nileshtrivedi-safe_resource 0.5.3

data/generators/scaffold_resource/templates/controller.rb

@@ -0,0 +1,68 @@
+class <%= controller_class_name %>Controller < ResourceController::Base
+  before_filter :has_edit_permission, :only => [:edit]
+  before_filter :has_update_permission, :only => [:update]
+  before_filter :has_create_permission, :only => [:new, :create]
+  before_filter :has_view_permission, :only => [:show]
+  before_filter :has_delete_permission, :only => [:destroy]
+  before_filter :select_viewable_objects, :only => [:index]
+
+  private
+
+  def select_viewable_objects
+    #TODO: instead of Article.all, this should be chain.articles || Article.all as the case is
+    @viewable_<%= plural_name %> = end_of_association_chain.find(:all).select {|v| (v.viewable_by?(current_user, "id")) }
+    @viewable_<%= plural_name %> = @viewable_<%= plural_name %>.paginate(:page => params[:page], :per_page => 4)
+  end
+
+  def has_edit_permission
+    #TODO: infer permissions from updatable_by? whether to display the field for a given attribute or not
+    load_object
+    if(!@<%= singular_name %>.editable_by?(current_user))
+      flash[:notice] = "Permision denied."
+      redirect_to collection_url
+      return false
+    end
+    true
+  end
+
+  def has_create_permission
+    build_object
+    load_object
+    if(!@<%= singular_name %>.creatable_by?(current_user))
+      flash[:notice] = "Permision denied."
+      redirect_to collection_url
+      return
+    end
+  end
+
+  def has_view_permission
+    load_object
+    if(!@<%= singular_name %>.viewable_by?(current_user,"id"))
+      flash[:notice] = "Permision denied."
+      redirect_to collection_url
+      return
+    end
+  end
+
+  def has_delete_permission
+    load_object
+    if(!@<%= singular_name %>.deletable_by?(current_user))
+      flash[:notice] = "Permision denied."
+      redirect_to collection_url
+      return
+    end
+  end
+
+  def has_update_permission
+    load_object
+    #update attributes without saving to db so that we can call updatable_by?
+    #TODO: r_c will call update_attributes again even though simple save would be sufficient after the following line
+    @<%= singular_name %>.attributes = params[:article]
+    if(!@<%= singular_name %>.updatable_by?(current_user,@<%= singular_name %>))
+      flash[:notice] = "Permision denied."
+      redirect_to collection_url
+      return
+    end
+  end
+end
+

data/generators/scaffold_resource/templates/fixtures.yml

@@ -0,0 +1,10 @@
+one:
+  id: 1
+<% for attribute in attributes -%>
+  <%= attribute.name %>: <%= attribute.default %>
+<% end -%>
+two:
+  id: 2
+<% for attribute in attributes -%>
+  <%= attribute.name %>: <%= attribute.default %>
+<% end -%>

data/generators/scaffold_resource/templates/functional_test.rb

@@ -0,0 +1,57 @@
+require File.dirname(__FILE__) + '<%= '/..' * controller_class_nesting_depth %>/../test_helper'
+require '<%= controller_file_path %>_controller'
+
+# Re-raise errors caught by the controller.
+class <%= controller_class_name %>Controller; def rescue_action(e) raise e end; end
+
+class <%= controller_class_name %>ControllerTest < Test::Unit::TestCase
+  fixtures :<%= table_name %>
+
+  def setup
+    @controller = <%= controller_class_name %>Controller.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+  end
+
+  def test_should_get_index
+    get :index
+    assert_response :success
+    assert assigns(:<%= table_name %>)
+  end
+
+  def test_should_get_new
+    get :new
+    assert_response :success
+  end
+  
+  def test_should_create_<%= file_name %>
+    old_count = <%= class_name %>.count
+    post :create, :<%= file_name %> => { }
+    assert_equal old_count+1, <%= class_name %>.count
+    
+    assert_redirected_to <%= file_name %>_path(assigns(:<%= file_name %>))
+  end
+
+  def test_should_show_<%= file_name %>
+    get :show, :id => 1
+    assert_response :success
+  end
+
+  def test_should_get_edit
+    get :edit, :id => 1
+    assert_response :success
+  end
+  
+  def test_should_update_<%= file_name %>
+    put :update, :id => 1, :<%= file_name %> => { }
+    assert_redirected_to <%= file_name %>_path(assigns(:<%= file_name %>))
+  end
+  
+  def test_should_destroy_<%= file_name %>
+    old_count = <%= class_name %>.count
+    delete :destroy, :id => 1
+    assert_equal old_count-1, <%= class_name %>.count
+    
+    assert_redirected_to <%= table_name %>_path
+  end
+end

data/generators/scaffold_resource/templates/helper.rb

@@ -0,0 +1,22 @@
+module <%= controller_class_name %>Helper
+  def safe_create_link
+    return link_to('New <%= singular_name.titleize %>', new_object_url) if <%= class_name %>.new.creatable_by?(current_user)
+  end
+
+  def safe_show_link(<%= singular_name %>)
+    return link_to('Show', object_url(<%= singular_name %>)) if <%= singular_name %>.viewable_by?(current_user,"id")
+  end
+
+  def safe_edit_link(<%= singular_name %>)
+    return link_to('Edit', edit_object_url(<%= singular_name %>)) if <%= singular_name %>.editable_by?(current_user)
+  end
+
+  def safe_delete_link(<%= singular_name %>)
+    return link_to('Delete', object_url(<%= singular_name %>), :confirm => 'Are you sure?', :method => :delete) if <%= singular_name %>.deletable_by?(current_user)
+  end
+
+  def safe_field_value(<%= singular_name %>, field)
+    return h(<%= singular_name %>.read_attribute(field)) if <%= singular_name %>.viewable_by?(current_user,field)
+  end  
+end
+

data/generators/scaffold_resource/templates/migration.rb

@@ -0,0 +1,15 @@
+class <%= migration_name %> < ActiveRecord::Migration
+  def self.up
+    create_table :<%= table_name %>, :force => true do |t|
+<% for attribute in attributes -%>
+      t.<%= attribute.type %> :<%= attribute.name %>
+<% end -%>
+
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :<%= table_name %>
+  end
+end

data/generators/scaffold_resource/templates/model.rb

@@ -0,0 +1,60 @@
+class <%= class_name %> < ActiveRecord::Base
+
+<% for attribute in attributes -%>
+  validates_presence_of :<%= attribute.name %>
+<% end -%>
+  
+  attr_accessible #Enable mass assignment for allowed fields manually in order to avoid security issues
+    
+  # --- Hobo Permissions --- #
+
+  def creatable_by?(creator)
+    true
+  end
+
+  def updatable_by?(updater, new)
+    true
+  end
+
+  def deletable_by?(deleter)
+    true
+  end
+
+  def viewable_by?(viewer, field)
+    true
+  end
+  
+  def editable_by?(editor)
+    #whether the edit link should be made visible to 'editor' user
+    #this is different from updatable_by? because user may have the permission to change some of the fields.
+    #TODO: investigate how Hobo determines whether to show edit link or not -> Hobo fakes an edit to use updatable_by? by setting the field to 'Hobo:Undefined'
+    true
+  end  
+  
+    def same_fields?(other, *fields)
+      return true if other.nil?
+
+      fields = fields.flatten
+      fields.all?{|f| self.send(f) == other.send(f)}
+    end
+
+
+    def only_changed_fields?(other, *changed_fields)
+      return true if other.nil?
+
+      changed_fields = changed_fields.flatten.*.to_s
+      all_cols = self.class.columns.*.name - []
+      all_cols.all?{|c| c.in?(changed_fields) || self.send(c) == other.send(c) }
+    end
+  
+  protected
+  def validate
+    <% for attribute in attributes.select {|v| (v.name =~ /email$/ )} -%>
+    errors.add(:<%= attribute.name %>, "is not valid (use abc@abc.com)") unless <%= attribute.name %> =~ /\A([-a-z0-9]+[\w\.\-\+]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
+    <% end -%>
+    
+    <% for attribute in attributes.select {|v| (v.name =~ /(website|url)$/ )} -%>
+    errors.add(:<%= attribute.name %>, "is not valid (use http://www.abc.com)") unless <%= attribute.name %> =~ /^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$/ix
+    <% end -%>
+  end
+end

data/generators/scaffold_resource/templates/old_migration.rb

@@ -0,0 +1,13 @@
+class <%= migration_name %> < ActiveRecord::Migration
+  def self.up
+    create_table :<%= table_name %>, :force => true do |t|
+<% for attribute in attributes -%>
+      t.column :<%= attribute.name %>, :<%= attribute.type %>
+<% end -%>
+    end
+  end
+
+  def self.down
+    drop_table :<%= table_name %>
+  end
+end

data/generators/scaffold_resource/templates/rspec/functional_spec.rb

@@ -0,0 +1,255 @@
+require File.expand_path(File.dirname(__FILE__) + '<%= '/..' * controller_class_nesting_depth %>/../spec_helper')
+
+describe <%= controller_class_name %>Controller do
+  describe "handling GET /<%= table_name %>" do
+
+    before(:each) do
+      @<%= file_name %> = mock_model(<%= controller_class_name.singularize %>)
+      <%= controller_class_name.singularize %>.stub!(:find).and_return([@<%= file_name %>])
+    end
+  
+    def do_get
+      get :index
+    end
+  
+    it "should be successful" do
+      do_get
+      response.should be_success
+    end
+
+    it "should render index template" do
+      do_get
+      response.should render_template('index')
+    end
+  
+    it "should find all <%= table_name %>" do
+      <%= controller_class_name.singularize %>.should_receive(:find).with(:all).and_return([@<%= file_name %>])
+      do_get
+    end
+  
+    it "should assign the found <%= table_name %> for the view" do
+      do_get
+      assigns[:<%= table_name %>].should == [@<%= file_name %>]
+    end
+  end
+
+  describe "handling GET /<%= table_name %>/1" do
+
+    before(:each) do
+      @<%= file_name %> = mock_model(<%= controller_class_name.singularize %>)
+      <%= controller_class_name.singularize %>.stub!(:find).and_return(@<%= file_name %>)
+    end
+  
+    def do_get
+      get :show, :id => "1"
+    end
+
+    it "should be successful" do
+      do_get
+      response.should be_success
+    end
+  
+    it "should render show template" do
+      do_get
+      response.should render_template('show')
+    end
+  
+    it "should find the <%= file_name %> requested" do
+      <%= controller_class_name.singularize %>.should_receive(:find).with("1").and_return(@<%= file_name %>)
+      do_get
+    end
+  
+    it "should assign the found <%= file_name %> for the view" do
+      do_get
+      assigns[:<%= file_name %>].should equal(@<%= file_name %>)
+    end
+  end
+
+  describe "handling GET /<%= table_name %>/new" do
+
+    before(:each) do
+      @<%= file_name %> = mock_model(<%= controller_class_name.singularize %>)
+      <%= controller_class_name.singularize %>.stub!(:new).and_return(@<%= file_name %>)
+    end
+  
+    def do_get
+      get :new
+    end
+
+    it "should be successful" do
+      do_get
+      response.should be_success
+    end
+  
+    it "should render new template" do
+      do_get
+      response.should render_template('new')
+    end
+  
+    it "should create an new <%= file_name %>" do
+      <%= controller_class_name.singularize %>.should_receive(:new).and_return(@<%= file_name %>)
+      do_get
+    end
+  
+    it "should not save the new <%= file_name %>" do
+      @<%= file_name %>.should_not_receive(:save)
+      do_get
+    end
+  
+    it "should assign the new <%= file_name %> for the view" do
+      do_get
+      assigns[:<%= file_name %>].should equal(@<%= file_name %>)
+    end
+  end
+
+  describe "handling GET /<%= table_name %>/1/edit" do
+
+    before(:each) do
+      @<%= file_name %> = mock_model(<%= controller_class_name.singularize %>)
+      <%= controller_class_name.singularize %>.stub!(:find).and_return(@<%= file_name %>)
+    end
+  
+    def do_get
+      get :edit, :id => "1"
+    end
+
+    it "should be successful" do
+      do_get
+      response.should be_success
+    end
+  
+    it "should render edit template" do
+      do_get
+      response.should render_template('edit')
+    end
+  
+    it "should find the <%= file_name %> requested" do
+      <%= controller_class_name.singularize %>.should_receive(:find).and_return(@<%= file_name %>)
+      do_get
+    end
+  
+    it "should assign the found <%= controller_class_name %> for the view" do
+      do_get
+      assigns[:<%= file_name %>].should equal(@<%= file_name %>)
+    end
+  end
+
+  describe "handling POST /<%= table_name %>" do
+
+    before(:each) do
+      @<%= file_name %> = mock_model(<%= controller_class_name.singularize %>, :to_param => "1")
+      <%= controller_class_name.singularize %>.stub!(:new).and_return(@<%= file_name %>)
+    end
+    
+    describe "with successful save" do
+  
+      def do_post
+        @<%= file_name %>.should_receive(:save).and_return(true)
+        post :create, :<%= file_name %> => {}
+      end
+  
+      it "should create a new <%= file_name %>" do
+        <%= controller_class_name.singularize %>.should_receive(:new).with({}).and_return(@<%= file_name %>)
+        do_post
+      end
+
+      it "should redirect to the new <%= file_name %>" do
+        do_post
+        response.should redirect_to(<%= table_name.singularize %>_url("1"))
+      end
+      
+    end
+    
+    describe "with failed save" do
+
+      def do_post
+        @<%= file_name %>.should_receive(:save).and_return(false)
+        post :create, :<%= file_name %> => {}
+      end
+  
+      it "should re-render 'new'" do
+        do_post
+        response.should render_template('new')
+      end
+      
+    end
+  end
+
+  describe "handling PUT /<%= table_name %>/1" do
+
+    before(:each) do
+      @<%= file_name %> = mock_model(<%= controller_class_name.singularize %>, :to_param => "1")
+      <%= controller_class_name.singularize %>.stub!(:find).and_return(@<%= file_name %>)
+    end
+    
+    describe "with successful update" do
+
+      def do_put
+        @<%= file_name %>.should_receive(:update_attributes).and_return(true)
+        put :update, :id => "1"
+      end
+
+      it "should find the <%= file_name %> requested" do
+        <%= controller_class_name.singularize %>.should_receive(:find).with("1").and_return(@<%= file_name %>)
+        do_put
+      end
+
+      it "should update the found <%= file_name %>" do
+        do_put
+        assigns(:<%= file_name %>).should equal(@<%= file_name %>)
+      end
+
+      it "should assign the found <%= file_name %> for the view" do
+        do_put
+        assigns(:<%= file_name %>).should equal(@<%= file_name %>)
+      end
+
+      it "should redirect to the <%= file_name %>" do
+        do_put
+        response.should redirect_to(<%= table_name.singularize %>_url("1"))
+      end
+
+    end
+    
+    describe "with failed update" do
+
+      def do_put
+        @<%= file_name %>.should_receive(:update_attributes).and_return(false)
+        put :update, :id => "1"
+      end
+
+      it "should re-render 'edit'" do
+        do_put
+        response.should render_template('edit')
+      end
+
+    end
+  end
+
+  describe "handling DELETE /<%= table_name %>/1" do
+
+    before(:each) do
+      @<%= file_name %> = mock_model(<%= controller_class_name.singularize %>, :destroy => true)
+      <%= controller_class_name.singularize %>.stub!(:find).and_return(@<%= file_name %>)
+    end
+  
+    def do_delete
+      delete :destroy, :id => "1"
+    end
+
+    it "should find the <%= file_name %> requested" do
+      <%= controller_class_name.singularize %>.should_receive(:find).with("1").and_return(@<%= file_name %>)
+      do_delete
+    end
+  
+    it "should call destroy on the found <%= file_name %>" do
+      @<%= file_name %>.should_receive(:destroy).and_return(true) 
+      do_delete
+    end
+  
+    it "should redirect to the <%= table_name %> list" do
+      do_delete
+      response.should redirect_to(<%= table_name %>_url)
+    end
+  end
+end