locomotive_cms 2.0.0.rc7 → 2.0.0.rc8

data/app/assets/javascripts/tinymce/plugins/locomotive_media/editor_plugin.js

@@ -43,13 +43,16 @@
         'collection': new Locomotive.Models.ContentAssetsCollection()
       });
 
+      view.render();
+
       // Register commands
       ed.addCommand('locomotiveMedia', function() {
         view.options.on_select = function(asset) {
           insertImage(ed, asset);
           view.close();
         }
-        view.render();
+
+        view.fetch_assets();
       });
 
       // Register buttons

data/app/assets/stylesheets/locomotive/backoffice/codemirror_changes.css.scss

@@ -7,6 +7,7 @@
 
   font-size: 13px;
   font-weight: normal;
+  line-height: 15px;
 
   @include background-image(linear-gradient(top, #f0f0f0, #f9f9f9 4px, #f9f9f9 4px, #ffffff 12px, #ffffff));
 

data/app/assets/stylesheets/locomotive/backoffice/datepicker.css.scss

@@ -8,7 +8,7 @@
 
   width: auto;
 
-  z-index: 999 !important;
+  z-index: 1001 !important;
 
   background: #f1f1f1;
 

data/app/assets/stylesheets/locomotive/backoffice/dialog_changes.css.scss

@@ -60,7 +60,7 @@
 
   .ui-dialog-content {
     position: relative;
-    z-index: 999;
+    z-index: 1200;
 
     text-align: left;
 
@@ -84,6 +84,12 @@
               width: 530px;
             }
           } // li.string
+
+          li.date {
+            input[type=text] {
+              width: 90px;
+            }
+          } // li.string
         }
       }
     } // .form.formtastic
@@ -118,14 +124,14 @@
       top: 8px;
       right: 10px;
 
-      z-index: 1003;
+      z-index: 1203;
 
       a, input[type=submit] {
         @include light-button;
       }
 
       input[type=file] {
-        z-index: 1003;
+        z-index: 1203;
       }
 
     } // .button-wrapper

data/app/assets/stylesheets/locomotive/backoffice/formtastic_changes.css.scss

@@ -421,8 +421,10 @@ form.formtastic {
           }
 
           &.no-label {
+            padding-top: 12px;
+
             > textarea, .CodeMirror, .CodeMirror-scroll {
-              margin-top: 12px;
+              margin-top: 0px;
               width: 868px;
             }
           }

data/app/cells/locomotive/global_actions_cell.rb

@@ -24,7 +24,7 @@ module Locomotive
         add :switch, :url => '#', :id => 'sites-picker-link'
       end
 
-      add :help, :url => '#', :class => 'tutorial', :id => 'help'
+      add :help, :url => 'http://doc.locomotivecms.com/templates/basics', :class => 'tutorial', :id => 'help'
       add :logout, :url => destroy_locomotive_session_url, :confirm => t('locomotive.messages.confirm'), :method => :delete
     end
 

data/app/controllers/locomotive/api/base_controller.rb

@@ -7,15 +7,13 @@ module Locomotive
 
       skip_before_filter :verify_authenticity_token
 
-      skip_load_and_authorize_resource
-
       before_filter :require_account
 
       before_filter :require_site
 
       before_filter :set_locale
 
-      # before_filter :validate_site_membership
+      before_filter :set_current_thread_variables
 
       self.responder = Locomotive::ActionController::Responder # custom responder
 
@@ -23,6 +21,11 @@ module Locomotive
 
       protected
 
+    def set_current_thread_variables
+      Thread.current[:account]  = current_locomotive_account
+      Thread.current[:site]     = current_site
+    end
+
       def current_ability
         @current_ability ||= Ability.new(current_locomotive_account, current_site)
       end
@@ -40,4 +43,4 @@ module Locomotive
 
     end
   end
-end
+end

data/app/controllers/locomotive/api/content_assets_controller.rb

@@ -2,11 +2,18 @@ module Locomotive
   module Api
     class ContentAssetsController < BaseController
 
+      load_and_authorize_resource :class => Locomotive::ContentAsset
+
       def index
         @content_assets = current_site.content_assets
         respond_with(@content_assets)
       end
 
+      def show
+        @content_asset = current_site.content_assets.find(params[:id])
+        respond_with(@content_asset)
+      end
+
       def create
         @content_asset = current_site.content_assets.create(params[:content_asset])
         respond_with @content_asset, :location => main_app.locomotive_api_content_assets_url
@@ -18,6 +25,12 @@ module Locomotive
         respond_with @content_asset, :location => main_app.locomotive_api_content_assets_url
       end
 
+      def destroy
+        @content_asset = current_site.content_assets.find(params[:id])
+        @content_asset.destroy
+        respond_with @content_asset
+      end
+
     end
   end
 end

data/app/controllers/locomotive/api/content_types_controller.rb

@@ -2,11 +2,18 @@ module Locomotive
   module Api
     class ContentTypesController < BaseController
 
+      load_and_authorize_resource :class => Locomotive::ContentType
+
       def index
-        @content_types = current_site.content_types
+        @content_types = current_site.content_types.order_by([[:name, :asc]])
         respond_with(@content_types)
       end
 
+      def show
+        @content_type = current_site.content_types.find(params[:id])
+        respond_with @content_type
+      end
+
       def create
         @content_type = current_site.content_types.create(params[:content_type])
         respond_with @content_type, :location => main_app.locomotive_api_content_types_url
@@ -18,6 +25,12 @@ module Locomotive
         respond_with @content_type, :location => main_app.locomotive_api_content_types_url
       end
 
+      def destroy
+        @content_type = current_site.content_types.find(params[:id])
+        @content_type.destroy
+        respond_with @content_type
+      end
+
     end
   end
 end

data/app/controllers/locomotive/api/current_site_controller.rb

@@ -3,7 +3,9 @@ module Locomotive
     class CurrentSiteController < BaseController
 
       def show
-        respond_with(current_site)
+        @site = current_site
+        authorize! :show, @site
+        respond_with(@site)
       end
 
     end

data/app/controllers/locomotive/api/memberships_controller.rb

@@ -0,0 +1,49 @@
+module Locomotive
+  module Api
+    class MembershipsController < BaseController
+
+      # It's an embedded document, so we'll just load manually
+      before_filter :load_membership, :only => [ :show, :update, :destroy ]
+      before_filter :load_memberships, :only => [ :index ]
+
+      authorize_resource :class => Locomotive::Membership
+
+      def index
+        respond_with(@memberships)
+      end
+
+      def show
+        respond_with(@membership)
+      end
+
+      def create
+        build_params = params[:membership].merge({ :role => 'author' }) # force author by default
+        @membership = current_site.memberships.create(build_params)
+        respond_with(@membership)
+      end
+
+      def update
+        @membership.update_attributes(params[:membership])
+        respond_with(@membership)
+      end
+
+      def destroy
+        @membership.destroy
+        respond_with(@membership)
+      end
+
+      protected
+
+      def load_membership
+        @membership ||= load_memberships.find(params[:id])
+      end
+
+      def load_memberships
+        @memberships ||= current_site.memberships
+      end
+
+    end
+
+  end
+end
+

data/app/controllers/locomotive/api/pages_controller.rb

@@ -2,11 +2,18 @@ module Locomotive
   module Api
     class PagesController < BaseController
 
+      load_and_authorize_resource :class => Locomotive::Page
+
       def index
-        @pages = current_site.pages.all
+        @pages = current_site.pages.order_by([[:depth, :asc], [:position, :asc]])
         respond_with(@pages)
       end
 
+      def show
+        @page = current_site.pages.find(params[:id])
+        respond_with(@page)
+      end
+
       def create
         @page = current_site.pages.create(params[:page])
         respond_with @page, :location => main_app.locomotive_api_pages_url
@@ -18,6 +25,12 @@ module Locomotive
         respond_with @page, :location => main_app.locomotive_api_pages_url
       end
 
+      def destroy
+        @page = current_site.pages.find(params[:id])
+        @page.destroy
+        respond_with @page
+      end
+
     end
 
   end

data/app/controllers/locomotive/api/sites_controller.rb

@@ -0,0 +1,44 @@
+module Locomotive
+  module Api
+    class SitesController < BaseController
+
+      load_and_authorize_resource :class => Locomotive::Site
+
+      # FIXME: the auto-loaded site won't pass authorization for show, update, or destroy
+      skip_load_and_authorize_resource :only => [ :show, :update, :destroy ]
+
+      def index
+        @sites = Locomotive::Site.all
+        respond_with(@sites)
+      end
+
+      def show
+        @site = Locomotive::Site.find(params[:id])
+        authorize! :show, @site
+        respond_with(@site)
+      end
+
+      def create
+        @site = Locomotive::Site.create(params[:site])
+        respond_with(@site)
+      end
+
+      def update
+        @site = Locomotive::Site.find(params[:id])
+        authorize! :update, @site
+        @site.update_attributes(params[:site])
+        respond_with @site
+      end
+
+      def destroy
+        @site = Locomotive::Site.find(params[:id])
+        authorize! :destroy, @site
+        @site.destroy
+        respond_with @site
+      end
+
+    end
+
+  end
+end
+

data/app/controllers/locomotive/api/snippets_controller.rb

@@ -2,11 +2,18 @@ module Locomotive
   module Api
     class SnippetsController < BaseController
 
+      load_and_authorize_resource :class => Locomotive::Snippet
+
       def index
-        @snippets = current_site.snippets.all
+        @snippets = current_site.snippets.order_by([[:name, :asc]])
         respond_with(@snippets)
       end
 
+      def show
+        @snippet = current_site.snippets.find(params[:id])
+        respond_with @snippet
+      end
+
       def create
         @snippet = current_site.snippets.create(params[:snippet])
         respond_with @snippet, :location => main_app.locomotive_api_snippets_url
@@ -18,6 +25,12 @@ module Locomotive
         respond_with @snippet, :location => main_app.locomotive_api_snippets_url
       end
 
+      def destroy
+        @snippet = current_site.snippets.find(params[:id])
+        @snippet.destroy
+        respond_with @snippet
+      end
+
     end
   end
 end

data/app/controllers/locomotive/api/theme_assets_controller.rb

@@ -2,11 +2,18 @@ module Locomotive
   module Api
     class ThemeAssetsController < BaseController
 
+      load_and_authorize_resource :class => Locomotive::ThemeAsset
+
       def index
         @theme_assets = current_site.theme_assets.all
         respond_with(@theme_assets)
       end
 
+      def show
+        @theme_asset = current_site.theme_assets.find(params[:id])
+        respond_with @theme_asset
+      end
+
       def create
         @theme_asset = current_site.theme_assets.create(params[:theme_asset])
         respond_with @theme_asset, :location => main_app.locomotive_api_theme_assets_url
@@ -18,6 +25,12 @@ module Locomotive
         respond_with @theme_asset, :location => main_app.locomotive_api_theme_assets_url
       end
 
+      def destroy
+        @theme_asset = current_site.theme_assets.find(params[:id])
+        @theme_asset.destroy
+        respond_with @theme_asset
+      end
+
     end
   end
 end

data/app/controllers/locomotive/public/content_entries_controller.rb

@@ -6,8 +6,6 @@ module Locomotive
 
       before_filter :sanitize_entry_params, :only => :create
 
-      skip_before_filter :verify_authenticity_token
-
       skip_load_and_authorize_resource
 
       self.responder = Locomotive::ActionController::PublicResponder # custom responder
@@ -17,7 +15,6 @@ module Locomotive
       def create
         @entry = @content_type.entries.create(params[:entry] || params[:content])
         flash[@content_type.slug.singularize] = @entry.to_presenter(:include_errors => true).as_json
-        Rails.logger.debug @entry.to_presenter(:include_errors => true).as_json
         respond_with @entry, :location => self.callback_url
       end
 
@@ -48,6 +45,13 @@ module Locomotive
         end
       end
 
+      def handle_unverified_request
+        if Locomotive.config.csrf_protection
+          reset_session
+          redirect_to '/', :status => 302
+        end
+      end
+
     end
   end
 end

data/app/helpers/locomotive/content_types_helper.rb

@@ -27,6 +27,10 @@ module Locomotive
         end
 
         visible << content_type
+
+      end.each do |content_type|
+        # make sure to have a fresh copy of the content types because for now we don't have the full content types (ie: content_types.only(...))
+        ::Mongoid::IdentityMap.remove(content_type)
       end
 
       if visible.size > 0