lesli_shield 1.0.3 → 1.0.4

data/app/services/lesli_shield/role_privilege_service.rb

@@ -0,0 +1,112 @@
+=begin
+
+Lesli
+
+Copyright (c) 2026, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by LesliTech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+module LesliShield
+    class RolePrivilegeService < Lesli::ApplicationLesliService
+
+        # Syncronize the descriptor privileges with the role privilege cache table 
+        def synchronize role
+
+            # bulk all the descriptor privileges
+            # this script was built manually for performance, maintenance
+            # and to make it easy to read for future changes, basically what it does 
+            # is get the controllers and actions assigned to a descriptor through the 
+            # system_descriptor_privileges table and create an array of hashes with
+            # all the raw privileges (this includes duplicated privileges)
+            # IMPORTANT: A descriptor privilege is evaluated as active if:
+            #   - the role has assigned the descriptor through the power association
+            #   - the descriptor has assigned the privilege through the controller actions table
+            #   - the power has active that group of actions, this means that, if the power has
+            #     not marked as active the pshow, pindex, etc column the power is not active
+            #     even if it is assigned and active to a descriptor
+
+            records = Lesli::Role.joins(%(
+                INNER JOIN "lesli_shield_role_actions" 
+                ON "lesli_shield_role_actions"."role_id" = "lesli_roles"."id"
+            )).joins(%(
+                INNER JOIN lesli_resources as resource_actions
+                ON resource_actions.id = lesli_shield_role_actions.action_id
+            )).joins(%(
+                INNER JOIN lesli_resources as resource_controllers
+                ON resource_controllers.id = resource_actions.parent_id
+            )).select(%(
+                lesli_shield_role_actions.role_id as role_id,
+                resource_controllers.route as controller, 
+                resource_actions.action as action,
+                lesli_shield_role_actions.deleted_at IS NULL as active
+            )).with_deleted
+
+            # get privileges only for the given role, this is needed to sync only modified roles
+            records = records.where("lesli_shield_role_actions.role_id" => role.id)
+
+            # get privileges only for the given role action, this is needed to sync only modified actions
+            records = records.where("lesli_shield_role_actions.id" => @action.id) if @action
+
+
+            # we use the deleted_at column to know if a privilege is enable or disable, NULL values
+            # at the deleted_at column means privilege is active, so if we sort by deleted_at column
+            # all the active privileges will be at the top, then the uniq method is going to take
+            # always the active values, to completely disable a privilege for a specific controller/action
+            # we have to disable in all the roles
+            records = records.order("lesli_shield_role_actions.deleted_at DESC")
+
+
+            # convert the results to json so it is easy to insert/update
+            records = records.as_json(only: [:controller, :action, :role_id, :active])
+
+            
+            # IMPORTANT: We must save only uniq privileges in the role_privilege table
+            # this means that it does not matters how many times we defined a privilege dependency
+            # we insert the privilege only once.
+            # Example: If we defined that we need access to UsersController#index in 20 descriptors,
+            # in the role_privileges will be only one record for that specific controller and action
+            records = records.uniq do |privilege|
+
+                # NOTE: If can disable a privilege that belongs to a descriptor, 
+                # however, if the same privilege is define in another active descriptor, 
+                # the role that has both descriptor will be able to access the resources 
+                # of that privilege, that is a normal and desire behavior.
+                [privilege["controller"], privilege["action"], privilege["role_id"]]
+            end
+
+
+            # small check to ensure I have records to update/insert
+            return if records.blank?
+
+            # bulk update/insert into role privilege cache table
+            # IMPORTANT: Due to the importance and how delicate this process is, it is better
+            #            to copy the controller name and actions from the system, instead of 
+            #            just have a reference to the system_controller_actions table
+            Role::Privilege.with_deleted.upsert_all(records, unique_by: [:controller, :action, :role_id])
+        end 
+    end
+end

data/app/{operators/lesli_shield/user_registration_operator.rb → services/lesli_shield/user_registration_service.rb}

@@ -2,7 +2,7 @@
 
 Lesli
 
-Copyright (c) 2023, Lesli Technologies, S. A.
+Copyright (c) 2026, Lesli Technologies, S. A.
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -17,9 +17,9 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program. If not, see http://www.gnu.org/licenses/.
 
-Lesli · Ruby on Rails Development Platform.
+Lesli · Ruby on Rails SaaS Development Framework.
 
-Made with ♥ by https://www.lesli.tech
+Made with ♥ by LesliTech
 Building a better future, one line of code at a time.
 
 @contact  hello@lesli.tech
@@ -28,11 +28,10 @@ Building a better future, one line of code at a time.
 
 // · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
 // · 
-
 =end
 
 module LesliShield
-    class UserRegistrationOperator < Lesli::ApplicationLesliService
+    class UserRegistrationService < Lesli::ApplicationLesliService
 
         def initialize(current_user)
             @resource = current_user
@@ -41,37 +40,22 @@ module LesliShield
 
         def confirm
 
-            if current_user.blank?
-                failures.push(I18n.t("core.shared.messages_warning_user_not_found")) 
-                return self
-            end
-
             # confirm the user
             current_user.confirm
 
-            # force token deletion so we are sure nobody will be able to use the token again
-            resource.update(confirmation_token: nil)
 
-            # send a welcome email to user as is confirmed
-            Lesli::DeviseMailer.with(user: resource).welcome.deliver_later
+            # force token deletion so we are sure nobody 
+            # will be able to use the token again
+            current_user.update(confirmation_token: nil)
 
-            # initialize user dependencies
-            current_user.after_confirmation
+            # Minimum security settings required
+            #self.settings.create_with(:value => false).find_or_create_by(:name => "mfa_enabled")
+            #self.settings.create_with(:value => :email).find_or_create_by(:name => "mfa_method")
 
         end
 
         def create_account
 
-            if resource.blank?
-                failures.push(I18n.t("core.shared.messages_warning_user_not_found")) 
-                return self
-            end
-
-            if resource.account
-                failures.push(I18n.t("core.users.messages_info_user_already_belongs_to_account")) 
-                return self
-            end
-
             # check if instance is for multi-account
             allow_multiaccount = Lesli.config.security.dig(:allow_multiaccount)
 
@@ -95,7 +79,7 @@ module LesliShield
 
             # add owner role to user only if multi-account is allowed
             if allow_multiaccount == true
-                resource.roles.create({ role: account.roles.find_by(name: "owner") })
+                resource.user_roles.create({ role: account.roles.find_by(name: "owner") })
             end
 
             # add profile role to user only if multi-account is allowed
@@ -112,11 +96,24 @@ module LesliShield
                 end
             end
 
+            # Synchronize roles for the very first time
+            resource.roles.each do |role|
+                LesliShield::RolePrivilegeService.new(nil).synchronize(role)
+            end
+
             # update user :)
             resource.save
 
-            # initialize user dependencies
-            resource.after_account_assignation
+            # # initialize user dependencies
+            # def after_account_assignation
+            # return unless self.account
+
+            # #Courier::One::Firebase::User.sync_user(self)
+            # # Lesli::Courier.new(:lesli_calendar).from(:calendar_service, self).create({
+            # #     name: "Personal Calendar", 
+            # #     default: true
+            # # })
+            # end
 
         end
     end

data/app/services/lesli_shield/user_session_service.rb

@@ -0,0 +1,78 @@
+=begin
+
+Lesli
+
+Copyright (c) 2025, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by LesliTech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+module LesliShield
+    class UserSessionService < Lesli::ApplicationLesliService
+
+        def index
+            LesliShield::User::Session
+            .joins(:user)
+            .select(
+                :id,
+                :user_id,
+                :first_name,
+                :session_source,
+                Date2.new.date_time.db_column("created_at", "lesli_shield_user_sessions"),
+                Date2.new.date_time.db_column("last_used_at"),
+                Date2.new.date_time.db_column("expiration_at"),
+                "CONCAT_WS(' ', agent_platform, agent_os, '/', agent_browser, agent_version) as device"
+            )
+            .page(query[:pagination][:page])
+            .per(query[:pagination][:perPage])
+            .order(updated_at: :desc)
+        end
+
+        # create a new session
+        def create(remote_ip, user_agent=nil, session_source="devise_standard_session")
+
+            # register a new unique session
+            current_session = current_user.sessions.create({
+                :remote => remote_ip,
+
+                :agent_os => user_agent&.dig(:os) || "unknown",
+                :agent_platform => user_agent&.dig(:platform) || "unknown",
+                :agent_browser => user_agent&.dig(:browser) || "unknown",
+                :agent_version => user_agent&.dig(:version) || "unknown",
+                
+                :session_source => session_source,
+                :last_used_at => Date2.new.get,
+
+                :usage_count => 1
+            })
+
+            # register or sync the current_user with the user representation on Firebase
+            #Courier::One::Firebase::User.sync_user(@resource) if defined? CloudOne
+
+            self.response(current_session)
+        end
+    end
+end

data/app/services/lesli_shield/user_validator_service.rb

@@ -0,0 +1,221 @@
+=begin
+
+Lesli
+
+Copyright (c) 2023, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS Development Framework.
+
+Made with ♥ by https://www.lesli.tech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+
+module LesliShield
+    class UserValidatorService < Lesli::ApplicationLesliService
+
+        def validate 
+            active?()
+            confirmed?()
+            roles_empty?()
+            active_roles?()
+        end
+
+
+        # validates if password meet with the minimum password requirements
+        # this settings are stored in the account_settings table
+        def password_complexity(password)
+
+            if password.blank?
+                failures.push('error_password_cannot_be_blank') 
+                return self
+            end
+
+            # remove all the special characters for easy validations of some rules
+            password_string_no_special = password.gsub(/[^0-9A-Za-z]/, '')
+
+            # database keys with the parameters to validate
+            password_values = [
+                'password_expiration_time_days',
+                'password_enforce_complexity',
+                'password_special_char_count',
+                'password_lowercase_count',
+                'password_uppercase_count',
+                'password_minimum_length',
+                'password_digit_count'
+            ].map do |setting_name|
+                "name = '#{setting_name}'"
+            end
+
+            password_settings = []
+
+            # get password settings from the database
+            if @resource.account
+
+                # if user is already registered
+                password_settings = @resource.account.settings.where(password_values.join(" or "))
+
+            elseif Account.first
+
+                # for new accounts just take the first account in the database
+                password_settings = Account.first.settings.where(password_values.join(" or "))
+
+            end
+
+            password_settings.each do |settings|
+
+                # exit validations if password complexity is not enabled
+                if settings[:name] == 'password_enforce_complexity' && settings[:value] != "1"
+                    failures = []
+                    break
+                end
+
+                # check if the password has te minimum number of special characters required
+                if settings[:name] == 'password_special_char_count'
+
+                    # this regex removes all "normal" letters and numbers leaving special characters
+                    if settings[:value].to_i > password.scan(/[^0-9A-Za-z]/).length
+                        failures.push('error_password_special_char_count')
+                    end
+
+                end
+
+                # check if the password has te minimum number of lowercase letters required
+                if settings[:name] == 'password_lowercase_count'
+
+                    if settings[:value].to_i > password_string_no_special.scan(/[^0-9A-Z]/).length
+                        failures.push('error_password_lowercase_count')
+                    end
+
+                end
+
+                # check if the password has te minimum number of uppercase letters required
+                if settings[:name] == 'password_uppercase_count'
+
+                    if settings[:value].to_i > password_string_no_special.scan(/[^0-9a-z]/).length
+                        failures.push('error_password_uppercase_count')
+                    end
+
+                end
+
+                # check if the password has te minium number of numbers required xD
+                if settings[:name] == 'password_digit_count'
+
+                    if settings[:value].to_i > password_string_no_special.scan(/[^A-Za-z]/).length
+                        failures.push('error_password_digit_count')
+                    end
+
+                end
+
+                # check if the password has te minimum size required
+                if settings[:name] == 'password_minimum_length'
+
+                    if settings[:value].to_i > password.length
+                        failures.push('error_password_minimum_length')
+                    end
+
+                end
+
+            end
+
+            return self
+
+        end
+
+        def valid?
+            failures.empty?
+        end
+
+        private
+
+
+        # check if user is able to create a new session
+        def active?
+
+            unless @resource.active? && @resource.locked_until != nil
+
+                # save a locked log for the requested user
+                @resource.logs.create({
+                    title: "session_creation_failed",
+                    description: "user_locked"
+                })
+
+                return false
+
+            end
+
+            return true
+        end
+
+        def confirmed?
+
+            # check if user is already confirmed
+            unless @resource.confirmed?
+
+                # save a invalid credentials log for the requested user
+                @resource.logs.create({
+                    title: "session_creation_failed",
+                    description: "email_not_confirmed"
+                })
+
+                return false
+
+            end
+
+            return true
+
+        end
+
+        def roles_empty?
+
+            # check if user has roles assigned
+            if @resource.roles.empty?
+
+                @resource.logs.create({
+                    title: "session_creation_failed",
+                    description: "user_has_no_assigned_role"
+                })
+
+                return true
+
+            end
+
+            return false
+
+        end
+
+        def active_roles?
+
+            # check user has at least one active role before authorize the sign-in request
+            unless (@resource.roles.map {|role| role.active}.include? true)
+                @resource.logs.create({
+                    title: "session_creation_failed",
+                    description: "user_has_no_active_role"
+                })
+
+                return false
+            end
+
+            return true
+        end
+    end
+end

data/app/views/devise/confirmations/show.html.erb

@@ -38,7 +38,7 @@ Building a better future, one line of code at a time.
 </script>
 <% end %>
 
-<%= render("lesli/wrappers/application-devise-simple", title: "Account confirmation") do %>
+<%= render("devise/shared/application-devise-simple", title:"Account confirmation") do %>
 
     <% if flash[:danger] %>
         <% flash.each do |type, msg| %>
@@ -50,14 +50,12 @@ Building a better future, one line of code at a time.
 
     <% if flash[:success] %>
         <div class="confirmation-message">
-            <svg version="1.1" viewBox="0 0 512 512" width="512px" xml:space="preserve" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-                <path d="M256,6.998c-137.533,0-249,111.467-249,249c0,137.534,111.467,249,249,249s249-111.467,249-249  C505,118.464,393.533,6.998,256,6.998z M256,485.078c-126.309,0-229.08-102.771-229.08-229.081  c0-126.31,102.771-229.08,229.08-229.08c126.31,0,229.08,102.771,229.08,229.08C485.08,382.307,382.31,485.078,256,485.078z"/>
-                <polygon points="384.235,158.192 216.919,325.518 127.862,236.481 113.72,250.624 216.919,353.803 398.28,172.334"/>
-            </svg>
-            <p>Confirmation successfully</p>
+            <p>Your account has been successfully verified</p>
         </div>
     <% end %>
 
+    <%= render("devise/shared/links", login:true) %>  
+
 <% end %>
 
                 

data/app/views/devise/passwords/edit.html.erb

@@ -1,5 +1,4 @@
-
-<%= render("lesli/wrappers/application-devise-simple", title:"Cambiar contraseña") do %>
+<%= render("devise/shared/application-devise-simple", title:"Password update") do %>
 
     <%= form_for(
         resource, 

data/app/views/devise/passwords/new.html.erb

@@ -1,5 +1,5 @@
 
-<%= render("lesli/wrappers/application-devise-simple", title:"Forgot your password?") do %>
+<%= render("devise/shared/application-devise-simple", title:"Forgot your password?") do %>
 
     <%= form_for(
         resource, 

data/app/views/devise/registrations/new.html.erb

@@ -28,11 +28,12 @@ Building a better future, one line of code at a time.
 // · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
 // · 
 %>
+<% 
+resource.email = 'test2@lesli.tech'
+resource.password = 'Test123!'
+%>
+<%= render("devise/shared/application-devise", title:"Create an account to discover Lesli") do %>
 
-
-<%= render("lesli/wrappers/application-devise", title:"Create an account to discover Lesli") do %>
-
-    <%# Log in form %>
     <%= form_for(
         resource, 
         as: resource_name, 

data/app/views/devise/sessions/new.html.erb

@@ -39,13 +39,14 @@ if Lesli.config.demo
 end
 %>
 
-<%= render("lesli/wrappers/application-devise", title:"Welcome to Lesli") do %>
+<%= render("devise/shared/application-devise", title:"Welcome to Lesli") do %>
 
     <%= form_for(
         resource, 
         as: resource_name, 
         url: user_session_path,
-        builder: LesliView::Forms::Builder
+        builder: LesliView::Forms::Builder,
+        data: { turbo: false }
         ) do |form| %>
 
         <% if Lesli.config.demo %>

data/app/views/devise/shared/_application-devise-simple.erb

@@ -0,0 +1,59 @@
+<%
+=begin
+
+Lesli
+
+Copyright (c) 2023, Lesli Technologies, S. A.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see http://www.gnu.org/licenses/.
+
+Lesli · Ruby on Rails SaaS development platform.
+
+Made with ♥ by https://www.lesli.tech
+Building a better future, one line of code at a time.
+
+@contact  hello@lesli.tech
+@website  https://www.lesli.tech
+@license  GPLv3 http://www.gnu.org/licenses/gpl-3.0.en.html
+
+// · ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~     ~·~
+// · 
+=end
+%>
+
+<% title = defined?(title) ? title : "" %>
+
+<main id="lesli-application">
+    <section class="hero is-fullheight">
+        <div class="hero-head has-text-centered">
+            <%# Logo container %>
+            <div class="logo mb-4">
+                <%= image_tag(
+                    "#{lesli_instance_code}/brand/app-auth.svg",    # dynamic path to the instance main logo
+                    :class => "#{lesli_instance_code}-logo",        # dynamic class according to the instance
+                    :alt => "Main logo") 
+                %>
+                <h1 class="title is-size-4 has-text-primary">
+                    <%#= I18n.t("core.users/sessions.view_text_welcome") %>
+                    <%= title %>
+                </h1>
+            </div>
+        </div>
+        <div class="hero-body">
+            
+            <%= yield %>
+
+        </div>
+    </section>
+</main>