lean_cms 0.2.12

data/app/controllers/lean_cms/posts_controller.rb

@@ -0,0 +1,78 @@
+module LeanCms
+  class PostsController < LeanCms::ApplicationController
+    before_action :require_blog_editing
+    before_action :set_post, only: [:show, :edit, :update, :destroy]
+    before_action :authorize_edit, only: [:edit, :update, :destroy]
+    before_action :check_content_lock, only: [:destroy]
+
+    def index
+      @posts = LeanCms::Post.includes(:author, :last_edited_by)
+                       .order(created_at: :desc)
+      
+      # Filter by content_type if provided
+      if params[:content_type].present?
+        case params[:content_type]
+        when 'blog'
+          @posts = @posts.blog_posts
+        when 'portfolio'
+          @posts = @posts.portfolio_items
+        end
+      end
+    end
+
+    def show
+    end
+
+    def new
+      @post = LeanCms::Post.new
+    end
+
+    def create
+      @post = LeanCms::Post.new(post_params)
+      @post.author = current_user
+      @post.last_edited_by = current_user
+
+      if @post.save
+        redirect_to lean_cms_posts_path, notice: 'Post created successfully.'
+      else
+        render :new, status: :unprocessable_entity
+      end
+    end
+
+    def edit
+    end
+
+    def update
+      @post.last_edited_by = current_user
+
+      if @post.update(post_params)
+        redirect_to lean_cms_posts_path, notice: 'Post updated successfully.'
+      else
+        render :edit, status: :unprocessable_entity
+      end
+    end
+
+    def destroy
+      @post.destroy
+      redirect_to lean_cms_posts_path, notice: 'Post deleted successfully.'
+    end
+
+    private
+
+    def set_post
+      @post = LeanCms::Post.find(params[:id])
+    end
+
+    def authorize_edit
+      unless can_edit?(@post)
+        redirect_to lean_cms_posts_path, alert: 'You are not authorized to edit this post.'
+      end
+    end
+
+    def post_params
+      params.require(:lean_cms_post).permit(
+        :title, :slug, :excerpt, :body, :status, :published_at, :content_type, :featured_image
+      )
+    end
+  end
+end

data/app/controllers/lean_cms/sessions_controller.rb

@@ -0,0 +1,50 @@
+module LeanCms
+  class SessionsController < ::ApplicationController
+    allow_unauthenticated_access only: %i[ new create ]
+    rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to lean_cms_new_session_path, alert: "Try again later." }
+
+    layout "lean_cms/auth"
+
+    def new
+      redirect_to after_authentication_url if authenticated?
+    end
+
+    def create
+      user_class = LeanCms.user_class.constantize
+
+      if user = user_class.authenticate_by(params.permit(:email_address, :password))
+        unless user.active?
+          redirect_to lean_cms_new_session_path, alert: "Your account has been deactivated. Please contact an administrator."
+          return
+        end
+
+        start_new_session_for user
+        user.record_login!
+
+        if user.must_change_password?
+          magic_link = LeanCms::MagicLink.create_for_password_reset(user)
+          redirect_to lean_cms_password_setup_path(token: magic_link.token), notice: "Please set a new password."
+        else
+          redirect_to after_authentication_url
+        end
+      else
+        redirect_to lean_cms_new_session_path, alert: "Try another email address or password."
+      end
+    end
+
+    def destroy
+      terminate_session
+      redirect_to lean_cms_new_session_path, status: :see_other
+    end
+
+    private
+
+    def after_authentication_url
+      if LeanCms::Current.user&.has_any_cms_permission?
+        lean_cms_root_path
+      else
+        session.delete(:return_to_after_authenticating) || "/"
+      end
+    end
+  end
+end

data/app/controllers/lean_cms/settings_controller.rb

@@ -0,0 +1,124 @@
+module LeanCms
+  class SettingsController < ApplicationController
+    skip_before_action :check_content_lock
+    before_action :require_settings_access
+
+    def edit
+      # Load current settings (default to enabled for backward compatibility)
+      @in_context_editing_enabled = LeanCms::Setting.get('in_context_editing', 'true') == 'true'
+      @show_blog_enabled = LeanCms::Setting.get('show_blog', 'true') == 'true'
+      @show_portfolio_enabled = LeanCms::Setting.get('show_portfolio', 'true') == 'true'
+      
+      # Load counts for display
+      @blog_count = LeanCms::Post.published.blog_posts.count
+      @portfolio_count = LeanCms::Post.published.portfolio_items.count
+
+      # Blog and Portfolio hero text
+      @blog_title = LeanCms::Setting.get('blog_title', 'Our Blog')
+      @blog_subtitle = LeanCms::Setting.get('blog_subtitle', 'Insights, updates, and stories from Custom Assembly Services')
+      @portfolio_title = LeanCms::Setting.get('portfolio_title', 'Our Portfolio')
+      @portfolio_subtitle = LeanCms::Setting.get('portfolio_subtitle', 'Showcasing our industrial assembly and installation projects')
+
+      # Privacy & Compliance
+      @cookie_consent_enabled = LeanCms::Setting.get('cookie_consent_enabled', 'false') == 'true'
+      @cookie_consent_message = LeanCms::Setting.get('cookie_consent_message', 'We use cookies to improve your experience and analyze site traffic. You can choose which cookies to allow.')
+      @cookie_consent_forced_on = LeanCms::Setting.enabled?('google_analytics_enabled')
+
+      # Analytics
+      @google_analytics_enabled = LeanCms::Setting.enabled?('google_analytics_enabled')
+      @google_analytics_id = LeanCms::Setting.get('google_analytics_id', '')
+    end
+
+    def update
+      # Site favicon (uploaded override for the public site)
+      LeanCms::Setting.remove_site_favicon! if params[:remove_site_favicon] == "1"
+      LeanCms::Setting.update_site_favicon!(params[:site_favicon]) if params[:site_favicon].present?
+
+      # Update in-context editing setting
+      LeanCms::Setting.set('in_context_editing', params[:in_context_editing] == '1' ? 'true' : 'false')
+      
+      # Update show blog and portfolio settings
+      LeanCms::Setting.set('show_blog', params[:show_blog] == '1' ? 'true' : 'false')
+      LeanCms::Setting.set('show_portfolio', params[:show_portfolio] == '1' ? 'true' : 'false')
+
+      # Update blog and portfolio hero text
+      LeanCms::Setting.set('blog_title', params[:blog_title].to_s) if params.key?(:blog_title)
+      LeanCms::Setting.set('blog_subtitle', params[:blog_subtitle].to_s) if params.key?(:blog_subtitle)
+      LeanCms::Setting.set('portfolio_title', params[:portfolio_title].to_s) if params.key?(:portfolio_title)
+      LeanCms::Setting.set('portfolio_subtitle', params[:portfolio_subtitle].to_s) if params.key?(:portfolio_subtitle)
+
+      # Update site address (as structured JSON)
+      address_data = {
+        'street1' => params[:site_street1].to_s,
+        'street2' => params[:site_street2].to_s,
+        'city' => params[:site_city].to_s,
+        'state' => params[:site_state].to_s.upcase,
+        'zip' => params[:site_zip].to_s
+      }
+      LeanCms::Setting.set_json('site_address', address_data)
+
+      # Update phone and email
+      LeanCms::Setting.set('site_phone', params[:site_phone]) if params[:site_phone]
+      LeanCms::Setting.set('site_email', params[:site_email]) if params[:site_email]
+
+      # Update business hours (as JSON)
+      if params[:business_hours_labels] || params[:business_hours_note]
+        hours_data = {
+          'hours' => build_hours_array,
+          'note' => params[:business_hours_note].to_s
+        }
+        LeanCms::Setting.set_json('business_hours', hours_data)
+      end
+
+      # Update Google Analytics (when enabled, force cookie consent on)
+      LeanCms::Setting.set('google_analytics_enabled', params[:google_analytics_enabled] == '1' ? 'true' : 'false')
+      LeanCms::Setting.set('google_analytics_id', params[:google_analytics_id].to_s.strip) if params.key?(:google_analytics_id)
+      LeanCms::Setting.set('cookie_consent_enabled', 'true') if LeanCms::Setting.enabled?('google_analytics_enabled')
+
+      # Update cookie consent (cannot disable if GA is enabled)
+      if params.key?(:cookie_consent_enabled)
+        forced_on = LeanCms::Setting.enabled?('google_analytics_enabled')
+        value = params[:cookie_consent_enabled] == '1' ? 'true' : 'false'
+        LeanCms::Setting.set('cookie_consent_enabled', forced_on ? 'true' : value)
+      end
+      LeanCms::Setting.set('cookie_consent_message', params[:cookie_consent_message].to_s) if params.key?(:cookie_consent_message)
+
+      redirect_to lean_cms_settings_path, notice: 'Settings updated successfully.'
+    end
+
+    def lock
+      reason = params[:reason].presence || 'Content sync in progress'
+      LeanCms::Setting.lock_content!(reason)
+      redirect_to lean_cms_settings_path, notice: "Content editing locked: #{reason}"
+    end
+
+    def unlock
+      LeanCms::Setting.unlock_content!
+      redirect_to lean_cms_settings_path, notice: 'Content editing unlocked. Editors can now make changes.'
+    end
+
+    # AJAX endpoint to toggle override settings
+    def update_override
+      allowed_keys = %w[contact_info_override contact_hours_override]
+      key = params[:key]
+      value = params[:value]
+
+      if allowed_keys.include?(key) && %w[true false].include?(value)
+        LeanCms::Setting.set(key, value)
+        head :ok
+      else
+        head :unprocessable_entity
+      end
+    end
+
+    private
+
+    def build_hours_array
+      return [] unless params[:business_hours_labels]
+      params[:business_hours_labels]
+        .zip(params[:business_hours_values] || [])
+        .map { |label, value| { 'label' => label.to_s, 'value' => value.to_s } }
+        .reject { |h| h['label'].blank? && h['value'].blank? }
+    end
+  end
+end

data/app/controllers/lean_cms/users_controller.rb

@@ -0,0 +1,113 @@
+module LeanCms
+  class UsersController < ApplicationController
+    before_action :set_user, only: [:show, :edit, :update, :deactivate, :activate, :send_password_reset]
+    after_action :verify_authorized
+
+    def index
+      authorize User
+      @users = policy_scope(User).includes(:sessions).order(created_at: :desc)
+    end
+
+    def show
+      authorize @user
+    end
+
+    def new
+      @user = User.new
+      authorize @user
+    end
+
+    def create
+      @user = User.new(user_params)
+      @user.active = false  # Will be activated when they set their password
+      @user.password = SecureRandom.hex(32)  # Temporary password, will be replaced
+      authorize @user
+
+      if @user.save
+        magic_link = MagicLink.create_for_invitation(@user, created_by_ip: request.remote_ip)
+        UsersMailer.invitation(@user, magic_link).deliver_later
+        redirect_to lean_cms_users_path, notice: "User invited. They will receive an email to set their password."
+      else
+        render :new, status: :unprocessable_entity
+      end
+    end
+
+    def edit
+      authorize @user
+    end
+
+    def update
+      authorize @user
+
+      # Prevent non-super-admins from granting super admin or settings access
+      if !current_user.is_super_admin?
+        if params[:user][:is_super_admin] == "1" || params[:user][:is_super_admin] == true
+          flash[:alert] = "Only super admins can grant super admin privileges."
+          render :edit, status: :unprocessable_entity
+          return
+        end
+        if params[:user][:can_access_settings] == "1" || params[:user][:can_access_settings] == true
+          flash[:alert] = "Only super admins can grant settings access."
+          render :edit, status: :unprocessable_entity
+          return
+        end
+      end
+
+      if @user.update(user_params)
+        redirect_to lean_cms_users_path, notice: "User updated successfully."
+      else
+        render :edit, status: :unprocessable_entity
+      end
+    end
+
+    def deactivate
+      authorize @user
+
+      if @user == current_user
+        redirect_to lean_cms_users_path, alert: "You cannot deactivate your own account."
+        return
+      end
+
+      @user.deactivate!
+      redirect_to lean_cms_users_path, notice: "User deactivated."
+    end
+
+    def activate
+      authorize @user
+
+      # Send a password reset link when activating a previously deactivated user
+      magic_link = MagicLink.create_for_password_reset(@user, created_by_ip: request.remote_ip)
+      UsersMailer.reactivation(@user, magic_link).deliver_later
+      @user.activate!
+
+      redirect_to lean_cms_users_path, notice: "User activated. They will receive an email to set a new password."
+    end
+
+    def send_password_reset
+      authorize @user
+
+      magic_link = MagicLink.create_for_password_reset(@user, created_by_ip: request.remote_ip)
+      UsersMailer.admin_triggered_password_reset(@user, magic_link).deliver_later
+
+      redirect_to lean_cms_users_path, notice: "Password reset email sent to #{@user.email_address}."
+    end
+
+    private
+
+    def set_user
+      @user = User.find(params[:id])
+    end
+
+    def user_params
+      permitted = [:name, :email_address, :can_edit_pages, :can_edit_blog, :can_manage_users]
+
+      # Only super admins can modify these permissions
+      if current_user.is_super_admin?
+        permitted << :can_access_settings
+        permitted << :is_super_admin
+      end
+
+      params.require(:user).permit(permitted)
+    end
+  end
+end

data/app/helpers/lean_cms/activity_helper.rb

@@ -0,0 +1,190 @@
+module LeanCms
+  module ActivityHelper
+    def activity_item_label(version)
+      case version.item_type
+      when "LeanCms::Setting"
+        setting = parsed_setting_object(version)
+        "Setting: #{setting&.dig('key') || version.item_id}"
+      when "LeanCms::PageContent"
+        pc = version.item_type.constantize.unscoped.find_by(id: version.item_id)
+        if pc
+          page_slug = pc.page&.full_path || pc.page&.slug || pc.read_attribute(:page).to_s
+          "Page Content: #{page_slug}/#{pc.section}/#{pc.key}"
+        else
+          "Page Content ##{version.item_id}"
+        end
+      when "LeanCms::Post"
+        post = version.item_type.constantize.unscoped.find_by(id: version.item_id)
+        post ? "Post: #{post.title}" : "Post ##{version.item_id}"
+      when "User"
+        user = User.unscoped.find_by(id: version.item_id)
+        user ? "User: #{user.email_address}" : "User ##{version.item_id}"
+      when "LeanCms::FormSubmission"
+        fs = version.item_type.constantize.unscoped.find_by(id: version.item_id)
+        fs ? "Form Submission ##{version.item_id}" : "Form Submission ##{version.item_id}"
+      else
+        "#{version.item_type} ##{version.item_id}"
+      end
+    rescue
+      "#{version.item_type} ##{version.item_id}"
+    end
+
+    def activity_who(version)
+      return "System" if version.whodunnit.blank?
+      user = User.unscoped.find_by(id: version.whodunnit)
+      user ? user.email_address : "User ##{version.whodunnit}"
+    rescue
+      "User ##{version.whodunnit}"
+    end
+
+    def activity_action_badge_class(event)
+      case event.to_s
+      when "create" then "bg-green-100 text-green-800"
+      when "update" then "bg-blue-100 text-blue-800"
+      when "destroy" then "bg-red-100 text-red-800"
+      else "bg-gray-100 text-gray-800"
+      end
+    end
+
+    def activity_old_value(version)
+      return "—" if version.event == "create"
+      obj = parsed_version_object(version)
+      return "—" if obj.blank?
+
+      format_attributes_for_display(obj, version.item_type)
+    rescue
+      "—"
+    end
+
+    def activity_new_value(version)
+      return "—" if version.event == "destroy"
+      obj = parsed_version_object(version)
+      return "—" if obj.blank? && version.event != "create"
+
+      case version.item_type
+      when "LeanCms::Setting"
+        if version.event == "create"
+          obj["value"].to_s.truncate(80)
+        else
+          item = version.item_type.constantize.unscoped.find_by(id: version.item_id)
+          item&.value&.to_s&.truncate(80) || "—"
+        end
+      else
+        if version.event == "create"
+          format_attributes_for_display(obj, version.item_type)
+        else
+          item = version.item_type.constantize.unscoped.find_by(id: version.item_id)
+          item ? truncate_item_summary(item) : "—"
+        end
+      end
+    rescue
+      "—"
+    end
+
+    private
+
+    def parsed_version_object(version)
+      return {} if version.object.blank?
+      YAML.safe_load(
+        version.object,
+        permitted_classes: [Symbol, Time, ActiveSupport::TimeWithZone, ActiveSupport::TimeZone, Date, DateTime],
+        aliases: true
+      ) || {}
+    rescue
+      {}
+    end
+
+    def parsed_setting_object(version)
+      parsed_version_object(version)
+    end
+
+    def truncate_item_summary(item)
+      case item.class.name
+      when "LeanCms::PageContent"
+        page_slug = item.page&.full_path || item.page&.slug || item.read_attribute(:page).to_s
+        value_summary = format_display_value(item.display_value)
+        "#{page_slug}/#{item.section}/#{item.key}: #{value_summary}"
+      when "LeanCms::Post"
+        item.title.to_s.truncate(60)
+      when "LeanCms::Page"
+        "#{item.title} (#{item.slug})"
+      when "User"
+        item.email_address.to_s
+      when "LeanCms::FormSubmission"
+        "Submission ##{item.id}"
+      else
+        item.to_s.truncate(60)
+      end
+    rescue
+      "—"
+    end
+
+    def format_attributes_for_display(obj, item_type)
+      case item_type
+      when "LeanCms::Setting"
+        obj["value"].to_s.truncate(80)
+      when "LeanCms::PageContent"
+        page_slug = safe_page_slug(obj["page"])
+        section = obj["section"].to_s.presence || "—"
+        key = obj["key"].to_s.presence || "—"
+        value_summary = format_value_from_attributes(obj)
+        "#{page_slug}/#{section}/#{key}: #{value_summary}"
+      when "LeanCms::Post"
+        parts = []
+        parts << obj["title"].to_s if obj["title"].present?
+        parts << obj["excerpt"].to_s.truncate(40) if obj["excerpt"].present?
+        parts.any? ? parts.join(" — ").truncate(80) : "Post ##{obj["id"]}"
+      when "LeanCms::Page"
+        title = obj["title"].to_s.presence || "—"
+        slug = obj["slug"].to_s.presence || "—"
+        "#{title} (#{slug})"
+      when "User"
+        obj["email_address"].to_s.presence || obj["name"].to_s.presence || "User ##{obj["id"]}"
+      when "LeanCms::FormSubmission"
+        "Submission ##{obj["id"]}"
+      else
+        safe_attributes_summary(obj)
+      end
+    rescue
+      "—"
+    end
+
+    def safe_page_slug(page_attr)
+      return "—" if page_attr.blank?
+      return page_attr.to_s if page_attr.is_a?(String)
+      page_attr.respond_to?(:slug) ? page_attr.slug.to_s : page_attr.respond_to?(:full_path) ? page_attr.full_path.to_s : "—"
+    end
+
+    def format_value_from_attributes(obj)
+      val = obj["value"].to_s.presence || obj["content"].to_s.presence
+      return "—" if val.blank?
+      stripped = val.gsub(/<[^>]*>/, " ").squish
+      stripped.present? ? stripped.truncate(50) : "—"
+    end
+
+    def format_display_value(val)
+      return "—" if val.blank?
+      return val.truncate(40) if val.is_a?(String)
+      return "Cards (#{val.size})" if val.is_a?(Array)
+      return "Image attached" if val.respond_to?(:attached?) && val.attached?
+      return "Image attached" if val.is_a?(ActiveStorage::Attached::One)
+      val.to_s.truncate(40)
+    end
+
+    def safe_attributes_summary(obj)
+      skip = %w[created_at updated_at id]
+      filtered = obj.except(*skip).transform_values { |v| safe_attribute_value(v) }
+      filtered.reject! { |_, v| v.blank? }
+      filtered.any? ? filtered.map { |k, v| "#{k}: #{v}" }.join("; ").truncate(80) : "—"
+    end
+
+    def safe_attribute_value(v)
+      return v.to_s if v.is_a?(String) || v.is_a?(Numeric) || v == true || v == false
+      return v.strftime("%Y-%m-%d %H:%M") if v.respond_to?(:strftime)
+      return v.slug.to_s if v.respond_to?(:slug)
+      return v.title.to_s if v.respond_to?(:title)
+      return v.email_address.to_s if v.respond_to?(:email_address)
+      "—"
+    end
+  end
+end

data/app/helpers/lean_cms/application_helper.rb

@@ -0,0 +1,43 @@
+module LeanCms
+  module ApplicationHelper
+    # Darken a hex color by a percentage
+    def darken_color(hex_color, percent)
+      hex_color = hex_color.gsub('#', '')
+      rgb = hex_color.scan(/../).map { |color| color.to_i(16) }
+      rgb = rgb.map { |channel| [(channel * (100 - percent) / 100).round, 0].max }
+      "##{rgb.map { |channel| channel.to_s(16).rjust(2, '0') }.join}"
+    end
+
+    # Format date for display
+    def format_date(date)
+      return unless date
+      date.strftime("%B %d, %Y")
+    end
+
+    # Format datetime for display
+    def format_datetime(datetime)
+      return unless datetime
+      datetime.strftime("%B %d, %Y at %I:%M %p")
+    end
+
+    # Status badge colors
+    def status_badge_class(status)
+      case status.to_s
+      when 'published'
+        'bg-green-100 text-green-800'
+      when 'draft'
+        'bg-yellow-100 text-yellow-800'
+      when 'new_submission'
+        'bg-blue-100 text-blue-800'
+      when 'read'
+        'bg-gray-100 text-gray-800'
+      when 'replied'
+        'bg-green-100 text-green-800'
+      when 'archived'
+        'bg-gray-100 text-gray-600'
+      else
+        'bg-gray-100 text-gray-800'
+      end
+    end
+  end
+end

data/app/helpers/lean_cms/content_helper.rb

@@ -0,0 +1,34 @@
+module LeanCms
+  module ContentHelper
+    # Render editable content section
+    def render_editable_section(page_key, section_key, default: nil, **options)
+      content = LeanCms::PageContent.for_section(page_key, section_key)
+
+      if content.persisted?
+        case content.content_type.to_sym
+        when :rich
+          content_tag(:div, content.rich_content, **options)
+        when :markdown
+          # TODO: Add markdown rendering with a gem like Redcarpet
+          content_tag(:div, simple_format(content.content), **options)
+        else
+          content_tag(:div, content.content, **options)
+        end
+      else
+        default
+      end
+    end
+
+    # Check if current user can edit CMS content
+    def can_edit_cms?
+      current_user&.has_any_cms_permission?
+    end
+
+    # Show edit link if user is CMS editor
+    def cms_edit_link(path, text: "Edit", css_class: "")
+      return unless can_edit_cms?
+
+      link_to text, path, class: "cms-edit-link #{css_class}".strip
+    end
+  end
+end