plutonium 0.42.0 → 0.43.0

data/lib/plutonium/profile/security_section.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module Plutonium
+  module Profile
+    # Renders security settings links based on enabled Rodauth features.
+    class SecuritySection < Plutonium::UI::Component::Base
+      FEATURES = {
+        change_password: {
+          label: "Change Password",
+          description: "Update your account password",
+          icon: Phlex::TablerIcons::Key,
+          path_method: :change_password_path
+        },
+        change_login: {
+          label: "Change Email",
+          description: "Update your email address",
+          icon: Phlex::TablerIcons::Mail,
+          path_method: :change_login_path
+        },
+        otp: {
+          label: "Two-Factor Authentication",
+          description: "Add an extra layer of security",
+          icon: Phlex::TablerIcons::DeviceMobile,
+          path_method: :otp_setup_path
+        },
+        recovery_codes: {
+          label: "Recovery Codes",
+          description: "View or regenerate backup codes",
+          icon: Phlex::TablerIcons::FileCode,
+          path_method: :recovery_codes_path
+        },
+        webauthn: {
+          label: "Security Keys",
+          description: "Manage passkeys and security keys",
+          icon: Phlex::TablerIcons::Fingerprint,
+          path_method: :webauthn_setup_path
+        },
+        active_sessions: {
+          label: "Active Sessions",
+          description: "View and manage your sessions",
+          icon: Phlex::TablerIcons::DevicesCheck,
+          path_method: :active_sessions_path
+        },
+        close_account: {
+          label: "Close Account",
+          description: "Permanently delete your account",
+          icon: Phlex::TablerIcons::Trash,
+          path_method: :close_account_path,
+          danger: true
+        }
+      }.freeze
+
+      def view_template
+        div(class: "mt-8") do
+          render_section_header
+          render_feature_links
+        end
+      end
+
+      private
+
+      def render_section_header
+        div(class: "mb-4") do
+          h2(class: "text-lg font-semibold text-[var(--pu-text)]") { "Security Settings" }
+          p(class: "text-sm text-[var(--pu-text-muted)]") { "Manage your account security" }
+        end
+      end
+
+      def render_feature_links
+        div(
+          class: "bg-[var(--pu-card-bg)] border border-[var(--pu-card-border)] rounded-[var(--pu-radius-lg)] divide-y divide-[var(--pu-border)]",
+          style: "box-shadow: var(--pu-shadow-sm)"
+        ) do
+          enabled_features.each do |feature, config|
+            render_feature_link(feature, config)
+          end
+        end
+      end
+
+      def render_feature_link(feature, config)
+        path = helpers.rodauth.send(config[:path_method])
+        danger = config[:danger]
+
+        a(
+          href: path,
+          class: tokens(
+            "flex items-center gap-4 p-4 hover:bg-[var(--pu-surface-alt)] transition-colors first:rounded-t-[var(--pu-radius-lg)] last:rounded-b-[var(--pu-radius-lg)]",
+            danger ? "text-[var(--pu-text-danger)]" : "text-[var(--pu-text)]"
+          )
+        ) do
+          # Icon
+          div(class: "flex-shrink-0") do
+            render config[:icon].new(class: "w-5 h-5")
+          end
+
+          # Content
+          div(class: "flex-grow") do
+            div(class: "font-medium") { config[:label] }
+            div(class: "text-sm text-[var(--pu-text-muted)]") { config[:description] }
+          end
+
+          # Arrow
+          div(class: "flex-shrink-0 text-[var(--pu-text-muted)]") do
+            render Phlex::TablerIcons::ChevronRight.new(class: "w-5 h-5")
+          end
+        end
+      end
+
+      def enabled_features
+        FEATURES.select { |feature, _config| feature_enabled?(feature) }
+      end
+
+      def feature_enabled?(feature)
+        helpers.rodauth.features.include?(feature)
+      end
+    end
+  end
+end

data/lib/plutonium/resource/controller.rb

@@ -104,6 +104,13 @@ module Plutonium
         end
       end
 
+      # Returns true if current resource is registered as a singular route
+      # (e.g., `resource :profile` vs `resources :users`)
+      # @return [Boolean]
+      def singular_resource_context?
+        current_resource_route_config&.[](:route_type) == :resource
+      end
+
       # Extracts the association name from the current nested route
       # e.g., for route /posts/:post_id/nested_comments, returns :comments
       # @return [Symbol, nil] The association name
@@ -242,14 +249,17 @@ module Plutonium
       # Overrides entity scoping parameters
       # @param [Hash] input_params The input parameters
       def override_entity_scoping_params(input_params)
-        if scoped_to_entity?
-          if input_params.key?(scoped_entity_param_key) || resource_class.method_defined?(:"#{scoped_entity_param_key}=")
-            input_params[scoped_entity_param_key] = current_scoped_entity
-          end
+        return unless scoped_to_entity?
 
-          if input_params.key?(:"#{scoped_entity_param_key}_id") || resource_class.method_defined?(:"#{scoped_entity_param_key}_id=")
-            input_params[:"#{scoped_entity_param_key}_id"] = current_scoped_entity.id
-          end
+        # Use the detected association if available, otherwise fall back to param_key
+        assoc_name = scoped_entity_association || scoped_entity_param_key
+
+        if input_params.key?(assoc_name) || resource_class.method_defined?(:"#{assoc_name}=")
+          input_params[assoc_name] = current_scoped_entity
+        end
+
+        if input_params.key?(:"#{assoc_name}_id") || resource_class.method_defined?(:"#{assoc_name}_id=")
+          input_params[:"#{assoc_name}_id"] = current_scoped_entity.id
         end
       end
 

data/lib/plutonium/resource/controllers/interactive_actions.rb

@@ -29,12 +29,7 @@ module Plutonium
         # GET /resources/1/record_actions/:interactive_action
         def interactive_record_action
           build_interactive_record_action_interaction
-
-          if helpers.current_turbo_frame == "remote_modal"
-            render layout: false, formats: [:html]
-          else
-            render :interactive_record_action, formats: [:html]
-          end
+          render :interactive_record_action, layout: modal_layout, formats: [:html]
         end
 
         # POST /resources/1/record_actions/:interactive_action
@@ -67,7 +62,7 @@ module Plutonium
                 end
               else
                 format.any(:html, :turbo_stream) do
-                  render :interactive_record_action, formats: [:html], status: :unprocessable_content
+                  render :interactive_record_action, layout: modal_layout, formats: [:html], status: :unprocessable_content
                 end
                 format.any do
                   @errors = @interaction.errors
@@ -82,16 +77,7 @@ module Plutonium
         def interactive_resource_action
           skip_verify_current_authorized_scope!
           build_interactive_resource_action_interaction
-
-          respond_to do |format|
-            format.any(:html, :turbo_stream) do
-              if helpers.current_turbo_frame == "remote_modal"
-                render layout: false, formats: [:html]
-              else
-                render :interactive_resource_action, formats: [:html]
-              end
-            end
-          end
+          render :interactive_resource_action, layout: modal_layout, formats: [:html]
         end
 
         # POST /resources/resource_actions/:interactive_action
@@ -125,7 +111,7 @@ module Plutonium
                 end
               else
                 format.any(:html, :turbo_stream) do
-                  render :interactive_resource_action, formats: [:html], status: :unprocessable_content
+                  render :interactive_resource_action, layout: modal_layout, formats: [:html], status: :unprocessable_content
                 end
                 format.any do
                   @errors = @interaction.errors
@@ -139,12 +125,7 @@ module Plutonium
         # GET /resources/bulk_actions/:interactive_action?ids[]=1&ids[]=2
         def interactive_bulk_action
           build_interactive_bulk_action_interaction
-
-          if helpers.current_turbo_frame == "remote_modal"
-            render layout: false, formats: [:html]
-          else
-            render :interactive_bulk_action, formats: [:html]
-          end
+          render :interactive_bulk_action, layout: modal_layout, formats: [:html]
         end
 
         # POST /resources/bulk_actions/:interactive_action?ids[]=1&ids[]=2
@@ -177,7 +158,7 @@ module Plutonium
                 end
               else
                 format.any(:html, :turbo_stream) do
-                  render :interactive_bulk_action, formats: [:html], status: :unprocessable_content
+                  render :interactive_bulk_action, layout: modal_layout, formats: [:html], status: :unprocessable_content
                 end
                 format.any do
                   @errors = @interaction.errors
@@ -190,6 +171,11 @@ module Plutonium
 
         private
 
+        # Returns false for modal requests (skip layout), nil otherwise (use default layout)
+        def modal_layout
+          helpers.current_turbo_frame.present? ? false : nil
+        end
+
         def current_interactive_action
           @current_interactive_action = interactive_resource_actions[params[:interactive_action].to_sym]
         end

data/lib/plutonium/resource/controllers/presentable.rb

@@ -17,7 +17,7 @@ module Plutonium
               presentable_attributes -= [parent_input_param, :"#{parent_input_param}_id"]
             end
             if scoped_to_entity? && !present_scoped_entity?
-              presentable_attributes -= [scoped_entity_param_key, :"#{scoped_entity_param_key}_id"]
+              presentable_attributes -= scoped_entity_field_names
             end
             presentable_attributes
           end
@@ -33,11 +33,49 @@ module Plutonium
             submittable_attributes -= [parent_input_param, :"#{parent_input_param}_id"]
           end
           if scoped_to_entity? && !submit_scoped_entity?
-            submittable_attributes -= [scoped_entity_param_key, :"#{scoped_entity_param_key}_id"]
+            submittable_attributes -= scoped_entity_field_names
           end
           submittable_attributes
         end
 
+        # Returns all field names related to the scoped entity.
+        # Finds associations by class to handle cases where param_key differs from association name.
+        def scoped_entity_field_names
+          field_names = [scoped_entity_param_key, :"#{scoped_entity_param_key}_id"]
+
+          assoc_name = scoped_entity_association
+          if assoc_name
+            field_names << assoc_name
+            field_names << :"#{assoc_name}_id"
+          end
+
+          field_names.uniq
+        end
+
+        # Returns the name of the belongs_to association pointing to the scoped entity class.
+        # Raises if multiple associations exist (ambiguous - user must configure manually).
+        # @return [Symbol, nil] the association name or nil if not found
+        def scoped_entity_association
+          return @scoped_entity_association if defined?(@scoped_entity_association)
+
+          matching_assocs = resource_class.reflect_on_all_associations(:belongs_to).select do |assoc|
+            assoc.klass.name == scoped_entity_class.name
+          rescue NameError
+            false
+          end
+
+          if matching_assocs.size > 1
+            assoc_names = matching_assocs.map(&:name).join(", ")
+            raise <<~MSG.squish
+              #{resource_class} has multiple associations to #{scoped_entity_class}: #{assoc_names}.
+              Plutonium cannot auto-detect which one to use for entity scoping.
+              Override `scoped_entity_association` in your controller to specify the association.
+            MSG
+          end
+
+          @scoped_entity_association = matching_assocs.first&.name
+        end
+
         def build_collection
           current_definition.collection_class.new(@resource_records, resource_fields: presentable_attributes, resource_definition: current_definition)
         end
@@ -47,7 +85,12 @@ module Plutonium
         end
 
         def build_form(record = resource_record!, action: action_name, form_action: nil, **)
-          form_options = {resource_fields: submittable_attributes_for(action), resource_definition: current_definition, **}
+          form_options = {
+            resource_fields: submittable_attributes_for(action),
+            resource_definition: current_definition,
+            singular_resource: singular_resource_context?,
+            **
+          }
           form_options[:action] = form_action unless form_action.nil?
           current_definition.form_class.new(record, **form_options)
         end

data/lib/plutonium/resource/record/associated_with.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-# lib/plutonium/resource/associations.rb
 module Plutonium
   module Resource
     module Record
@@ -9,6 +8,13 @@ module Plutonium
 
         included do
           scope :associated_with, ->(record) do
+            # If scoping to same class, just match by ID (e.g., Team scoped to Team)
+            # Compare by name to handle Rails class reloading (different object_id after reload)
+            if klass.name == record.class.name
+              pk = klass.primary_key
+              return where(pk => record.public_send(pk))
+            end
+
             named_scope = :"associated_with_#{record.model_name.singular}"
             return send(named_scope, record) if respond_to?(named_scope)
 

data/lib/plutonium/routing/mapper_extensions.rb

@@ -44,16 +44,28 @@ module Plutonium
         end
       end
 
+      # Draws routes wrapped in entity scope when using path-based entity scoping.
+      #
+      # @param scope_params [Hash, nil] Scope params from RouteSetExtensions, or nil if no scoping
+      # @param block [Proc] The block containing route definitions.
+      # @return [void]
+      def draw_routes_with_entity_scope(scope_params, &block)
+        if scope_params
+          scope scope_params[:name], **scope_params[:options] do
+            instance_exec(&block)
+            materialize_resource_routes
+          end
+        else
+          instance_exec(&block)
+          materialize_resource_routes
+        end
+      end
+
       # Materializes all registered resource routes.
       #
       # @return [void]
       def materialize_resource_routes
-        engine = route_set.engine
-        scope_params = determine_scope_params(engine)
-
-        scope scope_params[:name], scope_params[:options] do
-          concerns resource_route_concern_names.sort
-        end
+        concerns resource_route_concern_names.sort
       end
 
       # @return [ActionDispatch::Routing::RouteSet] The current route set.
@@ -149,18 +161,6 @@ module Plutonium
             as: :commit_interactive_resource_action
         end
       end
-
-      # Determines the scope parameters based on the engine configuration.
-      #
-      # @param engine [Class] The current engine.
-      # @return [Hash] Scope name and options.
-      def determine_scope_params(engine)
-        scoped_entity_param_key = engine.scoped_entity_param_key if engine.scoped_entity_strategy == :path
-        {
-          name: scoped_entity_param_key.present? ? ":#{scoped_entity_param_key}" : "",
-          options: scoped_entity_param_key.present? ? {as: scoped_entity_param_key} : {}
-        }
-      end
     end
   end
 end

data/lib/plutonium/routing/route_set_extensions.rb

@@ -34,11 +34,11 @@ module Plutonium
       # @yield Executes the given block in the context of route drawing.
       def draw(&block)
         if self.class.supported_engine?(engine)
+          scope_params = entity_scope_params_for_path_strategy
           ActiveSupport::Notifications.instrument("plutonium.resource_routes.draw", app: engine.to_s) do
             super do
               setup_shared_resource_concerns
-              instance_exec(&block)
-              materialize_resource_routes
+              draw_routes_with_entity_scope(scope_params, &block)
             end
           end
         else
@@ -46,6 +46,19 @@ module Plutonium
         end
       end
 
+      # Determines entity scope parameters for path-based scoping.
+      #
+      # @return [Hash, nil] Scope params if path-based scoping is enabled, nil otherwise
+      def entity_scope_params_for_path_strategy
+        return nil unless engine.scoped_entity_strategy == :path
+
+        param_key = engine.scoped_entity_param_key
+        {
+          name: ":#{param_key}",
+          options: {as: param_key}
+        }
+      end
+
       # Registers a resource for routing.
       #
       # @param resource [Class] The resource class to be registered.
@@ -75,6 +88,14 @@ module Plutonium
         resource_route_config_lookup.slice(*routes).values
       end
 
+      # Checks if a resource is registered as a singular route.
+      #
+      # @param route_key [String] The route key (e.g., "users" or "users/profiles")
+      # @return [Boolean] true if the resource is a singular route, false otherwise
+      def singular_resource_route?(route_key)
+        resource_route_config_for(route_key)[0]&.[](:route_type) == :resource
+      end
+
       # Returns the current engine for the routes.
       #
       # @return [Class] The engine class (Rails application or custom engine).