motor-admin 0.1.57 → 0.1.58

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd48d06a028ec31b8836ef75713286dc9622d1eb7322ad851e3f5b8c08ca8783
-  data.tar.gz: b2f09fa05a3380f4da4af372d25597ede7081c1be533ce7ee5c047b43a5ee07e
+  metadata.gz: 98eed032de058a25fc5951c40afac9faeedd33ad66299ab381f15527e122aeeb
+  data.tar.gz: 4797ba6520bf3614ced8ea7aa800145f2ee7c35934820c5ae623dfe19c007a45
 SHA512:
-  metadata.gz: 6eed979d27d7f266b986ef3433efc5863d6e7ae46cd446b48decb77fd8e24ff28250d9124d79e3c63bfe704930ab2e936bd048d3f4f350a1b5a6dfe4b4e26f5d
-  data.tar.gz: d1fc8ac42009bd30f98373d6fe9f48ffc6cdc421be688e552dd031d54656115a979b6403d0dd3ac0de9ec1813f3b2c9860311cc87b0c88a438670651e45c8e87
+  metadata.gz: 7d966ae337a44f486a56f0dcb741d06787af84e67e4a4f5c5f750796b6a8b7979e9685ec9485854e34d994477ddcfdbc55882d9efc0dd26b356f8bbfe66bb0dd
+  data.tar.gz: 82e3f0b57ef8aa4902a36da9a8d94814f3d42f5b18cd73d70a95e59d69b5737d8652505bf3b6468629b51fef06c55e55b3ab03840838db8b1222edbc9ef9a3df

data/README.md

@@ -32,6 +32,7 @@ $ rails motor:install && rake db:migrate
 * [Data visualization](#data-visualization)
 * [Dashboards](#dashboards)
 * [Email alerts](#email-alerts)
+* [Authorization](#authorization)
 * [Intelligence search](#intelligence-search)
 * [Optimized for mobile](#optimized-for-mobile)
 * [Configurations sync between environments](#configurations-sync)
@@ -90,6 +91,9 @@ Sender address can be specified using `MOTOR_ALERTS_FROM_ADDRESS` environment va
 
 Intelligence search can be opened via the top right corner button or using <kbd>Cmd</kbd> + <kbd>P</kbd> shortcut.
 
+### Authorization
+
+Motor Admin allows to set row-level and column-level permissions via [cancan](https://github.com/CanCanCommunity/cancancan) gem. Admin UI permissions should be defined in `app/models/motor/ability.rb` file in `Motor::Ability` class. See [Motor Admin guide](https://github.com/omohokcoj/motor-admin/blob/master/guides/defining_prmissions.md) and [CanCan documentation](https://github.com/CanCanCommunity/cancancan/blob/develop/docs/Defining-Abilities.md) to learn how to define user permissions.
 
 ### Optimized for Mobile
 
@@ -141,8 +145,6 @@ MOTOR_DEVELOPMENT=true rails s
 
 ## Comming Soon
 
-* User groups
-* Row-level permissions
 * Multiple databases
 * NoSQL data sources
 * Pro Bussines intelligence features

data/app/controllers/concerns/motor/current_ability.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Motor
+  module CurrentAbility
+    def current_ability
+      @current_ability ||=
+        if defined?(Motor::Ability) && current_user
+          klass = Motor::Ability.dup.tap do |k|
+            k.prepend(Motor::CancanUtils::AbilityPatch)
+          end
+
+          params = [current_user]
+          params << request if Motor::Ability.instance_method(:initialize).arity == 2
+
+          klass.new(*params)
+        else
+          Motor::CancanUtils::CanManageAll.new
+        end
+    end
+  end
+end

data/app/controllers/concerns/motor/current_user_method.rb

@@ -3,13 +3,14 @@
 module Motor
   module CurrentUserMethod
     def current_user
-      if defined?(current_admin)
-        current_admin
-      elsif defined?(current_admin_user)
-        current_admin_user
-      elsif defined?(super)
-        super
-      end
+      @current_user ||=
+        if defined?(current_admin)
+          current_admin
+        elsif defined?(current_admin_user)
+          current_admin_user
+        elsif defined?(super)
+          super
+        end
     end
   end
 end

data/app/controllers/motor/alerts_controller.rb

@@ -10,11 +10,11 @@ module Motor
     authorize_resource :alert, only: :create
 
     def index
-      render json: { data: Motor::ApiQuery::BuildJson.call(@alerts.active, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@alerts.active, params, current_ability) }
     end
 
     def show
-      render json: { data: Motor::ApiQuery::BuildJson.call(@alert, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@alert, params, current_ability) }
     end
 
     def create
@@ -25,7 +25,7 @@ module Motor
         Motor::Alerts::ScheduledAlertsCache.clear
         Motor::Configs::WriteToFile.call
 
-        render json: { data: Motor::ApiQuery::BuildJson.call(@alert, params) }
+        render json: { data: Motor::ApiQuery::BuildJson.call(@alert, params, current_ability) }
       end
     rescue Motor::Alerts::Persistance::InvalidInterval
       invalid_interval_response
@@ -36,7 +36,7 @@ module Motor
       Motor::Alerts::ScheduledAlertsCache.clear
       Motor::Configs::WriteToFile.call
 
-      render json: { data: Motor::ApiQuery::BuildJson.call(@alert, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@alert, params, current_ability) }
     rescue Motor::Alerts::Persistance::NameAlreadyExists
       name_already_exists_response
     rescue Motor::Alerts::Persistance::InvalidInterval

data/app/controllers/motor/api_base_controller.rb

@@ -3,14 +3,7 @@
 module Motor
   class ApiBaseController < ActionController::API
     include Motor::CurrentUserMethod
-
-    class CanCanAbilityManageAll
-      include CanCan::Ability
-
-      def initialize(_)
-        can :manage, :all
-      end
-    end
+    include Motor::CurrentAbility
 
     unless Rails.env.test?
       rescue_from StandardError do |e|
@@ -19,9 +12,5 @@ module Motor
         render json: { errors: [e.message] }, status: :internal_server_error
       end
     end
-
-    def current_ability
-      CanCanAbilityManageAll.new(current_user)
-    end
   end
 end

data/app/controllers/motor/application_controller.rb

@@ -3,5 +3,6 @@
 module Motor
   class ApplicationController < ActionController::Base
     include Motor::CurrentUserMethod
+    include Motor::CurrentAbility
   end
 end

data/app/controllers/motor/audits_controller.rb

@@ -8,7 +8,7 @@ module Motor
       audits = Motor::ApiQuery.call(@audits, params)
 
       render json: {
-        data: Motor::ApiQuery::BuildJson.call(audits, params),
+        data: Motor::ApiQuery::BuildJson.call(audits, params, current_ability),
         meta: Motor::ApiQuery::BuildMeta.call(audits, params)
       }
     end

data/app/controllers/motor/configs_controller.rb

@@ -7,7 +7,7 @@ module Motor
     load_and_authorize_resource
 
     def index
-      render json: { data: Motor::ApiQuery::BuildJson.call(@configs, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@configs, params, current_ability) }
     end
 
     def create
@@ -19,7 +19,7 @@ module Motor
       @config.save!
       Motor::Configs::WriteToFile.call
 
-      render json: { data: Motor::ApiQuery::BuildJson.call(@config, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@config, params, current_ability) }
     rescue ActiveRecord::RecordNotUnique
       retry
     end

data/app/controllers/motor/dashboards_controller.rb

@@ -10,11 +10,11 @@ module Motor
     authorize_resource :dashboard, only: :create
 
     def index
-      render json: { data: Motor::ApiQuery::BuildJson.call(@dashboards.active, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@dashboards.active, params, current_ability) }
     end
 
     def show
-      render json: { data: Motor::ApiQuery::BuildJson.call(@dashboard, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@dashboard, params, current_ability) }
     end
 
     def create
@@ -24,7 +24,7 @@ module Motor
         ApplicationRecord.transaction { @dashboard.save! }
         Motor::Configs::WriteToFile.call
 
-        render json: { data: Motor::ApiQuery::BuildJson.call(@dashboard, params) }
+        render json: { data: Motor::ApiQuery::BuildJson.call(@dashboard, params, current_ability) }
       end
     rescue ActiveRecord::RecordNotUnique
       retry
@@ -34,7 +34,7 @@ module Motor
       Motor::Dashboards::Persistance.update_from_params!(@dashboard, dashboard_params)
       Motor::Configs::WriteToFile.call
 
-      render json: { data: Motor::ApiQuery::BuildJson.call(@dashboard, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@dashboard, params, current_ability) }
     rescue Motor::Dashboards::Persistance::TitleAlreadyExists
       render json: { errors: [{ source: 'title', detail: 'Title already exists' }] }, status: :unprocessable_entity
     end
@@ -51,6 +51,10 @@ module Motor
 
     def build_dashboard
       @dashboard = Motor::Dashboards::Persistance.build_from_params(dashboard_params)
+
+      @dashboard.define_singleton_method(:tags) do
+        taggable_tags.map(&:tag)
+      end
     end
 
     def dashboard_params

data/app/controllers/motor/data_controller.rb

@@ -11,19 +11,19 @@ module Motor
       @resources = Motor::ApiQuery.call(@resources, params)
 
       render json: {
-        data: Motor::ApiQuery::BuildJson.call(@resources, params),
+        data: Motor::ApiQuery::BuildJson.call(@resources, params, current_ability),
         meta: Motor::ApiQuery::BuildMeta.call(@resources, params)
       }
     end
 
     def show
-      render json: { data: Motor::ApiQuery::BuildJson.call(@resource, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@resource, params, current_ability) }
     end
 
     def create
       @resource.save!
 
-      render json: { data: Motor::ApiQuery::BuildJson.call(@resource, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@resource, params, current_ability) }
     rescue ActiveRecord::RecordInvalid
       render json: { errors: @resource.errors }, status: :unprocessable_entity
     end
@@ -31,7 +31,7 @@ module Motor
     def update
       @resource.update!(resource_params)
 
-      render json: { data: Motor::ApiQuery::BuildJson.call(@resource, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@resource, params, current_ability) }
     rescue ActiveRecord::RecordInvalid
       render json: { errors: @resource.errors }, status: :unprocessable_entity
     end
@@ -47,6 +47,11 @@ module Motor
     end
 
     def execute
+      resource_preferences = Motor::Resource.find_by(name: @resource.class.name.underscore).preferences
+      resource_action = resource_preferences[:actions].find { |a| a[:preferences][:method_name] == params[:method] }
+
+      authorize!(resource_action[:name].to_sym, @resource)
+
       @resource.public_send(params[:method].to_sym)
 
       head :ok

data/app/controllers/motor/forms_controller.rb

@@ -10,11 +10,11 @@ module Motor
     authorize_resource :form, only: :create
 
     def index
-      render json: { data: Motor::ApiQuery::BuildJson.call(@forms.active, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@forms.active, params, current_ability) }
     end
 
     def show
-      render json: { data: Motor::ApiQuery::BuildJson.call(@form, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@form, params, current_ability) }
     end
 
     def create
@@ -24,7 +24,7 @@ module Motor
         ApplicationRecord.transaction { @form.save! }
         Motor::Configs::WriteToFile.call
 
-        render json: { data: Motor::ApiQuery::BuildJson.call(@form, params) }
+        render json: { data: Motor::ApiQuery::BuildJson.call(@form, params, current_ability) }
       end
     rescue ActiveRecord::RecordNotUnique
       retry
@@ -34,7 +34,7 @@ module Motor
       Motor::Forms::Persistance.update_from_params!(@form, form_params)
       Motor::Configs::WriteToFile.call
 
-      render json: { data: Motor::ApiQuery::BuildJson.call(@form, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@form, params, current_ability) }
     rescue Motor::Forms::Persistance::NameAlreadyExists
       render json: { errors: [{ source: 'name', detail: 'Name already exists' }] }, status: :unprocessable_entity
     end

data/app/controllers/motor/queries_controller.rb

@@ -10,11 +10,11 @@ module Motor
     authorize_resource :query, only: :create
 
     def index
-      render json: { data: Motor::ApiQuery::BuildJson.call(@queries.active, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@queries.active, params, current_ability) }
     end
 
     def show
-      render json: { data: Motor::ApiQuery::BuildJson.call(@query, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@query, params, current_ability) }
     end
 
     def create
@@ -24,7 +24,7 @@ module Motor
         ApplicationRecord.transaction { @query.save! }
         Motor::Configs::WriteToFile.call
 
-        render json: { data: Motor::ApiQuery::BuildJson.call(@query, params) }
+        render json: { data: Motor::ApiQuery::BuildJson.call(@query, params, current_ability) }
       end
     rescue ActiveRecord::RecordNotUnique
       retry
@@ -34,7 +34,7 @@ module Motor
       Motor::Queries::Persistance.update_from_params!(@query, query_params)
       Motor::Configs::WriteToFile.call
 
-      render json: { data: Motor::ApiQuery::BuildJson.call(@query, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@query, params, current_ability) }
     rescue Motor::Queries::Persistance::NameAlreadyExists
       render json: { errors: [{ source: 'name', detail: 'Name already exists' }] }, status: :unprocessable_entity
     end

data/app/controllers/motor/resources_controller.rb

@@ -7,14 +7,14 @@ module Motor
     load_and_authorize_resource
 
     def index
-      render json: { data: Motor::ApiQuery::BuildJson.call(@resources, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@resources, params, current_ability) }
     end
 
     def create
       Motor::BuildSchema::PersistResourceConfigs.call(@resource)
       Motor::Configs::WriteToFile.call
 
-      render json: { data: Motor::ApiQuery::BuildJson.call(@resource, params) }
+      render json: { data: Motor::ApiQuery::BuildJson.call(@resource, params, current_ability) }
     end
 
     private

data/app/controllers/motor/run_queries_controller.rb

@@ -20,7 +20,8 @@ module Motor
     private
 
     def render_result
-      query_result = Queries::RunQuery.call(@query, variables_hash: params[:variables])
+      variables = params.fetch(:variables, {}).merge(current_user_variables)
+      query_result = Queries::RunQuery.call(@query, variables_hash: variables)
 
       if query_result.error
         render json: { errors: [{ detail: query_result.error }] }, status: :unprocessable_entity
@@ -29,6 +30,16 @@ module Motor
       end
     end
 
+    def current_user_variables
+      return {} unless current_user
+
+      current_user
+        .attributes
+        .slice('id', 'email')
+        .transform_keys { |key| "current_user_#{key}" }
+        .compact
+    end
+
     def query_result_hash(query_result)
       {
         data: query_result.data,

data/app/controllers/motor/ui_controller.rb

@@ -4,7 +4,7 @@ module Motor
   class UiController < ApplicationController
     layout 'motor/application'
 
-    helper_method :current_user
+    helper_method :current_user, :current_ability
 
     def index
       render_ui

data/app/views/motor/ui/show.html.erb

@@ -1 +1 @@
-<%= raw(Motor::Configs::BuildUiAppTag.call(current_user)) %>
+<%= raw(Motor::Configs::BuildUiAppTag.call(current_user, current_ability)) %>

data/lib/motor.rb

@@ -53,6 +53,7 @@ require 'motor/version'
 require 'motor/admin'
 require 'motor/assets'
 require 'motor/active_record_utils'
+require 'motor/cancan_utils'
 require 'motor/build_schema'
 require 'motor/api_query'
 require 'motor/tags'

data/lib/motor/admin.rb

@@ -69,6 +69,14 @@ module Motor
       config.after_initialize do
         next unless defined?(ActiveStorage::Engine)
 
+        ActiveSupport.on_load(:active_storage_attachment) do
+          ActiveStorage::Attachment.include(Motor::ActiveRecordUtils::ActiveStorageLinksExtension)
+        end
+
+        ActiveSupport.on_load(:active_storage_blob) do
+          ActiveStorage::Blob.singleton_class.prepend(Motor::ActiveRecordUtils::ActiveStorageBlobPatch)
+        end
+
         ActiveStorage::Attachment.include(Motor::ActiveRecordUtils::ActiveStorageLinksExtension)
         ActiveStorage::Blob.singleton_class.prepend(Motor::ActiveRecordUtils::ActiveStorageBlobPatch)
       end

data/lib/motor/api_query/build_json.rb

@@ -5,83 +5,90 @@ module Motor
     module BuildJson
       module_function
 
-      def call(rel, params)
-        rel = rel.none if params.dig(:page, :limit).yield_self { |limit| limit.present? && limit.to_i.zero? }
-
+      # @param rel [ActiveRecord::Base, ActiveRecord::Relation]
+      # @param params [Hash]
+      # @param current_ability [CanCan::Ability]
+      # @return [Hash]
+      def call(rel, params, current_ability = Motor::CancanUtils::CanManageAll.new)
+        rel = rel.none if limit_zero_params?(params)
         rel = rel.preload_associations_lazily if rel.is_a?(ActiveRecord::Relation)
 
-        json_params = {}.with_indifferent_access
-
-        assign_include_params(json_params, rel, params)
-        assign_fields_params(json_params, rel, params)
-
-        rel.as_json(json_params)
-      end
+        model = rel.is_a?(ActiveRecord::Relation) ? rel.klass : rel.class
 
-      def assign_include_params(json_params, _rel, api_params)
-        return if api_params['include'].blank?
+        include_hash = build_include_hash(params['include'])
+        models_index = build_models_index(model, include_hash)
 
-        include_params = api_params['include']
+        json_params = normalize_include_params(include_hash)
 
-        if include_params.is_a?(String)
-          include_params =
-            include_params.split(',').reduce({}) do |accumulator, path|
-              hash = {}
+        assign_fields_params!(json_params, model, params, current_ability, models_index)
 
-              path.split('.').reduce(hash) do |acc, part|
-                acc_hash = {}
-
-                acc[part] = acc_hash
+        rel.as_json(json_params.with_indifferent_access)
+      end
 
-                acc_hash
-              end
+      # @param include_params [Hash]
+      # @return [Hash]
+      def build_include_hash(include_params)
+        return {} if include_params.blank?
 
-              accumulator.deep_merge(hash)
-            end
+        if include_params.is_a?(String)
+          build_hash_from_string_path(include_params)
+        else
+          include_params
         end
-
-        json_params.deep_merge!(normalize_include_params(include_params))
       end
 
-      def assign_fields_params(json_params, rel, params)
+      # @param json_params [Hash]
+      # @param model [Class<ActiveRecord::Base>]
+      # @param params [Hash]
+      # @param current_ability [CanCan::Ability]
+      # @param models_index [Hash]
+      # @return [void]
+      def assign_fields_params!(json_params, model, params, current_ability, models_index)
         return if params[:fields].blank?
 
-        model = rel.is_a?(ActiveRecord::Relation) ? rel.klass : rel.class
-
         params[:fields].each do |key, fields|
-          fields = fields.split(',') if fields.is_a?(String)
-
-          merge_fields_params!(json_params, key, fields, model)
-        end
-      end
+          fields_model = models_index[key]
 
-      def merge_fields_params!(json_params, key, fields, model)
-        model_name = model.name.underscore
+          next unless model
 
-        if key == model_name || model_name.split('/').last == key
-          json_params.merge!(build_fields_hash(model, fields))
-        else
-          hash = find_key_in_params(json_params, key)
+          fields = fields.split(',') if fields.is_a?(String)
 
-          fields_hash = build_fields_hash(model.reflections[key]&.klass, fields)
+          fields_hash = fields_model == model ? json_params : find_key_in_params(json_params, key)
 
-          hash.merge!(fields_hash)
+          fields_hash.merge!(build_fields_hash(fields_model, fields, current_ability))
         end
       end
 
-      def build_fields_hash(model, fields)
-        columns = model ? model.columns.map(&:name) : []
+      # @param model [Class<ActiveRecord::Base>]
+      # @param fields [Hash]
+      # @param current_ability [CanCan::Ability]
+      # @return [Hash]
+      def build_fields_hash(model, fields, current_ability)
+        return { 'methods' => fields } unless model
+
+        column_names = model.column_names.map(&:to_sym)
+        instance_methods = model.instance_methods
+        permitted_attributes = current_ability.permitted_attributes(:read, model)
+        is_permitted_all = column_names == permitted_attributes
+
         fields_hash = { 'only' => [], 'methods' => [] }
 
         fields.each_with_object(fields_hash) do |field, acc|
-          if field.in?(columns)
+          field_symbol = field.to_sym
+
+          next if !is_permitted_all && permitted_attributes.exclude?(field_symbol)
+
+          if column_names.include?(field_symbol)
             acc['only'] << field
-          elsif model.nil? || model.instance_methods.include?(field.to_sym)
+          elsif instance_methods.include?(field_symbol)
             acc['methods'] << field
           end
         end
       end
 
+      # @param params [Hash]
+      # @param key [String]
+      # @return [Hash]
       def find_key_in_params(params, key)
         params = params['include']
 
@@ -93,6 +100,8 @@ module Motor
         end
       end
 
+      # @param params [Hash]
+      # @return [Hash]
       def normalize_include_params(params)
         case params
         when Array
@@ -112,6 +121,51 @@ module Motor
           raise ArgumentError, "Wrong include param type #{params.class}"
         end
       end
+
+      # @param model [Class<ActiveRecord::Base>]
+      # @param includes_hash [Hash]
+      # @return [Hash]
+      def build_models_index(model, includes_hash)
+        default_index = {
+          model.name.underscore => model,
+          model.name.underscore.split('/').last => model
+        }
+
+        includes_hash.reduce(default_index) do |acc, (key, value)|
+          reflection = model.reflections[key]
+
+          next acc unless reflection
+          next acc if reflection.polymorphic?
+
+          acc[key] = reflection.klass
+
+          acc.merge(build_models_index(reflection.klass, value))
+        end
+      end
+
+      # @param string_path [String]
+      # @return [Hash]
+      def build_hash_from_string_path(string_path)
+        string_path.split(',').reduce({}) do |accumulator, path|
+          hash = {}
+
+          path.split('.').reduce(hash) do |acc, part|
+            acc_hash = {}
+
+            acc[part] = acc_hash
+
+            acc_hash
+          end
+
+          accumulator.deep_merge(hash)
+        end
+      end
+
+      # @param params [Hash]
+      # @return [Boolean]
+      def limit_zero_params?(params)
+        params.dig(:page, :limit).yield_self { |limit| limit.present? && limit.to_i.zero? }
+      end
     end
   end
 end

data/lib/motor/assets.rb

@@ -8,10 +8,19 @@ module Motor
     MANIFEST_PATH = ASSETS_PATH.join('manifest.json')
     DEV_SERVER_URL = 'http://localhost:9090/'
 
+    CACHE_STORE =
+      if Rails.env.production?
+        ActiveSupport::Cache::MemoryStore.new(size: 5.megabytes)
+      else
+        ActiveSupport::Cache::NullStore.new
+      end
+
     module_function
 
     def manifest
-      JSON.parse(MANIFEST_PATH.read)
+      CACHE_STORE.fetch('manifest') do
+        JSON.parse(MANIFEST_PATH.read)
+      end
     end
 
     def icons

data/lib/motor/build_schema.rb

@@ -58,9 +58,10 @@ module Motor
 
     module_function
 
-    def call(cache_keys = {})
+    def call(cache_keys = {}, current_ability = nil)
       schema = LoadFromRails.call
       schema = MergeSchemaConfigs.call(schema, cache_keys)
+      schema = ApplyPermissions.call(schema, current_ability) if current_ability
 
       ReorderSchema.call(schema, cache_keys)
     end
@@ -75,4 +76,5 @@ require_relative './build_schema/find_icon'
 require_relative './build_schema/persist_resource_configs'
 require_relative './build_schema/reorder_schema'
 require_relative './build_schema/merge_schema_configs'
+require_relative './build_schema/apply_permissions'
 require_relative './build_schema/utils'

data/lib/motor/build_schema/active_storage_attachment_schema.rb

@@ -5,6 +5,7 @@ module Motor
     ACTIVE_STORAGE_ATTACHMENT_SCHEMA = {
       name: 'active_storage/attachment',
       slug: 'active_storage__attachments',
+      class_name: 'ActiveStorage::Attachment',
       table_name: 'active_storage_attachments',
       primary_key: 'id',
       display_name: 'Attachments',

data/lib/motor/build_schema/apply_permissions.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Motor
+  module BuildSchema
+    module ApplyPermissions
+      module_function
+
+      def call(schema, ability)
+        schema.map do |model|
+          klass = model[:class_name].constantize
+
+          next unless ability.can?(:read, klass)
+
+          model[:associations] = filter_associations(model[:associations], ability)
+          model[:columns] = filter_columns(klass, model[:columns], ability)
+          model[:actions] = filter_actions(klass, model[:actions], ability)
+
+          model
+        end.compact
+      end
+
+      def filter_associations(associations, ability)
+        associations.select do |assoc|
+          ability.can?(:read, assoc[:model_name].classify.constantize)
+        end
+      end
+
+      def filter_columns(model, columns, ability)
+        columns.map do |column|
+          next unless ability.can?(:read, model, column[:name])
+
+          next if column.dig(:reference, :model_name).present? &&
+                  !ability.can?(:read, column[:reference][:model_name].classify.constantize)
+
+          unless ability.can?(:update, model, column[:name])
+            column = column.merge(access_type: BuildSchema::ColumnAccessTypes::READ_ONLY)
+          end
+
+          column
+        end.compact
+      end
+
+      def filter_actions(model, actions, ability)
+        actions.select do |action|
+          ability.can?(action[:name].to_sym, model)
+        end
+      end
+    end
+  end
+end

data/lib/motor/build_schema/find_icon.rb

@@ -35,6 +35,7 @@ module Motor
       'token' => 'key',
       'secret' => 'lock',
       'automation' => 'manual-gearbox',
+      'workflow' => 'manual-gearbox',
       'relationship' => 'hierarchy',
       'person' => 'user',
       'people' => 'users',
@@ -96,6 +97,9 @@ module Motor
       'page' => 'brand-pagekit',
       'date' => 'calendar-event',
       'customer' => 'users',
+      'client' => 'users',
+      'ticket' => 'ticket',
+      'event' => 'event',
       'contact' => 'users',
       'member' => 'users',
       'admin' => 'user-check',
@@ -107,7 +111,8 @@ module Motor
       'product' => 'building-store',
       'html' => 'code',
       'stripe' => 'brand-stripe',
-      'email' => 'mail'
+      'email' => 'mail',
+      'status' => 'hash'
     }.freeze
 
     DEFAULT_ICON = 'database'

data/lib/motor/cancan_utils.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module CancanUtils
+end
+
+require_relative './cancan_utils/ability_patch'
+require_relative './cancan_utils/can_manage_all'

data/lib/motor/cancan_utils/ability_patch.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Motor
+  module CancanUtils
+    module AbilityPatch
+      def serialized_rules
+        @rules.map do |rule|
+          {
+            base_behavior: rule.base_behavior,
+            actions: expand_actions(rule.actions),
+            subjects: rule.subjects.map(&:to_s),
+            attributes: rule.attributes,
+            conditions: rule.conditions.as_json
+          }
+        end
+      end
+
+      def rules_hash
+        serialized_rules.hash
+      end
+
+      private
+
+      def default_alias_actions
+        super.merge(destroy: %i[remove delete])
+      end
+    end
+  end
+end

data/lib/motor/cancan_utils/can_manage_all.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Motor
+  module CancanUtils
+    class CanManageAll
+      include CanCan::Ability
+      prepend CancanUtils::AbilityPatch
+
+      def initialize(_ = nil)
+        can :manage, :all
+      end
+    end
+  end
+end

data/lib/motor/configs/build_ui_app_tag.rb

@@ -12,57 +12,67 @@ module Motor
 
       module_function
 
-      def call(current_user = nil)
+      def call(current_user = nil, current_ability = nil)
         cache_keys = LoadFromCache.load_cache_keys
 
         CACHE_STORE.fetch("#{cache_keys.hash}#{current_user&.id}") do
           CACHE_STORE.clear
 
-          Motor::ApplicationController.helpers.tag.div('', id: 'app', data: build_data(cache_keys, current_user))
+          data = build_data(cache_keys, current_user, current_ability)
+          Motor::ApplicationController.helpers.tag.div('', id: 'app', data: data)
         end
       end
 
       # @return [Hash]
-      def build_data(cache_keys = {}, current_user = nil)
+      def build_data(cache_keys = {}, current_user = nil, current_ability = nil)
         {
           current_user: current_user&.as_json(only: %i[id email]),
+          current_rules: current_ability.serialized_rules,
           audits_count: Motor::Audit.count,
           base_path: Motor::Admin.routes.url_helpers.motor_path,
-          schema: Motor::BuildSchema.call(cache_keys),
+          schema: Motor::BuildSchema.call(cache_keys, current_ability),
           header_links: header_links_data_hash(cache_keys[:configs]),
-          queries: queries_data_hash(cache_keys[:queries]),
-          dashboards: dashboards_data_hash(cache_keys[:dashboards]),
-          alerts: alerts_data_hash(cache_keys[:alerts]),
-          forms: forms_data_hash(cache_keys[:forms])
+          queries: queries_data_hash(build_cache_key(cache_keys, :queries, current_user, current_ability),
+                                     current_ability),
+          dashboards: dashboards_data_hash(build_cache_key(cache_keys, :dashboards, current_user, current_ability),
+                                           current_ability),
+          alerts: alerts_data_hash(build_cache_key(cache_keys, :alerts, current_user, current_ability),
+                                   current_ability),
+          forms: forms_data_hash(build_cache_key(cache_keys, :forms, current_user, current_ability), current_ability)
         }
       end
 
+      # @return [String]
+      def build_cache_key(cache_keys, key, current_user, current_ability)
+        "#{cache_keys[key].hash}#{current_user&.id}#{current_ability&.rules_hash}"
+      end
+
       def header_links_data_hash(cache_key = nil)
         configs = Motor::Configs::LoadFromCache.load_configs(cache_key: cache_key)
 
         configs.find { |c| c.key == 'header.links' }&.value || []
       end
 
-      def queries_data_hash(cache_key = nil)
-        Motor::Configs::LoadFromCache.load_queries(cache_key: cache_key)
+      def queries_data_hash(cache_key = nil, current_ability = nil)
+        Motor::Configs::LoadFromCache.load_queries(cache_key: cache_key, current_ability: current_ability)
                                      .as_json(only: %i[id name updated_at],
                                               include: { tags: { only: %i[id name] } })
       end
 
-      def dashboards_data_hash(cache_key = nil)
-        Motor::Configs::LoadFromCache.load_dashboards(cache_key: cache_key)
+      def dashboards_data_hash(cache_key = nil, current_ability = nil)
+        Motor::Configs::LoadFromCache.load_dashboards(cache_key: cache_key, current_ability: current_ability)
                                      .as_json(only: %i[id title updated_at],
                                               include: { tags: { only: %i[id name] } })
       end
 
-      def alerts_data_hash(cache_key = nil)
-        Motor::Configs::LoadFromCache.load_alerts(cache_key: cache_key)
+      def alerts_data_hash(cache_key = nil, current_ability = nil)
+        Motor::Configs::LoadFromCache.load_alerts(cache_key: cache_key, current_ability: current_ability)
                                      .as_json(only: %i[id name is_enabled updated_at],
                                               include: { tags: { only: %i[id name] } })
       end
 
-      def forms_data_hash(cache_key = nil)
-        Motor::Configs::LoadFromCache.load_forms(cache_key: cache_key)
+      def forms_data_hash(cache_key = nil, current_ability = nil)
+        Motor::Configs::LoadFromCache.load_forms(cache_key: cache_key, current_ability: current_ability)
                                      .as_json(only: %i[id name updated_at],
                                               include: { tags: { only: %i[id name] } })
       end

data/lib/motor/configs/load_from_cache.rb

@@ -32,27 +32,39 @@ module Motor
         end
       end
 
-      def load_queries(cache_key: nil)
+      def load_queries(cache_key: nil, current_ability: nil)
         maybe_fetch_from_cache('queries', cache_key) do
-          Motor::Query.all.active.preload(:tags).load
+          rel = Motor::Query.all.active.preload(:tags)
+          rel = rel.accessible_by(current_ability) if current_ability
+
+          rel.load
         end
       end
 
-      def load_dashboards(cache_key: nil)
+      def load_dashboards(cache_key: nil, current_ability: nil)
         maybe_fetch_from_cache('dashboards', cache_key) do
-          Motor::Dashboard.all.active.preload(:tags).load
+          rel = Motor::Dashboard.all.active.preload(:tags)
+          rel = rel.accessible_by(current_ability) if current_ability
+
+          rel.load
         end
       end
 
-      def load_alerts(cache_key: nil)
+      def load_alerts(cache_key: nil, current_ability: nil)
         maybe_fetch_from_cache('alerts', cache_key) do
-          Motor::Alert.all.active.preload(:tags).load
+          rel = Motor::Alert.all.active.preload(:tags)
+          rel = rel.accessible_by(current_ability) if current_ability
+
+          rel.load
         end
       end
 
-      def load_forms(cache_key: nil)
+      def load_forms(cache_key: nil, current_ability: nil)
         maybe_fetch_from_cache('forms', cache_key) do
-          Motor::Form.all.active.preload(:tags).load
+          rel = Motor::Form.all.active.preload(:tags)
+          rel = rel.accessible_by(current_ability) if current_ability
+
+          rel.load
         end
       end
 

data/lib/motor/queries/run_query.rb

@@ -16,6 +16,8 @@ module Motor
 
       PG_ERROR_REGEXP = /\APG.+ERROR:/.freeze
 
+      RESERVED_VARIABLES = %w[current_user_id current_user_email].freeze
+
       module_function
 
       # @param query [Motor::Query]
@@ -110,11 +112,13 @@ module Motor
       end
 
       # @param variable_configs [Array<Hash>]
-      # @param variable_hash [Hash]
+      # @param variables_hash [Hash]
       # @return [Hash]
       def merge_variable_default_values(variable_configs, variables_hash)
-        variable_configs.each_with_object({}) do |variable, acc|
-          acc[variable[:name]] = variables_hash[variable[:name]] || variable[:default_value]
+        variable_configs.each_with_object(variables_hash.slice(*RESERVED_VARIABLES)) do |variable, acc|
+          next if RESERVED_VARIABLES.include?(variable[:name])
+
+          acc[variable[:name]] ||= variables_hash[variable[:name]] || variable[:default_value]
         end
       end
     end

data/lib/motor/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Motor
-  VERSION = '0.1.57'
+  VERSION = '0.1.58'
 end

data/ui/dist/manifest.json

@@ -2068,11 +2068,11 @@
   "mail-opened.svg": "icons/mail-opened.svg",
   "mail.svg": "icons/mail.svg",
   "mailbox.svg": "icons/mailbox.svg",
-  "main-dd83302a0e62f7cfdba6.css.gz": "main-dd83302a0e62f7cfdba6.css.gz",
-  "main-dd83302a0e62f7cfdba6.js.LICENSE.txt": "main-dd83302a0e62f7cfdba6.js.LICENSE.txt",
-  "main-dd83302a0e62f7cfdba6.js.gz": "main-dd83302a0e62f7cfdba6.js.gz",
-  "main.css": "main-dd83302a0e62f7cfdba6.css",
-  "main.js": "main-dd83302a0e62f7cfdba6.js",
+  "main-ba741735a93c9314bbfa.css.gz": "main-ba741735a93c9314bbfa.css.gz",
+  "main-ba741735a93c9314bbfa.js.LICENSE.txt": "main-ba741735a93c9314bbfa.js.LICENSE.txt",
+  "main-ba741735a93c9314bbfa.js.gz": "main-ba741735a93c9314bbfa.js.gz",
+  "main.css": "main-ba741735a93c9314bbfa.css",
+  "main.js": "main-ba741735a93c9314bbfa.js",
   "man.svg": "icons/man.svg",
   "manual-gearbox.svg": "icons/manual-gearbox.svg",
   "map-2.svg": "icons/map-2.svg",

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: motor-admin
 version: !ruby/object:Gem::Version
-  version: 0.1.57
+  version: 0.1.58
 platform: ruby
 authors:
 - Pete Matsyburka
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-08 00:00:00.000000000 Z
+date: 2021-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord-filter
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.9'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '4.9'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: cancancan
   requirement: !ruby/object:Gem::Requirement
@@ -121,6 +121,7 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- app/controllers/concerns/motor/current_ability.rb
 - app/controllers/concerns/motor/current_user_method.rb
 - app/controllers/concerns/motor/load_and_authorize_dynamic_resource.rb
 - app/controllers/concerns/motor/wrap_io_params.rb
@@ -191,6 +192,7 @@ files:
 - lib/motor/build_schema.rb
 - lib/motor/build_schema/active_storage_attachment_schema.rb
 - lib/motor/build_schema/adjust_devise_model_schema.rb
+- lib/motor/build_schema/apply_permissions.rb
 - lib/motor/build_schema/find_display_column.rb
 - lib/motor/build_schema/find_icon.rb
 - lib/motor/build_schema/load_from_rails.rb
@@ -198,6 +200,9 @@ files:
 - lib/motor/build_schema/persist_resource_configs.rb
 - lib/motor/build_schema/reorder_schema.rb
 - lib/motor/build_schema/utils.rb
+- lib/motor/cancan_utils.rb
+- lib/motor/cancan_utils/ability_patch.rb
+- lib/motor/cancan_utils/can_manage_all.rb
 - lib/motor/configs.rb
 - lib/motor/configs/build_configs_hash.rb
 - lib/motor/configs/build_ui_app_tag.rb
@@ -1485,8 +1490,8 @@ files:
 - ui/dist/icons/zoom-money.svg.gz
 - ui/dist/icons/zoom-out.svg.gz
 - ui/dist/icons/zoom-question.svg.gz
-- ui/dist/main-dd83302a0e62f7cfdba6.css.gz
-- ui/dist/main-dd83302a0e62f7cfdba6.js.gz
+- ui/dist/main-ba741735a93c9314bbfa.css.gz
+- ui/dist/main-ba741735a93c9314bbfa.js.gz
 - ui/dist/manifest.json
 homepage:
 licenses: