be searched on
-`bin/rails generate hot_glue:typehead Author`
+`bin/rails generate hot_glue:typeahead Author`
 This will create a controller for `AuthorsTypeaheadController` that will allow text search against any *string* field on the `Author` model.
 This special generator takes flags `--namespace` as the normal generator and also `--search-by` to let you specify the list of fields you want to search by.
@@ -1473,6 +1493,34 @@ bin/rails generate Thing --include=my_story --modify='my_story{tinymce}'
 # VERSION HISTORY
+#### v0.6.1 - `--related-sets`
+Used to show a checkbox set of related records. The relationship should be a `has_and_belongs_to_many` or a `has_many through:` from the object being built.
+Consider the classic example of three tables: users, user_roles, and roles
+User `has_many :user_roles`; UserRole `belongs_to :user` and `belongs_to :role`; and Role `has_many :user_roles` and `has_many :user, through: :user_roles`
+We'll generate a scaffold to edit the users table. A checkbox set of related roles will also appear to allow editing of roles. (In this example, the only field to be edited is the email field.)
+```
+rails generate hot_glue:scaffold User --related-sets=roles --include=email,roles --gd
+```
+Note that when making a scaffold like this, you may leave open a privileged escalation attack (a security vulnerability).
+To fix this, you'll need to use Pundit with special syntax designed for this purpose.
+For a complete solution, please see Example #16 in the [https://school.jfbcodes.com/8188](Hot Glue Tutorial).
+Without Pundit, due to a quirk in how this code works with ActiveRecord, all update operates to the related sets table are permitted (and go through), even if the update operation otherwise fails validation for the fields on the object. (ActiveRecord doesn't seem to have a way to validate the related sets directly.)
+In this case, your update actions may update the relate sets table but fail to update the current object.
+Using this feature with Pundit will fix this problem, and it is achieved with a (hacky) implementation that performs a pre-check for each related set against the Pundit policy.
+#### v0.6.0.1 - small tweaks to typeahead
 #### 2023-11-03 - v0.6.0
 Typeahead Associations

data/lib/generators/hot_glue/field_factory.rb CHANGED Viewed

@@ -10,6 +10,8 @@ require_relative "fields/text_field"
 require_relative "fields/time_field"
 require_relative "fields/uuid_field"
 require_relative "fields/attachment_field"
+require_relative "fields/related_set_field"
 class FieldFactory
@@ -42,8 +44,11 @@ class FieldFactory
               EnumField
             when :attachment
               AttachmentField
+            when :related_set
+              RelatedSetField
             end
     @class_name = class_name
     @field = field_class.new(name: name,
                              layout_strategy: generator.layout_strategy,
                              form_placeholder_labels: generator.form_placeholder_labels,
@@ -60,6 +65,7 @@ class FieldFactory
                              modify_as: generator.modify_as[name.to_sym] || nil,
                              display_as: generator.display_as[name.to_sym] || nil,
                              default_boolean_display: generator.default_boolean_display,
-                             namespace: generator.namespace_value)
+                             namespace: generator.namespace_value,
+                             pundit: generator.pundit )
   end
 end

data/lib/generators/hot_glue/fields/association_field.rb CHANGED Viewed

@@ -10,7 +10,7 @@ class AssociationField < Field
                  update_show_only: ,
                  hawk_keys: , auth: , sample_file_path:,  ownership_field: ,
                  attachment_data: nil , layout_strategy: , form_placeholder_labels: nil,
-                 form_labels_position:, modify_as: , self_auth: , namespace: )
+                 form_labels_position:, modify_as: , self_auth: , namespace:, pundit:  )
     super
     @assoc_model = eval("#{class_name}.reflect_on_association(:#{assoc})")

data/lib/generators/hot_glue/fields/attachment_field.rb CHANGED Viewed

@@ -1,10 +1,9 @@
 class AttachmentField < Field
   attr_accessor :attachment_data
   def initialize(name:, class_name:, default_boolean_display: ,
-                 display_as:,
-                 singular:, update_show_only:, hawk_keys:, auth:,
+                 display_as:, singular:, update_show_only:, hawk_keys:, auth:,
                  sample_file_path: nil, attachment_data:, ownership_field:, layout_strategy: ,
-                 form_placeholder_labels: , form_labels_position:, modify_as:, self_auth: , namespace:  )
+                 form_placeholder_labels: , form_labels_position:, modify_as:, self_auth: , namespace:, pundit:   )
     super
     @attachment_data = attachment_data

data/lib/generators/hot_glue/fields/field.rb CHANGED Viewed

@@ -5,7 +5,7 @@ class Field
                 :hawk_keys,   :layout_strategy, :limit, :modify_as, :name, :object, :sample_file_path,
                 :self_auth,
                 :singular_class,  :singular, :sql_type, :ownership_field,
-                :update_show_only, :namespace
+                :update_show_only, :namespace, :pundit
   def initialize(
     auth: ,
@@ -24,7 +24,8 @@ class Field
     singular: ,
     update_show_only:,
     self_auth:,
-    namespace:
+    namespace:,
+    pundit:
   )
     @name = name
     @layout_strategy = layout_strategy
@@ -40,13 +41,14 @@ class Field
     @form_labels_position = form_labels_position
     @modify_as = modify_as
     @display_as = display_as
+    @pundit = pundit
     @self_auth = self_auth
     @default_boolean_display = default_boolean_display
     @namespace = namespace
     # TODO: remove knowledge of subclasses from Field
-    unless self.class == AttachmentField
+    unless self.class == AttachmentField || self.class == RelatedSetField
       @sql_type = eval("#{class_name}.columns_hash['#{name}']").sql_type
       @limit = eval("#{class_name}.columns_hash['#{name}']").limit
     end
@@ -56,6 +58,10 @@ class Field
     @name
   end
+  def form_field_output
+    raise "superclass must implement"
+  end
   def field_error_name
     name
   end

data/lib/generators/hot_glue/fields/related_set_field.rb ADDED Viewed

@@ -0,0 +1,60 @@
+class RelatedSetField < Field
+  attr_accessor :assoc_name, :assoc_class, :assoc
+  def initialize( class_name: , default_boolean_display:, display_as: ,
+                  name: , singular: ,
+                  update_show_only: ,
+                  hawk_keys: , auth: , sample_file_path:,  ownership_field: ,
+                  attachment_data: nil , layout_strategy: , form_placeholder_labels: nil,
+                  form_labels_position:, modify_as: , self_auth: , namespace:, pundit:)
+    super
+    @related_set_model = eval("#{class_name}.reflect_on_association(:#{name})")
+    if @related_set_model.nil?
+          raise "You specified a related set #{name} but there is no association on #{singular_class} for #{name}; please add a `has_and_belongs_to_many :#{name}` OR a `has_many :#{name}, through: ...` to the #{singular_class} model"
+      # exit_message = "*** Oops: The model #{class_name} is missing an association for :#{assoc_name} or the model #{assoc_name.titlecase} doesn't exist. TODO: Please implement a model for #{assoc_name.titlecase}; or add to #{class_name} `belongs_to :#{assoc_name}`.  To make a controller that can read all records, specify with --god."
+      puts exit_message
+      raise(HotGlue::Error, exit_message)
+    end
+    @assoc_class = eval(@related_set_model.try(:class_name))
+    name_list = [:name, :to_label, :full_name, :display_name, :email]
+    if assoc_class && name_list.collect{ |field|
+      assoc_class.respond_to?(field.to_s) || assoc_class.instance_methods.include?(field)
+    }.none?
+      exit_message = "Oops: Missing a label for `#{assoc_class}`. Can't find any column to use as the display label for the #{@assoc_name} association on the #{class_name} model. TODO: Please implement just one of: 1) name, 2) to_label, 3) full_name, 4) display_name 5) email. You can implement any of these directly on your`#{assoc_class}` model (can be database fields or model methods) or alias them to field you want to use as your display label. Then RERUN THIS GENERATOR. (Field used will be chosen based on rank here.)"
+      raise(HotGlue::Error, exit_message)
+    end
+  end
+  def form_field_output
+    disabled_syntax = +""
+    if pundit
+      disabled_syntax << ", {disabled: ! #{class_name}Policy.new(#{auth}, @#{singular}).role_ids_able?}"
+    end
+    " <%= f.collection_check_boxes :#{association_ids_method}, #{association_class_name}.all, :id, :label, {}#{disabled_syntax} do |m| %>
+      <%= m.check_box %> <%= m.label %><br />
+    <% end %>"
+  end
+  def association_ids_method
+    eval("#{class_name}.reflect_on_association(:#{name})").class_name.underscore + "_ids"
+  end
+  def association_class_name
+    eval("#{class_name}.reflect_on_association(:#{name})").class_name
+  end
+  def viewable_output
+    "<%= #{singular}.#{name}.collect(&:label).join(\", \") %>"
+  end
+end

data/lib/generators/hot_glue/markup_templates/erb.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module  HotGlue
                   :inline_list_labels, :layout_object,
                   :columns,  :col_identifier, :singular,
                   :form_placeholder_labels, :hawk_keys, :update_show_only,
-                  :attachments, :show_only, :columns_map, :pundit
+                  :attachments, :show_only, :columns_map, :pundit, :related_sets
       def initialize(singular:, singular_class: ,
@@ -17,7 +17,7 @@ module  HotGlue
                    ownership_field: , form_labels_position: ,
                    inline_list_labels: ,
                    form_placeholder_labels:, hawk_keys: ,
-                   update_show_only:, attachments: , columns_map:, pundit: )
+                   update_show_only:, attachments: , columns_map:, pundit:, related_sets:  )
       @singular = singular
       @singular_class = singular_class
@@ -39,6 +39,7 @@ module  HotGlue
       @hawk_keys = hawk_keys
       @update_show_only = update_show_only
       @attachments = attachments
+      @related_sets = related_sets
     end
     def add_spaces_each_line(text, num_spaces)
@@ -150,7 +151,7 @@ module  HotGlue
         "<div class='#{col_identifier} #{singular}--#{column.join("-")}'#{style_with_flex_basis}> " +
         column.map { |col|
-          if eval("#{singular_class}.columns_hash['#{col}']").nil? && !attachments.keys.include?(col)
+          if eval("#{singular_class}.columns_hash['#{col}']").nil? && !attachments.keys.include?(col) && !related_sets.include?(col)
             raise "Can't find column '#{col}' on #{singular_class}, are you sure that is the column name?"
           end
           field_output = columns_map[col].line_field_output

data/lib/generators/hot_glue/scaffold_generator.rb CHANGED Viewed

@@ -23,7 +23,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
                 :nest_with, :path, :plural, :sample_file_path, :show_only_data, :singular,
                 :singular_class, :smart_layout, :stacked_downnesting, :update_show_only, :ownership_field,
                 :layout_strategy, :form_placeholder_labels, :form_labels_position, :pundit,
-                :self_auth, :namespace_value
+                :self_auth, :namespace_value, :related_sets
   # important: using an attr_accessor called :namespace indirectly causes a conflict with Rails class_name method
   # so we use namespace_value instead
@@ -89,6 +89,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   class_option :modify, default: {}
   class_option :display_as, default: {}
   class_option :pundit, default: nil
+  class_option :related_sets, default: ''
   def initialize(*meta_args)
     super
@@ -320,7 +321,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
     end
     if @god
-      @auth = nil
+      # @auth = nil
     end
     # when in self auth, the object is the same as the authenticated object
@@ -370,6 +371,24 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
       puts "NESTING: #{@nested_set}"
     end
+    # related_sets
+    related_set_input = options['related_sets'].split(",")
+    @related_sets = {}
+    related_set_input.each do |setting|
+      name = setting.to_sym
+      association_ids_method = eval("#{singular_class}.reflect_on_association(:#{setting.to_sym})").class_name.underscore + "_ids"
+      class_name = eval("#{singular_class}.reflect_on_association(:#{setting.to_sym})").class_name
+      @related_sets[setting.to_sym] =   { name: setting.to_sym,
+                          association_ids_method: association_ids_method,
+                          class_name: class_name }
+    end
+    if @related_sets.any?
+      puts "RELATED SETS: #{@related_sets}"
+    end
     # OBJECT OWNERSHIP & NESTING
     @reference_name = HotGlue.derrive_reference_name(singular_class)
     if @auth && @self_auth
@@ -409,13 +428,16 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
     buttons_width = ((!@no_edit && 1) || 0) + ((!@no_delete && 1) || 0) + @magic_buttons.count
     # build a new polymorphic object
     @associations = []
     @columns_map = {}
     @columns.each do |col|
-      if !(@the_object.columns_hash.keys.include?(col.to_s) || @attachments.keys.include?(col))
-        raise "couldn't find #{col} in either field list or attachments list"
-      end
+      # if !(@the_object.columns_hash.keys.include?(col.to_s) || @attachments.keys.include?(col))
+      #   raise "couldn't find #{col} in either field list or attachments list"
+      # end
       if col.to_s.starts_with?("_")
         @show_only << col
@@ -425,6 +447,10 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
         type = @the_object.columns_hash[col.to_s].type
       elsif @attachments.keys.include?(col)
         type = :attachment
+      elsif @related_sets.keys.include?(col)
+        type = :related_set
+      else
+        raise "couldn't find #{col} in either field list, attachments, or related sets"
       end
       this_column_object = FieldFactory.new(name: col.to_s,
                                             generator: self,
@@ -440,7 +466,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
       if field.is_a?(AssociationField)
         if @modify_as && @modify_as[key] && @modify_as[key][:typeahead]
           assoc_name = field.assoc_name
-          file_path = "app/controllers/#{namespace ? namspace + "/" : ""}#{assoc_name.pluralize}_typeahead_controller.rb"
+          file_path = "app/controllers/#{@namespace ? @namespace + "/" : ""}#{assoc_name.pluralize}_typeahead_controller.rb"
           if ! File.exist?(file_path)
@@ -455,6 +481,8 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
       end
     end
     # create the template object
     if @markup == "erb"
       @template_builder = HotGlue::ErbTemplate.new(
@@ -473,6 +501,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
         attachments: @attachments,
         columns_map: @columns_map,
         pundit: @pundit,
+        related_sets: @related_sets
       )
     elsif @markup == "slim"
       raise(HotGlue::Error, "SLIM IS NOT IMPLEMENTED")
@@ -607,6 +636,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   end
   def identify_object_owner
+    return if @god
     auth_assoc = @auth && @auth.gsub("current_", "")
     if @object_owner_sym && !@self_auth
@@ -657,6 +687,16 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
       check_if_sample_file_is_present
     end
+    if @related_sets.any?
+      if !@pundit
+        puts "********************\nWARNING: You are using --related-sets without using Pundit. This makes the set fully accessible. Use Pundit to prevent a privileged escalation vulnerability\n********************\n"
+      end
+      @related_sets.each do |key, related_set|
+        @columns << related_set[:name] if !@columns.include?(related_set[:name])
+        puts "Adding related set :#{related_set[:name]} as-a-column"
+      end
+    end
   end
   def check_if_sample_file_is_present
@@ -676,13 +716,13 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
     puts ""
   end
-  def fields_filtered_for_email_lookups
-    @columns
+  def fields_filtered_for_strong_params
+    @columns - @related_sets.collect{|key, set| set[:name]}
   end
   def creation_syntax
     if @factory_creation == ''
-      "@#{singular } = #{ class_name }.create(modified_params)"
+      "@#{singular } = #{ class_name }.new(modified_params)"
     else
       "#{@factory_creation}\n" +
         "    @#{singular } = factory.#{singular}"
@@ -969,7 +1009,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   end
   def object_scope
-    if @auth
+    if @auth && !@god
       if @nested_set.none?
         @auth + ".#{plural}"
       else
@@ -1296,7 +1336,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   def n_plus_one_includes
     if @associations.any? || @attachments.any?
-      ".includes(" + (@associations.map { |x| x } + @attachments.collect { |k, v| "#{k}_attachment" }).map { |x| ":#{x.to_s}" }.join(", ") + ")"
+      ".includes(" + (@associations.map { |x| x } + @attachments.collect { |k, v| "#{k}_attachment" } ).map { |x| ":#{x.to_s}" }.join(", ") + ")"
     else
       ""
     end
@@ -1342,7 +1382,7 @@ class HotGlue::ScaffoldGenerator < Erb::Generators::ScaffoldGenerator
   end
   def any_datetime_fields?
-    (@columns - @attachments.keys.collect(&:to_sym)).collect { |col| eval("#{singular_class}.columns_hash['#{col}']").type }.include?(:datetime)
+    (@columns - @attachments.keys.collect(&:to_sym) - @related_sets.keys ).collect { |col| eval("#{singular_class}.columns_hash['#{col}']").type }.include?(:datetime)
   end
   def post_action_parental_updates

data/lib/generators/hot_glue/templates/controller.rb.erb CHANGED Viewed

@@ -72,7 +72,7 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
   <% end %>def load_all_<%= plural %><% if @pundit %>
     @<%= plural_name %> =  policy_scope(<%= object_scope %>).page(params[:page])<%= n_plus_one_includes %><%= ".per(per)" if @paginate_per_page_selector %>
-    authorize @<%= plural_name %>.all<% else %> <% if !@self_auth %>
+    <% else %> <% if !@self_auth %>
     @<%= plural_name %> = <%= object_scope.gsub("@",'') %><%= n_plus_one_includes %>.page(params[:page])<%= ".per(per)" if @paginate_per_page_selector %><%= " if params.include?(:#{ @nested_set.last[:singular]}_id)" if @nested_set.any? && @nested_set[0] &&  @nested_set[0][:optional] %><% if @nested_set[0] &&  @nested_set[0][:optional] %>
     @<%= plural_name %> = <%= class_name %>.all<% end %><% else %>
     @<%= plural_name %> = <%= class_name %>.where(id: <%= auth_object.gsub("@",'') %>.id)<%= n_plus_one_includes %>.page(params[:page])<%= ".per(per)" if @paginate_per_page_selector %><% end %>
@@ -80,7 +80,8 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
   end
   def index
-    load_all_<%= plural %><% if @pundit %>
+    load_all_<%= plural %><% if @pundit %><% if @pundit %>
+    authorize @<%= plural_name %><% end %>
   rescue Pundit::NotAuthorizedError
     flash[:alert] = "You are not authorized to perform this action."
     render "layouts/error"<% end %>
@@ -94,19 +95,23 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
     @action = "new"
   rescue Pundit::NotAuthorizedError
     flash[:alert] = "You are not authorized to perform this action."
+    load_all_users
     render :index<% end %>
   end
   def create
     modified_params = modify_date_inputs_on_params(<%= singular_name %>_params.dup, <%= current_user_object %>, <%= datetime_fields_list %>) <% if @object_owner_sym &&  eval("#{class_name}.reflect_on_association(:#{@object_owner_sym})").class == ActiveRecord::Reflection::BelongsToReflection  %>
     modified_params = modified_params.merge(<%= @object_owner_sym %>: <%= @object_owner_eval %>) <% elsif @object_owner_optional && any_nested? %>
-    modified_params = modified_params.merge(<%= @object_owner_name %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}) <% elsif !@object_owner_eval.empty? %>
+    modified_params = modified_params.merge(<%= @object_owner_name %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}) <% elsif !@object_owner_eval.empty? && !@god %>
     modified_params = modified_params.merge(<%= @object_owner_eval %>) <% end %>
       <% if @hawk_keys.any? %>
     modified_params = hawk_params({<%= hawk_to_ruby %>}, modified_params)<% end %>
-      <%= controller_attachment_orig_filename_pickup_syntax %>
+    <%= controller_attachment_orig_filename_pickup_syntax %>
     <%= creation_syntax %>
+    <% if @pundit %><% @related_sets.each do |key, related_set| %>
+    check_<%= related_set[:association_ids_method].to_s %>_permissions(modified_params, :create)<% end %><% end %>
+    <% if @pundit %>authorize @<%= singular %><% end %>
     if @<%= singular_name %>.save
       flash[:notice] = "Successfully created #{@<%= singular %>.<%= display_class %>}"
@@ -152,17 +157,20 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
       flash[:notice] << "<% singular %> <%= button.titlecase %>."
     end
     <% end %>
     modified_params = modify_date_inputs_on_params(<% if @update_show_only %>update_<% end %><%= singular_name %>_params.dup<%= controller_update_params_tap_away_magic_buttons  %>, <%= current_user_object %>, <%= datetime_fields_list %>) <% if @object_owner_sym &&  eval("#{class_name}.reflect_on_association(:#{@object_owner_sym})").class == ActiveRecord::Reflection::BelongsToReflection  %>
     modified_params = modified_params.merge(<%= @object_owner_sym %>: <%= @object_owner_eval %>) <% elsif @object_owner_optional && any_nested? %>
-    modified_params = modified_params.merge(<%= @object_owner_name %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}) <% elsif ! @object_owner_eval.empty?  && !@self_auth%>
+    modified_params = modified_params.merge(<%= @object_owner_name %> ? {<%= @object_owner_sym %>: <%= @object_owner_eval %>} : {}) <% elsif ! @object_owner_eval.empty?  && !@self_auth && ! @god%>
     modified_params = modified_params.merge(<%= @object_owner_eval %>) <% end %>
+    <% if @pundit %><% @related_sets.each do |key, related_set| %>
+    check_<%= related_set[:association_ids_method].to_s %>_permissions(modified_params, :update)<% end %><% end %>
     <% if @hawk_keys.any? %>    modified_params = hawk_params({<%= hawk_to_ruby %>}, modified_params)<% end %>
       <%= controller_attachment_orig_filename_pickup_syntax %>
     <% if @pundit %>
     if @<%= singular_name %>.attributes = modified_params
-        authorize @<%= singular_name %>
-        @<%= singular_name %>.save
+      authorize @<%= singular_name %>
+      @<%= singular_name %>.save
     <% else %>
     if @<%= singular_name %>.update(modified_params)
     <% end %>
@@ -194,12 +202,23 @@ class <%= controller_class_name %> < <%= controller_descends_from %>
     render :update<% end %>
   end<% end %>
+<% if @pundit %><% @related_sets.each do |key, rs| %>
+  def check_<%= rs[:association_ids_method] %>_permissions(modified_params, action)
+    if modified_params[:<%= rs[:association_ids_method] %>].present? && modified_params[:<%= rs[:association_ids_method] %>] != @<%= singular %>.<%= rs[:association_ids_method] %>
+      # authorize the <%= rs[:association_ids_method] %> change using special modified_relations: {<%= rs[:association_ids_method] %>: modified_params[:<%= rs[:association_ids_method] %>>]} syntax for Pundit
+      if ! <%= singular_class %>Policy.new(current_user, @<%= singular %>, modified_relations: {role_ids: modified_params[:<%= rs[:association_ids_method] %>]}).method("#{action}?".to_sym).call
+        authorize @<%= singular %>, "#{action}?".to_sym
+        raise Pundit::NotAuthorizedError, message: @<%= singular %>.errors.collect{|k| "#{k.attribute} #{k.message}"}.join(" ")
+      end
+    end
+  end<% end %><% end %>
   def <%=singular_name%>_params
-    params.require(:<%= testing_name %>).permit(<%= (fields_filtered_for_email_lookups - @show_only ) + @magic_buttons.collect{|x| "__#{x}".to_sym }%>)
+    params.require(:<%= testing_name %>).permit(<%= ((fields_filtered_for_strong_params - @show_only ) + @magic_buttons.collect{|x| "__#{x}"}).collect{|sym| ":#{sym}"}.join(", ") %><%= ", " + @related_sets.collect{|key, rs| "#{rs[:association_ids_method]}: []"}.join(", ") if @related_sets.any? %>)
   end<% if @update_show_only %>
   def update_<%=singular_name%>_params
-    params.require(:<%= testing_name %>).permit(<%= (fields_filtered_for_email_lookups - @update_show_only) + @magic_buttons.collect{|x| "__#{x}".to_sym }%>)
+    params.require(:<%= testing_name %>).permit(<%= ((fields_filtered_for_strong_params - @update_show_only)  + @magic_buttons.collect{|x| "__#{x}"}).collect{|sym| ":#{sym}"}.join(", ") %><%= ", " + @related_sets.collect{|key, rs| "#{rs[:association_ids_method]}: []"}.join(", ") if @related_sets.any? %>)
   end<% end %>
   def namespace

data/lib/hotglue/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module HotGlue
   class Version
-    CURRENT = '0.6.0.1'
+    CURRENT = '0.6.1'
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hot-glue
 version: !ruby/object:Gem::Version
-  version: 0.6.0.1
+  version: 0.6.1
 platform: ruby
 authors:
 - Jason Fleetwood-Boldt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-11 00:00:00.000000000 Z
+date: 2023-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -90,6 +90,7 @@ files:
 - lib/generators/hot_glue/fields/field.rb
 - lib/generators/hot_glue/fields/float_field.rb
 - lib/generators/hot_glue/fields/integer_field.rb
+- lib/generators/hot_glue/fields/related_set_field.rb
 - lib/generators/hot_glue/fields/string_field.rb
 - lib/generators/hot_glue/fields/text_field.rb
 - lib/generators/hot_glue/fields/time_field.rb
@@ -174,5 +175,5 @@ requirements: []
 rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
-summary: A gem to build Tubro Rails scaffolding.
+summary: A gem to build Turbo Rails scaffolding.
 test_files: []