radiant-reader-extension 1.3.13 → 2.0.0.rc4

data/lib/grouped_model.rb

@@ -0,0 +1,125 @@
+module GroupedModel
+  def self.included(base)
+    base.extend ClassMethods
+  end
+
+  module ClassMethods
+    def has_groups?
+      false
+    end
+    alias :has_group? :has_groups?
+    
+    def has_groups(options={})
+      return if has_groups?
+      
+      class_eval {
+        include GroupedModel::GroupedInstanceMethods
+
+        def self.has_groups?
+          true
+        end
+        
+        def self.visible
+          ungrouped
+        end
+      }
+      
+      has_many :permissions, :as => :permitted
+      has_many :groups, :through => :permissions
+      Group.define_retrieval_methods(self.to_s)
+
+      named_scope :visible_to, lambda { |reader| 
+        conditions = "pp.group_id IS NULL"
+        if reader && reader.groups.any?
+          ids = reader.group_ids
+          conditions = ["#{conditions} OR pp.group_id IS NULL OR pp.group_id IN(#{ids.map{"?"}.join(',')})", *ids]
+        end
+        {
+          :joins => "LEFT OUTER JOIN permissions as pp on pp.permitted_id = #{self.table_name}.id AND pp.permitted_type = '#{self.to_s}'",
+          :group => column_names.map { |n| self.table_name + '.' + n }.join(','),
+          :conditions => conditions,
+          :readonly => false
+        } 
+      }
+
+      named_scope :ungrouped, {
+        :select => "#{self.table_name}.*, count(pp.id) as group_count",
+        :joins => "LEFT OUTER JOIN permissions as pp on pp.permitted_id = #{self.table_name}.id AND pp.permitted_type = '#{self.to_s}'", 
+        :having => "group_count = 0",
+        :group => column_names.map { |n| self.table_name + '.' + n }.join(','),    # postgres requires that we group by all selected (but not aggregated) columns
+        :readonly => false
+      } do
+        def count
+          length
+        end
+      end
+
+      named_scope :grouped, {
+        :select => "#{self.table_name}.*, count(pp.id) as group_count",
+        :joins => "LEFT OUTER JOIN permissions as pp on pp.permitted_id = #{self.table_name}.id AND pp.permitted_type = '#{self.to_s}'", 
+        :having => "group_count > 0",
+        :group => column_names.map { |n| self.table_name + '.' + n }.join(','),
+        :readonly => false
+      } do
+        def count
+          length
+        end
+      end
+      
+      named_scope :belonging_to, lambda { |group| 
+        {
+          :joins => "INNER JOIN permissions as pp on pp.permitted_id = #{self.table_name}.id AND pp.permitted_type = '#{self.to_s}'", 
+          :group => column_names.map { |n| self.table_name + '.' + n }.join(','),
+          :conditions => ["pp.group_id = ?", group.id],
+          :readonly => false
+        }
+      }
+            
+    end
+    alias :has_group :has_groups
+  end
+
+  module GroupedInstanceMethods
+
+    # in GroupedPage this is chained to include inherited groups
+    def permitted_groups
+      groups
+    end
+
+    def visible_to?(reader)
+      Rails.logger.warn "grouped_model#visible_to?"
+      return true if self.permitted_groups.empty?
+      return false if reader.nil?
+      return true if reader.is_admin?
+      return (reader.groups & self.permitted_groups).any?
+    end
+
+    def group
+      if self.permitted_groups.length == 1
+        self.permitted_groups.first
+      else
+        nil
+      end
+    end
+    
+    def visible?
+      permitted_groups.empty?
+    end
+
+    def permitted_readers
+      permitted_groups.any? ? Reader.in_groups(permitted_groups) : Reader.all
+    end
+    
+    def has_group?(group)
+      return self.permitted_groups.include?(group)
+    end
+    
+    def permit(group)
+      self.groups << group unless self.has_group?(group)
+    end
+
+    def group_ids=(ids)
+      self.groups = Group.from_list(ids)
+    end
+  end
+end

data/lib/grouped_page.rb

@@ -0,0 +1,39 @@
+module GroupedPage
+
+  def self.included(base)
+    base.class_eval {
+      has_groups
+      has_one :homegroup, :foreign_key => 'homepage_id', :class_name => 'Group'
+      include InstanceMethods
+      alias_method_chain :permitted_groups, :inheritance
+    }
+  end
+  
+  module InstanceMethods
+    
+    attr_reader :inherited_groups
+    def inherited_groups
+      @inherited_groups ||= self.parent ? Group.attached_to(self.ancestors) : []
+    end
+
+    def permitted_groups_with_inheritance
+      permitted_groups_without_inheritance + inherited_groups
+    end
+
+    def cache?
+      self.permitted_groups.empty?
+    end        
+
+    def has_inherited_group?(group)
+      return self.inherited_groups.include?(group)
+    end
+    
+    def group_is_inherited?(group)
+      return self.has_inherited_group?(group) && !self.has_group?(group)
+    end
+    
+  end
+
+end
+
+

data/lib/message_tags.rb

@@ -0,0 +1,183 @@
+module MessageTags
+  include Radiant::Taggable
+  include ReaderHelper
+  
+  class TagError < StandardError; end
+
+  # I can see this causing problems: will change soon
+
+  desc %{
+    The root 'site' tag is not meant to be called directly. 
+    All it does is to prepare the way for eg.
+    <pre><code><r:site:url /></code></pre>
+  }
+  tag 'site' do |tag|
+    raise TagError, "r:site currently only works in email" unless @mailer_vars
+    raise TagError, "no site" unless tag.locals.site = @mailer_vars[:@site]
+    tag.expand
+  end
+  tag 'site:name' do |tag|
+    if defined?(Site) && tag.locals.site.is_a?(Site)
+      tag.locals.site.name
+    else
+      tag.locals.site[:name]
+    end
+  end
+  tag 'site:url' do |tag|
+    if defined?(Site) && tag.locals.site.is_a?(Site)
+      tag.locals.site.base_domain
+    else
+      tag.locals.site[:url]
+    end
+  end
+  tag 'site:login_url' do |tag|
+    reader_login_url(:host => @mailer_vars[:@host])
+  end
+
+  desc %{
+    The root 'recipient' tag is not meant to be called directly. 
+    All it does is summon a reader object so that its fields can be displayed with eg.
+    <pre><code><r:recipient:name /></code></pre>
+  }
+  tag 'recipient' do |tag|
+    raise TagError, "r:recipient only works in email" unless @mailer_vars
+    raise TagError, "no recipient" unless tag.locals.recipient = @mailer_vars[:@reader]
+    tag.expand
+  end
+
+  [:name, :forename, :email, :description, :login].each do |field|
+    desc %{
+      Only for use in email messages. Displays the #{field} field of the reader currently being emailed.
+      <pre><code><r:recipient:#{field} /></code></pre>
+    }
+    tag "recipient:#{field}" do |tag|
+      tag.locals.recipient.send(field)
+    end
+  end
+
+  desc %{
+    Only for use in email messages. Displays the password of the reader currently being emailed, if we still have it.
+
+    (After the first successful login we forget the cleartext version of their password, so you only want to use this 
+    tag in welcome and activation messages.)
+  
+    <pre><code><r:recipient:url /></code></pre>
+  }
+  tag "recipient:password" do |tag|
+    tag.locals.recipient.clear_password || "<encrypted>"
+  end
+
+  desc %{
+    Only for use in email messages. Displays the me-page url of the reader currently being emailed.
+    <pre><code><r:recipient:url /></code></pre>
+  }
+  tag "recipient:url" do |tag|
+    reader_url(tag.locals.recipient, :host => @mailer_vars[:@host])
+  end
+
+  desc %{
+    Only for use in email messages. Displays the preferences url of the reader currently being emailed.
+    <pre><code><r:recipient:url /></code></pre>
+  }
+  tag "recipient:edit_url" do |tag|
+    edit_reader_url(tag.locals.recipient, :host => @mailer_vars[:@host])
+  end
+
+  desc %{
+    Only for use in email messages. Displays the address that will activate the current reader account.
+    <pre><code><r:recipient:activation_url /></code></pre>
+  }
+  tag "recipient:activation_url" do |tag|
+    activate_me_url(tag.locals.recipient, :activation_code => tag.locals.recipient.perishable_token, :host => @mailer_vars[:@host])
+  end
+
+  desc %{
+    Only for use in email messages. Displays the address that will bring up a new-password form for the current reader account.
+    <pre><code><r:recipient:repassword_url /></code></pre>
+  }
+  tag "recipient:repassword_url" do |tag|
+    repassword_me_url(tag.locals.recipient, :confirmation_code => tag.locals.recipient.perishable_token, :host => @mailer_vars[:@host])
+  end
+
+  desc %{
+    The root 'sender' tag is not meant to be called directly. 
+    All it does is summon a sender object so that its fields can be displayed with eg.
+    <pre><code><r:sender:name /></code></pre>
+  }
+  tag 'sender' do |tag|
+    raise TagError, "r:sender only works in email" unless @mailer_vars
+    tag.expand
+  end
+
+  desc %{
+    Only for use in email messages. Displays the name of the email-sender (which is probably configured in `email.name`)
+    <pre><code><r:sender:name /></code></pre>
+  }
+  tag "sender:name" do |tag|
+    @mailer_vars['sender']
+  end
+
+  desc %{
+    Only for use in email messages. Displays the address of the email-sender (which is probably configured in `email.address`)
+    <pre><code><r:sender:address /></code></pre>
+  }
+  tag "sender:address" do |tag|
+    @mailer_vars['reply_to']
+  end
+
+  # and for referring to messages on pages
+  # at the moment this only works inside r:reader:messages:each or r:group:messages:each, 
+  # both of which are defined in reader_group
+  # but soon there will be a conditional r:messages:each tag here too
+
+  desc %{
+    The root 'message' tag is not meant to be called directly. 
+    All it does is summon a message object so that its fields can be displayed with eg.
+    <pre><code><r:message:subject /></code></pre>
+  }
+  tag 'message' do |tag|
+    raise TagError, "no message!" unless tag.locals.message
+    tag.expand
+  end
+
+  desc %{
+    Displays the message subject.
+  
+    <pre><code><r:message:subject /></code></pre>
+  }
+  tag "message:subject" do |tag|
+    tag.locals.message.subject
+  end
+
+  desc %{
+    Displays the formatted message body.
+  
+    <pre><code><r:message:body /></code></pre>
+  }
+  tag "message:body" do |tag|
+    tag.locals.message.filtered_body
+  end
+
+  desc %{
+    Returns the url of the show-message page.
+  
+    <pre><code><r:message:url /></code></pre>
+  }
+  tag "message:url" do |tag|
+    preview_message_path(tag.locals.message)
+  end
+
+  desc %{
+    Displays a link to the show-message page.
+  
+    <pre><code><r:message:link /></code></pre>
+  }
+  tag "message:link" do |tag|
+    options = tag.attr.dup
+    attributes = options.inject('') { |s, (k, v)| s << %{#{k.downcase}="#{v}" } }.strip
+    attributes = " #{attributes}" unless attributes.empty?
+    text = tag.double? ? tag.expand : tag.render('message:subject')
+    %{<a href="#{tag.render('message:url')}"#{attributes}>#{text}</a>}
+  end
+
+end

data/lib/radiant-reader-extension.rb

@@ -0,0 +1,8 @@
+module RadiantReaderExtension
+  VERSION = '2.0.0.rc4'
+  SUMMARY = %q{Reader/viewer/visitor registration, login and access-control for Radiant CMS}
+  DESCRIPTION = %q{Provides reader/member/user registration and management functions including password-reminder, group-based page access control and administrative email.}
+  URL = "http://radiant.spanner.org/reader"
+  AUTHORS = ["William Ross"]
+  EMAIL = ["radiant@spanner.org"]
+end

data/lib/reader_admin_ui.rb

@@ -3,13 +3,15 @@ module ReaderAdminUI
  def self.included(base)
    base.class_eval do
 
-      attr_accessor :reader, :message, :reader_configuration
+      attr_accessor :reader, :message, :group, :reader_configuration
       alias_method :readers, :reader
       alias_method :messages, :message
+      alias_method :groups, :group
 
       def load_reader_extension_regions
         @reader = load_default_reader_regions
         @message = load_default_message_regions
+        @group = load_default_group_regions
         @reader_configuration = load_default_reader_configuration_regions
       end
 
@@ -22,10 +24,10 @@ module ReaderAdminUI
     protected
 
       def load_default_reader_regions
-        returning OpenStruct.new do |reader|
+        OpenStruct.new.tap do |reader|
           reader.edit = Radiant::AdminUI::RegionSet.new do |edit|
             edit.main.concat %w{edit_header edit_form}
-            edit.form.concat %w{edit_name edit_email edit_username edit_password edit_description edit_notes}
+            edit.form.concat %w{edit_name edit_email edit_username edit_password reader_groups edit_description edit_notes}
             edit.form_bottom.concat %w{edit_timestamp edit_buttons}
           end
           reader.index = Radiant::AdminUI::RegionSet.new do |index|
@@ -39,7 +41,7 @@ module ReaderAdminUI
       end
 
       def load_default_reader_configuration_regions
-        returning OpenStruct.new do |reader_configuration|
+        OpenStruct.new.tap do |reader_configuration|
           reader_configuration.show = Radiant::AdminUI::RegionSet.new do |show|
             show.settings.concat %w{administration}
             show.messages.concat %w{administration}
@@ -53,10 +55,10 @@ module ReaderAdminUI
       end
 
       def load_default_message_regions
-        returning OpenStruct.new do |message|
+        OpenStruct.new.tap do |message|
           message.edit = Radiant::AdminUI::RegionSet.new do |edit|
             edit.main.concat %w{edit_header edit_form edit_footer}
-            edit.form.concat %w{edit_subject edit_body}
+            edit.form.concat %w{edit_subject edit_body edit_group}
             edit.form_bottom.concat %w{edit_timestamp edit_buttons}
           end
           message.index = Radiant::AdminUI::RegionSet.new do |index|
@@ -73,6 +75,27 @@ module ReaderAdminUI
           message.new = message.edit
         end
       end
+
+      def load_default_group_regions
+        OpenStruct.new.tap do |group|
+          group.edit = Radiant::AdminUI::RegionSet.new do |edit|
+            edit.main.concat %w{edit_header edit_form}
+            edit.form.concat %w{edit_group edit_timestamp edit_buttons}
+          end
+          group.show = Radiant::AdminUI::RegionSet.new do |show|
+            show.header.concat %w{title}
+            show.main.concat %w{messages pages members}
+            show.footer.concat %w{notes javascript}
+          end
+          group.index = Radiant::AdminUI::RegionSet.new do |index|
+            index.thead.concat %w{name_header home_header members_header pages_header modify_header}
+            index.tbody.concat %w{name_cell home_cell members_cell pages_cell modify_cell}
+            index.bottom.concat %w{buttons}
+          end
+          group.remove = group.index
+          group.new = group.edit
+        end
+      end
     end
   end
 end

data/lib/reader_tags.rb

@@ -1,183 +1,19 @@
 module ReaderTags
   include Radiant::Taggable
   include ReaderHelper
+  include GroupTags
+  include MessageTags
   
   class TagError < StandardError; end
 
-  # I can see this causing problems: will change soon
+  # I need to find a better way to do this, but this gives a starting point
 
-  desc %{
-    The root 'site' tag is not meant to be called directly. 
-    All it does is to prepare the way for eg.
-    <pre><code><r:site:url /></code></pre>
-  }
-  tag 'site' do |tag|
-    raise TagError, "r:site currently only works in email" unless @mailer_vars
-    raise TagError, "no site" unless tag.locals.site = @mailer_vars[:@site]
-    tag.expand
-  end
-  tag 'site:name' do |tag|
-    if defined?(Site) && tag.locals.site.is_a?(Site)
-      tag.locals.site.name
-    else
-      tag.locals.site[:name]
-    end
-  end
-  tag 'site:url' do |tag|
-    if defined?(Site) && tag.locals.site.is_a?(Site)
-      tag.locals.site.base_domain
-    else
-      tag.locals.site[:url]
-    end
-  end
-  tag 'site:login_url' do |tag|
-    reader_login_url(:host => @mailer_vars[:@host])
-  end
-
-  desc %{
-    The root 'recipient' tag is not meant to be called directly. 
-    All it does is summon a reader object so that its fields can be displayed with eg.
-    <pre><code><r:recipient:name /></code></pre>
-  }
-  tag 'recipient' do |tag|
-    raise TagError, "r:recipient only works in email" unless @mailer_vars
-    raise TagError, "no recipient" unless tag.locals.recipient = @mailer_vars[:@reader]
-    tag.expand
-  end
-  
-  [:name, :forename, :email, :description, :login].each do |field|
-    desc %{
-      Only for use in email messages. Displays the #{field} field of the reader currently being emailed.
-      <pre><code><r:recipient:#{field} /></code></pre>
-    }
-    tag "recipient:#{field}" do |tag|
-      tag.locals.recipient.send(field)
-    end
-  end
-  
-  desc %{
-    Only for use in email messages. Displays the password of the reader currently being emailed, if we still have it.
-
-    (After the first successful login we forget the cleartext version of their password, so you only want to use this 
-    tag in welcome and activation messages.)
-    
-    <pre><code><r:recipient:url /></code></pre>
-  }
-  tag "recipient:password" do |tag|
-    tag.locals.recipient.clear_password || "<encrypted>"
-  end
-  
-  desc %{
-    Only for use in email messages. Displays the me-page url of the reader currently being emailed.
-    <pre><code><r:recipient:url /></code></pre>
-  }
-  tag "recipient:url" do |tag|
-    reader_url(tag.locals.recipient, :host => @mailer_vars[:@host])
-  end
-
-  desc %{
-    Only for use in email messages. Displays the preferences url of the reader currently being emailed.
-    <pre><code><r:recipient:url /></code></pre>
-  }
-  tag "recipient:edit_url" do |tag|
-    edit_reader_url(tag.locals.recipient, :host => @mailer_vars[:@host])
-  end
-
-  desc %{
-    Only for use in email messages. Displays the address that will activate the current reader account.
-    <pre><code><r:recipient:activation_url /></code></pre>
-  }
-  tag "recipient:activation_url" do |tag|
-    activate_me_url(tag.locals.recipient, :activation_code => tag.locals.recipient.perishable_token, :host => @mailer_vars[:@host])
-  end
-
-  desc %{
-    Only for use in email messages. Displays the address that will bring up a new-password form for the current reader account.
-    <pre><code><r:recipient:repassword_url /></code></pre>
-  }
-  tag "recipient:repassword_url" do |tag|
-    repassword_me_url(tag.locals.recipient, :confirmation_code => tag.locals.recipient.perishable_token, :host => @mailer_vars[:@host])
-  end
-
-  desc %{
-    The root 'sender' tag is not meant to be called directly. 
-    All it does is summon a sender object so that its fields can be displayed with eg.
-    <pre><code><r:sender:name /></code></pre>
-  }
-  tag 'sender' do |tag|
-    raise TagError, "r:sender only works in email" unless @mailer_vars
-    tag.expand
+  tag 'reader_css' do |tag|
+    %{<link rel="stylesheet" href="/stylesheets/reader.css" media="all" />}
   end
 
-  desc %{
-    Only for use in email messages. Displays the name of the email-sender (which is probably configured in `email.name`)
-    <pre><code><r:sender:name /></code></pre>
-  }
-  tag "sender:name" do |tag|
-    @mailer_vars['sender']
-  end
-
-  desc %{
-    Only for use in email messages. Displays the address of the email-sender (which is probably configured in `email.address`)
-    <pre><code><r:sender:address /></code></pre>
-  }
-  tag "sender:address" do |tag|
-    @mailer_vars['reply_to']
-  end
-
-  # and for referring to messages on pages
-  # at the moment this only works inside r:reader:messages:each or r:group:messages:each, 
-  # both of which are defined in reader_group
-  # but soon there will be a conditional r:messages:each tag here too
-
-  desc %{
-    The root 'message' tag is not meant to be called directly. 
-    All it does is summon a message object so that its fields can be displayed with eg.
-    <pre><code><r:message:subject /></code></pre>
-  }
-  tag 'message' do |tag|
-    raise TagError, "no message!" unless tag.locals.message
-    tag.expand
-  end
-
-  desc %{
-    Displays the message subject.
-    
-    <pre><code><r:message:subject /></code></pre>
-  }
-  tag "message:subject" do |tag|
-    tag.locals.message.subject
-  end
-
-  desc %{
-    Displays the formatted message body.
-    
-    <pre><code><r:message:body /></code></pre>
-  }
-  tag "message:body" do |tag|
-    tag.locals.message.filtered_body
-  end
-
-  desc %{
-    Returns the url of the show-message page.
-    
-    <pre><code><r:message:url /></code></pre>
-  }
-  tag "message:url" do |tag|
-    preview_message_path(tag.locals.message)
-  end
-
-  desc %{
-    Displays a link to the show-message page.
-    
-    <pre><code><r:message:link /></code></pre>
-  }
-  tag "message:link" do |tag|
-    options = tag.attr.dup
-    attributes = options.inject('') { |s, (k, v)| s << %{#{k.downcase}="#{v}" } }.strip
-    attributes = " #{attributes}" unless attributes.empty?
-    text = tag.double? ? tag.expand : tag.render('message:subject')
-    %{<a href="#{tag.render('message:url')}"#{attributes}>#{text}</a>}
+  tag 'reader_js' do |tag|
+    %{<script type="text/javascript" src="/javascripts/reader.js"></script>}
   end
 
   desc %{
@@ -295,16 +131,4 @@ module ReaderTags
   tag "unless_reader" do |tag|
     tag.expand unless Reader.current && !tag.locals.page.cache?
   end
-  
-  # work in progress
-  tag "truncated" do |tag|
-    limit = tag.attr['limit'] || 64
-    omission = tag.attr['omission'] || '&hellip;'
-    content = tag.expand
-    
-    Rails.logger.warn "!! truncating #{content} to #{limit}#{omission}"
-    
-    truncate_words(content, limit, omission)
-  end
-
 end

data/lib/sanitize/config/generous.rb

@@ -0,0 +1,49 @@
+#--
+# Copyright (c) 2011 Ryan Grove <ryan@wonko.com>
+# 
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the 'Software'), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# 
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+# 
+# THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#++
+
+class Sanitize
+  module Config
+    GENEROUS = {
+      :elements => %w[
+        a b blockquote br caption cite code dd del dl dt em h1 h2 h3 h4 h5 h6 i img li ol p pre small span strike strong sub sup table tbody td th thead tr u ul
+      ],
+
+      :attributes => {
+        :all         => ['dir', 'lang', 'title', 'class'],
+        'a'          => ['href'],
+        'blockquote' => ['cite'],
+        'img'        => ['align', 'alt', 'height', 'src', 'width'],
+        'ol'         => ['start', 'reversed', 'type'],
+        'ul'         => ['type'],
+        'th'         => ['colspan', 'rowspan'],
+        'td'         => ['colspan', 'rowspan']
+      },
+
+      :protocols => {
+        'a'          => {'href' => ['ftp', 'http', 'https', 'mailto', :relative]},
+        'blockquote' => {'cite' => ['http', 'https', :relative]},
+        'del'        => {'cite' => ['http', 'https', :relative]},
+        'img'        => {'src'  => ['http', 'https', :relative]},
+      }
+    }
+  end
+end