pages_core 3.13.0 → 3.15.0

data/app/controllers/admin/invites_controller.rb

@@ -62,11 +62,12 @@ module Admin
       return if @invite && secure_compare(@invite.token, params[:token])
 
       flash[:notice] = t("pages_core.invite_expired")
-      redirect_to(login_admin_users_url) && return
+      redirect_to(admin_login_url)
     end
 
     def user_params
-      params.require(:user).permit(:name, :email, :password, :confirm_password)
+      params.require(:user)
+            .permit(:name, :email, :password, :password_confirmation)
     end
 
     def invite_params

data/app/controllers/admin/otp_secrets_controller.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Admin
+  class OtpSecretsController < Admin::AdminController
+    before_action :require_otp_disabled, only: %i[new create]
+    before_action :find_otp_secret
+
+    def new
+      @otp_secret.generate
+    end
+
+    def create
+      if @otp_secret.verify(otp_secret_params)
+        @recovery_codes = @otp_secret.generate_recovery_codes
+        @otp_secret.enable!(@recovery_codes)
+      else
+        flash[:error] = t("pages_core.otp.invalid_code")
+        redirect_to new_admin_otp_secret_path
+      end
+    end
+
+    def destroy
+      @otp_secret.disable!
+      flash[:notice] = t("pages_core.otp.disabled")
+      redirect_to edit_admin_user_path(current_user)
+    end
+
+    private
+
+    def find_otp_secret
+      @otp_secret = OtpSecret.new(current_user)
+    end
+
+    def otp_secret_params
+      params.permit(:signed_message, :otp)
+    end
+
+    def require_otp_disabled
+      return unless current_user.otp_enabled?
+
+      flash[:notice] = t("pages_core.otp.already_enabled")
+      redirect_to edit_admin_user_path(current_user)
+    end
+  end
+end

data/app/controllers/admin/pages_controller.rb

@@ -2,9 +2,8 @@
 
 module Admin
   class PagesController < Admin::AdminController
-    include PagesCore::Admin::PageJsonHelper
+    include PagesCore::PageParameters
 
-    before_action :find_categories
     before_action :find_page, only: %i[show edit update destroy move]
 
     require_authorization
@@ -39,26 +38,26 @@ module Admin
     def edit; end
 
     def create
-      @page = build_page(content_locale, page_params,
-                         param_categories).tap(&:save)
-      if @page.valid?
-        respond_with_page(@page) do
+      @page = build_page(content_locale, page_params).tap(&:save)
+
+      respond_with_page(@page) do
+        if @page.valid?
           redirect_to(edit_admin_page_url(content_locale, @page))
+        else
+          render action: :new
         end
-      else
-        render action: :new
       end
     end
 
     def update
-      if @page.update(page_params)
-        @page.categories = param_categories
-        respond_with_page(@page) do
+      @page.update(page_params)
+      respond_with_page(@page) do
+        if @page.valid?
           flash[:notice] = t("pages_core.changes_saved")
           redirect_to edit_admin_page_url(content_locale, @page)
+        else
+          render action: :edit
         end
-      else
-        render action: :edit
       end
     end
 
@@ -75,53 +74,34 @@ module Admin
 
     private
 
-    def build_page(locale, attributes = nil, categories = nil)
+    def build_page(locale, attributes = nil)
       Page.new.localize(locale).tap do |page|
         page.author = default_author || current_user
         page.attributes = attributes if attributes
-        page.categories = categories if categories
       end
     end
 
     def default_author
-      User.find_by_email(PagesCore.config.default_author)
-    end
-
-    def page_attributes
-      %i[template user_id status feed_enabled published_at redirect_to
-         image_link news_page unique_name pinned parent_page_id serialized_tags
-         meta_image_id starts_at ends_at all_day image_id path_segment
-         meta_title meta_description open_graph_title open_graph_description]
+      User.find_by(email: PagesCore.config.default_author)
     end
 
     def page_params
-      params.require(:page).permit(
-        PagesCore::Templates::TemplateConfiguration.all_blocks +
-        page_attributes,
-        page_images_attributes: %i[id position image_id primary _destroy],
-        page_files_attributes: %i[id position attachment_id _destroy]
-      )
-    end
-
-    def param_categories
-      return [] unless params[:category]
-
-      params.permit(category: {})[:category].to_hash
-            .map { |id, _| Category.find(id) }
+      params.require(:page).permit(page_content_attributes)
     end
 
     def find_page
       @page = Page.find(params[:id]).localize(content_locale)
     end
 
-    def find_categories
-      @categories = Category.order("name")
-    end
-
     def respond_with_page(page, &block)
       respond_to do |format|
-        format.html { block.call }
-        format.json { render json: page_json(page) }
+        format.html(&block)
+        format.json do
+          render json: ::Admin::PageResource.new(
+            page,
+            params: { user: current_user }
+          )
+        end
       end
     end
   end

data/app/controllers/admin/recovery_codes_controller.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Admin
+  class RecoveryCodesController < Admin::AdminController
+    before_action :require_otp_enabled
+    before_action :find_otp_secret
+
+    def new; end
+
+    def create
+      if @otp_secret.validate_otp!(params[:otp])
+        @recovery_codes = @otp_secret.regenerate_recovery_codes!
+      else
+        flash[:error] = t("pages_core.otp.invalid_code")
+        redirect_to new_admin_recovery_codes_path
+      end
+    end
+
+    private
+
+    def find_otp_secret
+      @otp_secret = OtpSecret.new(current_user)
+    end
+
+    def require_otp_enabled
+      return if current_user.otp_enabled?
+
+      flash[:notice] = t("pages_core.otp.required")
+      redirect_to edit_admin_user_path(current_user)
+    end
+  end
+end

data/app/controllers/admin/sessions_controller.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Admin
+  class SessionsController < Admin::AdminController
+    before_action :require_authentication, only: %i[destroy]
+    before_action :find_user, only: %i[create]
+    before_action :find_signed_user, only: %i[verify_otp]
+    before_action :require_user, only: %i[create verify_otp]
+
+    def new
+      redirect_to admin_default_url if logged_in?
+    end
+
+    def create
+      if @user.otp_enabled?
+        @signed_user_id = message_verifier.generate(
+          @user.id, expires_in: 1.hour
+        )
+        render template: "admin/sessions/verify_otp"
+      else
+        authenticate!(@user)
+        redirect_to admin_default_url
+      end
+    end
+
+    def destroy
+      flash[:notice] = t("pages_core.logged_out")
+      deauthenticate!
+      redirect_to admin_login_url
+    end
+
+    def verify_otp
+      @otp_secret = OtpSecret.new(@user)
+      if @otp_secret.validate_otp!(params[:otp])
+        authenticate!(@user)
+        redirect_to admin_default_url
+      else
+        flash[:notice] = t("pages_core.otp.invalid_code")
+        render template: "admin/sessions/verify_otp"
+      end
+    end
+
+    private
+
+    def find_signed_user
+      @signed_user_id = params[:signed_user_id]
+      @user = User.find(message_verifier.verify(@signed_user_id))
+    end
+
+    def find_user
+      @user = User.authenticate(params[:email], password: params[:password])
+    end
+
+    def message_verifier
+      Rails.application.message_verifier(:session)
+    end
+
+    def require_user
+      return if @user
+
+      flash[:notice] = t("pages_core.invalid_login")
+      redirect_to admin_login_url
+    end
+  end
+end

data/app/controllers/admin/users_controller.rb

@@ -2,7 +2,7 @@
 
 module Admin
   class UsersController < Admin::AdminController
-    before_action :require_authentication, except: %i[new create login]
+    before_action :require_authentication, except: %i[new create]
     before_action :require_no_users, only: %i[new create]
     before_action(
       :find_user,
@@ -19,12 +19,6 @@ module Admin
       @invites = []
     end
 
-    def login
-      return unless logged_in?
-
-      redirect_to admin_default_url
-    end
-
     def show; end
 
     def new
@@ -81,7 +75,7 @@ module Admin
                              { role_names: [] }]
       end
       if User.none? || (@user && policy(@user).change_password?)
-        permitted_params += %i[password confirm_password]
+        permitted_params += %i[password password_confirmation]
       end
       params.require(:user).permit(permitted_params)
     end

data/app/controllers/concerns/pages_core/authentication.rb

@@ -35,20 +35,22 @@ module PagesCore
       @current_user = user
     end
 
-    def start_authenticated_session
-      if session[:current_user_id]
-        user = User.where(id: session[:current_user_id]).first
-      end
-
-      return unless user&.can_login?
+    def finalize_authenticated_session
+      return unless logged_in?
 
-      authenticated(user)
+      session[:current_user] =
+        { id: current_user.id, token: current_user.session_token }
     end
 
-    def finalize_authenticated_session
-      return unless current_user
+    def start_authenticated_session
+      user_session = session.fetch(:current_user, nil)&.symbolize_keys
+
+      return unless user_session
 
-      session[:current_user_id] = current_user.id
+      user = User.find_by(id: user_session[:id])
+      return unless user && user.session_token == user_session[:token]
+
+      authenticated(user)
     end
   end
 end

data/app/controllers/concerns/pages_core/error_reporting.rb

@@ -11,7 +11,7 @@ module PagesCore
     protected
 
     def configure_sentry_scope
-      return if Rails.env.test? || !Object.const_defined?("Sentry")
+      return if Rails.env.test? || !Object.const_defined?(:Sentry)
 
       Sentry.set_context("params", params.to_unsafe_h)
       Sentry.set_tags(locale: params[:locale] || I18n.default_locale.to_s)

data/app/controllers/concerns/pages_core/page_parameters.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module PagesCore
+  module PageParameters
+    extend ActiveSupport::Concern
+
+    def page_attachment_attributes
+      { page_images_attributes: %i[id position image_id primary _destroy],
+        page_files_attributes: %i[id position attachment_id _destroy] }
+    end
+
+    def page_content_attributes
+      locales = PagesCore.config.locales&.keys || [I18n.default_locale]
+      [page_static_attributes,
+       PagesCore::Templates::TemplateConfiguration.all_blocks,
+       :path_segment,
+       (PagesCore::Templates::TemplateConfiguration
+                  .localized_blocks + %i[path_segment])
+         .index_with { locales },
+       page_attachment_attributes]
+    end
+
+    def page_static_attributes
+      %i[template user_id status feed_enabled published_at redirect_to
+         news_page unique_name pinned parent_page_id serialized_tags
+         meta_image_id starts_at ends_at all_day]
+    end
+  end
+end

data/app/controllers/concerns/pages_core/policies_helper.rb

@@ -35,7 +35,7 @@ module PagesCore
     end
 
     def verify_policy(record)
-      return true if policy(record).public_send("#{action_name}?")
+      return true if policy(record).public_send(:"#{action_name}?")
 
       raise PagesCore::NotAuthorized
     end

data/app/controllers/concerns/pages_core/preview_pages_controller.rb

@@ -3,11 +3,27 @@
 module PagesCore
   module PreviewPagesController
     extend ActiveSupport::Concern
+    include PagesCore::PageParameters
+
+    included do
+      before_action :disable_xss_protection, only: %i[preview]
+    end
 
     def preview?
       @preview || false
     end
 
+    def preview
+      render_error 403 unless logged_in?
+
+      @preview = true
+      @page = Page.find_by(id: params[:page_id]) || Page.new
+      @page.readonly!
+      @page.assign_attributes(preview_page_params)
+
+      render_page
+    end
+
     private
 
     def disable_xss_protection
@@ -17,31 +33,15 @@ module PagesCore
       response.headers["X-XSS-Protection"] = "0"
     end
 
-    def permitted_page_attributes
-      %i[template user_id status feed_enabled published_at
-         redirect_to image_link news_page
-         unique_name pinned parent_page_id]
-    end
-
-    def page_params
-      params.require(:page).permit(
-        Page.localized_attributes + permitted_page_attributes
-      )
-    end
-
-    def preview_page(page)
-      redirect_to(page_url(content_locale, page)) && return unless logged_in?
-
-      disable_xss_protection
-
-      @preview = true
-      page.attributes = page_params.merge(
+    def preview_page_params
+      ActionController::Parameters.new(
+        JSON.parse(params.require(:preview_page))
+      ).permit(:id, page_content_attributes).merge(
         status: 2,
         published_at: Time.zone.now,
         locale: content_locale,
         redirect_to: nil
       )
-      render_page
     end
   end
 end

data/app/controllers/pages_core/admin_controller.rb

@@ -4,8 +4,6 @@
 # authorization and other common code for the Admin set of controllers.
 module PagesCore
   class AdminController < ::ApplicationController
-    include PagesCore::Admin::PersistentParams
-
     protect_from_forgery with: :exception
 
     before_action :set_i18n_locale
@@ -48,7 +46,7 @@ module PagesCore
       if User.count < 1
         redirect_to(new_admin_user_url)
       else
-        redirect_to(login_admin_users_url)
+        redirect_to(admin_login_url)
       end
     end
 

data/app/controllers/pages_core/frontend/pages_controller.rb

@@ -12,8 +12,8 @@ module PagesCore
 
       before_action :load_root_pages
       before_action :find_page_by_path, only: [:show]
-      before_action :find_page, only: %i[show preview]
-      before_action :require_page, only: %i[show preview]
+      before_action :find_page, only: %i[show]
+      before_action :require_page, only: %i[show]
       before_action :canonicalize_url, only: [:show]
       static_cache :index, :show
 
@@ -27,10 +27,6 @@ module PagesCore
         end
       end
 
-      def preview
-        preview_page(@page)
-      end
-
       def show
         respond_to do |format|
           format.html { render_published_page(@page) }

data/app/formatters/pages_core/html_formatter.rb

@@ -38,8 +38,7 @@ module PagesCore
     def find_attachments(str)
       str.match(attachment_expression)[1]
          .split(",")
-         .map { |id| find_attachment(id) }
-         .compact
+         .filter_map { |id| find_attachment(id) }
     end
 
     def find_file(id)
@@ -51,8 +50,7 @@ module PagesCore
     def find_files(str)
       str.match(file_expression)[1]
          .split(",")
-         .map { |id| find_file(id) }
-         .compact
+         .filter_map { |id| find_file(id) }
     end
 
     def fix_markup(str)

data/app/helpers/admin/menu_helper.rb

@@ -5,12 +5,13 @@ module Admin
     include PagesCore::LocalesHelper
 
     def header_tabs(group)
+      return unless menu_items_for(group).any?
+
       tag.ul(class: group.to_s) do
         safe_join(menu_items_for(group).map do |item|
           tag.li do
             path = instance_eval(&item.path)
-            link_to(item.label,
-                    path,
+            link_to(item.label, path,
                     class: (current_menu_item?(item) ? "current" : ""))
           end
         end)
@@ -24,9 +25,9 @@ module Admin
         .select { |_, routing| routing[:controller] == params[:controller] }
     end
 
-    def find_menu_candidate(&block)
+    def find_menu_candidate(&)
       menu_item_candidates
-        .select { |item, routing| block.call(item, routing) }
+        .select(&)
         .try(&:first)
         .try(&:first)
     end

data/app/helpers/admin/pages_helper.rb

@@ -2,8 +2,6 @@
 
 module Admin
   module PagesHelper
-    include PagesCore::Admin::PageBlocksHelper
-
     def autopublish_notice(page)
       return unless page.autopublish?
 
@@ -13,22 +11,8 @@ module Admin
       end
     end
 
-    def available_templates_for_select
-      PagesCore::Templates.names.collect do |template|
-        if template == "index"
-          ["[Default]", "index"]
-        else
-          [template.humanize, template]
-        end
-      end
-    end
-
-    def file_embed_code(file)
-      "[file:#{file.id}]"
-    end
-
     def news_section_name(page, news_pages)
-      if news_pages.select { |p| p.name == page.name }.length > 1
+      if news_pages.count { |p| p.name == page.name } > 1
         page_name(page, include_parents: true)
       else
         page_name(page)
@@ -83,10 +67,6 @@ module Admin
 
     private
 
-    def nested_array?(array)
-      array.present? && array.first.is_a?(Array)
-    end
-
     def page_name_with_fallback(page)
       if page.name?
         page.name.to_s

data/app/helpers/pages_core/admin/admin_helper.rb

@@ -7,7 +7,6 @@ module PagesCore
       include PagesCore::Admin::DateRangeHelper
       include PagesCore::Admin::ImageUploadsHelper
       include PagesCore::Admin::LocalesHelper
-      include PagesCore::Admin::PageJsonHelper
       include PagesCore::Admin::LabelledFieldHelper
       include PagesCore::Admin::TagEditorHelper
 
@@ -18,12 +17,12 @@ module PagesCore
                                       value: content))
       end
 
-      def locale_links(&block)
+      def locale_links
         return unless PagesCore.config.localizations?
 
         safe_join(
           PagesCore.config.locales.map do |locale, name|
-            link_to(name, block.call(locale),
+            link_to(name, yield(locale),
                     class: ("current" if locale == params[:locale].to_sym))
           end
         )
@@ -33,6 +32,17 @@ module PagesCore
         %w[January February March April May June July August September October
            November December][month - 1]
       end
+
+      def qr_code(url)
+        ActiveSupport::SafeBuffer.new(
+          RQRCode::QRCode.new(url)
+                         .as_svg({ color: "000",
+                                   shape_rendering: "crispEdges",
+                                   module_size: 10,
+                                   use_path: true,
+                                   viewbox: true })
+        )
+      end
     end
   end
 end

data/app/helpers/pages_core/admin/content_tabs_helper.rb

@@ -31,8 +31,7 @@ module PagesCore
                 class: "content-tab",
                 id: "content-tab-#{key}",
                 role: "tabpanel",
-                data: { tab: key,
-                        "main-target" => "tab" })
+                data: { tab: key })
       end
     end
   end

data/app/helpers/pages_core/admin/labelled_field_helper.rb

@@ -53,7 +53,7 @@ module PagesCore
 
       def labelled_field_label(label, options = {})
         tag.label do
-          safe_join([label, labelled_field_errors(options[:errors])])
+          safe_join([label, labelled_field_errors(options[:errors])], " ")
         end
       end
 

data/app/helpers/pages_core/frontend_helper.rb

@@ -10,6 +10,6 @@ module PagesCore
       @root_page ||= root_pages.first
     end
 
-    attr_reader :search_query, :search_category_id
+    attr_reader :search_query
   end
 end