plan_my_stuff 0.1.0 → 1.0.0

data/app/controllers/plan_my_stuff/application_controller.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 
 module PlanMyStuff
-  class ApplicationController < ::ApplicationController
+  class ApplicationController < PlanMyStuff.configuration.parent_controller.constantize
     protect_from_forgery with: :exception
     helper Rails.application.routes.url_helpers
 
     before_action :authenticate_pms_user!
+    before_action :set_support_user
 
     private
 
@@ -23,8 +24,12 @@ module PlanMyStuff
         instance_exec(&pms_auth) if pms_auth
       end
 
-      # Returns the current user for PMS visibility checks.
-      # Delegates to the consuming app's current_user method.
+      # @return [void]
+      def set_support_user
+        @support_user = support_user?
+      end
+
+      # Returns the current user for PMS visibility checks. Delegates to the consuming app's current_user method.
       #
       # @return [Object, nil]
       #
@@ -34,7 +39,7 @@ module PlanMyStuff
 
       # @return [Boolean]
       def support_user?
-        pms_current_user.present? && PMS::UserResolver.support?(pms_current_user)
+        pms_current_user.present? && PlanMyStuff::UserResolver.support?(pms_current_user)
       end
 
       # Redirects non-support users back with an error.
@@ -49,6 +54,20 @@ module PlanMyStuff
         redirect_to(path)
       end
 
+      # Logs +error+ and invokes the consuming app's +PlanMyStuff.configuration.controller_rescue+ hook so monitoring
+      # can fire even when the rescue swallows the error and redirects to a flash. Wired into every user-facing
+      # controller +rescue+.
+      #
+      # @param error [StandardError]
+      #
+      # @return [void]
+      #
+      def pms_handle_rescue(error)
+        Rails.logger.error("[PlanMyStuff] #{error.class}: #{error.message}")
+        Rails.logger.error(error.backtrace.join("\n")) if error.backtrace
+        PlanMyStuff.configuration.controller_rescue&.call(error)
+      end
+
       # Splits a comma-separated labels string into an array.
       #
       # @param labels_string [String, nil]
@@ -70,7 +89,10 @@ module PlanMyStuff
       def parse_viewer_ids(ids_string)
         return [] if ids_string.blank?
 
-        ids_string.split(',').filter_map { |id| id.strip.presence&.to_i }
+        ids_string.split(',').filter_map do |id|
+          token = id.strip
+          token.to_i if token.match?(/\A\d+\z/)
+        end
       end
   end
 end

data/app/controllers/plan_my_stuff/comments_controller.rb

@@ -1,56 +1,78 @@
 # frozen_string_literal: true
 
 module PlanMyStuff
-  class CommentsController < ApplicationController
+  class CommentsController < PlanMyStuff::ApplicationController
     # POST /issues/:issue_id/comments
     def create
-      @issue = PMS::Issue.find(params[:issue_id].to_i, repo: params[:repo]&.to_sym)
+      @issue = PlanMyStuff::Issue.find(params[:issue_id])
 
-      PMS::Comment.create!(
+      comment = PlanMyStuff::Comment.create!(
         issue: @issue,
         body: comment_params[:body],
         user: pms_current_user,
         visibility: comment_params[:visibility]&.to_sym || :public,
+        waiting_on_reply: comment_params[:waiting_on_reply] == '1',
       )
 
+      yield(comment) if block_given?
+      return if performed?
+
       flash[:success] = 'Comment was successfully created.'
-      redirect_to(plan_my_stuff.issue_path(@issue.number))
+      redirect_to(plan_my_stuff.issue_path(@issue))
+    rescue PlanMyStuff::LockedIssueError => e
+      pms_handle_rescue(e)
+      flash[:error] = 'This issue is locked; no new comments can be posted.'
+      redirect_to(plan_my_stuff.issue_path(@issue))
     end
 
     # GET /issues/:issue_id/comments/:id/edit
     def edit
       load_comment
       return unless @comment
+      return redirect_to_issue if issue_body_comment?
+
+      unless can_edit?(@comment)
+        redirect_to_unauthorized(plan_my_stuff.issue_path(@issue))
+
+        return
+      end
 
-      @support_user = support_user?
-      return redirect_to_unauthorized(plan_my_stuff.issue_path(@issue.number)) unless can_edit?(@comment)
+      yield(@comment) if block_given?
     end
 
     # PATCH/PUT /issues/:issue_id/comments/:id
     def update
       load_comment
       return unless @comment
+      return redirect_to_issue if issue_body_comment?
 
-      @support_user = support_user?
-      return redirect_to_unauthorized(plan_my_stuff.issue_path(@issue.number)) unless can_edit?(@comment)
+      unless can_edit?(@comment)
+        redirect_to_unauthorized(plan_my_stuff.issue_path(@issue))
+
+        return
+      end
 
       update_attrs = { body: comment_params[:body] }
       update_attrs[:visibility] = comment_params[:visibility].to_sym if @support_user && comment_params[:visibility]
 
-      @comment.update!(**update_attrs)
+      @comment.update!(**update_attrs, user: pms_current_user)
+
+      yield(@comment) if block_given?
+      return if performed?
 
       flash[:success] = 'Comment was successfully updated.'
-      redirect_to(plan_my_stuff.issue_path(@issue.number))
-    rescue PMS::StaleObjectError
+      redirect_to(plan_my_stuff.issue_path(@issue))
+    rescue PlanMyStuff::StaleObjectError => e
+      pms_handle_rescue(e)
       flash.now[:error] = 'Comment was modified by someone else. Please review the latest changes and try again.'
-      render(:edit, status: PMS.unprocessable_status)
+      render(:edit, status: PlanMyStuff.unprocessable_status)
     end
 
     private
 
       # @return [ActionController::Parameters]
       def comment_params
-        params.require(:comment).permit(:body, :visibility)
+        params.require(:comment).permit(:body, :visibility, :waiting_on_reply)
       end
 
       # Loads the issue and comment from params.
@@ -58,13 +80,12 @@ module PlanMyStuff
       # @return [void]
       #
       def load_comment
-        @issue = PMS::Issue.find(params[:issue_id].to_i, repo: params[:repo]&.to_sym)
-        @comment = PMS::Comment.find(params[:id].to_i, issue: @issue)
+        @issue = PlanMyStuff::Issue.find(params[:issue_id])
+        @comment = PlanMyStuff::Comment.find(params[:id].to_i, issue: @issue)
       end
 
-      # Returns true if the current user can edit the given comment.
-      # Support users can edit any comment. Regular users can only edit
-      # their own comments.
+      # Returns true if the current user can edit the given comment. Support users can edit any comment. Regular users
+      # can only edit their own comments.
       #
       # @param comment [PlanMyStuff::Comment]
       #
@@ -76,7 +97,17 @@ module PlanMyStuff
         user = pms_current_user
         return false if user.blank?
 
-        comment.metadata.created_by == PMS::UserResolver.user_id(user)
+        comment.metadata.created_by == PlanMyStuff::UserResolver.user_id(user)
+      end
+
+      # @return [Boolean]
+      def issue_body_comment?
+        @comment.metadata.issue_body?
+      end
+
+      # @return [void]
+      def redirect_to_issue
+        redirect_to(plan_my_stuff.issue_path(@issue))
       end
   end
 end

data/app/controllers/plan_my_stuff/issues/approvals_controller.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+module PlanMyStuff
+  module Issues
+    # CRUD for manager approvals on an issue. Backs the approvals panel on the issue show view.
+    #
+    # POST   /issues/:issue_id/approvals      -> create  (adds approver(s))
+    # PATCH  /issues/:issue_id/approvals/:id  -> update  (approves or revokes)
+    # DELETE /issues/:issue_id/approvals/:id  -> destroy (removes an approver)
+    #
+    class ApprovalsController < PlanMyStuff::ApplicationController
+      # POST /issues/:issue_id/approvals
+      def create
+        unless support_user?
+          redirect_to_unauthorized(show_path)
+          return
+        end
+
+        user_ids = parse_viewer_ids(approval_params[:user_ids])
+        if user_ids.blank?
+          flash[:error] = 'No valid user IDs provided.'
+          redirect_to(show_path)
+          return
+        end
+
+        find_issue
+
+        @issue.request_approvals!(user_ids: user_ids, user: pms_current_user)
+
+        yield(@issue) if block_given?
+        return if performed?
+
+        flash[:success] = 'Approvers were successfully added.'
+        redirect_to(show_path)
+      rescue PlanMyStuff::AuthorizationError, PlanMyStuff::ValidationError => e
+        pms_handle_rescue(e)
+        flash[:error] = e.message
+        redirect_to(show_path)
+      end
+
+      # PATCH /issues/:issue_id/approvals/:id
+      def update
+        status = approval_params[:status].to_s
+        target_id = params[:id].to_i
+
+        if PlanMyStuff::Approval::STATUSES.exclude?(status)
+          head(:bad_request)
+          return
+        end
+
+        find_issue
+        caller_id = pms_current_user.present? ? PlanMyStuff::UserResolver.user_id(pms_current_user) : nil
+
+        case status
+        when 'approved'
+          unless caller_id == target_id
+            redirect_to_unauthorized(show_path)
+            return
+          end
+          @issue.approve!(user: pms_current_user)
+          flash[:success] = 'Approval recorded.'
+        when 'rejected'
+          unless caller_id == target_id
+            redirect_to_unauthorized(show_path)
+            return
+          end
+          @issue.reject!(user: pms_current_user)
+          flash[:success] = 'Rejection recorded.'
+        else
+          if caller_id != target_id && !support_user?
+            redirect_to_unauthorized(show_path)
+            return
+          end
+          @issue.revoke_approval!(user: pms_current_user, target_user_id: target_id)
+          flash[:success] = 'Response revoked.'
+        end
+
+        yield(@issue) if block_given?
+        return if performed?
+
+        redirect_to(show_path)
+      rescue PlanMyStuff::AuthorizationError, PlanMyStuff::ValidationError => e
+        pms_handle_rescue(e)
+        flash[:error] = e.message
+        redirect_to(show_path)
+      end
+
+      # DELETE /issues/:issue_id/approvals/:id
+      def destroy
+        unless support_user?
+          redirect_to_unauthorized(show_path)
+          return
+        end
+
+        find_issue
+        @issue.remove_approvers!(user_ids: [params[:id].to_i], user: pms_current_user)
+
+        yield(@issue) if block_given?
+        return if performed?
+
+        flash[:success] = 'Approver was successfully removed.'
+        redirect_to(show_path)
+      rescue PlanMyStuff::AuthorizationError, PlanMyStuff::ValidationError => e
+        pms_handle_rescue(e)
+        flash[:error] = e.message
+        redirect_to(show_path)
+      end
+
+      private
+
+        # @return [ActionController::Parameters]
+        def approval_params
+          params.fetch(:approval, {}).permit(:status, :user_ids)
+        end
+
+        # :nodoc:
+        def find_issue
+          @issue = PlanMyStuff::Issue.find(params[:issue_id])
+        end
+
+        # @return [String]
+        def show_path
+          plan_my_stuff.issue_path(@issue || params[:issue_id])
+        end
+    end
+  end
+end

data/app/controllers/plan_my_stuff/issues/closures_controller.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module PlanMyStuff
+  module Issues
+    # Handles closing and reopening issues via CRUD-style routes.
+    # Backs the Close/Reopen buttons on the issue show view (T-044).
+    #
+    # POST   /issues/:issue_id/closure -> create  (closes)
+    # DELETE /issues/:issue_id/closure -> destroy (reopens)
+    #
+    class ClosuresController < PlanMyStuff::ApplicationController
+      # POST /issues/:issue_id/closure
+      def create
+        issue = PlanMyStuff::Issue.find(params[:issue_id])
+        to_update = {}
+        if PlanMyStuff.configuration.issue_fields_enabled
+          to_update[:issue_fields] = { 'Issue Status' => 'Fixed' }
+        end
+        issue.update!(state: :closed, **to_update)
+
+        yield(issue) if block_given?
+        return if performed?
+
+        flash[:success] = 'Issue was successfully closed.'
+        redirect_to(plan_my_stuff.issue_path(issue))
+      rescue PlanMyStuff::Error, ArgumentError => e
+        pms_handle_rescue(e)
+        flash[:error] = e.message
+        redirect_to(plan_my_stuff.issue_path(params[:issue_id]))
+      end
+
+      # DELETE /issues/:issue_id/closure
+      def destroy
+        issue = PlanMyStuff::Issue.find(params[:issue_id])
+        to_update = {}
+        if PlanMyStuff.configuration.issue_fields_enabled
+          to_update[:issue_fields] = { 'Issue Status' => 'Reopened' }
+        end
+        issue.update!(state: :open, **to_update)
+
+        yield(issue) if block_given?
+        return if performed?
+
+        flash[:success] = 'Issue was successfully reopened.'
+        redirect_to(plan_my_stuff.issue_path(issue))
+      rescue PlanMyStuff::Error, ArgumentError => e
+        pms_handle_rescue(e)
+        flash[:error] = e.message
+        redirect_to(plan_my_stuff.issue_path(params[:issue_id]))
+      end
+    end
+  end
+end

data/app/controllers/plan_my_stuff/issues/links_controller.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+module PlanMyStuff
+  module Issues
+    # CRUD for ticket relationships: +:related+ (metadata-backed) and +:blocked_by+ / +:parent+ / +:sub_ticket+ /
+    # +:duplicate_of+ (native GitHub APIs). Backs the links panel on the issue show view.
+    #
+    # POST   /issues/:issue_id/links      -> create  (adds a link)
+    # DELETE /issues/:issue_id/links/:id  -> destroy (removes a link)
+    #
+    class LinksController < PlanMyStuff::ApplicationController
+      NATIVE_DISPATCH = {
+        'related' => { add: :add_related!, remove: :remove_related! },
+        'blocked_by' => { add: :add_blocker!, remove: :remove_blocker! },
+        'sub_ticket' => { add: :add_sub_issue!, remove: :remove_sub_issue! },
+        'parent' => { add: :set_parent!, remove: :remove_parent! },
+        'duplicate_of' => { add: :mark_duplicate! },
+      }.freeze
+
+      # POST /issues/:issue_id/links
+      def create
+        type = link_params[:type].to_s
+        unless dispatch_allowed?(type, :add)
+          redirect_to_unauthorized(plan_my_stuff.issue_path(params[:issue_id]))
+          return
+        end
+
+        issue = PlanMyStuff::Issue.find(params[:issue_id])
+        link = add_link(issue, type)
+
+        yield(issue) if block_given?
+        return if performed?
+
+        flash[:success] = "Linked #{link}"
+        redirect_to(plan_my_stuff.issue_path(issue))
+      rescue PlanMyStuff::ValidationError, ActiveModel::ValidationError, ArgumentError => e
+        pms_handle_rescue(e)
+        flash[:error] = e.message
+        redirect_to(plan_my_stuff.issue_path(params[:issue_id]))
+      end
+
+      # DELETE /issues/:issue_id/links/:id
+      def destroy
+        type, repo, number = parse_composite_id(params[:id])
+        unless dispatch_allowed?(type, :remove)
+          redirect_to_unauthorized(plan_my_stuff.issue_path(params[:issue_id]))
+          return
+        end
+
+        issue = PlanMyStuff::Issue.find(params[:issue_id])
+        remove_link(issue, type, repo: repo, number: number)
+
+        yield(issue) if block_given?
+        return if performed?
+
+        flash[:success] = "Unlinked #{repo}##{number}"
+        redirect_to(plan_my_stuff.issue_path(issue))
+      rescue PlanMyStuff::ValidationError, ActiveModel::ValidationError, ArgumentError => e
+        pms_handle_rescue(e)
+        flash[:error] = e.message
+        redirect_to(plan_my_stuff.issue_path(params[:issue_id]))
+      end
+
+      private
+
+        # @return [ActionController::Parameters]
+        def link_params
+          params.require(:link).permit(:type, :issue_number, :repo)
+        end
+
+        # All link mutations require a support user. +destroy+ is not defined for +:duplicate_of+ (reopen via GitHub).
+        #
+        # @return [Boolean]
+        #
+        def dispatch_allowed?(type, action)
+          entry = NATIVE_DISPATCH[type]
+          return false if entry.nil? || entry[action].nil?
+
+          support_user?
+        end
+
+        # @return [PlanMyStuff::Link]
+        def add_link(issue, type)
+          method = NATIVE_DISPATCH.dig(type, :add)
+          target = {
+            type: type,
+            issue_number: link_params[:issue_number].to_i,
+            repo: link_params[:repo].presence || issue.repo.to_s,
+          }
+          case type
+          when 'related', 'duplicate_of'
+            issue.public_send(method, target, user: pms_current_user)
+          else
+            issue.public_send(method, target)
+          end
+        end
+
+        # @return [void]
+        def remove_link(issue, type, repo:, number:)
+          method = NATIVE_DISPATCH.dig(type, :remove)
+          target = { type: type, issue_number: number, repo: repo }
+          case type
+          when 'parent'
+            issue.public_send(method)
+          when 'related'
+            issue.public_send(method, target, user: pms_current_user)
+          else
+            issue.public_send(method, target)
+          end
+        end
+
+        # Parses +"{type}:{owner/repo}:{number}"+ out of +params[:id]+. The route helper URL-encodes outgoing segments,
+        # but Rack's default path decoder intentionally leaves +%2F+ escaped in path params (anti-path-traversal), so
+        # the repo portion can still contain +%2F+. Decode before splitting.
+        #
+        # @param id [String]
+        #
+        # @return [Array(String, String, Integer)] type, repo, number
+        #
+        def parse_composite_id(id)
+          decoded = CGI.unescape(id.to_s)
+          type, repo, number = decoded.split(':', 3)
+          raise(ArgumentError, "Invalid link id: #{id.inspect}") if number.blank?
+
+          [type, repo, number.to_i]
+        end
+    end
+  end
+end

data/app/controllers/plan_my_stuff/issues/takes_controller.rb

@@ -0,0 +1,161 @@
+# frozen_string_literal: true
+
+module PlanMyStuff
+  module Issues
+    # Moves an issue's pipeline ProjectItem to "Started" via +PlanMyStuff::Pipeline.take!+. Backs the "Take" button on
+    # the mounted issue show view (T-RC-017). The primary UI path for a dev picking up work on an issue they've been
+    # assigned to.
+    #
+    class TakesController < PlanMyStuff::ApplicationController
+      before_action :require_support_user
+
+      # POST /issues/:issue_id/take
+      def create
+        issue = PlanMyStuff::Issue.find(params[:issue_id])
+        guard_already_taken!(issue)
+
+        project_item = PlanMyStuff::Pipeline::IssueLinker.find_project_item(issue.number)
+        project_item ||= add_to_pipeline(issue)
+
+        PlanMyStuff::Pipeline.take!(project_item, user: pms_current_user)
+        assign_current_user(project_item)
+
+        yield(project_item) if block_given?
+        return if performed?
+
+        flash[:success] ||= "Issue ##{issue.number} taken."
+
+        redirect_to(plan_my_stuff.issue_path(issue))
+      rescue ArgumentError, PlanMyStuff::Error => e
+        pms_handle_rescue(e)
+        flash[:error] = e.message
+        redirect_to(plan_my_stuff.issue_path(params[:issue_id]))
+      end
+
+      # DELETE /issues/:issue_id/take
+      def destroy
+        issue = PlanMyStuff::Issue.find(params[:issue_id])
+        login = current_user_login
+        guard_release!(issue, login)
+
+        remaining = issue.assignees - [login]
+        project_item = PlanMyStuff::Pipeline::IssueLinker.find_project_item(issue.number)
+
+        if project_item.present?
+          if remaining.empty?
+            issue.update!(assignees: [])
+            project_item.destroy!
+          else
+            project_item.assign!(remaining)
+          end
+        else
+          issue.update!(assignees: remaining)
+        end
+
+        yielded = project_item.presence || issue
+        yield(yielded) if block_given?
+        return if performed?
+
+        flash[:success] = "Issue ##{issue.number} released."
+        redirect_to(plan_my_stuff.issue_path(issue))
+      rescue ArgumentError, PlanMyStuff::Error => e
+        pms_handle_rescue(e)
+        flash[:error] = e.message
+        redirect_to(plan_my_stuff.issue_path(params[:issue_id]))
+      end
+
+      private
+
+        # Redirects non-support users back to the issue page. Mirrors +Issues::ViewersController+'s authorization check.
+        #
+        # @return [void]
+        #
+        def require_support_user
+          return if support_user?
+
+          redirect_to_unauthorized(
+            plan_my_stuff.issue_path(params[:issue_id]),
+          )
+        end
+
+        # Best-effort race guard for two users clicking Take on the same issue. GitHub allows multiple assignees so a
+        # naive second take would silently pile on; refuse instead and let the second user see who already has it.
+        #
+        # @raise [PlanMyStuff::Error] if the issue already has assignees
+        #
+        # @param issue [PlanMyStuff::Issue]
+        #
+        # @return [void]
+        #
+        def guard_already_taken!(issue)
+          return if issue.assignees.blank?
+
+          raise(
+            PlanMyStuff::Error,
+            "Issue ##{issue.number} is already taken by @#{issue.assignees.join(', @')}.",
+          )
+        end
+
+        # Adds an issue to the pipeline project so +Pipeline.take!+ has something to operate on when the user clicks
+        # "Take" on an issue that hasn't been submitted to the pipeline yet.
+        #
+        # @param issue [PlanMyStuff::Issue]
+        #
+        # @return [PlanMyStuff::ProjectItem]
+        #
+        def add_to_pipeline(issue)
+          pipeline_number = PlanMyStuff::Pipeline.resolve_pipeline_project_number!
+          PlanMyStuff::ProjectItem.create!(issue, project_number: pipeline_number)
+        end
+
+        # Looks up the current user's GitHub login in +config.github_login_for+ (a +{user_id => login}+ hash) and
+        # assigns them on the project item. Assignment failures are logged and surfaced as a flash warning but do not
+        # revert the status move.
+        #
+        # @param project_item [PlanMyStuff::ProjectItem]
+        #
+        # @return [void]
+        #
+        def assign_current_user(project_item)
+          login = current_user_login
+
+          if login.blank?
+            Rails.logger.info('[PlanMyStuff] No github_login_for mapping for current user; skipping Take assignment')
+            return
+          end
+
+          project_item.assign!(login)
+        rescue PlanMyStuff::Error => e
+          Rails.logger.warn("[PlanMyStuff] Take assignment failed: #{e.message}")
+          flash[:warning] = "Issue taken but assignment failed: #{e.message}"
+        end
+
+        # GitHub login for the current user via +config.github_login_for+ (a +{user_id => login}+ hash), or +nil+ if the
+        # user is unmapped or unauthenticated.
+        #
+        # @return [String, nil]
+        #
+        def current_user_login
+          user = pms_current_user
+          user_id = user.present? ? PlanMyStuff::UserResolver.user_id(user) : nil
+          PlanMyStuff.configuration.github_login_for[user_id]
+        end
+
+        # Refuses the release when the current user has no login mapping or is not in the issue's assignees. Mirrors the
+        # +guard_already_taken!+ check on +#create+.
+        #
+        # @raise [PlanMyStuff::Error] if the user cannot release the issue
+        #
+        # @param issue [PlanMyStuff::Issue]
+        # @param login [String, nil]
+        #
+        # @return [void]
+        #
+        def guard_release!(issue, login)
+          raise(PlanMyStuff::Error, 'No GitHub login mapping for current user; cannot release.') if login.blank?
+
+          raise(PlanMyStuff::Error, "Issue ##{issue.number} is not assigned to you.") if issue.assignees.exclude?(login)
+        end
+    end
+  end
+end