lesli_shield 1.0.2 → 1.0.4

data/{db/migrate/v1/0801003010_create_lesli_shield_dashboards.rb → app/models/lesli_shield/role/privilege.rb}

@@ -2,7 +2,7 @@
 
 Lesli
 
-Copyright (c) 2025, Lesli Technologies, S. A.
+Copyright (c) 2026, Lesli Technologies, S. A.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -30,8 +30,9 @@ Building a better future, one line of code at a time.
 // · 
 =end
 
-class CreateLesliShieldDashboards < ActiveRecord::Migration[6.1]
-    def change
-        create_table_lesli_shared_dashboards_10(:lesli_shield)
+module LesliShield
+    class Role::Privilege < Lesli::ApplicationLesliRecord
+        self.table_name = "lesli_shield_role_privileges"
+        belongs_to :role, class_name: "Lesli::Role"
     end
 end

data/app/models/lesli_shield/user/role.rb

@@ -0,0 +1,8 @@
+module LesliShield
+    class User::Role < ApplicationRecord
+        self.table_name = 'lesli_shield_user_roles'
+        belongs_to :user
+        belongs_to :role, class_name: "Lesli::Role"
+        has_many :roles
+    end
+end

data/app/models/lesli_shield/user/session.rb

@@ -0,0 +1,80 @@
+=begin
+
+Lesli
+
+Copyright (c) 2026, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by LesliTech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+module LesliShield
+    class User::Session < Lesli::ApplicationLesliRecord
+        self.table_name = 'lesli_shield_user_sessions'
+        belongs_to :user, class_name: 'Lesli::User'
+
+        after_create :set_session_token
+
+        enum :session_source, {
+            :dispatcher_standard_session => "dispatcher_standard_session",
+            :devise_standard_session => "devise_standard_session"
+        }
+
+        def set_session_token
+
+            return if self.session_source == "devise_standard_session"
+
+            return unless self.session_token.blank?
+
+            rebuild_token = true
+
+            while rebuild_token do
+
+                session_token = SecureRandom.alphanumeric(20)
+
+                # assign token to user if token is unique
+                unless User::Session.find_by(:session_token => session_token)
+                    self.session_token = session_token
+                    self.save!
+                    rebuild_token = false
+                end
+
+            end
+
+        end
+
+        def active?
+            if self.deleted_at.present?
+                return false
+            end
+
+            if self.expiration_at != nil && self.expiration_at < Time.now.utc
+                return false
+            end
+
+            return true
+        end
+    end
+end

data/app/services/lesli_shield/invite_service.rb

@@ -0,0 +1,43 @@
+=begin
+
+Lesli
+
+Copyright (c) 2025, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by LesliTech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+module LesliShield
+    class InviteService < Lesli::ApplicationLesliService
+
+        def index params
+            Invite.all
+            .page(query[:pagination][:page])
+            .per(query[:pagination][:perPage])
+            .order(updated_at: :desc)
+        end
+    end
+end

data/app/services/lesli_shield/role_action_service.rb

@@ -0,0 +1,118 @@
+module LesliShield
+    class RoleActionService < Lesli::ApplicationLesliService 
+
+        def find id
+            super(Role::Action.with_deleted.find(id))
+        end
+
+        def index role_id
+
+            def clean action 
+                {
+                    :id => action.id,
+                    :role_id => action.role_id,
+                    :action_id => action.action_id,
+                    :deleted_at => action.deleted_at,
+                    :active => action.active
+                }
+            end
+
+            role_actions = {}
+
+            Role::Action.with_deleted.joins(action: :parent)
+            .where(:role_id => role_id)
+            .select(
+                :id,
+                :role_id,
+                :deleted_at,
+                "parents_lesli_resources.id as controller_id",
+                "parents_lesli_resources.label as controller_name",
+                "lesli_resources.action as action_name",
+                "lesli_resources.id as action_id",
+                "case when lesli_shield_role_actions.deleted_at is null then TRUE else FALSE end active"
+            ).each do |action|
+
+                unless role_actions.has_key?(action[:controller_name])
+                    role_actions[action[:controller_name]] = {
+                        list:nil,
+                        index: nil,
+                        show:nil,
+                        create:nil,
+                        update:nil,
+                        destroy:nil
+                    }
+                end
+
+                if  action[:action_name] == "list"
+                    role_actions[action[:controller_name]][:list] = clean(action)
+                end
+
+                if  action[:action_name] == "index"
+                    role_actions[action[:controller_name]][:index] = clean(action)
+                end
+
+                if  action[:action_name] == "show"
+                    role_actions[action[:controller_name]][:show] = clean(action)
+                end
+
+                if  action[:action_name] == "create"
+                    role_actions[action[:controller_name]][:create] = clean(action)
+                end
+
+                if  action[:action_name] == "update"
+                    role_actions[action[:controller_name]][:update] = clean(action)
+                end
+
+                if  action[:action_name] == "destroy"
+                    role_actions[action[:controller_name]][:destroy] = clean(action)
+                end
+            end
+
+            role_actions
+        end
+
+        def add_guest_actions role
+
+            # Adding default system actions for profile descriptor
+            [
+                { controller: "lesli/users", actions: ["update"] },        # enable user edition
+                { controller: "lesli/abouts", actions: ["show"] },         # system status
+                { controller: "lesli/user/sessions", actions: ["index"] }, # session management
+                { controller: "lesli_admin/profiles", actions: ["show"] }  # enable profile view
+            ].each do |controller_action|
+
+                controller_action[:actions].each do |action_name|
+
+                    system_controller_action = Lesli::Resource.actions.joins(:parent)
+                    .where("parents_lesli_resources.route = ?", controller_action[:controller])
+                    .where("lesli_resources.action = ?", action_name)
+
+                    role.actions.find_or_create_by(
+                        action: system_controller_action.first
+                    )
+                end
+            end
+        end
+
+        def add_owner_actions role
+
+            now = Time.current
+
+            # Adding default system actions for profile descriptor
+            actions = Lesli::Resource.actions
+
+            records = actions.map do |action|
+                {
+                    role_id: role.id,
+                    action_id: action.id,
+                    created_at: now,
+                    updated_at: now
+                }
+            end
+
+            role.actions.upsert_all(records,
+                unique_by: :index_role_actions_on_role_and_action
+            )
+        end
+    end
+end

data/app/services/lesli_shield/role_privilege_service.rb

@@ -0,0 +1,112 @@
+=begin
+
+Lesli
+
+Copyright (c) 2026, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by LesliTech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+module LesliShield
+    class RolePrivilegeService < Lesli::ApplicationLesliService
+
+        # Syncronize the descriptor privileges with the role privilege cache table 
+        def synchronize role
+
+            # bulk all the descriptor privileges
+            # this script was built manually for performance, maintenance
+            # and to make it easy to read for future changes, basically what it does 
+            # is get the controllers and actions assigned to a descriptor through the 
+            # system_descriptor_privileges table and create an array of hashes with
+            # all the raw privileges (this includes duplicated privileges)
+            # IMPORTANT: A descriptor privilege is evaluated as active if:
+            #   - the role has assigned the descriptor through the power association
+            #   - the descriptor has assigned the privilege through the controller actions table
+            #   - the power has active that group of actions, this means that, if the power has
+            #     not marked as active the pshow, pindex, etc column the power is not active
+            #     even if it is assigned and active to a descriptor
+
+            records = Lesli::Role.joins(%(
+                INNER JOIN "lesli_shield_role_actions" 
+                ON "lesli_shield_role_actions"."role_id" = "lesli_roles"."id"
+            )).joins(%(
+                INNER JOIN lesli_resources as resource_actions
+                ON resource_actions.id = lesli_shield_role_actions.action_id
+            )).joins(%(
+                INNER JOIN lesli_resources as resource_controllers
+                ON resource_controllers.id = resource_actions.parent_id
+            )).select(%(
+                lesli_shield_role_actions.role_id as role_id,
+                resource_controllers.route as controller, 
+                resource_actions.action as action,
+                lesli_shield_role_actions.deleted_at IS NULL as active
+            )).with_deleted
+
+            # get privileges only for the given role, this is needed to sync only modified roles
+            records = records.where("lesli_shield_role_actions.role_id" => role.id)
+
+            # get privileges only for the given role action, this is needed to sync only modified actions
+            records = records.where("lesli_shield_role_actions.id" => @action.id) if @action
+
+
+            # we use the deleted_at column to know if a privilege is enable or disable, NULL values
+            # at the deleted_at column means privilege is active, so if we sort by deleted_at column
+            # all the active privileges will be at the top, then the uniq method is going to take
+            # always the active values, to completely disable a privilege for a specific controller/action
+            # we have to disable in all the roles
+            records = records.order("lesli_shield_role_actions.deleted_at DESC")
+
+
+            # convert the results to json so it is easy to insert/update
+            records = records.as_json(only: [:controller, :action, :role_id, :active])
+
+            
+            # IMPORTANT: We must save only uniq privileges in the role_privilege table
+            # this means that it does not matters how many times we defined a privilege dependency
+            # we insert the privilege only once.
+            # Example: If we defined that we need access to UsersController#index in 20 descriptors,
+            # in the role_privileges will be only one record for that specific controller and action
+            records = records.uniq do |privilege|
+
+                # NOTE: If can disable a privilege that belongs to a descriptor, 
+                # however, if the same privilege is define in another active descriptor, 
+                # the role that has both descriptor will be able to access the resources 
+                # of that privilege, that is a normal and desire behavior.
+                [privilege["controller"], privilege["action"], privilege["role_id"]]
+            end
+
+
+            # small check to ensure I have records to update/insert
+            return if records.blank?
+
+            # bulk update/insert into role privilege cache table
+            # IMPORTANT: Due to the importance and how delicate this process is, it is better
+            #            to copy the controller name and actions from the system, instead of 
+            #            just have a reference to the system_controller_actions table
+            Role::Privilege.with_deleted.upsert_all(records, unique_by: [:controller, :action, :role_id])
+        end 
+    end
+end

data/app/{operators/lesli_shield/user_registration_operator.rb → services/lesli_shield/user_registration_service.rb}

@@ -2,7 +2,7 @@
 
 Lesli
 
-Copyright (c) 2023, Lesli Technologies, S. A.
+Copyright (c) 2026, Lesli Technologies, S. A.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -17,9 +17,9 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program. If not, see http://www.gnu.org/licenses/.
 
-Lesli · Ruby on Rails Development Platform.
+Lesli · Ruby on Rails SaaS Development Framework.
 
-Made with ♥ by https://www.lesli.tech
+Made with ♥ by LesliTech
 Building a better future, one line of code at a time.
 
 @contact  hello@lesli.tech
@@ -28,11 +28,10 @@ Building a better future, one line of code at a time.
 
 // · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
 // · 
-
 =end
 
 module LesliShield
-    class UserRegistrationOperator < Lesli::ApplicationLesliService
+    class UserRegistrationService < Lesli::ApplicationLesliService
 
         def initialize(current_user)
             @resource = current_user
@@ -41,37 +40,22 @@ module LesliShield
 
         def confirm
 
-            if current_user.blank?
-                failures.push(I18n.t("core.shared.messages_warning_user_not_found")) 
-                return self
-            end
-
             # confirm the user
             current_user.confirm
 
-            # force token deletion so we are sure nobody will be able to use the token again
-            resource.update(confirmation_token: nil)
 
-            # send a welcome email to user as is confirmed
-            Lesli::DeviseMailer.with(user: resource).welcome.deliver_later
+            # force token deletion so we are sure nobody 
+            # will be able to use the token again
+            current_user.update(confirmation_token: nil)
 
-            # initialize user dependencies
-            current_user.after_confirmation
+            # Minimum security settings required
+            #self.settings.create_with(:value => false).find_or_create_by(:name => "mfa_enabled")
+            #self.settings.create_with(:value => :email).find_or_create_by(:name => "mfa_method")
 
         end
 
         def create_account
 
-            if resource.blank?
-                failures.push(I18n.t("core.shared.messages_warning_user_not_found")) 
-                return self
-            end
-
-            if resource.account
-                failures.push(I18n.t("core.users.messages_info_user_already_belongs_to_account")) 
-                return self
-            end
-
             # check if instance is for multi-account
             allow_multiaccount = Lesli.config.security.dig(:allow_multiaccount)
 
@@ -95,7 +79,7 @@ module LesliShield
 
             # add owner role to user only if multi-account is allowed
             if allow_multiaccount == true
-                resource.roles.create({ role: account.roles.find_by(name: "owner") })
+                resource.user_roles.create({ role: account.roles.find_by(name: "owner") })
             end
 
             # add profile role to user only if multi-account is allowed
@@ -112,11 +96,24 @@ module LesliShield
                 end
             end
 
+            # Synchronize roles for the very first time
+            resource.roles.each do |role|
+                LesliShield::RolePrivilegeService.new(nil).synchronize(role)
+            end
+
             # update user :)
             resource.save
 
-            # initialize user dependencies
-            resource.after_account_assignation
+            # # initialize user dependencies
+            # def after_account_assignation
+            # return unless self.account
+
+            # #Courier::One::Firebase::User.sync_user(self)
+            # # Lesli::Courier.new(:lesli_calendar).from(:calendar_service, self).create({
+            # #     name: "Personal Calendar", 
+            # #     default: true
+            # # })
+            # end
 
         end
     end

data/app/services/lesli_shield/user_session_service.rb

@@ -0,0 +1,78 @@
+=begin
+
+Lesli
+
+Copyright (c) 2025, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by LesliTech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+module LesliShield
+    class UserSessionService < Lesli::ApplicationLesliService
+
+        def index
+            LesliShield::User::Session
+            .joins(:user)
+            .select(
+                :id,
+                :user_id,
+                :first_name,
+                :session_source,
+                Date2.new.date_time.db_column("created_at", "lesli_shield_user_sessions"),
+                Date2.new.date_time.db_column("last_used_at"),
+                Date2.new.date_time.db_column("expiration_at"),
+                "CONCAT_WS(' ', agent_platform, agent_os, '/', agent_browser, agent_version) as device"
+            )
+            .page(query[:pagination][:page])
+            .per(query[:pagination][:perPage])
+            .order(updated_at: :desc)
+        end
+
+        # create a new session
+        def create(remote_ip, user_agent=nil, session_source="devise_standard_session")
+
+            # register a new unique session
+            current_session = current_user.sessions.create({
+                :remote => remote_ip,
+
+                :agent_os => user_agent&.dig(:os) || "unknown",
+                :agent_platform => user_agent&.dig(:platform) || "unknown",
+                :agent_browser => user_agent&.dig(:browser) || "unknown",
+                :agent_version => user_agent&.dig(:version) || "unknown",
+                
+                :session_source => session_source,
+                :last_used_at => Date2.new.get,
+
+                :usage_count => 1
+            })
+
+            # register or sync the current_user with the user representation on Firebase
+            #Courier::One::Firebase::User.sync_user(@resource) if defined? CloudOne
+
+            self.response(current_session)
+        end
+    end
+end