padrino-admin 0.8.5 → 0.9.0

data/README.rdoc

@@ -2,12 +2,11 @@
 
 === Overview
 
-Padrino has a beautiful Ajax Admin, with these fatures:
+Padrino has a beautiful Admin, with these fatures:
 
 Orm Agnostic:: Adapters for datamapper, activerecord, mongomapper, couchdb (now only: datamapper and activerecord)
 Authentication:: Support for Account authentication, Account Permission managment
 Scaffold:: You can simply create a new "admin interface" simply providing a Model
-Ajax Uploads:: You can upload file, manage them and attach them to any model in a quick and simple way (coming soon)
 
 === Admin Usage
 
@@ -23,118 +22,75 @@ For create the admin application:
 Now follow admin instructions so:
 
 * edit your config/database.rb
-* run padrino rake dm:auto:migrate
+* run padrino rake dm:migrate # or ar:migrate if you use activerecord
 * run padrino rake seed
 
 Your admin now is "complete", you can start your server with <tt>padrino start</tt> and point your browser to /admin!
 
 For create a new "scaffold" you need to provide only a Model for them like:
 
-  fun-test$ padrino-gen model post --skip-migration // edit your post.rb model and add some fields
+  fun-test$ padrino-gen model post --skip-migration # edit your post.rb model and add some fields
   fun-test$ padrino-gen rake dm:auto:migrate
-  fun-test$ padrino-gen admin_page Post
-  fun-test$ padrino start // and go to yourserver.local/admin
+  fun-test$ padrino-gen admin_page post
+  fun-test$ padrino start # and go to http://localhost:3000/admin
   
 That's all!!
 
 === Admin Authentication
 
-Padrino Admin use a model Account for manage role, membership and permissions take the following example:
+Padrino Admin use a model Account for manage role, membership and permissions.
 
-  access_control.roles_for :any do |role|
-    role.allow "/sessions"
-    # role.deny "/deny/this/always"
-  end
 
-  access_control.roles_for :admin do |role, account|
-    role.allow "/"
+==== Scenario Ecommerce
 
-    role.project_module :accounts do |project|
-      project.menu :list, "/admin/accounts.js"
-      project.menu :new,  "/admin/accounts/new"
-    end
-  end
+For an ecommerce we usually deny some controllers/actions like
 
-  access_control.roles_for :editor do |role, account|
-    role.project_module :posts do |project|
-      project.menu :list, "/admin/posts.js"
-      project.menu :new,  "/admin/posts/new"
-    end
+  class MyEcommerce < Padrino::Application
+    enable :authentication
+    enable :store_location
+    set    :login_page, "/login"
 
-    role.project_module :comments do |project|
-      project.menu :list, "/admin/comments.js"
-      project.menu :new,  "/admin/comments/new"
+    access_control.roles_for :any do |role|
+      role.protect "/customer/orders"
+      role.protect "/cart/checkout"
     end
   end
 
-In this example we <tt>grant</tt> "/session" (and each subpaths like /sessions/new) for all users logged and unlogged.
-
-Account with role <tt>admin</tt> can manage <tt>only</tt> accounts because have access to "/admin/accounts/**" paths
-Account with role <tt>editor</tt> can manage <tt>only</tt> post/comments because have access to "/admin/posts/**", "/admin/posts/**" paths
-
-Another good fature of Padrino admin is that when you define a <tt>Project Module</tt> role you also build the Menu Tree of the Admin. 
-Trust us that in future you appreciate so much this feature.
-
-=== Admin Uploads
-
-Padrino admin has a builtin upload managment that leave you to be free as possible.
-
-  fun-test$ padrino-gen admin_uploader
-  fun-test$ rake dm:auto:upgrade # or ar:migrate
-
-Finish! Now you can browse into your admin and you can see a new menu called +upload+ where you can see all your uploads,
-upload other file, delete ...
-
-All upload definitions are defined in lib/uploader.rb, here you can preproces your attachments (like resize) or manage versions.
-
-See http://github.com/jnicklas/carrierwave
+In this example +if+ we visit urls that start with /+customer+/+orders+ or /+cart/checkout+ we will be redirected
+to our :+login_page+ "/login". Once we are correctly logged in we can visit these pages.
 
-==== Attach Many Uploads to a Model
+==== Scenario Admin
 
-If you want attach in a model ex: Account many uploads you can do that in a simple way add a habtm relation!
+Suppose that you need to some actions for +admin+ accounts and others for +editors+
 
-  # app/models/account.rb
-  has n, :uploads
+When you generate padrino-admin will be created for you an +Account+ model that have a +role+ attribute. So:
 
-or for ActiveRecord
+  class Admin < Padrino::Application
+    enable :authentication
+    disable :store_location
+    set :login_page, "/admin/sessions/new"
 
-  # app/models/account.rb
-  has_and_belongs_to_many :uploads
-
-Now edit the form and add these lines:
-
-  # admin/views/accounts/_form.haml
-  %tr
-    %td=f.label :uploads
-    %td=f.open_window_grid :upload_ids, :with => :uploads, :get => :id, :show => :file, :multiple => true, :item => :panel
-
-*open_window_grid* is a padrino-admin method that open an extjs window contains your +grids+ so in this case:
-
-open window grid for :+account+ model in method :+upload_ids+ with the help of controller :+uploads+ and 
-get as a value the :+id+ and display :+file+.
-
-:+multiple+ indicate that we need more than one :+id+.
-:+item+ tell to the grid who is the container, we need to explicit this because we have two container in our upload.js
-
-See view helpers[http://github.com/padrino/padrino-framework/blob/master/padrino-admin/lib/padrino-admin/helpers/view.rb#L145] for more docs.
-
-That's all! Now run mingrations and browse accounts for see our uploader.
-
-==== Attach One Upload to a Model
+    access_control.roles_for :any do |role|
+      role.protect "/"
+      role.allow "/sessions"
+    end
 
-The process is the same as above you need only define in your model:
+    access_control.roles_for :admin do |role|
+      role.project_module :settings, "/settings"
+    end
 
-  # app/models/account.rb
-  belongs_to :upload
+    access_control.roles_for :editor do |role|
+      role.project_module :posts, "/posts"
+      role.project_module :categories, "/categories"
+    end
+  end
 
-and add this to your account form:
+In this case we +protect+ the entire admin (all paths that start with "/") except paths that start with /+sessions+ so
+an +unauthenticated+ user can login.
 
-  # admin/views/accounts/_form.haml
-  %tr
-    %td=f.label :upload
-    %td=f.open_window_grid :upload_id, :with => :uploads, :get => :id, :show => :file, :item => :panel
+If we login as +admin+ (account.role == 'admin') we have access *only* to paths that start with /+settings+.
 
-Remember to run migrations before start your server.
+If we login as +editor+ (account.role == 'editor') we have access *only* to paths that start with /+posts+ and /+categories+
 
 == Copyright
 

data/VERSION

@@ -1 +1 @@
-0.8.5
+0.9.0

data/lib/padrino-admin.rb

@@ -3,7 +3,7 @@ require 'padrino-gen'
 require 'padrino-helpers'
 
 Dir[File.dirname(__FILE__) + '/padrino-admin/*.rb'].each {|file| require file }
-Dir[File.dirname(__FILE__) + '/padrino-admin/{helpers,orm,middleware,utils}/*.rb'].each {|file| require file }
+Dir[File.dirname(__FILE__) + '/padrino-admin/{helpers,middleware,utils}/*.rb'].each {|file| require file }
 
 module Padrino
   ##
@@ -21,35 +21,18 @@ end
 # We need to apply Padrino::Admin::Utils::Extensions
 # 
 String.send(:include, Padrino::Admin::Utils::Crypt)
-String.send(:include, Padrino::Admin::Utils::Literal)
 
 ##
 # We need to add to Padrino::Application a +access_control+ class
 # 
-Padrino::Application.send(:cattr_accessor, :access_control)
-Padrino::Application.send(:access_control=, Class.new(Padrino::Admin::AccessControl::Base))
-
-##
-# If CarrierWave is defined we set the root directory
-# 
-CarrierWave.root = Padrino.root("public") if defined?(CarrierWave)
-
-##
-# Extend Abastract Form builder
-# 
-Padrino::Helpers::FormBuilder::AbstractFormBuilder.send(:include, Padrino::Admin::Helpers::ViewHelpers::AbstractFormBuilder)
+Padrino::Application.extend(Padrino::Admin::AccessControl::ClassMethods)
 
 ##
 # Load our Padrino::Admin locales
 # 
 I18n.load_path += Dir["#{File.dirname(__FILE__)}/padrino-admin/locale/**/*.yml"]
 
-##
-# Load our databases extensions
-# 
-Padrino::Admin::Orm.register!
-
 ##
 # Now we need to add admin generators to padrino-gen
 # 
-Padrino::Generators.load_paths << Dir[File.dirname(__FILE__) + '/padrino-admin/generators/{actions,admin_app,admin_page,admin_uploader}.rb']
+Padrino::Generators.load_paths << Dir[File.dirname(__FILE__) + '/padrino-admin/generators/{actions,orm,admin_app,admin_page}.rb']

data/lib/padrino-admin/access_control.rb

@@ -2,396 +2,148 @@ module Padrino
   module Admin
     class AccessControlError < StandardError #:nodoc:
     end
-
     ##
-    # This module give to a padrino application an access control functionality like:
-    #   
-    #   class EcommerceDemo < Padrino::Application
-    #     enable :authentication
-    #     set :login_page, "/login" # or your login page
-    #     enable :store_location # if you want know what is the page that need authentication
-    # 
-    #     access_control.roles_for :any do
-    #       role.require_login "/cart"
-    #       role.require_login "/account"
-    #       role.allow "/account/create"
-    #     end
-    #   end
-    # 
-    # In the EcommerceDemo, we +only+ require logins for all paths that start with "/cart" like:
-    # 
-    #   - "/cart/add"
-    #   - "/cart/empty"
-    #   - "/cart/checkout"
-    # 
-    # same thing for "/account" so we require a login for:
-    # 
-    #   - "/account"
-    #   - "/account/edit"
-    #   - "/account/update"
-    # 
-    # but if we call "/account/create" we don't need to be logged in our site for do that.
-    # In EcommerceDemo example we set +redirect_back_or_default+ so if a +unlogged+ 
-    # user try to access "/account/edit" will be redirected to "/login" when login is done will be 
-    # redirected to "/account/edit".
-    # 
-    # If we need something more complex aka roles/permissions we can do that in the same simple way
-    # 
-    #   class AdminDemo < Padrino::Application
-    #     enable :authentication
-    #     set :login_page, "/sessions/new" # or your page
-    #     
-    #     access_control.roles_for :any do |role|
-    #       role.allow "/sessions"
-    #     end
-    #   
-    #     access_control.roles_for :admin do |role, account|
-    #       role.allow "/"
-    #       role.deny  "/posts"
-    #     end
-    #     
-    #     access_control.roles_for :editor do |role, account|
-    #       role.allow "/posts"
-    #     end
-    #   end
-    # 
-    #   If a user logged with role admin can:
-    #   
-    #   - Access to all paths that start with "/session" like "/sessions/{new,create}"
-    #   - Access to any page except those that start with "/posts"
-    # 
-    #   If a user logged with role editor can:
-    # 
-    #   - Access to all paths that start with "/session" like "/sessions/{new,create}"
-    #   - Access +only+ to paths that start with "/posts" like "/post/{new,edit,destroy}"
-    # 
-    # Finally we have another good fatures, the possibility in the same time we build role build also +tree+.
-    # Figure this scenario: in my admin every account need their own menu, so an Account with role editor have
-    # a menu different than an Account with role admin.
-    # 
-    # So:
-    # 
-    #   class AdminDemo < Padrino::Application
-    #     enable :authentication
-    #     
-    #     access_control.roles_for :any do |role|
-    #       role.allow "/sessions"
-    #     end
-    #     
-    #     access_control.roles_for :admin do |role, current_account|
-    #       
-    #       role.project_module :settings do |project|
-    #         project.menu :accounts, "/accounts" do |accounts|
-    #           accounts.add :new, "/accounts/new" do |account|
-    #             account.add :administrator, "/account/new/?role=administrator"               
-    #             account.add :editor,        "/account/new/?role=editor"
-    #           end
-    #         end
-    #         project.menu :spam_rules, "/manage_spam"
-    #       end
-    #       
-    #       role.project_module :categories do |project|
-    #         current_account.categories.each do |category|
-    #           project.menu category.name, "/categories/#{category.id}.js"
-    #         end
-    #       end
-    #     end
-    #     
-    #     access_control.roles_for :editor do |role, current_account|
-    #       
-    #       role.project_module :posts do |posts|
-    #         post.menu :list, "/posts"
-    #         post.menu :new,  "/posts/new"
-    #       end
-    #     end
-    # 
-    # In this example when we build our menu tree we are also defining roles so:
-    # 
-    # An Admin Account have access to:
-    # 
-    # - All paths that start with "/sessions"
-    # - All paths that start with "/accounts"
-    # - All paths that start with "/manage_spam"
-    # 
-    # An Editor Account have access to:
-    # 
-    # - All paths that start with "/posts"
-    # 
-    # Remember that you always deny a specific actions or allow globally others.
-    # 
-    # Remember that when you define role_for :a_role, you have also access to the Model Account.
+    # This module give to a padrino application an access control functionality
     #
     module AccessControl
-
       ##
       # Method used by Padrino::Application when we register the extension
       # 
       def self.registered(app)
         app.set :session_id, "_padrino_#{File.basename(Padrino.root)}_#{app.app_name}".to_sym
-        app.helpers Padrino::Admin::Helpers::ViewHelpers
         app.helpers Padrino::Admin::Helpers::AuthenticationHelpers
-        app.before { login_required }
+        app.helpers Padrino::Admin::Helpers::ViewHelpers
         app.use Padrino::Admin::Middleware::FlashMiddleware, app.session_id  # make sure that is the same of session_name in helpers
-        Padrino::Admin::Orm.extend_account!
+        app.before { login_required }
       end
 
-      class Base
-        class << self
-          attr_reader :roles
-
-          def inherited(base) #:nodoc:
-            base.class_eval("@@cache={}; @authorizations=[]; @roles=[]; @mappers=[]")
-            base.send(:cattr_reader, :cache)
-            super(base)
-          end
-
-          ##
-          # We map project modules for a given role or roles
-          # 
-          def roles_for(*roles, &block)
-            raise Padrino::Admin::AccessControlError, "Role #{role} must be present and must be a symbol!" if roles.any? { |r| !r.kind_of?(Symbol) } || roles.empty?
-            raise Padrino::Admin::AccessControlError, "You can't merge :any with other roles"              if roles.size > 1 && roles.any? { |r| r == :any }
-
-            if roles == [:any]
-              @authorizations << Authorization.new(&block)
-            else
-              raise Padrino::Admin::AccessControlError, "For use custom roles you need to define an Account Class" unless defined?(Account)
-              @roles.concat(roles)
-              @mappers << Proc.new { |account| Mapper.new(account, *roles, &block) }
-            end
-          end
-
-          ##
-          # Returns (allowed && denied paths).
-          # If an account given we also give allowed & denied paths for their role.
-          # 
-          def auths(account=nil)
-            if account
-              cache[account.id] ||= Auths.new(@authorizations, @mappers, account)
-            else
-              cache[:any] ||= Auths.new(@authorizations)
-            end
-          end
+      module ClassMethods #:nodoc:
+        def inherited(base)
+          base.send(:cattr_accessor, :access_control)
+          base.send(:access_control=, Padrino::Admin::AccessControl::Base.new)
+          super(base)
         end
-      end # Base
-
-      class Auths #:nodoc:
-        attr_reader :account, :allowed, :denied, :project_modules
+      end
 
-        def initialize(authorizations, mappers=nil, account=nil) #:nodoc:
-          @allowed, @denied, @account = [], [], account
-          unless authorizations.empty?
-            @allowed = authorizations.collect(&:allowed).flatten
-            @denied  = authorizations.collect(&:denied).flatten
-          end
-          if mappers && !mappers.empty?
-            maps = mappers.collect { |m|  m.call(account) }.reject { |m| !m.allowed? }
-            @allowed.concat(maps.collect(&:allowed).flatten)
-            @denied.concat(maps.collect(&:denied).flatten)
-            @project_modules = maps.collect(&:project_modules).flatten.uniq
-          else
-            @project_modules = []
-          end
-          @allowed.uniq!
-          @denied.uniq!
+      class Base
+        def initialize #:nodoc:
+          @roles, @authorizations, @project_modules = [], [], []
         end
-
         ##
-        # Return true if the requested path (like request.path_info) is allowed.
+        # We map project modules for a given role or roles
         # 
-        def can?(request_path)
-          return true if @allowed.empty?
-          request_path = "/" if request_path.blank?
-          @allowed.any? { |path| request_path =~ /^#{path}/ } && !cannot?(request_path)
+        def roles_for(*roles, &block)
+          raise Padrino::Admin::AccessControlError, "You must define an Account Model!" unless defined?(Account)
+          raise Padrino::Admin::AccessControlError, "Role #{role} must be present and must be a symbol!" if roles.any? { |r| !r.kind_of?(Symbol) } || roles.empty?
+          raise Padrino::Admin::AccessControlError, "You can't merge :any with other roles" if roles.size > 1 && roles.any? { |r| r == :any }
+
+          @roles += roles
+          @authorizations << Authorization.new(*roles, &block)
         end
 
         ##
-        # Return false if we don't have +denied+ path +or+ if we have a logged account and empty project modules.
-        # Return true if the requested path (like request.path_info) is +not+ allowed
+        # Return an array of roles
         # 
-        def cannot?(request_path)
-          return false if @denied.empty? || (@project_modules.empty? && @account)
-          request_path = "/" if request_path.blank?
-          @denied.any? { |path| request_path =~ /^#{path}/ }
-        end
-      end # Auths
-
-      class Authorization
-        attr_reader :allowed, :denied
-
-        def initialize(&block) #:nodoc:
-          @allowed = []
-          @denied  = []
-          yield self
+        def roles
+          @roles.uniq.reject { |r| r == :any }
         end
 
         ##
-        # Allow a specified path
+        # Return an array of project_modules
         # 
-        def allow(path)
-          @allowed << path unless @allowed.include?(path)
+        def project_modules(account)
+          role = account ? account.role.to_sym : :any
+          authorizations = @authorizations.find_all { |auth| auth.roles.include?(role) }
+          authorizations.collect(&:project_modules).flatten.uniq
         end
 
         ##
-        # Deny a specified path
+        # Return true if the given account is allowed to see the given path.
         # 
-        def require_login(path)
-          @denied << path unless @denied.include?(path)
+        def allowed?(account=nil, path=nil)
+          path = "/" if path.blank?
+          authorizations = @authorizations.find_all { |auth| auth.roles.include?(:any) }
+          allowed_paths  = authorizations.collect(&:allowed).flatten.uniq
+          denied_paths   = authorizations.collect(&:denied).flatten.uniq
+          if account
+            denied_paths.clear
+            authorizations = @authorizations.find_all { |auth| auth.roles.include?(account.role.to_sym) }
+            allowed_paths += authorizations.collect(&:allowed).flatten.uniq
+            authorizations = @authorizations.find_all { |auth| !auth.roles.include?(account.role.to_sym) && !auth.roles.include?(:any) }
+            denied_paths  += authorizations.collect(&:allowed).flatten.uniq
+            denied_paths  += authorizations.collect(&:denied).flatten.uniq
+          end
+          return true  if allowed_paths.any? { |p| path =~ /^#{p}/ }
+          return false if denied_paths.any?  { |p| path =~ /^#{p}/ }
+          true
         end
-        alias :deny :require_login
-      end # Authorization
+      end # Base
 
-      class Mapper
-        attr_reader :project_modules, :roles, :denied
+      class Authorization
+        attr_reader :allowed, :denied, :project_modules, :roles
 
-        def initialize(account, *roles, &block) #:nodoc:
-          @project_modules = []
+        def initialize(*roles, &block) #:nodoc:
+          @roles           = roles
           @allowed         = []
           @denied          = []
-          @roles           = roles
-          @account         = account.dup
-          yield(self, @account)
-        end
-
-        ##
-        # Create a new project module
-        # 
-        def project_module(name, path=nil, &block)
-          @project_modules << ProjectModule.new(name, path, &block)
+          @project_modules = []
+          yield self
         end
 
         ##
-        # Globally allow an paths for the current role
+        # Allow a specified path
         # 
         def allow(path)
           @allowed << path unless @allowed.include?(path)
         end
 
         ##
-        # Globally deny an pathsfor the current role
-        # 
-        def deny(path)
-          @denied << path unless @allowed.include?(path)
-        end
-
-        ##
-        # Return true if role is included in given roles
+        # Protect access from
         # 
-        def allowed?
-          @roles.any? { |r| r == @account.role.to_s.downcase.to_sym }
+        def protect(path)
+          @denied << path unless @denied.include?(path)
         end
 
         ##
-        # Return allowed paths
+        # Create a project module
         # 
-        def allowed
-          @project_modules.each { |pm| @allowed.concat(pm.allowed)  }
-          @allowed.uniq
+        def project_module(name, path)
+          allow(path)
+          @project_modules << ProjectModule.new(name, path)
         end
-      end # Mapper
+      end # Authorization
 
+      ##
+      # Project Module class
+      # 
       class ProjectModule
-        attr_reader :name, :menus, :path
-
-        def initialize(name, path=nil, options={}, &block) #:nodoc:
-          @name     = name
-          @options  = options
-          @allowed  = []
-          @menus    = []
-          @path     = path
-          @allowed << path if path
-          yield self if block_given?
-        end
+        attr_reader :name
 
-        ##
-        # Build a new menu and automaitcally add the action on the allowed actions.
-        # 
-        def menu(name, path=nil, options={}, &block)
-          @menus << Menu.new(name, path, options, &block)
+        def initialize(name, path) #:nodoc:
+          @name, @path = name, path
         end
 
         ##
-        # Return allowed controllers
-        # 
-        def allowed
-          @menus.each { |m| @allowed.concat(m.allowed) }
-          @allowed.uniq
-        end
-
-        ##
-        # Return the original name or try to translate or humanize the symbol
+        # Returns the name of the project module. If a symbol it translate/humanize them for you.
         # 
         def human_name
-          @name.is_a?(Symbol) ? I18n.t("admin.menus.#{@name}", :default => @name.to_s.humanize) : @name
+          @name.is_a?(Symbol) ? I18n.t("padrino.admin.menu.#{@name}", :default => @name.to_s.humanize) : @name
         end
 
         ##
-        # Return symbol for the given project module
+        # Return the path of the project module. If a prefix given will be prepended.
         # 
-        def uid
-          @name.to_s.downcase.gsub(/[^a-z0-9]+/, '').gsub(/-+$/, '').gsub(/^-+$/, '').to_sym
-        end
-
-        ##
-        # Return ExtJs Config for this project module
+        # ==== Examples
         # 
-        def config
-          options = @options.merge(:text => human_name)
-          options.merge!(:menu => @menus.collect(&:config)) if @menus.size > 0
-          options.merge!(:handler => Padrino::Admin::Config::Variable.new("function(){ Admin.app.load('#{path}') }")) if @path
-          options
-        end
-      end # ProjectModule
-
-      class Menu
-        attr_reader :name, :options, :items, :path
-
-        def initialize(name, path=nil, options={}, &block) #:nodoc:
-          @name    = name
-          @path    = path
-          @options = options
-          @allowed = []
-          @items   = []        
-          @allowed << path if path
-          yield self if block_given?
-        end
-
-        ##
-        # Add a new submenu to the menu
+        #   # => /accounts/new
+        #   project_module.path
+        #   # => /admin/accounts
+        #   project_module.path("/admin")
         # 
-        def add(name, path=nil, options={}, &block)
-          @items << Menu.new(name, path, options, &block)
+        def path(prefix=nil)
+          prefix ? File.join(prefix, @path) : @path
         end
-
-        ##
-        # Return allowed controllers
-        # 
-        def allowed
-          @items.each { |i| @allowed.concat(i.allowed) }
-          @allowed.uniq
-        end
-
-        ##
-        # Return the original name or try to translate or humanize the symbol
-        # 
-        def human_name
-          @name.is_a?(Symbol) ? I18n.t("admin.menus.#{@name}", :default => @name.to_s.humanize) : @name
-        end
-
-        ##
-        # Return ExtJs Config for this menu
-        # 
-        def config
-          if @path.blank? && @items.empty?
-            options = human_name
-          else
-            options = @options.merge(:text => human_name)
-            options.merge!(:menu => @items.collect(&:config)) if @items.size > 0
-            options.merge!(:handler => "function(){ Admin.app.load('#{path}') }".to_l) if @path
-          end
-          options
-        end
-      end # Menu
+      end # ProjectModule
     end # AccessControl
   end # Admin
 end # Padrino