lesli_shield 1.0.3 → 1.0.4

data/app/models/concerns/lesli_shield/user_security.rb

@@ -0,0 +1,222 @@
+=begin
+
+Lesli
+
+Copyright (c) 2025, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by LesliTech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+
+# User extension methods
+# Custom methods that belongs to a instance user
+module LesliShield
+    module UserSecurity
+        extend ActiveSupport::Concern
+
+        # get the max level permission from roles assigned to the user
+        def max_level_permission
+            self.roles.maximum(:permission_level) || 0
+        end
+
+        # check if user has roles with specific names
+        def has_roles?(*roles)
+            !roles.intersection(self.roles.map{ |r| r[:name] }).empty?
+        end
+
+        # check the privilege cache to check if user is able 
+        # to perform a specific action in a specific controller
+        def has_privileges_for?(controller, action)
+            begin
+                return self.privileges.where(
+                    controller: controller,
+                    action: action,
+                    active: true
+                ).exists?
+            rescue => exception
+                L2.danger(exception.to_s)
+                return false
+            end
+        end
+
+        # Check if user has enough privilege to work with the given role
+        def can_work_with_role?(role_id)
+
+            # get the role if only id is given
+            role = self.account.roles.find_by(:id => role_id)
+
+            # false if role not found
+            return false if role.blank?
+
+            # not valid role without object levelpermission defined
+            return false if role.level_permission.blank?
+
+            # get the max level permission from the roles the user has assigned
+            user_role_max_level_permission = self.roles.map(&:level_permission).max()
+
+            # check if user can work with the level permission of the role is trying to modify
+            # Note: user only can assigned an level permission below the max of his own roles
+            # Current user cannot assign role if role to assign is the same of the greater role 
+            # assigned to the current user
+            user_role_max_level_permission >= role.level_permission
+        end
+
+        # Checks configuration of all the roles assigned to the user
+        # if user has a role with "default path" to use as home to redirect after login
+        # IMPORTANT: This home path is used only the send the user after login, the user
+        #            and the role are not limited by this configuration
+        def has_role_with_default_path?()
+
+            # get the roles that contains a path
+            role = self.roles.where.not(path_default: [nil, ""])
+
+            # here we must order the results descendant because we must
+            # keep the path of the hightest level permission role.
+            # Example: we should use the path of the admin role if user has
+            # admin & employee roles, also order by default_path, so we get first 
+            # the roles with path in case the user has roles with the same level permission
+            role = role.order(level_permission: :desc).order(:path_default)
+
+            # get the first role found, due previously we sort in a descendant order
+            # the first role is going to be the one with highest level permission
+            # this is going to return nil if no role was found
+            default_path = role.first&.path_default  || "/"
+
+            # if first loggin for account owner send him to the onboarding page
+            if self.account.onboarding? && self.has_roles?("owner")
+                default_path = "/onboarding"
+            end
+
+            default_path
+        end
+
+        # Checks configuration of all the roles assigned to the user
+        # if user has a role limited to a defined path
+        # if user has a high privilege role that overrides any other role configuration
+        def has_role_limited_to_path?()
+
+            # get the roles ordering in descendant mode because we must
+            # keep the path of the hightest level permission role.
+            # Example: we should use the path of the admin role if user has
+            # admin & employee roles, also order by default_path, so we get first 
+            # the roles with path in case the user has roles with the same level permission
+            role = self.roles.order(level_permission: :desc).order(:path_default)
+
+            # get the first role found, due previously we sort in a descendant order
+            # the first role is going to be the one with highest level permission
+            # this is going to return nil if no role was found
+            role = role.first
+
+            # return the path of the role if is limited to a that specific path
+            return role.path_default if role.path_limited == true 
+
+            # return nil if role has no limits
+            return nil
+        end
+
+        # Sets this user as inactive and removes complete access to the platform
+        def revoke_access
+            self.update(active: false)
+        end
+
+        # Change user password forcing user to reset the password
+        def set_password_as_expired
+            self.update(password_expiration_at: Time.current)
+        end
+
+        # @description Change user password forcing user to reset the password
+        def set_password_for_reset
+            generate_password_reset_token()
+        end
+
+        def has_expired_password?
+            return false if self.password_expiration_at.blank?
+            return Time.current > self.password_expiration_at
+        end
+
+        # Check if user has a confirmed telephone number
+        def has_telephone_confirmed?
+            !!self.telephone_confirmed_at
+        end 
+
+        # Change user password forcing user to reset the password
+        def generate_password_reset_token
+            raw, hashed = Devise.token_generator.generate(Lesli::User, :reset_password_token)
+
+            self.update!(
+                password: nil,
+                reset_password_token: hashed,
+                reset_password_sent_at: Time.current
+            )
+
+            raw
+        end
+
+        # Generate a token to validate telephone number
+        def generate_telephone_token(length=4)
+            raw, enc = Devise.token_generator.create(
+                self.class, 
+                :telephone_confirmation_token, 
+                type:'number', 
+                length:length
+            )
+
+            self.telephone_confirmation_token   = enc
+            self.telephone_confirmation_sent_at = Time.now.utc
+            self.telephone_confirmed_at = nil
+            save(validate: false)
+            raw
+        end
+
+        # Mark telephone number as valid and confirmed
+        def confirm_telephone_number
+            self.telephone_confirmation_token   = nil
+            self.telephone_confirmation_sent_at = nil
+            self.telephone_confirmed_at = Time.now.utc
+            save(validate: false)
+        end
+
+        # Return a hash that contains all the abilities grouped by 
+        # controller and define every action privilege. It also
+        # evaluate if the user has the ability no matter if is given 
+        # to the user by role or by itself.
+        def abilities_by_controller
+
+            # Abilities hash where we will save all the privileges the user has to
+            abilities = {}
+
+            # We check all the privileges the user has in the cache table according to his roles
+            # and create a key per controller (with the full controller name) that contains an array of all the 
+            # methods/actions with permission
+            # self.privileges.all.each do |privilege|
+            #     abilities[privilege.controller] = [] if abilities[privilege.controller].nil?
+            #     abilities[privilege.controller] << privilege.action
+            # end
+
+            abilities
+        end
+    end
+end

data/app/models/lesli_shield/account.rb

@@ -34,11 +34,11 @@ module LesliShield
     class Account < ApplicationRecord
         belongs_to :account, class_name: "Lesli::Account"
         has_many :dashboards
+        has_many :invites
 
         after_create :initialize_account
 
         def initialize_account
-            Dashboard.initialize_account(self)
         end
     end
 end

data/app/models/lesli_shield/dashboard.rb

@@ -32,9 +32,6 @@ Building a better future, one line of code at a time.
 
 module LesliShield
     class Dashboard < Lesli::Shared::Dashboard
-        self.table_name = "lesli_shield_dashboards"
-        belongs_to :account
-
-        COMPONENTS = %i[]
+        COMPONENTS = %i[calendar chart_bar weather]
     end
 end

data/app/models/lesli_shield/invite.rb

@@ -0,0 +1,24 @@
+module LesliShield
+    class Invite < ApplicationRecord
+        belongs_to :account
+        belongs_to :user, class_name: "Lesli::User"
+
+        validates :email, presence: true, on: :create
+
+        before_create :before_create_invite
+
+        enum :status, { 
+            created: 0, 
+            accepted: 1, 
+            cancelled: 2,
+            sent: 5, 
+            requested: 6
+        }
+
+        private 
+
+        def before_create_invite
+            self.status = :created
+        end
+    end
+end

data/{lib/vue/confirmations.js → app/models/lesli_shield/role/action.rb}

@@ -1,7 +1,8 @@
-/*
+=begin
+
 Lesli
 
-Copyright (c) 2023, Lesli Technologies, S. A.
+Copyright (c) 2026, Lesli Technologies, S. A.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -16,18 +17,24 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program. If not, see http://www.gnu.org/licenses/.
 
-Lesli · Your Smart Business Assistant. 
+Lesli · Ruby on Rails SaaS Development Framework.
 
-Made with ♥ by https://www.lesli.tech
+Made with ♥ by LesliTech
 Building a better future, one line of code at a time.
 
 @contact  hello@lesli.tech
-@website  https://lesli.tech
+@website  https://www.lesli.tech
 @license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
 
-// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
-// · 
-*/
-
-
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
 // · 
+=end
+
+module LesliShield
+    class Role::Action < Lesli::ApplicationLesliRecord
+        self.table_name = 'lesli_shield_role_actions'
+        
+        belongs_to :role, class_name: 'Lesli::Role'
+        belongs_to :action, class_name: "Lesli::Resource"
+    end
+end

data/{db/migrate/v1/0801003010_create_lesli_shield_dashboards.rb → app/models/lesli_shield/role/privilege.rb}

@@ -2,7 +2,7 @@
 
 Lesli
 
-Copyright (c) 2025, Lesli Technologies, S. A.
+Copyright (c) 2026, Lesli Technologies, S. A.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -30,8 +30,9 @@ Building a better future, one line of code at a time.
 // · 
 =end
 
-class CreateLesliShieldDashboards < ActiveRecord::Migration[6.1]
-    def change
-        create_table_lesli_shared_dashboards_10(:lesli_shield)
+module LesliShield
+    class Role::Privilege < Lesli::ApplicationLesliRecord
+        self.table_name = "lesli_shield_role_privileges"
+        belongs_to :role, class_name: "Lesli::Role"
     end
 end

data/app/models/lesli_shield/user/role.rb

@@ -0,0 +1,8 @@
+module LesliShield
+    class User::Role < ApplicationRecord
+        self.table_name = 'lesli_shield_user_roles'
+        belongs_to :user
+        belongs_to :role, class_name: "Lesli::Role"
+        has_many :roles
+    end
+end

data/app/models/lesli_shield/user/session.rb

@@ -0,0 +1,80 @@
+=begin
+
+Lesli
+
+Copyright (c) 2026, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by LesliTech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+module LesliShield
+    class User::Session < Lesli::ApplicationLesliRecord
+        self.table_name = 'lesli_shield_user_sessions'
+        belongs_to :user, class_name: 'Lesli::User'
+
+        after_create :set_session_token
+
+        enum :session_source, {
+            :dispatcher_standard_session => "dispatcher_standard_session",
+            :devise_standard_session => "devise_standard_session"
+        }
+
+        def set_session_token
+
+            return if self.session_source == "devise_standard_session"
+
+            return unless self.session_token.blank?
+
+            rebuild_token = true
+
+            while rebuild_token do
+
+                session_token = SecureRandom.alphanumeric(20)
+
+                # assign token to user if token is unique
+                unless User::Session.find_by(:session_token => session_token)
+                    self.session_token = session_token
+                    self.save!
+                    rebuild_token = false
+                end
+
+            end
+
+        end
+
+        def active?
+            if self.deleted_at.present?
+                return false
+            end
+
+            if self.expiration_at != nil && self.expiration_at < Time.now.utc
+                return false
+            end
+
+            return true
+        end
+    end
+end

data/app/services/lesli_shield/invite_service.rb

@@ -0,0 +1,43 @@
+=begin
+
+Lesli
+
+Copyright (c) 2025, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by LesliTech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+module LesliShield
+    class InviteService < Lesli::ApplicationLesliService
+
+        def index params
+            Invite.all
+            .page(query[:pagination][:page])
+            .per(query[:pagination][:perPage])
+            .order(updated_at: :desc)
+        end
+    end
+end

data/app/services/lesli_shield/role_action_service.rb

@@ -0,0 +1,118 @@
+module LesliShield
+    class RoleActionService < Lesli::ApplicationLesliService 
+
+        def find id
+            super(Role::Action.with_deleted.find(id))
+        end
+
+        def index role_id
+
+            def clean action 
+                {
+                    :id => action.id,
+                    :role_id => action.role_id,
+                    :action_id => action.action_id,
+                    :deleted_at => action.deleted_at,
+                    :active => action.active
+                }
+            end
+
+            role_actions = {}
+
+            Role::Action.with_deleted.joins(action: :parent)
+            .where(:role_id => role_id)
+            .select(
+                :id,
+                :role_id,
+                :deleted_at,
+                "parents_lesli_resources.id as controller_id",
+                "parents_lesli_resources.label as controller_name",
+                "lesli_resources.action as action_name",
+                "lesli_resources.id as action_id",
+                "case when lesli_shield_role_actions.deleted_at is null then TRUE else FALSE end active"
+            ).each do |action|
+
+                unless role_actions.has_key?(action[:controller_name])
+                    role_actions[action[:controller_name]] = {
+                        list:nil,
+                        index: nil,
+                        show:nil,
+                        create:nil,
+                        update:nil,
+                        destroy:nil
+                    }
+                end
+
+                if  action[:action_name] == "list"
+                    role_actions[action[:controller_name]][:list] = clean(action)
+                end
+
+                if  action[:action_name] == "index"
+                    role_actions[action[:controller_name]][:index] = clean(action)
+                end
+
+                if  action[:action_name] == "show"
+                    role_actions[action[:controller_name]][:show] = clean(action)
+                end
+
+                if  action[:action_name] == "create"
+                    role_actions[action[:controller_name]][:create] = clean(action)
+                end
+
+                if  action[:action_name] == "update"
+                    role_actions[action[:controller_name]][:update] = clean(action)
+                end
+
+                if  action[:action_name] == "destroy"
+                    role_actions[action[:controller_name]][:destroy] = clean(action)
+                end
+            end
+
+            role_actions
+        end
+
+        def add_guest_actions role
+
+            # Adding default system actions for profile descriptor
+            [
+                { controller: "lesli/users", actions: ["update"] },        # enable user edition
+                { controller: "lesli/abouts", actions: ["show"] },         # system status
+                { controller: "lesli/user/sessions", actions: ["index"] }, # session management
+                { controller: "lesli_admin/profiles", actions: ["show"] }  # enable profile view
+            ].each do |controller_action|
+
+                controller_action[:actions].each do |action_name|
+
+                    system_controller_action = Lesli::Resource.actions.joins(:parent)
+                    .where("parents_lesli_resources.route = ?", controller_action[:controller])
+                    .where("lesli_resources.action = ?", action_name)
+
+                    role.actions.find_or_create_by(
+                        action: system_controller_action.first
+                    )
+                end
+            end
+        end
+
+        def add_owner_actions role
+
+            now = Time.current
+
+            # Adding default system actions for profile descriptor
+            actions = Lesli::Resource.actions
+
+            records = actions.map do |action|
+                {
+                    role_id: role.id,
+                    action_id: action.id,
+                    created_at: now,
+                    updated_at: now
+                }
+            end
+
+            role.actions.upsert_all(records,
+                unique_by: :index_role_actions_on_role_and_action
+            )
+        end
+    end
+end