incline 0.1.5

data/app/controllers/incline/contact_controller.rb

@@ -0,0 +1,34 @@
+module Incline
+  class ContactController < ApplicationController
+
+    allow_anon true
+
+    ##
+    # GET /incline/contact
+    def new
+      @msg = Incline::ContactMessage.new
+    end
+
+    ##
+    # POST /incline/contact
+    def create
+      @msg = get_message
+      if @msg.valid?
+        @msg.remote_ip = request.remote_ip
+        @msg.send_message
+        flash[:success] = 'Your message has been sent.'
+        redirect_to root_url
+      else
+        render 'new'
+      end
+    end
+
+    private
+
+    def get_message
+      p = params.require(:contact_message).permit(:your_name, :your_email, :related_to, :subject, :body, :recaptcha)
+      Incline::ContactMessage.new(p)
+    end
+
+  end
+end

data/app/controllers/incline/password_resets_controller.rb

@@ -0,0 +1,113 @@
+module Incline
+  class PasswordResetsController < ApplicationController
+    before_action :set_reset_request, only: [ :new, :create ]
+    before_action :set_user, only: [:edit, :update]
+    before_action :valid_user, only: [ :edit, :update ]
+    before_action :set_reset, only: [ :edit, :update ]
+    before_action :check_expiration, only: [ :edit, :update ]
+
+    # The user should NOT be logged in.
+    require_anon true
+
+
+    ##
+    # GET /incline/password_resets/new
+    def new
+
+    end
+
+    ##
+    # POST /incline/password_resets
+    def create
+      unless @reset_request.valid?
+        render 'new' and return
+      end
+
+      @user = User.find_by(email: @reset_request.email)
+      if @user && @user.enabled? && @user.activated?
+        @user.create_reset_digest
+        @user.send_password_reset_email request.remote_ip
+      elsif @user
+        if !@user.enabled?
+          User.send_disabled_reset_email(email, request.remote_ip)
+        elsif !@user.active?
+          User.send_inactive_reset_email(email, request.remote_ip)
+        else
+          User.send_missing_reset_email(email, request.remote_ip)
+        end
+      else
+        User.send_missing_reset_email(email, request.remote_ip)
+      end
+
+      flash[:info] = 'An email with password reset information has been sent to you.'
+      redirect_to root_url
+    end
+
+    ##
+    # GET /incline/password_resets/reset-token?email=user@example.com
+    def edit
+
+    end
+
+    ##
+    # POST /incline/password_resets/reset-token
+    def update
+      unless @reset.valid?
+        render 'edit' and return
+      end
+
+      if @user.update_attributes(password: @reset.password, password_confirmation: @reset.password)
+        log_in @user
+        flash[:success] = 'Password has been reset.'
+        redirect_to @user
+      else
+        @user.errors[:base] << 'Failed to reset password.'
+        render 'edit'
+      end
+    end
+
+    private
+
+    def set_reset_request
+      @reset_request = Incline::PasswordResetRequest.new(reset_request_params)
+    end
+
+    def set_reset
+      @reset = Incline::PasswordReset.new(reset_params)
+    end
+
+    def set_user
+      @user = User.find_by(email: params[:email])
+    end
+
+    def reset_request_params
+      if params[:password_reset_request]
+        params.require(:password_reset_request).permit(:email, :recaptcha)
+      else
+        {}
+      end
+    end
+
+    def reset_params
+      if params[:password_reset]
+        merge(params.require(:password_reset).permit(:password, :password_confirmation, :recaptcha))
+      else
+        {}
+      end
+    end
+
+    def valid_user
+      unless @user && @user.enabled? && @user.activated? && @user.authenticated?(:reset, params[:id])
+        redirect_to root_url
+      end
+    end
+
+    def check_expiration
+      if @user.password_reset_expired?
+        flash[:danger] = 'Password reset request has expired.'
+        redirect_to new_password_reset_url
+      end
+    end
+
+  end
+end

data/app/controllers/incline/security_controller.rb

@@ -0,0 +1,100 @@
+module Incline
+  class SecurityController < ApplicationController
+
+    before_action :set_dt_request, only: [ :index, :locate ]
+    before_action :set_security, only: [ :show, :edit, :update ]
+
+    require_admin true
+
+    layout :layout_to_use
+
+    ##
+    # GET /incline/security
+    def index
+      @lists = {}
+      unless @dt_request.provided?
+        Incline::ActionSecurity.valid_items   # ensure only valid items are in the database.
+
+        # build lists for the dropdown filters.
+        @lists[:controller_name] = Incline::ActionSecurity.visible.pluck(:controller_name).uniq.sort
+        @lists[:action_name] = Incline::ActionSecurity.visible.pluck(:action_name).uniq.sort
+        @lists[:short_permitted] = Incline::ActionSecurity::SHORT_PERMITTED_FILTERS
+      end
+    end
+
+    ##
+    # GET /incline/security/1
+    def show
+    end
+
+    ##
+    # GET /incline/security/1/edit
+    def edit
+    end
+
+    ##
+    # PATCH/PUT /incline/security/1
+    def update
+      if @security.update(security_params)
+        handle_update_success notice: 'Action security was successfully updated.'
+      else
+        handle_update_failure :edit
+      end
+    end
+
+    # POST /incline/security/1/locate
+    def locate
+      render json: { record: @dt_request.record_location }
+    end
+
+    # GET/POST /incline/security/api?action=...
+    def api
+      process_api_action
+    end
+
+    private
+
+    def layout_to_use
+      inline_request? ? false : nil
+    end
+
+    def handle_update_failure(action)
+      if json_request?
+        # add a model-level error and render the json response.
+        @access_group.errors.add(:base, 'failed to save')
+        render 'show', formats: [ :json ]
+      else
+        # render the appropriate action.
+        render action
+      end
+    end
+
+    def handle_update_success(*messages)
+      # reload the cache from the database.
+      Incline::ActionSecurity.valid_items true, false
+
+      if inline_request?
+        # inline and json requests expect json on success.
+        render 'show', formats: [ :json ]
+      else
+        # otherwise, we redirect.
+        redirect_to index_security_url, *messages
+      end
+    end
+
+    def set_dt_request
+      @dt_request = Incline::DataTablesRequest.new(params.merge(force_regex: true)) do
+        Incline::ActionSecurity.visible
+      end
+    end
+
+    def set_security
+      @security = Incline::ActionSecurity.find(params[:id])
+    end
+
+    def security_params
+      params.require(:action_security).permit(group_ids: [])
+    end
+
+  end
+end

data/app/controllers/incline/sessions_controller.rb

@@ -0,0 +1,50 @@
+module Incline
+  ##
+  # A simple controller providing the login and logout methods for the application.
+  class SessionsController < ApplicationController
+
+    # must be anon to login.
+    require_anon :new, :create
+
+    # don't raise an error if anon tries to logout.
+    allow_anon true
+
+    ##
+    # GET /incline/login
+    def new
+    end
+
+    ##
+    # POST /incline/login
+    def create
+      if (@user = Incline::UserManager.authenticate(params[:session][:email], params[:session][:password], request.remote_ip))
+        if @user.activated?
+          # log the user in.
+          log_in @user
+          params[:session][:remember_me] == '1' ? remember(@user) : forget(@user)
+
+          # show alerts on login.
+          session[:show_alerts] = true
+
+          redirect_back_or @user
+        else
+          flash[:safe_warning] = 'Your account has not yet been activated.<br/>Check your email for the activation link.'
+          redirect_to root_url
+        end
+      else
+        # deny login.
+        flash.now[:danger] = 'Invalid email or password.'
+        render 'new'
+      end
+    end
+
+    ##
+    # DELETE /incline/logout
+    def destroy
+      log_out if logged_in?
+      redirect_to root_url
+    end
+
+  end
+
+end

data/app/controllers/incline/users_controller.rb

@@ -0,0 +1,304 @@
+# require_dependency "incline/application_controller"
+
+module Incline
+  class UsersController < ApplicationController
+
+    before_action :set_user,          except: [ :index, :new, :create, :api ]
+    before_action :set_dt_request,    only: [ :index, :locate ]
+    before_action :set_disable_info,  only: [ :disable_confirm, :disable ]
+    before_action :not_current,       only: [ :destroy, :disable, :disable_confirm, :enable, :promote, :demote ]
+
+    layout :use_layout, except: [ :index ]
+
+    # Only anonymous users can signup.
+    require_anon :new, :create
+
+    # Only admins can delete/disable/enable users, or list all users, or show/edit/update other users.
+    require_admin :index, :show, :edit, :update, :destroy, :disable, :disable_confirm, :enable, :promote, :demote, :locate
+
+    ##
+    # GET /incline/users
+    def index
+
+    end
+
+    ##
+    # GET /incline/signup
+    def new
+      @user = Incline::User.new
+    end
+
+    ##
+    # POST /incline/signup
+    def create
+      @user = Incline::User.new(user_params :before_create)
+
+      if system_admin? # skip recaptcha check if an admin is currently logged in.
+        @user.recaptcha = :verified
+      end
+
+      if @user.valid?
+        if @user.save
+          @user.send_activation_email request.remote_ip
+          if system_admin?
+            flash[:info] = "The user #{@user} has been created, but will need to activate their account before use."
+            additional_params = user_params :after_create
+            if additional_params.any?
+              unless @user.update_attributes(additional_params)
+                flash[:warning] = 'Failed to apply additional attributes to new user account.'
+              end
+            end
+            if inline_request?
+              render 'show', formats: [ :json ]
+            else
+              redirect_to users_url
+            end
+            return
+          else
+            flash[:safe_info] = 'Your account has been created, but needs to be activated before you can use it.<br>Please check your email to activate your account.'
+            if inline_request?
+              render 'show', formats: [ :json ]
+            else
+              redirect_to root_url
+            end
+            return
+          end
+        else
+          @user.errors[:base] << 'Failed to create user account.'
+        end
+      end
+      render 'new'
+    end
+
+    ##
+    # GET /incline/users/1
+    def show
+      render 'show'
+    end
+
+    ##
+    # GET /incline/users/1/edit
+    def edit
+      render 'edit'
+    end
+
+    ##
+    # PUT /incline/users/1
+    def update
+      if @user.update_attributes(user_params)
+        if current_user?(@user)
+          flash[:success] = 'Your profile has been updated.'
+          if inline_request?
+            render 'show', formats: [ :json ]
+          else
+            redirect_to @user
+          end
+          return
+        else
+          flash[:success] = "The user #{@user} has been updated."
+          if inline_request?
+            render 'show', formats: [ :json ]
+          else
+            redirect_to users_path
+          end
+          return
+        end
+      end
+      render 'edit'
+    end
+
+    ##
+    # DELETE /incline/users/1
+    def destroy
+      if @user.enabled?
+        flash[:danger] = 'Cannot delete an enabled user.'
+      elsif @user.disabled_at.blank? || @user.disabled_at > 15.days.ago
+        flash[:danger] = 'Cannot delete a user within 15 days of being disabled.'
+      else
+        @user.destroy
+        flash[:success] = "User #{@user} has been deleted."
+      end
+      if inline_request?
+        render 'show', formats: [ :json ]
+      else
+        redirect_to users_path
+      end
+    end
+
+    ##
+    # GET /incline/users/1/disable
+    def disable_confirm
+      unless @disable_info.user.enabled?
+        flash[:warning] = "User #{@disable_info.user} is already disabled."
+        unless inline_request?
+          redirect_to users_path
+        end
+      end
+    end
+
+    ##
+    # PUT /incline/users/1/disable
+    def disable
+      if @disable_info.valid?
+        if @disable_info.user.disable(current_user, @disable_info.reason)
+          flash[:success] = "User #{@disable_info.user} has been disabled."
+          if inline_request?
+            render 'show', formats: [ :json ]
+          else
+            redirect_to users_path
+          end
+          return
+        else
+          @disable_info.errors.add(:user, 'was unable to be updated')
+        end
+      end
+      render 'disable_confirm'
+    end
+
+    ##
+    # PUT /incline/users/1/enable
+    def enable
+      if @user.enabled?
+        flash[:warning] = "User #{@user} is already enabled."
+        unless inline_request?
+          redirect_to users_path and return
+        end
+      else
+        if @user.enable
+          flash[:success] = "User #{@user} has been enabled."
+        else
+          flash[:danger] = "Failed to enable user #{@user}."
+        end
+      end
+      if inline_request?
+        render 'show', formats: [ :json ]
+      else
+        redirect_to users_path
+      end
+    end
+
+    ##
+    # PUT /incline/users/1/promote
+    def promote
+      # add the administrator flag to the selected user.
+      if @user.system_admin?
+        flash[:warning] = "User #{@user} is already an administrator."
+        unless inline_request?
+          redirect_to users_path and return
+        end
+      else
+        if @user.update(system_admin: true)
+          flash[:success] = "User #{@user} has been promoted to administrator."
+        else
+          flash[:danger] = "Failed to promote user #{@user}."
+        end
+      end
+
+      if inline_request?
+        render 'show', formats: [ :json ]
+      else
+        redirect_to users_path
+      end
+    end
+
+    ##
+    # PUT /incline/users/1/demote
+    def demote
+      # remove the administrator flag from the selected user.
+      if @user.system_admin?
+        if @user.update(system_admin: false)
+          flash[:success] = "User #{@user} has been demoted from administrator."
+        else
+          flash[:danger] = "Failed to demote user #{@user}."
+        end
+      else
+        flash[:warning] = "User #{@user} is not an administrator."
+        unless inline_request?
+          redirect_to users_path and return
+        end
+      end
+
+      if inline_request?
+        render 'show', formats: [ :json ]
+      else
+        redirect_to users_path
+      end
+
+    end
+
+    # POST /incline/users/1/locate
+    def locate
+      render json: { record: @dt_request.record_location }
+    end
+
+    # GET/POST /incline/users/api?action=...
+    def api
+      process_api_action
+    end
+
+    private
+
+    def set_dt_request
+      @dt_request = Incline::DataTablesRequest.new(params) do
+        (current_user.system_admin? ? Incline::User.known : Incline::User.known.enabled)
+      end
+    end
+
+    def use_layout
+      inline_request? ? false : nil
+    end
+
+    def valid_user?
+      # This method allows us to override the "require_admin" and "require_anon" settings for these actions.
+
+      action = params[:action].to_sym
+
+      # The current user can show or edit their own details without any further validation.
+      return true if [ :show, :edit, :update ].include?(action) && logged_in? && current_user?(set_user)
+
+      # A system administrator can create new users.
+      return true if [ :new, :create ].include?(action) && logged_in? && system_admin?
+
+      super
+    end
+
+    def set_user
+      @user ||=
+          if system_admin?
+            Incline::User.find(params[:id])
+          else
+            Incline::User.enabled.find(params[:id])
+          end ||
+              Incline::User.new(name: 'Invalid User', email: 'invalid-user')
+    end
+
+    def set_disable_info
+      @disable_info = Incline::DisableInfo.new(disable_info_params)
+      @disable_info.user = @user
+    end
+
+    def user_params(mode = :all)
+      ok = (mode == :all || mode == :before_create) ? [ :name, :email, :password, :password_confirmation, :recaptcha ] : [ ]
+
+      # admins can add groups to other users.
+      ok += [ { group_ids: [] } ] if (mode == :all || mode == :after_create) && logged_in? && system_admin? && !current_user?(set_user)
+
+      params.require(:user).permit(ok)
+    end
+
+    def disable_info_params
+      params[:disable_info] ?
+          params.require(:disable_info).permit(:reason) :
+          { }
+    end
+
+    def not_current
+      if current_user?(@user)
+        flash[:warning] = 'You cannot perform this operation on yourself.'
+        redirect_to users_path
+      end
+    end
+
+
+  end
+end

data/app/controllers/incline/welcome_controller.rb

@@ -0,0 +1,19 @@
+require_dependency "incline/application_controller"
+
+module Incline
+  ##
+  # An innocuous controller that simply hosts the home page of the application.
+  class WelcomeController < ApplicationController
+
+    allow_anon true
+
+    ##
+    # Get /incline
+    #
+    # Use +root "incline/welcome#home"+ in your +routes.rb+ file to use this, or define your own
+    # home page as desired.
+    def home
+
+    end
+  end
+end

data/app/mailers/incline/application_mailer_base.rb

@@ -0,0 +1,11 @@
+module Incline
+  ##
+  # This class defines the default behavior for mailers in this application.
+  #
+  class ApplicationMailerBase < ActionMailer::Base
+
+
+    layout 'mailer'
+
+  end
+end

data/app/mailers/incline/contact_form.rb

@@ -0,0 +1,19 @@
+
+module Incline
+  ##
+  # This mailer is used for the generic contact form.
+  class ContactForm < ::Incline::ApplicationMailerBase
+
+    ##
+    # Sends the message from the contact form.
+    def contact(msg)
+      @data = {
+          msg: msg,
+          client_ip: msg.remote_ip,
+          gems: Incline::gem_list
+      }
+      mail subject: msg.full_subject, reply_to: msg.your_email
+    end
+  end
+
+end

data/app/mailers/incline/user_mailer.rb

@@ -0,0 +1,45 @@
+
+module Incline
+
+  ##
+  # This mailer is used for the account activation, password reset, and invalid password reset messages.
+  #
+  class UserMailer < ::Incline::ApplicationMailerBase
+
+    ##
+    # Sends the activation email to a new user.
+    def account_activation(data = {})
+      @data = {
+          user: nil,
+          client_ip: '0.0.0.0'
+      }.merge(data || {})
+      raise unless data[:user]
+      mail to: data[:user].email, subject: 'Account activation'
+    end
+
+    ##
+    # Sends the password reset email to an existing user.
+    def password_reset(data = {})
+      @data = {
+          user: nil,
+          client_ip: '0.0.0.0'
+      }.merge(data || {})
+      raise unless data[:user]
+      mail to: data[:user].email, subject: 'Password reset request'
+    end
+
+    ##
+    # Sends an invalid password reset attempt message to a user whether they exist or not.
+    def invalid_password_reset(data = {})
+      @data = {
+          email: nil,
+          message: 'This email address is not associated with an existing account.',
+          client_ip: '0.0.0.0'
+      }.merge(data || {})
+      raise unless data[:email]
+      mail to: data[:email], subject: 'Password reset request'
+    end
+
+  end
+
+end