RubyGems - pages_core - Versions diffs - 3.5.1 → 3.6.0 - Mend

pages_core 3.5.1 → 3.6.0

Files changed (312) hide show

data/app/controllers/admin/users_controller.rb CHANGED Viewed

@@ -1,19 +1,10 @@
-# encoding: utf-8
 module Admin
   class UsersController < Admin::AdminController
-    before_action :require_authentication, except: [:new, :create, :login]
-    before_action :require_no_users, only: [:new, :create]
+    before_action :require_authentication, except: %i[new create login]
+    before_action :require_no_users, only: %i[new create]
     before_action(
       :find_user,
-      only: [:edit, :update, :show, :destroy, :delete_image]
-    )
-    require_authorization(
-      User,
-      proc { @user },
-      member:     [:delete_image, :update, :destroy, :edit],
-      collection: [:index, :deactivated, :new, :create]
+      only: %i[edit update show destroy delete_image]
     )
     def index
@@ -36,7 +27,7 @@ module Admin
     end
     def create
-      @user = User.create(user_params)
+      @user = PagesCore::CreateUserService.call(user_params)
       if @user.valid?
         authenticate!(@user)
         redirect_to admin_default_url
@@ -45,14 +36,12 @@ module Admin
       end
     end
-    def show
-    end
+    def show; end
-    def edit
-    end
+    def edit; end
     def update
-      if @user.update(user_params)
+      if @user.update(user_params_with_roles)
         flash[:notice] = "Your changed to #{@user.name} were saved."
         redirect_to admin_users_url
       else
@@ -83,16 +72,21 @@ module Admin
     end
     def user_params
-      permitted_params = [
-        :name, :email, :image
+      permitted_params = %i[
+        name email image image_id
       ]
       permitted_params += [:activated, role_names: []] if policy(User).manage?
-      if !User.any? || (@user && policy(@user).change_password?)
-        permitted_params += [:password, :confirm_password]
+      if User.none? || (@user && policy(@user).change_password?)
+        permitted_params += %i[password confirm_password]
       end
       params.require(:user).permit(permitted_params)
     end
+    def user_params_with_roles
+      return user_params unless policy(User).manage?
+      { role_names: [] }.merge(user_params)
+    end
     def require_no_users
       return unless User.any?
       flash[:error] = "Account holder already exists"

data/app/controllers/concerns/pages_core/admin/news_page_controller.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module Admin
     module NewsPageController
@@ -7,16 +5,27 @@ module PagesCore
       included do
         before_action :require_news_pages, only: [:news]
-        before_action :find_news_pages, only: [:news, :new_news]
+        before_action :find_news_pages, only: %i[news new_news]
       end
       def news
         @archive_finder = archive_finder(@news_pages, @locale)
-        @year, @month = year_and_month(@archive_finder)
-        @year ||= Time.zone.now.year
-        @month ||= Time.zone.now.month
-        @pages = @archive_finder.by_year_and_month(@year, @month)
+        unless params[:year]
+          redirect_to(news_admin_pages_path(@locale,
+                                            (@archive_finder.latest_year ||
+                                             Time.zone.now.year)))
+          return
+        end
+        @year = params[:year]&.to_i
+        @month = params[:month]&.to_i
+        @pages = (if @month
+                    @archive_finder.by_year_and_month(@year, @month)
+                  else
+                    @archive_finder.by_year(@year)
+                  end).paginate(per_page: 50, page: params[:page])
       end
       def new_news
@@ -35,7 +44,9 @@ module PagesCore
       end
       def find_news_pages
-        @news_pages = Page.news_pages.in_locale(@locale)
+        @news_pages = Page.news_pages
+                          .in_locale(@locale)
+                          .reorder("parent_page_id ASC, position ASC")
         return if @news_pages.any?
         redirect_to(admin_pages_url(@locale))
       end
@@ -46,12 +57,8 @@ module PagesCore
         redirect_to(admin_pages_url(@locale))
       end
-      def year_and_month(archive_finder)
-        if params[:year] && params[:month]
-          [params[:year], params[:month]].map(&:to_i)
-        else
-          archive_finder.latest_year_and_month
-        end
+      def latest_year
+        archive_finder.latest_year_and_month.first || Time.zone.now.year
       end
     end
   end

data/app/controllers/concerns/pages_core/authentication.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module Authentication
     extend ActiveSupport::Concern

data/app/controllers/concerns/pages_core/domain_based_cache.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module DomainBasedCache
     extend ActiveSupport::Concern

data/app/controllers/concerns/pages_core/error_renderer.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module PagesCore
+  module ErrorRenderer
+    extend ActiveSupport::Concern
+    # Renders a fancy error page from app/views/errors. If the error name
+    # is numeric, it will also be set as the response status. Example:
+    #
+    #   render_error 404
+    #
+    def render_error(error, options = {})
+      options[:status] ||= error if error.is_a? Numeric
+      respond_to do |format|
+        format.html do
+          options[:layout] = error_layout(error, options)
+          @email = current_user.try(&:email) || ""
+          render({ template: "errors/#{error}" }.merge(options))
+        end
+        format.any { head options[:status] }
+      end
+      true
+    end
+    protected
+    def error_layout(error, options = {})
+      return options[:layout] if options.key?(:layout)
+      if error == 404 && PagesCore.config.error_404_layout?
+        PagesCore.config.error_404_layout
+      else
+        "errors"
+      end
+    end
+  end
+end

data/app/controllers/concerns/pages_core/policies_helper.rb CHANGED Viewed

@@ -7,23 +7,19 @@ module PagesCore
     end
     module ClassMethods
-      def require_authorization(collection, member, options = {})
-        options = default_options.merge(options)
+      def require_authorization(object: nil, instance: nil)
+        object ||= inferred_policy_class
         before_action do |controller|
-          action = params[:action].to_sym
-          if options[:collection].include?(action)
-            verify_policy_with_proc(controller, collection)
-          elsif options[:member].include?(action)
-            verify_policy_with_proc(controller, member)
-          end
+          instance_name = "@#{object.name.underscore}"
+          record = instance || controller.instance_variable_get(instance_name)
+          verify_policy_with_proc(controller, record || object)
         end
       end
-      def default_options
-        {
-          collection: [:index, :new, :create],
-          member:     [:show, :edit, :update, :destroy]
-        }
+      def inferred_policy_class
+        const_get(name.demodulize.gsub(/Controller$/, "").singularize)
       end
     end

data/app/controllers/concerns/pages_core/preview_pages_controller.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module PreviewPagesController
     extend ActiveSupport::Concern
@@ -29,9 +27,9 @@ module PagesCore
     end
     def permitted_page_attributes
-      [:template, :user_id, :status, :feed_enabled, :published_at,
-       :redirect_to, :comments_allowed, :image_link, :news_page,
-       :unique_name, :pinned, :parent_page_id]
+      %i[template user_id status feed_enabled published_at
+         redirect_to image_link news_page
+         unique_name pinned parent_page_id]
     end
     def page_params

data/app/controllers/concerns/pages_core/process_titler.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module ProcessTitler
     extend ActiveSupport::Concern
@@ -10,7 +8,7 @@ module PagesCore
     end
     class << self
-      attr_accessor :number_of_requests
+      attr_writer :number_of_requests
       def original_title
         @original_title ||= $PROGRAM_NAME

data/app/controllers/concerns/pages_core/rss_controller.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module RssController
     extend ActiveSupport::Concern

data/app/controllers/errors_controller.rb CHANGED Viewed

@@ -1,24 +1,21 @@
-# encoding: utf-8
 class ErrorsController < ::ApplicationController
   layout "errors"
-  skip_before_action :verify_authenticity_token
   def report
-    return unless session[:error_report]
-    deliver_error_report(
-      find_error_report,
-      params[:email],
-      params[:description]
-    )
-    @error_id = session[:error_report]
+    report = decrypt_report(params[:error_report])
+    report[:user] = User.find_by(id: report[:user_id]) if report.key?(:user_id)
+    deliver_error_report(report, params[:email], params[:description])
   end
   def show
     render_error params[:id].to_i
   end
+  def forbidden
+    render_error 403
+  end
   def not_found
     render_error 404
   end
@@ -27,8 +24,21 @@ class ErrorsController < ::ApplicationController
     render_error 422
   end
+  def unauthorized
+    render_error 401
+  end
   def internal_error
-    render_error 500
+    exception = request.env["action_dispatch.exception"]
+    if !exception
+      render_error 500
+    elsif exception.is_a?(PagesCore::NotAuthorized)
+      render_error 403
+    else
+      @report = encrypt_report(error_report(request, exception))
+      wrapper = ActionDispatch::ExceptionWrapper.new(nil, exception)
+      render_error wrapper.status_code
+    end
   end
   private
@@ -37,21 +47,37 @@ class ErrorsController < ::ApplicationController
     AdminMailer.error_report(report, from, description).deliver_now
   end
-  def find_error_report
-    report = YAML.load_file(error_report_path)
-    if report[:user_id]
-      report[:user] = begin
-                        User.find(report[:user_id])
-                      rescue
-                        nil
-                      end
-    end
-    report
+  def decrypt_report(str)
+    YAML.safe_load(report_encryptor.decrypt_and_verify(str))
+  end
+  def encrypt_report(report)
+    report_encryptor.encrypt_and_sign(report.to_yaml)
+  end
+  def error_report(request, exception)
+    { message:   exception.to_s,
+      url:       request.original_url,
+      env:       request.env.select { |_, v| v.is_a?(String) },
+      params:    params.to_unsafe_h,
+      session:   session.to_hash,
+      backtrace: exception_backtrace(exception),
+      timestamp: Time.now.utc,
+      user_id:   current_user.try(&:id) }
+  end
+  def exception_backtrace(exception)
+    Rails.backtrace_cleaner.send(:filter, exception.backtrace)
   end
-  def error_report_path
-    Rails.root
-         .join("log", "error_reports")
-         .join("#{session[:error_report]}.yml")
+  def report_encryptor
+    ActiveSupport::MessageEncryptor.new(
+      ActiveSupport::CachingKeyGenerator.new(
+        ActiveSupport::KeyGenerator.new(
+          Rails.application.secrets.secret_key_base,
+          iterations: 1000
+        )
+      ).generate_key("encrypted error report")
+    )
   end
 end

data/app/controllers/pages_core/admin_controller.rb CHANGED Viewed

@@ -1,9 +1,9 @@
-# encoding: utf-8
 # All admin controllers inherit Admin::AdminController, which provides layout,
 # authorization and other common code for the Admin set of controllers.
 module PagesCore
   class AdminController < ::ApplicationController
+    protect_from_forgery with: :exception
     before_action :set_i18n_locale
     before_action :require_authentication
     before_action :restore_persistent_params
@@ -59,15 +59,15 @@ module PagesCore
       current_user.save
     end
-    def secure_compare(a, b)
-      return false unless a && b
-      return false unless a.bytesize == b.bytesize
+    def secure_compare(compare, other)
+      return false unless compare && other
+      return false unless compare.bytesize == other.bytesize
-      l = a.unpack "C#{a.bytesize}"
+      l = compare.unpack "C#{compare.bytesize}"
       res = 0
-      b.each_byte { |byte| res |= byte ^ l.shift }
-      res == 0
+      other.each_byte { |byte| res |= byte ^ l.shift }
+      res.zero?
     end
     # --- HELPERS ---
@@ -84,25 +84,34 @@ module PagesCore
       session[:persistent_params][namespace]
     end
-    def coerce_persistent_param(v)
-      case v
+    def coerce_persistent_param(value)
+      case value
       when "true"
         true
       when "false"
         false
       else
-        v
+        value
       end
     end
     # Get a persistent param
     def persistent_param(key, default = nil, options = {})
+      key = key.to_s
       namespace = options[:namespace] || self.class.to_s
-      value = coerce_persistent_param(params.key?(key) ? params[key] : default)
+      value = coerce_persistent_param(
+        if params.key?(key)
+          params[key]
+        elsif persistent_params(namespace).key?(key)
+          persistent_params(namespace)[key]
+        else
+          default
+        end
+      )
       if !value.nil? || options[:preserve_nil]
-        persistent_params(namespace)[key] = value
+        persistent_params(namespace)[key.to_s] = value
       end
       value

data/app/controllers/pages_core/attachments_controller.rb ADDED Viewed

@@ -0,0 +1,36 @@
+module PagesCore
+  class AttachmentsController < ::ApplicationController
+    before_action :verify_signed_params
+    before_action :find_attachment, only: %i[show download]
+    caches_page :show
+    def show
+      send_attachment
+    end
+    def download
+      send_attachment disposition: "attachment"
+    end
+    private
+    def find_attachment
+      @attachment = Attachment.find(params[:id])
+    end
+    def send_attachment(disposition: "inline")
+      if stale?(etag: @attachment, last_modified: @attachment.updated_at)
+        send_data(@attachment.data,
+                  filename: @attachment.filename,
+                  type: @attachment.content_type,
+                  disposition: disposition)
+      end
+    end
+    def verify_signed_params
+      key = params[:id].to_i.to_s
+      Attachment.verifier.verify(key, params[:digest])
+    end
+  end
+end