knitkit 2.0.0 → 2.0.1

data/app/controllers/knitkit/erp_app/desktop/content_controller.rb

@@ -3,22 +3,36 @@ module Knitkit
     module Desktop
       
       class ContentController < Knitkit::ErpApp::Desktop::AppController
-         def update
-          id      = params[:id]
-          html    = params[:html]
-          content = Content.find(id)
-          content.body_html = html
+        def update
+          model = DesktopApplication.find_by_internal_identifier('knitkit')
+          begin
+            current_user.with_capability(model, 'edit_html', 'Article') do
+              id      = params[:id]
+              html    = params[:html]
+              content = Content.find(id)
+              content.body_html = html
     
-          render :json => (content.save ? {:success => true} : {:success => false})
+              render :json => (content.save ? {:success => true} : {:success => false})
+            end
+          rescue ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability=>ex
+            render :json => {:success => false, :message => ex.message}
+          end
         end
 
         def save_excerpt
-          id      = params[:id]
-          html    = params[:html]
-          content = Content.find(id)
-          content.excerpt_html = html
+          model = DesktopApplication.find_by_internal_identifier('knitkit')
+          begin
+            current_user.with_capability(model, 'edit_excerpt', 'Article') do
+              id      = params[:id]
+              html    = params[:html]
+              content = Content.find(id)
+              content.excerpt_html = html
         
-          render :json => (content.save ? {:success => true} : {:success => false})
+              render :json => (content.save ? {:success => true} : {:success => false})
+            end
+          rescue ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability=>ex
+            render :json => {:success => false, :message => ex.message}
+          end
         end
 
       end#ContentController

data/app/controllers/knitkit/erp_app/desktop/file_assets_controller.rb

@@ -2,16 +2,19 @@ module Knitkit
   module ErpApp
     module Desktop
       class FileAssetsController < ::ErpApp::Desktop::FileManager::BaseController
+        skip_before_filter :verify_authenticity_token, :only => :upload_file
         skip_before_filter :require_login, :only => [:download_file_asset]
-        before_filter :set_asset_model, :except => [:download_file_asset]
+        before_filter :set_asset_model
+        before_filter :set_root_node
 
-        def base_path
-          @base_path = nil
-          if @context == :website
-            @base_path = File.join(@file_support.root,"/sites/site-#{@assets_model.id}", "files") unless @assets_model.nil?
+        def base_path          
+          if @root_node.nil?
+            @base_path = nil
           else
-            @base_path = File.join(@file_support.root,"/files") unless @assets_model.nil?
+            @base_path = File.join(@file_support.root, @root_node) 
           end
+
+          @base_path
         end
 
         def expand_directory
@@ -27,7 +30,7 @@ module Knitkit
           path = params[:path] == 'root_node' ? base_path : params[:path]
           name = params[:name]
 
-          @assets_model.add_file('#Empty File', File.join(@file_support.root, path, name))
+          @assets_model.add_file('#Empty File', File.join(path, name))
 
           render :json => {:success => true}
         end
@@ -43,34 +46,50 @@ module Knitkit
         end
 
         def upload_file
-          result = {}
-          upload_path = request.env['HTTP_EXTRAPOSTDATA_DIRECTORY'].blank? ? params[:directory] : request.env['HTTP_EXTRAPOSTDATA_DIRECTORY']
-          name = request.env['HTTP_X_FILE_NAME'].blank? ? params[:file_data].original_filename : request.env['HTTP_X_FILE_NAME']
-          data = request.env['HTTP_X_FILE_NAME'].blank? ? params[:file_data] : request.raw_post
+          #Website level assets if allowed to be viewed can also be uploaded and deleted so this is only checking for the view capability
+          if @context == Website
+            capability_type = "view"
+            capability_resource = "SiteFileAsset"
+          else
+            capability_type = "upload"
+            capability_resource = "GlobalFileAsset"
+          end
 
+          model = DesktopApplication.find_by_internal_identifier('knitkit')
           begin
-            upload_path == 'root_node' ? @assets_model.add_file(data, File.join(@file_support.root,base_path,name)) : @assets_model.add_file(data, File.join(@file_support.root,upload_path,name))
-            result = {:success => true}
-          rescue Exception=>ex
-            logger.error ex.message
-            logger.error ex.backtrace.join("\n")
-            result = {:success => false, :error => "Error uploading file."}
+            current_user.with_capability(model, capability_type, capability_resource) do
+              result = {}
+              upload_path = request.env['HTTP_X_DIRECTORY'].blank? ? params[:directory] : request.env['HTTP_X_DIRECTORY']
+              name = request.env['HTTP_X_FILE_NAME'].blank? ? params[:file_data].original_filename : request.env['HTTP_X_FILE_NAME']
+              data = request.env['HTTP_X_FILE_NAME'].blank? ? params[:file_data] : request.raw_post
+
+              begin
+                upload_path == 'root_node' ? @assets_model.add_file(data, File.join(@file_support.root,base_path,name)) : @assets_model.add_file(data, File.join(@file_support.root,upload_path,name))
+                result = {:success => true}
+              rescue Exception=>ex
+                logger.error ex.message
+                logger.error ex.backtrace.join("\n")
+                result = {:success => false, :error => "Error uploading file."}
+              end
+
+              #the awesome uploader widget whats this to mime type text, leave it render :inline
+              render :inline => result.to_json
+            end
+          rescue ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability=>ex
+            render :json => {:success => false, :message => ex.message}
           end
-
-          #the awesome uploader widget whats this to mime type text, leave it render :inline
-          render :inline => result.to_json
         end
 
         def save_move
           result          = {}
           path            = params[:node]
           new_parent_path = params[:parent_node]
-          new_parent_path = base_path if new_parent_path == ROOT_NODE
+          new_parent_path = @root_node if new_parent_path == ROOT_NODE
 
-          unless File.exists? path
-            result = {:success => false, :msg => 'File does not exists'}
+          if Rails.application.config.erp_tech_svcs.file_storage == :filesystem and !File.exists?(File.join(@file_support.root, path))
+            result = {:success => false, :msg => 'File does not exist.'}
           else
-            path = path[1..path.length] if path[0] == "/"
+            #path = path[1..path.length] if path[0] == "/"
             file = @assets_model.files.find(:first, :conditions => ['name = ? and directory = ?', ::File.basename(path), ::File.dirname(path)])
             file.move(new_parent_path)
             result = {:success => true, :msg => "#{File.basename(path)} was moved to #{new_parent_path} successfully"}
@@ -80,30 +99,44 @@ module Knitkit
         end
 
         def delete_file
-          path = params[:node]
-          result = {}
+          if @context == Website
+            capability_type = "view"
+            capability_resource = "SiteFileAsset"
+          else
+            capability_type = "delete"
+            capability_resource = "GlobalFileAsset"
+          end
+
+          model = DesktopApplication.find_by_internal_identifier('knitkit')
           begin
-            name = File.basename(path)
-            result, message, is_folder = @file_support.delete_file(File.join(@file_support.root,path))
-            if result && !is_folder
-              file = @assets_model.files.find(:first, :conditions => ['name = ? and directory = ?', ::File.basename(path), ::File.dirname(path)])
-              file.destroy
+            current_user.with_capability(model, capability_type, capability_resource) do
+              path = params[:node]
+              result = {}
+              begin
+                name = File.basename(path)
+                result, message, is_folder = @file_support.delete_file(File.join(@file_support.root,path))
+                if result && !is_folder
+                  file = @assets_model.files.find(:first, :conditions => ['name = ? and directory = ?', ::File.basename(path), ::File.dirname(path)])
+                  file.destroy
+                end
+                result = {:success => result, :error => message}
+              rescue Exception=>ex
+                logger.error ex.message
+                logger.error ex.backtrace.join("\n")
+                result = {:success => false, :error => "Error deleting #{name}"}
+              end
+              render :json => result
             end
-            result = {:success => result, :error => message}
-          rescue Exception=>ex
-            logger.error ex.message
-            logger.error ex.backtrace.join("\n")
-            result = {:success => false, :error => "Error deleting #{name}"}
+          rescue ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability=>ex
+            render :json => {:success => false, :message => ex.message}
           end
-          render :json => result
         end
 
         def rename_file
-          result = {:success => true, :data => {:success => true}}
           path = params[:node]
           name = params[:file_name]
 
-          result, message = @file_support.rename_file(path, name)
+          result, message = @file_support.rename_file(File.join(@file_support.root,path), name)
           if result
             file = @assets_model.files.find(:first, :conditions => ['name = ? and directory = ?', ::File.basename(path), ::File.dirname(path)])
             file.name = name
@@ -113,16 +146,62 @@ module Knitkit
           render :json =>  {:success => true, :message => message}
         end
 
-        def download_file_asset
-          contents, message = @file_support.get_contents(params[:path])
+        def update_security
+          path   = params[:path]
+          secure = params[:secure]
+          roles  = ['admin', 'file_downloader']
+          
+          file = @assets_model.files.find(:first, :conditions => ['name = ? and directory = ?', ::File.basename(path), ::File.dirname(path)])
+          roles << @assets_model.website_role_iid if @context == :website
+          
+          (secure == 'true') ? file.add_capability(:download, nil, roles) : file.remove_all_capabilities
+
+          # if we're using S3, set file permissions to private or public_read   
+          @file_support.set_permissions(path, ((secure == 'true') ? :private : :public_read)) if Rails.application.config.erp_tech_svcs.file_storage == :s3
+          
+          render :json =>  {:success => true}
+        end
 
-          send_data contents, :filename => File.basename(path)
+        # DEPRECATED, use erp_app/public#download
+        def download_file_asset
+          path = params[:path]
+
+          file = @assets_model.files.find(:first, :conditions => ['name = ? and directory = ?', ::File.basename(path), ::File.dirname(path)])
+          if(file.has_capabilities?)
+            begin
+              unless current_user == false
+                current_user.with_capability(file, :download, nil) do
+                  redirect_to file.data.url
+                end
+              else
+                raise ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability
+              end
+            rescue ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability=>ex
+              render :text => ex.message
+            rescue Exception=>ex
+              render :text => "User does not have capability."
+            end
+          else
+            redirect_to file.data.url
+          end
         end
 
         protected
 
         def set_file_support
-          @file_support = ErpTechSvcs::FileSupport::Base.new(:storage => ErpTechSvcs::FileSupport.options[:storage])
+          @file_support = ErpTechSvcs::FileSupport::Base.new(:storage => Rails.application.config.erp_tech_svcs.file_storage)
+        end
+
+        def set_root_node
+          @root_node = nil
+
+          if @context == :website
+            @root_node = File.join(Rails.application.config.erp_tech_svcs.file_assets_location,"sites",@assets_model.iid) unless @assets_model.nil?
+          else
+            @root_node = File.join(Rails.application.config.erp_tech_svcs.file_assets_location,"shared_site_files")
+          end
+
+          @root_node
         end
 
         def set_asset_model
@@ -130,7 +209,7 @@ module Knitkit
 
           if @context == :website
             #get website id this can be an xhr request or regular
-            website_id = request.env['HTTP_EXTRAPOSTDATA_WEBSITE_ID'].blank? ? params[:website_id] : request.env['HTTP_EXTRAPOSTDATA_WEBSITE_ID']
+            website_id = request.env['HTTP_X_WEBSITEID'].blank? ? params[:website_id] : request.env['HTTP_X_WEBSITEID']
             (@assets_model = website_id.blank? ? nil : Website.find(website_id))
 
             render :inline => {:success => false, :error => "No Website Selected"}.to_json if (@assets_model.nil? && params[:action] != "base_path")

data/app/controllers/knitkit/erp_app/desktop/image_assets_controller.rb

@@ -2,24 +2,98 @@ module Knitkit
   module ErpApp
     module Desktop
       class ImageAssetsController < FileAssetsController
-        def base_path
-          @base_path = nil
-          if @context == :website
-            @base_path = File.join(@file_support.root,"/sites/site-#{@assets_model.id}", "images") unless @assets_model.nil?
+        
+        def get_images
+          directory = (params[:directory] == 'root_node' or params[:directory].blank?) ? base_path : params[:directory]
+          # this @assets_model.images.select should be refactored into a query
+          render :json => @assets_model.images.select{|image| image.directory == directory.sub(@file_support.root,'')}.collect{|image|{:name => image.name, :shortName => image.name[0..15], :url => image.data.url}}
+        end
+
+        def upload_file
+          #Website level assets if allowed to be viewed can also be uploaded and deleted so this is only checking for the view capability
+          if @context == Website
+            capability_type = "view"
+            capability_resource = "SiteImageAsset"
           else
-            @base_path = File.join(@file_support.root,"/images") unless @assets_model.nil?
+            capability_type = "upload"
+            capability_resource = "GlobalImageAsset"
+          end
+
+          model = DesktopApplication.find_by_internal_identifier('knitkit')
+          begin
+            current_user.with_capability(model, capability_type, capability_resource) do
+              result = {}
+              upload_path = request.env['HTTP_X_DIRECTORY'].blank? ? params[:directory] : request.env['HTTP_X_DIRECTORY']
+              name = request.env['HTTP_X_FILE_NAME'].blank? ? params[:file_data].original_filename : request.env['HTTP_X_FILE_NAME']
+              data = request.env['HTTP_X_FILE_NAME'].blank? ? params[:file_data] : request.raw_post
+
+              begin
+                upload_path == 'root_node' ? @assets_model.add_file(data, File.join(@file_support.root,base_path,name)) : @assets_model.add_file(data, File.join(@file_support.root,upload_path,name))
+                result = {:success => true}
+              rescue Exception=>ex
+                logger.error ex.message
+                logger.error ex.backtrace.join("\n")
+                result = {:success => false, :error => "Error uploading file."}
+              end
+
+              #the awesome uploader widget whats this to mime type text, leave it render :inline
+              render :inline => result.to_json
+            end
+          rescue ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability=>ex
+            render :json => {:success => false, :message => ex.message}
           end
         end
 
-        def get_images
-          directory = (params[:directory] == 'root_node' or params[:directory].blank?) ? base_path : params[:directory]
-          render :json => @assets_model.images.select{|image| image.directory == directory.sub(@file_support.root,'')}.collect{|image|{:name => image.name, :shortName => image.name[0..15], :url => image.data.url}}
+        def delete_file
+          if @context == Website
+            capability_type = "view"
+            capability_resource = "SiteImageAsset"
+          else
+            capability_type = "delete"
+            capability_resource = "GlobalImageAsset"
+          end
+
+          model = DesktopApplication.find_by_internal_identifier('knitkit')
+          begin
+            current_user.with_capability(model, capability_type, capability_resource) do
+              path = params[:node]
+              result = {}
+              begin
+                name = File.basename(path)
+                result, message, is_folder = @file_support.delete_file(File.join(@file_support.root,path))
+                if result && !is_folder
+                  file = @assets_model.files.find(:first, :conditions => ['name = ? and directory = ?', ::File.basename(path), ::File.dirname(path)])
+                  file.destroy
+                end
+                result = {:success => result, :error => message}
+              rescue Exception=>ex
+                logger.error ex.message
+                logger.error ex.backtrace.join("\n")
+                result = {:success => false, :error => "Error deleting #{name}"}
+              end
+              render :json => result
+            end
+          rescue ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability=>ex
+            render :json => {:success => false, :message => ex.message}
+          end
         end
 
         protected
 
+        def set_root_node
+          @root_node = nil
+
+          if @context == :website
+            @root_node = File.join("public", "sites", @assets_model.iid, "images") unless @assets_model.nil?
+          else
+            @root_node = File.join("public", "images")
+          end
+
+          @root_node
+        end
+
         def set_file_support
-          @file_support = ErpTechSvcs::FileSupport::Base.new(:storage => ErpTechSvcs::FileSupport.options[:storage])
+          @file_support = ErpTechSvcs::FileSupport::Base.new(:storage => Rails.application.config.erp_tech_svcs.file_storage)
         end
         
       end#ImageAssetsController

data/app/controllers/knitkit/erp_app/desktop/online_document_sections_controller.rb

@@ -0,0 +1,38 @@
+module Knitkit
+  module ErpApp
+    module Desktop
+      class OnlineDocumentSectionsController < Knitkit::ErpApp::Desktop::AppController
+        
+        def new
+          website = Website.find(params[:website_id])
+          online_document_section = OnlineDocumentSection.new(:website_id => website.id, :in_menu => params[:in_menu] == 'yes', :title => params[:title],
+                                                              :internal_identifier => params[:internal_identifier])
+           
+          if online_document_section.save
+            if params[:website_section_id]
+              parent_website_section = WebsiteSection.find(params[:website_section_id])
+              online_document_section.move_to_child_of(parent_website_section)
+            end 
+            online_document_section.update_path!
+            if params[:documenttype] == "Content"
+              documented_content = DocumentedContent.create(:title => online_document_section.title, :created_by => current_user, :body_html => online_document_section.title)
+              DocumentedItem.create(:documented_content_id => documented_content.id, :online_document_section_id => online_document_section.id)
+            end
+            
+            result = {:success => true, :node => build_section_hash(online_document_section, online_document_section.website),
+                      :documented_content => documented_content.content_hash}
+          else
+            message = "<ul>"
+            online_document_section.errors.collect do |e, m|
+              message << "<li>#{e} #{m}</li>"
+            end
+            message << "</ul>"
+            result = {:success => false, :message => message}
+          end
+
+          render :json => result
+        end     
+      end
+    end
+  end
+end

data/app/controllers/knitkit/erp_app/desktop/position_controller.rb

@@ -4,13 +4,22 @@ module Knitkit
       class PositionController < Knitkit::ErpApp::Desktop::AppController
         
         def update
-          params[:position_array].each do |position|
-            model = position['klass'].constantize.find(position['id'])
-            model.position = position['position'].to_i
-            model.save
-          end
+          model = DesktopApplication.find_by_internal_identifier('knitkit')
+          begin
+            current_user.with_capability(model, 'drag_item', 'WebsiteTree') do
+
+              params[:position_array].each do |position|
+                model = position['klass'].constantize.find(position['id'])
+                model.position = position['position'].to_i
+                model.save
+              end
 
-          render :json => {:success => true}
+              render :json => {:success => true}
+              
+            end
+          rescue ErpTechSvcs::Utils::CompassAccessNegotiator::Errors::UserDoesNotHaveCapability=>ex
+            render :json => {:success => false, :message => ex.message}
+          end
         end
         
       end#PositionController