RubyGems - pages_core - Versions diffs - 3.5.1 → 3.6.0 - Mend

pages_core 3.5.1 → 3.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (312) hide show

data/app/controllers/admin/users_controller.rb CHANGED Viewed

@@ -1,19 +1,10 @@
-# encoding: utf-8
 module Admin
   class UsersController < Admin::AdminController
-    before_action :require_authentication, except: [:new, :create, :login]
-    before_action :require_no_users, only: [:new, :create]
+    before_action :require_authentication, except: %i[new create login]
+    before_action :require_no_users, only: %i[new create]
     before_action(
       :find_user,
-      only: [:edit, :update, :show, :destroy, :delete_image]
-    )
-    require_authorization(
-      User,
-      proc { @user },
-      member:     [:delete_image, :update, :destroy, :edit],
-      collection: [:index, :deactivated, :new, :create]
+      only: %i[edit update show destroy delete_image]
     )
     def index
@@ -36,7 +27,7 @@ module Admin
     end
     def create
-      @user = User.create(user_params)
+      @user = PagesCore::CreateUserService.call(user_params)
       if @user.valid?
         authenticate!(@user)
         redirect_to admin_default_url
@@ -45,14 +36,12 @@ module Admin
       end
     end
-    def show
-    end
+    def show; end
-    def edit
-    end
+    def edit; end
     def update
-      if @user.update(user_params)
+      if @user.update(user_params_with_roles)
         flash[:notice] = "Your changed to #{@user.name} were saved."
         redirect_to admin_users_url
       else
@@ -83,16 +72,21 @@ module Admin
     end
     def user_params
-      permitted_params = [
-        :name, :email, :image
+      permitted_params = %i[
+        name email image image_id
       ]
       permitted_params += [:activated, role_names: []] if policy(User).manage?
-      if !User.any? || (@user && policy(@user).change_password?)
-        permitted_params += [:password, :confirm_password]
+      if User.none? || (@user && policy(@user).change_password?)
+        permitted_params += %i[password confirm_password]
       end
       params.require(:user).permit(permitted_params)
     end
+    def user_params_with_roles
+      return user_params unless policy(User).manage?
+      { role_names: [] }.merge(user_params)
+    end
     def require_no_users
       return unless User.any?
       flash[:error] = "Account holder already exists"

data/app/controllers/concerns/pages_core/admin/news_page_controller.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module Admin
     module NewsPageController
@@ -7,16 +5,27 @@ module PagesCore
       included do
         before_action :require_news_pages, only: [:news]
-        before_action :find_news_pages, only: [:news, :new_news]
+        before_action :find_news_pages, only: %i[news new_news]
       end
       def news
         @archive_finder = archive_finder(@news_pages, @locale)
-        @year, @month = year_and_month(@archive_finder)
-        @year ||= Time.zone.now.year
-        @month ||= Time.zone.now.month
-        @pages = @archive_finder.by_year_and_month(@year, @month)
+        unless params[:year]
+          redirect_to(news_admin_pages_path(@locale,
+                                            (@archive_finder.latest_year ||
+                                             Time.zone.now.year)))
+          return
+        end
+        @year = params[:year]&.to_i
+        @month = params[:month]&.to_i
+        @pages = (if @month
+                    @archive_finder.by_year_and_month(@year, @month)
+                  else
+                    @archive_finder.by_year(@year)
+                  end).paginate(per_page: 50, page: params[:page])
       end
       def new_news
@@ -35,7 +44,9 @@ module PagesCore
       end
       def find_news_pages
-        @news_pages = Page.news_pages.in_locale(@locale)
+        @news_pages = Page.news_pages
+                          .in_locale(@locale)
+                          .reorder("parent_page_id ASC, position ASC")
         return if @news_pages.any?
         redirect_to(admin_pages_url(@locale))
       end
@@ -46,12 +57,8 @@ module PagesCore
         redirect_to(admin_pages_url(@locale))
       end
-      def year_and_month(archive_finder)
-        if params[:year] && params[:month]
-          [params[:year], params[:month]].map(&:to_i)
-        else
-          archive_finder.latest_year_and_month
-        end
+      def latest_year
+        archive_finder.latest_year_and_month.first || Time.zone.now.year
       end
     end
   end

data/app/controllers/concerns/pages_core/authentication.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module Authentication
     extend ActiveSupport::Concern

data/app/controllers/concerns/pages_core/domain_based_cache.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module DomainBasedCache
     extend ActiveSupport::Concern

data/app/controllers/concerns/pages_core/error_renderer.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module PagesCore
+  module ErrorRenderer
+    extend ActiveSupport::Concern
+    # Renders a fancy error page from app/views/errors. If the error name
+    # is numeric, it will also be set as the response status. Example:
+    #
+    #   render_error 404
+    #
+    def render_error(error, options = {})
+      options[:status] ||= error if error.is_a? Numeric
+      respond_to do |format|
+        format.html do
+          options[:layout] = error_layout(error, options)
+          @email = current_user.try(&:email) || ""
+          render({ template: "errors/#{error}" }.merge(options))
+        end
+        format.any { head options[:status] }
+      end
+      true
+    end
+    protected
+    def error_layout(error, options = {})
+      return options[:layout] if options.key?(:layout)
+      if error == 404 && PagesCore.config.error_404_layout?
+        PagesCore.config.error_404_layout
+      else
+        "errors"
+      end
+    end
+  end
+end

data/app/controllers/concerns/pages_core/policies_helper.rb CHANGED Viewed

@@ -7,23 +7,19 @@ module PagesCore
     end
     module ClassMethods
-      def require_authorization(collection, member, options = {})
-        options = default_options.merge(options)
+      def require_authorization(object: nil, instance: nil)
+        object ||= inferred_policy_class
         before_action do |controller|
-          action = params[:action].to_sym
-          if options[:collection].include?(action)
-            verify_policy_with_proc(controller, collection)
-          elsif options[:member].include?(action)
-            verify_policy_with_proc(controller, member)
-          end
+          instance_name = "@#{object.name.underscore}"
+          record = instance || controller.instance_variable_get(instance_name)
+          verify_policy_with_proc(controller, record || object)
         end
       end
-      def default_options
-        {
-          collection: [:index, :new, :create],
-          member:     [:show, :edit, :update, :destroy]
-        }
+      def inferred_policy_class
+        const_get(name.demodulize.gsub(/Controller$/, "").singularize)
       end
     end

data/app/controllers/concerns/pages_core/preview_pages_controller.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module PreviewPagesController
     extend ActiveSupport::Concern
@@ -29,9 +27,9 @@ module PagesCore
     end
     def permitted_page_attributes
-      [:template, :user_id, :status, :feed_enabled, :published_at,
-       :redirect_to, :comments_allowed, :image_link, :news_page,
-       :unique_name, :pinned, :parent_page_id]
+      %i[template user_id status feed_enabled published_at
+         redirect_to image_link news_page
+         unique_name pinned parent_page_id]
     end
     def page_params

data/app/controllers/concerns/pages_core/process_titler.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module ProcessTitler
     extend ActiveSupport::Concern
@@ -10,7 +8,7 @@ module PagesCore
     end
     class << self
-      attr_accessor :number_of_requests
+      attr_writer :number_of_requests
       def original_title
         @original_title ||= $PROGRAM_NAME

data/app/controllers/concerns/pages_core/rss_controller.rb CHANGED Viewed

@@ -1,5 +1,3 @@
-# encoding: utf-8
 module PagesCore
   module RssController
     extend ActiveSupport::Concern

data/app/controllers/errors_controller.rb CHANGED Viewed

@@ -1,24 +1,21 @@
-# encoding: utf-8
 class ErrorsController < ::ApplicationController
   layout "errors"
-  skip_before_action :verify_authenticity_token
   def report
-    return unless session[:error_report]
-    deliver_error_report(
-      find_error_report,
-      params[:email],
-      params[:description]
-    )
-    @error_id = session[:error_report]
+    report = decrypt_report(params[:error_report])
+    report[:user] = User.find_by(id: report[:user_id]) if report.key?(:user_id)
+    deliver_error_report(report, params[:email], params[:description])
   end
   def show
     render_error params[:id].to_i
   end
+  def forbidden
+    render_error 403
+  end
   def not_found
     render_error 404
   end
@@ -27,8 +24,21 @@ class ErrorsController < ::ApplicationController
     render_error 422
   end
+  def unauthorized
+    render_error 401
+  end
   def internal_error
-    render_error 500
+    exception = request.env["action_dispatch.exception"]
+    if !exception
+      render_error 500
+    elsif exception.is_a?(PagesCore::NotAuthorized)
+      render_error 403
+    else
+      @report = encrypt_report(error_report(request, exception))
+      wrapper = ActionDispatch::ExceptionWrapper.new(nil, exception)
+      render_error wrapper.status_code
+    end
   end
   private
@@ -37,21 +47,37 @@ class ErrorsController < ::ApplicationController
     AdminMailer.error_report(report, from, description).deliver_now
   end
-  def find_error_report
-    report = YAML.load_file(error_report_path)
-    if report[:user_id]
-      report[:user] = begin
-                        User.find(report[:user_id])
-                      rescue
-                        nil
-                      end
-    end
-    report
+  def decrypt_report(str)
+    YAML.safe_load(report_encryptor.decrypt_and_verify(str))
+  end
+  def encrypt_report(report)
+    report_encryptor.encrypt_and_sign(report.to_yaml)
+  end
+  def error_report(request, exception)
+    { message:   exception.to_s,
+      url:       request.original_url,
+      env:       request.env.select { |_, v| v.is_a?(String) },
+      params:    params.to_unsafe_h,
+      session:   session.to_hash,
+      backtrace: exception_backtrace(exception),
+      timestamp: Time.now.utc,
+      user_id:   current_user.try(&:id) }
+  end
+  def exception_backtrace(exception)
+    Rails.backtrace_cleaner.send(:filter, exception.backtrace)
   end
-  def error_report_path
-    Rails.root
-         .join("log", "error_reports")
-         .join("#{session[:error_report]}.yml")
+  def report_encryptor
+    ActiveSupport::MessageEncryptor.new(
+      ActiveSupport::CachingKeyGenerator.new(
+        ActiveSupport::KeyGenerator.new(
+          Rails.application.secrets.secret_key_base,
+          iterations: 1000
+        )
+      ).generate_key("encrypted error report")
+    )
   end
 end

data/app/controllers/pages_core/admin_controller.rb CHANGED Viewed

@@ -1,9 +1,9 @@
-# encoding: utf-8
 # All admin controllers inherit Admin::AdminController, which provides layout,
 # authorization and other common code for the Admin set of controllers.
 module PagesCore
   class AdminController < ::ApplicationController
+    protect_from_forgery with: :exception
     before_action :set_i18n_locale
     before_action :require_authentication
     before_action :restore_persistent_params
@@ -59,15 +59,15 @@ module PagesCore
       current_user.save
     end
-    def secure_compare(a, b)
-      return false unless a && b
-      return false unless a.bytesize == b.bytesize
+    def secure_compare(compare, other)
+      return false unless compare && other
+      return false unless compare.bytesize == other.bytesize
-      l = a.unpack "C#{a.bytesize}"
+      l = compare.unpack "C#{compare.bytesize}"
       res = 0
-      b.each_byte { |byte| res |= byte ^ l.shift }
-      res == 0
+      other.each_byte { |byte| res |= byte ^ l.shift }
+      res.zero?
     end
     # --- HELPERS ---
@@ -84,25 +84,34 @@ module PagesCore
       session[:persistent_params][namespace]
     end
-    def coerce_persistent_param(v)
-      case v
+    def coerce_persistent_param(value)
+      case value
       when "true"
         true
       when "false"
         false
       else
-        v
+        value
       end
     end
     # Get a persistent param
     def persistent_param(key, default = nil, options = {})
+      key = key.to_s
       namespace = options[:namespace] || self.class.to_s
-      value = coerce_persistent_param(params.key?(key) ? params[key] : default)
+      value = coerce_persistent_param(
+        if params.key?(key)
+          params[key]
+        elsif persistent_params(namespace).key?(key)
+          persistent_params(namespace)[key]
+        else
+          default
+        end
+      )
       if !value.nil? || options[:preserve_nil]
-        persistent_params(namespace)[key] = value
+        persistent_params(namespace)[key.to_s] = value
       end
       value

data/app/controllers/pages_core/attachments_controller.rb ADDED Viewed

@@ -0,0 +1,36 @@
+module PagesCore
+  class AttachmentsController < ::ApplicationController
+    before_action :verify_signed_params
+    before_action :find_attachment, only: %i[show download]
+    caches_page :show
+    def show
+      send_attachment
+    end
+    def download
+      send_attachment disposition: "attachment"
+    end
+    private
+    def find_attachment
+      @attachment = Attachment.find(params[:id])
+    end
+    def send_attachment(disposition: "inline")
+      if stale?(etag: @attachment, last_modified: @attachment.updated_at)
+        send_data(@attachment.data,
+                  filename: @attachment.filename,
+                  type: @attachment.content_type,
+                  disposition: disposition)
+      end
+    end
+    def verify_signed_params
+      key = params[:id].to_i.to_s
+      Attachment.verifier.verify(key, params[:digest])
+    end
+  end
+end