pages_core 3.13.0 → 3.15.0

data/app/views/admin/pages/_form.html.erb

@@ -1,31 +1,11 @@
-<%= content_tab "Content" do %>
-  <%= render partial: "edit_content", locals: { f: f } %>
-<% end %>
-
-<% if @page.unconfigured_blocks.any? %>
-  <%= content_tab "Unconfigured content" do %>
-    <p>
-      This page has additional content fields not enabled by the
-      selected template.
-    </p>
-    <% @page.unconfigured_blocks do |block_name, block_options| %>
-      <%= page_block_field(f, block_name, block_options) %>
-    <% end %>
-  <% end %>
-<% end %>
-
-<% if @page.template_config.value(:images) || @page.template_config.value(:image) %>
-  <%= content_tab "Images" do %>
-    <%= render partial: "edit_images", locals: { f: f } %>
-  <% end %>
-<% end %>
-
-<% if @page.template_config.value(:files) %>
-  <%= content_tab "Files" do %>
-    <%= render partial: "edit_files", locals: { f: f } %>
-  <% end %>
-<% end %>
-
-<%= content_tab "Metadata" do %>
-  <%= render partial: "edit_metadata", locals: { f: f } %>
+<% content_for :main_wrapper do %>
+  <%= react_component(
+    "PageForm",
+    { locale: content_locale,
+      locales: locales_with_dir,
+      page: Admin::PageResource.new(page, params: { user: current_user }),
+      templates: PagesCore::Templates.all.map { |t| Admin::TemplateConfigurationResource.new(t) },
+      authors: page_authors(page).map{ |a| [a.name, a.id] },
+      statuses: Page.status_labels }
+  ) %>
 <% end %>

data/app/views/admin/pages/_search_bar.html.erb

@@ -1,7 +1,7 @@
 <% query ||= "" %>
 <%= form_tag(search_admin_pages_path(content_locale),
              method: "get",
-             class: "search-bar") do %>
+             class: "search-bar inline-form") do %>
   <%= text_field_tag(:q, query,
                      placeholder: "Search all pages",
                      aria: { label: "Search all pages" }) %>

data/app/views/admin/pages/edit.html.erb

@@ -5,60 +5,4 @@
     Edit page
   <% end %>
 <% end %>
-<% content_for :page_description do %>
-  Editing
-  <% @page.ancestors.reverse.each do |page| %>
-    <%= link_to(page.name? ? page.name : tag.i("Untitled"),
-                edit_admin_page_path(content_locale, page)) %>
-    &raquo;
-  <% end %>
-  <%= link_to(@page.name? ? @page.name : tag.i("Untitled"),
-              edit_admin_page_path(content_locale, @page)) %>
-<% end %>
-
-<% content_for :page_description_links do %>
-  <%= locale_links { |l| edit_admin_page_path(l, @page.localize(l)) } %>
-<% end %>
-
-<% content_for :main_wrapper do %>
-  <%= form_for(@page,
-               url: admin_page_url(content_locale, @page),
-               builder: PagesCore::Admin::FormBuilder,
-               html: {
-                 class: "edit-page main-wrapper",
-                 method: :put,
-                 data: {
-                   controller: "edit-page",
-                   "edit-page-target": "form",
-                   "preview-url": preview_page_url(@page.locale, @page)
-                 }
-               }) do |f| %>
-
-    <% content_for :main do %>
-      <div class="content">
-        <%= render(partial: "form", locals: { f: f }) %>
-
-        <div class="buttons">
-          <button type="button"
-                  id="previewButton"
-                  data-action="click->edit-page#preview"
-                  data-url="<%= preview_page_url(@page.locale, @page) %>">
-            Preview
-          </button>
-          <button type="submit">
-            Save
-          </button>
-        </div>
-      </div>
-    <% end %>
-
-    <main data-controller="main">
-      <%= render(partial: "layouts/admin/page_header") %>
-      <%= yield :main %>
-    </main>
-
-    <aside class="sidebar" id="page-form-sidebar">
-      <%= render partial: 'edit_options', locals: { f: f } %>
-    </aside>
-  <% end %>
-<% end %>
+<%= render(partial: "form", locals: { page: @page }) %>

data/app/views/admin/pages/index.html.erb

@@ -16,7 +16,7 @@
   <% cache Page.visible.roots.to_a + [current_user, content_locale] do %>
     <%= react_component(
       "PageTree", {
-        pages: @pages.map { |p| page_json(p) },
+        pages: @pages.map { |p| ::Admin::PageTreeResource.new(p, params: { user: current_user }) },
         locale: content_locale,
         dir: locale_direction(content_locale),
         permissions: [(:create if policy(Page).create?)] }

data/app/views/admin/pages/new.html.erb

@@ -1,45 +1,2 @@
 <% content_for :page_title, "New page" %>
-<% content_for :page_description do %>
-  <% if @page.parent %>
-    <em><%= @page.parent.name %></em> &raquo; New Page
-  <% else %>
-    You are creating a new root page
-  <% end %>
-<% end %>
-
-<% content_for :main_wrapper do %>
-  <%= form_for(@page,
-               url: admin_pages_url(content_locale),
-               builder: PagesCore::Admin::FormBuilder,
-               html: {
-                 class: "edit-page main-wrapper",
-                 data: {
-                   controller: "edit-page",
-                   "edit-page-target": "form"
-                 }
-               }) do |f| %>
-
-    <% content_for :main do %>
-      <div class="content">
-        <%= f.hidden_field "parent_page_id" if @page.parent %>
-
-        <%= render(partial: "form", locals: { f: f }) %>
-
-        <div class="buttons">
-          <button type="submit">
-            Save
-          </button>
-        </div>
-      </div>
-    <% end %>
-
-    <main data-controller="main">
-      <%= render(partial: "layouts/admin/page_header") %>
-      <%= yield :main %>
-    </main>
-
-    <aside class="sidebar" id="page-form-sidebar">
-      <%= render partial: "edit_options", locals: { f: f } %>
-    </aside>
-  <% end %>
-<% end %>
+<%= render(partial: "form", locals: { page: @page }) %>

data/app/views/admin/recovery_codes/_codes.html.erb

@@ -0,0 +1,14 @@
+<h2>
+  Recovery codes
+</h2>
+<p>
+  Please save the recovery codes below in a safe place, ideally
+  using a secure password manager.<br>
+  Without them, you will lose access to your account if you lose your device.
+</p>
+
+<ul class="recovery-codes">
+  <% recovery_codes.each do |c| %>
+    <li><%= c %></li>
+  <% end %>
+</ul>

data/app/views/admin/recovery_codes/create.html.erb

@@ -0,0 +1,7 @@
+<% content_for :page_title, "New recovery codes" %>
+<% content_for :page_description, "Recovery codes updated" %>
+
+<div class="content">
+  <%= render(partial: "admin/recovery_codes/codes",
+             locals: { recovery_codes: @recovery_codes }) %>
+</div>

data/app/views/admin/recovery_codes/new.html.erb

@@ -0,0 +1,11 @@
+<% content_for :page_title, "New recovery codes" %>
+<% content_for :page_description, "Generate new recovery codes" %>
+
+<%= form_tag(admin_recovery_codes_path, method: :post) do |f| %>
+  <%= render(partial: "admin/sessions/otp_form") %>
+  <p>
+    <button type="submit">
+      Verify
+    </button>
+  </p>
+<% end %>

data/app/views/admin/sessions/_otp_form.html.erb

@@ -0,0 +1,13 @@
+<h2>
+  Two-factor authentication
+</h2>
+<p>
+  Enter a one-time code from your authenticator app to proceed.
+</p>
+<div class="field">
+  <label for="otp">6 digit code</label>
+  <%= text_field_tag(:otp, "",
+                     autofocus: true,
+                     autocomplete: "one-time-code",
+                     size: 6) %>
+</div>

data/app/views/admin/sessions/new.html.erb

@@ -0,0 +1,31 @@
+<% content_for :page_title, "Sign in" %>
+<% content_for(:page_description,
+               "Please enter your email address and password to sign in") %>
+<% content_for :body_class, "login" %>
+
+<% content_for :sidebar do %>
+  <h2>Please note</h2>
+  <p>
+    Please contact support if you experience problems logging in or using Pages.
+  </p>
+<% end %>
+
+<div class="login-form">
+  <%= form_tag admin_session_path do %>
+    <div class="field">
+      <label>Email address</label>
+      <%= text_field_tag(:email, "", autocomplete: "email") %>
+    </div>
+    <div class="field">
+      <label>Password</label>
+      <%= password_field_tag(:password, "", autocomplete: "current-password") %>
+    </div>
+    <div class="buttons">
+      <button type="submit">Sign in</button>
+    </div>
+    <p>
+      <%= link_to("<b>Help!</b> I forgot my password!".html_safe,
+                  new_admin_account_recovery_path) %>
+    </p>
+  <% end %>
+</div>

data/app/views/admin/sessions/verify_otp.html.erb

@@ -0,0 +1,19 @@
+<% content_for :page_title, "Two-factor authentication" %>
+<% content_for :page_description, "Two-factor authentication" %>
+
+<%= form_tag(verify_otp_admin_session_path, method: :post) do |f| %>
+  <%= hidden_field_tag :signed_user_id, @signed_user_id %>
+  <%= render(partial: "admin/sessions/otp_form") %>
+
+  <p>
+    <button type="submit">
+      Verify
+    </button>
+  </p>
+
+  <p>
+    Lost your authenticator device?
+    <%= link_to("Recover your account here",
+                new_admin_account_recovery_path) %>.
+  </p>
+<% end %>

data/app/views/admin/users/_access_control.html.erb

@@ -4,7 +4,11 @@
   </h2>
   <p>
     <% if f.object.kind_of?(User) && f.object != current_user %>
-      <%= f.check_box :activated %> The user account is activated<br />
+      <%= f.check_box :activated %>
+      <label for="user_activated">
+        The user account is activated
+      </label>
+      <br />
     <% end %>
     <% Role.roles.each do |role| %>
       <%= check_box_tag("#{model_name_from_record_or_class(f.object).param_key}[role_names][]",

data/app/views/admin/users/_list.html.erb

@@ -3,8 +3,9 @@
     <th>Name</th>
     <th>Email</th>
     <th>Can access</th>
+    <th>2FA</th>
     <th>Last seen</th>
-    <th></th>
+    <th colspan="2"></th>
   </tr>
 <% @invites.each do |invite| %>
   <tr class="invite">
@@ -15,13 +16,14 @@
     <td>
       <%= invite.roles.map(&:to_s).sort.to_sentence %>
     </td>
+    <td></td>
     <td>
       <% if invite.sent_at? %>
         Invited
         <%= time_ago_in_words(invite.sent_at) %> ago
       <% end %>
     </td>
-    <td>
+    <td colspan="2">
       <% if current_user.role?(:users) %>
         <%= link_to("View invite",
                     admin_invite_with_token_url(invite, invite.token)) %> /
@@ -36,16 +38,14 @@
 <% end %>
 <% @users.each do |user| -%>
   <tr class="user-<%= user.id %>">
-    <td>
-      <strong><%= link_to user.name, admin_user_url( user ) %></strong>
-      <% if policy(user).edit? %>
-        (<%= link_to "edit", edit_admin_user_url( user ), class: :edit %>)
-      <% end %>
+    <td class="name">
+      <%= link_to user.name, admin_user_url( user ) %>
     </td>
     <td>
       <%= user.email %>
     </td>
     <td><%= user.roles.map(&:to_s).sort.to_sentence %></td>
+    <td><%= user.otp_enabled? ? "Enabled" : "" %></td>
     <td>
       <% if user.online? -%>
         <strong>Online now</strong>
@@ -62,6 +62,11 @@
         notes.join( ", " )
       %>
     </td>
+    <td>
+      <% if policy(user).edit? %>
+        <%= link_to("Edit", edit_admin_user_url(user), class: :edit) %>
+      <% end %>
+    </td>
   </tr>
 <% end -%>
 </table>

data/app/views/admin/users/edit.html.erb

@@ -31,12 +31,42 @@
   <% if policy(@user).change_password? %>
     <h2>Password</h2>
     <%= f.labelled_password_field :password, 'Change password' %>
-    <%= f.labelled_password_field :confirm_password, 'Confirm password' %>
+    <%= f.labelled_password_field :password_confirmation, 'Confirm password' %>
     <p>
       Leave the password blank if you do not wish to change the password.
     </p>
   <% end %>
 
+  <% if policy(@user).otp? %>
+    <h2>Two-factor authentication</h2>
+    <% if @user.otp_enabled? %>
+      <p>
+        Two-factor authentication has been enabled.
+        <%= link_to("Disable",
+                    admin_otp_secret_path,
+                    class: :delete,
+                    method: :delete,
+                    data: { confirm: "Are you sure you want to disable 2FA?" }) %>
+      </p>
+      <p>
+
+        You have
+        <%= t("pages_core.recovery_codes",
+              count: @user.hashed_recovery_codes.length) %>
+        remaining.
+        <%= link_to("Generate new codes", new_admin_recovery_codes_path) %>
+      </p>
+    <% else %>
+      <p>
+        Protect your account with an additional layer of security by
+        requiring an authentication app to sign in.
+      </p>
+      <p>
+        <%= link_to("Enable 2FA", new_admin_otp_secret_path) %>
+      </p>
+    <% end %>
+  <% end %>
+
   <%= render partial: "access_control", locals: { user: @user, f: f } %>
 
   <p>

data/app/views/admin/users/new.html.erb

@@ -11,7 +11,7 @@
   <%= f.labelled_text_field(:email, autocomplete: "email") %>
   <%= f.labelled_password_field(:password,
                                 autocomplete: "new-password") %>
-  <%= f.labelled_password_field(:confirm_password,
+  <%= f.labelled_password_field(:password_confirmation,
                                 autocomplete: "new-password") %>
 
   <p>

data/app/views/admin_mailer/account_recovery.text.erb

@@ -0,0 +1,10 @@
+Hi, <%= @user.name %>!
+
+We've received a request to recover your account on <%= PagesCore.config(:site_name) %>.
+
+Please click the following link to continue:
+<%= @url %>
+
+The link will expire in 24 hours.
+
+If you do not want to recover your password, please ignore this email.

data/app/views/layouts/admin/_header.html.erb

@@ -1,16 +1,14 @@
 <header>
-  <div class="logo">
-    <%= link_to image_tag("pages/admin/icon.svg"), '/admin' %>
-  </div>
   <div class="site-name">
     <h1>
-      <%= link_to "Pages", "/admin" %> <%= PagesCore.config :site_name %>
+      <%= link_to("Pages", "/admin", class: "logo") %>
+      <%= PagesCore.config :site_name %>
     </h1>
   </div>
   <% if logged_in? %>
     <div class="user">
       Hello, <%= link_to(current_user.name, admin_user_url(current_user)) %>
-      <%= link_to("Log out", session_path, method: "delete") %>
+      <%= link_to("Log out", admin_session_path, method: "delete") %>
     </div>
   <% end %>
   <nav class="tabs">

data/app/views/layouts/admin/_page_header.html.erb

@@ -13,8 +13,7 @@
           role="tablist">
         <% content_tabs.map do |t| %>
           <li id="content-tab-link-<%= t[:key] %>"
-              data-tab="<%= t[:key] %>"
-              data-main-target="link">
+              data-tab="<%= t[:key] %>">
             <% if t[:options][:disabled] == true %>
               <%= t[:name] %>
             <% else %>

data/app/views/layouts/admin/_toast.html.erb

@@ -0,0 +1,12 @@
+<%= react_component "Toast", { notice: flash[:notice], error: flash[:error] } %>
+<% if Rails.env.test? && flash.any? %>
+  <div class="flash-test-helper">
+    <% %i[notice error].each do |type| %>
+      <% if flash[type] || true %>
+        <div class="<%= type %>">
+          <%= flash[type] %>
+        </div>
+      <% end %>
+    <% end %>
+  </div>
+<% end %>

data/app/views/layouts/admin.html.erb

@@ -44,7 +44,7 @@
         <%= yield :main_wrapper %>
       <% else %>
         <div class="main-wrapper">
-          <main data-controller="main">
+          <main>
             <%= render(partial: "layouts/admin/page_header") %>
             <%= yield %>
           </main>
@@ -58,6 +58,6 @@
       <% end %>
     </div>
     <%= react_component "Modal", {} %>
-    <%= react_component "Toast", { notice: flash[:notice], error: flash[:error] } %>
+    <%= render(partial: "layouts/admin/toast") %>
   </body>
 </html>

data/config/locales/en.yml

@@ -19,22 +19,26 @@ en:
         image: Profile picture
   pages_core:
     account_holder_exists: Account holder already exists
-    categories_controller:
-      created: New category created
-      deleted: Category was deleted
-      updated: Category was updated
     changes_saved: Your changes were saved
     invalid_login: >
       The provided email address and password combination was not valid
     invite_expired: This invite is no longer valid.
     logged_out: You have been logged out
-    password_reset:
+    otp:
+      already_enabled: 2FA has already been enabled
+      disabled: 2FA has been disabled
+      invalid_code: Invalid 2FA code
+      required: 2FA is required for this
+    account_recovery:
       changed: Your password has been changed
-      expired: Your password reset link has expired
-      invalid_request: Invalid password reset request
+      invalid_request: This link is no longer valid
       not_found: Couldn't find a user with that email address
       sent: An email with further instructions has been sent
       problems_saving: There were problems saving your changes
+    recovery_codes:
+      zero: "no recovery codes"
+      one: "one recovery code"
+      other: "%{count} recovery codes"
   templates:
     default:
       blocks:

data/config/routes.rb

@@ -17,9 +17,7 @@ Rails.application.routes.draw do
     collection do
       get "search"
       post "search"
-    end
-    member do
-      put "preview"
+      post "preview"
     end
     resources :files, controller: "page_files"
   end
@@ -33,13 +31,12 @@ Rails.application.routes.draw do
   get "pages/:locale/*glob" => redirect("/%{locale}/pages/%{glob}"),
       locale: /\w\w\w/
 
-  # Authentication
-  resource :session, only: %i[create destroy]
-
   # Sitemap
   resource :sitemap, only: [:show]
 
   namespace :admin do
+    get "users/login" => redirect("/admin/login")
+
     # Invites
     resources :invites do
       member do
@@ -51,9 +48,9 @@ Rails.application.routes.draw do
     end
 
     # Password resets
-    resources :password_resets, only: %i[create show update]
-    controller :password_resets do
-      get "/password_resets/:id/:token" => :show, as: :password_reset_with_token
+    resource :account_recovery
+    controller :account_recoveries do
+      get "/account_recovery/:token" => :show, as: :account_recovery_with_token
     end
 
     # Attachments
@@ -66,15 +63,19 @@ Rails.application.routes.draw do
     resources :users do
       collection do
         get "deactivated"
-        get "login"
       end
       member do
         delete "delete_image"
       end
     end
 
-    # Categories
-    resources :categories
+    # Authentication
+    resource :session, only: %i[create destroy] do
+      member { post :verify_otp }
+    end
+    resource :otp_secret, only: %i[new create destroy]
+    resource :recovery_codes, only: %i[new create]
+    get "login" => "sessions#new", as: "login"
 
     # Pages
     scope ":locale" do

data/db/migrate/20240126160700_add_2fa_fields.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class Add2faFields < ActiveRecord::Migration[7.0]
+  class User < ApplicationRecord; end
+
+  def change
+    change_table :users do |t|
+      t.boolean :otp_enabled, null: false, default: false
+      t.string :otp_secret
+      t.datetime :last_otp_at
+      t.jsonb :hashed_recovery_codes, null: false, default: []
+      t.string :session_token
+    end
+
+    rename_column :users, :hashed_password, :password_digest
+
+    reversible do |dir|
+      dir.up do
+        User.find_each do |u|
+          u.update_columns(session_token: SecureRandom.hex(32))
+        end
+        change_column_null :users, :session_token, false
+      end
+    end
+  end
+end

data/db/migrate/20240129201300_remove_password_reset_tokens.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class RemovePasswordResetTokens < ActiveRecord::Migration[7.0]
+  def change
+    drop_table :password_reset_tokens do |t|
+      t.integer :user_id
+      t.string :token
+      t.datetime :expires_at
+      t.datetime :created_at
+      t.datetime :updated_at
+    end
+  end
+end

data/db/migrate/20240131140700_change_email_to_citext.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class ChangeEmailToCitext < ActiveRecord::Migration[7.0]
+  def up
+    enable_extension "citext"
+    %i[users invites].each do |t|
+      change_column t, :email, :citext
+      add_index t, :email, unique: true, name: "index_#{t}_on_email"
+    end
+  end
+
+  def down
+    %i[users invites].each do |t|
+      change_column t, :email, :string
+      remove_index t, name: "index_#{t}_on_email"
+    end
+  end
+end

data/db/migrate/20240201160700_remove_persistent_data.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class RemovePersistentData < ActiveRecord::Migration[7.0]
+  def change
+    remove_column :users, :persistent_data, :text
+  end
+end

data/db/migrate/20240508145300_remove_categories.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class RemoveCategories < ActiveRecord::Migration[7.0]
+  def change
+    drop_table :page_categories do |t|
+      t.integer :page_id
+      t.integer :category_id
+      t.index :category_id
+      t.index :page_id
+    end
+
+    drop_table :categories do |t|
+      t.string :name
+      t.string :slug
+      t.integer :position
+      t.datetime :created_at, null: false
+      t.datetime :updated_at, null: false
+      t.index :slug
+    end
+  end
+end