rsb-admin 0.9.1

data/app/controllers/concerns/rsb/admin/authorization.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    module Authorization
+      extend ActiveSupport::Concern
+
+      private
+
+      def authorize_admin_action!(resource: nil, action: nil)
+        resource ||= controller_name
+        action ||= action_name
+
+        return if current_admin_user.can?(resource, action)
+
+        render template: 'rsb/admin/shared/forbidden', status: :forbidden
+        nil
+      end
+    end
+  end
+end

data/app/controllers/rsb/admin/admin_controller.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    class AdminController < ActionController::Base
+      layout -> { RSB::Admin.configuration.layout }
+
+      include Authorization
+
+      helper RSB::Admin::IconsHelper
+      helper RSB::Admin::ThemeHelper
+      helper RSB::Admin::FormattingHelper
+      helper RSB::Admin::I18nHelper
+      helper RSB::Admin::TableHelper
+      helper RSB::Admin::AuthorizationHelper
+      helper RSB::Admin::BrandingHelper
+      helper RSB::Admin::UrlHelper
+      include RSB::Admin::UrlHelper
+      helper RSB::Settings::LocaleHelper
+      include RSB::Settings::LocaleHelper
+      helper RSB::Settings::SeoHelper
+      include RSB::Settings::SeoHelper
+
+      before_action :set_seo_context
+      before_action :check_admin_enabled
+      before_action :require_admin_authentication
+      before_action :enforce_two_factor_enrollment
+      before_action :build_breadcrumbs
+      before_action :track_session_activity
+
+      helper_method :current_admin_user, :admin_registry, :breadcrumbs, :current_admin_session
+
+      private
+
+      def set_seo_context
+        @rsb_seo_context = :admin
+      end
+
+      def check_admin_enabled
+        return if RSB::Admin.enabled?
+
+        render template: 'rsb/admin/shared/disabled', layout: false, status: :service_unavailable
+      end
+
+      def require_admin_authentication
+        return if current_admin_user
+
+        redirect_to rsb_admin.login_path, alert: 'Please sign in.'
+      end
+
+      def enforce_two_factor_enrollment
+        return unless current_admin_user
+        return unless ActiveModel::Type::Boolean.new.cast(RSB::Settings.get('admin.require_two_factor'))
+        return if current_admin_user.otp_enabled?
+
+        # Allow access to TwoFactorController and logout
+        return if is_a?(RSB::Admin::TwoFactorController)
+        return if controller_name == 'sessions' && action_name == 'destroy'
+
+        redirect_to rsb_admin.new_profile_two_factor_path,
+                    alert: 'Two-factor authentication is required. Please set up 2FA to continue.'
+      end
+
+      def current_admin_user
+        return @current_admin_user if defined?(@current_admin_user)
+
+        token = session[:rsb_admin_session_token]
+        @current_admin_session = token ? AdminSession.find_by(session_token: token) : nil
+        @current_admin_user = @current_admin_session&.admin_user
+      end
+
+      # Returns the current admin session record for this request.
+      # Must call current_admin_user first to populate.
+      #
+      # @return [AdminSession, nil]
+      def current_admin_session
+        current_admin_user unless defined?(@current_admin_session)
+        @current_admin_session
+      end
+
+      # Touches the current session's last_active_at timestamp.
+      # Runs on every authenticated request. Uses update_column
+      # to avoid callbacks/timestamps overhead.
+      #
+      # @return [void]
+      def track_session_activity
+        current_admin_session&.touch_activity!
+      end
+
+      def admin_registry
+        RSB::Admin.registry
+      end
+
+      def breadcrumbs
+        @breadcrumbs || []
+      end
+
+      # Builds the initial breadcrumb trail with the app name as root.
+      # The root item links to the dashboard path as the home destination.
+      # Subclasses call super and then add their own items via add_breadcrumb.
+      #
+      # If breadcrumbs were passed via request.env (from Rack dispatch),
+      # those are used instead of building from scratch.
+      #
+      # @return [void]
+      def build_breadcrumbs
+        if request.env['rsb.admin.breadcrumbs']
+          @breadcrumbs = request.env['rsb.admin.breadcrumbs'].dup
+          return
+        end
+
+        @breadcrumbs = [
+          RSB::Admin::BreadcrumbItem.new(
+            label: RSB::Settings.get('admin.app_name').to_s.presence || RSB::Admin.configuration.app_name,
+            path: rsb_admin.dashboard_path
+          )
+        ]
+      end
+
+      # Appends a breadcrumb item to the current trail.
+      #
+      # @param label [String] the text to display
+      # @param path [String, nil] the URL path (nil for current/last item)
+      # @return [void]
+      def add_breadcrumb(label, path = nil)
+        @breadcrumbs << RSB::Admin::BreadcrumbItem.new(label: label, path: path)
+      end
+
+      # Replaces the entire breadcrumb trail.
+      #
+      # @param items [Array<RSB::Admin::BreadcrumbItem>] the new breadcrumb items
+      # @return [void]
+      def set_breadcrumbs(items)
+        @breadcrumbs = items
+      end
+    end
+  end
+end

data/app/controllers/rsb/admin/admin_users_controller.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    # Handles CRUD operations for admin user accounts.
+    # Provides listing, viewing, creating, editing, updating,
+    # and deleting admin users, with self-deletion protection.
+    class AdminUsersController < AdminController
+      before_action :authorize_admin_users
+      before_action :set_admin_user, only: %i[show edit update destroy]
+
+      # GET /admin/admin_users
+      # Lists all admin users ordered by email, eagerly loading roles.
+      def index
+        @rsb_page_title = I18n.t('rsb.admin.admin_users.index.page_title', default: 'Admin Users')
+        @admin_users = AdminUser.includes(:role).order(:email)
+      end
+
+      # GET /admin/admin_users/:id
+      # Displays details for a single admin user.
+      def show; end
+
+      # GET /admin/admin_users/new
+      # Renders the form for creating a new admin user.
+      def new
+        @admin_user = AdminUser.new
+      end
+
+      # POST /admin/admin_users
+      # Creates a new admin user with the given params.
+      # Redirects to show on success, re-renders form on failure.
+      def create
+        @admin_user = AdminUser.new(admin_user_params)
+        if @admin_user.save
+          redirect_to rsb_admin.admin_user_path(@admin_user), notice: 'Admin user created.'
+        else
+          render :new, status: :unprocessable_entity
+        end
+      end
+
+      # GET /admin/admin_users/:id/edit
+      # Renders the edit form for an existing admin user.
+      def edit; end
+
+      # PATCH /admin/admin_users/:id
+      # Updates an existing admin user.
+      # Blank password fields are stripped so the existing password is not cleared.
+      def update
+        update_params = admin_user_params
+        if update_params[:password].blank?
+          update_params.delete(:password)
+          update_params.delete(:password_confirmation)
+        end
+
+        if @admin_user.update(update_params)
+          redirect_to rsb_admin.admin_user_path(@admin_user), notice: 'Admin user updated.'
+        else
+          render :edit, status: :unprocessable_entity
+        end
+      end
+
+      # DELETE /admin/admin_users/:id
+      # Deletes an admin user. Self-deletion is prevented.
+      def destroy
+        if @admin_user == current_admin_user
+          redirect_to rsb_admin.admin_users_path, alert: 'You cannot delete your own account.'
+          return
+        end
+
+        @admin_user.destroy!
+        redirect_to rsb_admin.admin_users_path, notice: 'Admin user deleted.'
+      end
+
+      private
+
+      # Builds breadcrumbs for admin user pages.
+      # Dashboard > System > Admin Users > #ID (if applicable) > New/Edit
+      #
+      # @return [void]
+      def build_breadcrumbs
+        super
+        add_breadcrumb(I18n.t('rsb.admin.shared.system'))
+        add_breadcrumb(I18n.t('rsb.admin.admin_users.title'), rsb_admin.admin_users_path)
+        add_breadcrumb("##{params[:id]}", rsb_admin.admin_user_path(params[:id])) if params[:id].present?
+        add_breadcrumb(I18n.t('rsb.admin.shared.new', resource: 'Admin User')) if action_name.in?(%w[new create])
+        return unless action_name.in?(%w[edit update])
+
+        add_breadcrumb(I18n.t('rsb.admin.shared.edit'))
+      end
+
+      # Finds the admin user by ID from the URL params.
+      # @return [void]
+      def set_admin_user
+        @admin_user = AdminUser.find(params[:id])
+      end
+
+      # Permits the allowed admin user params from the request.
+      # @return [ActionController::Parameters]
+      def admin_user_params
+        params.require(:admin_user).permit(:email, :password, :password_confirmation, :role_id)
+      end
+
+      # Authorizes the current admin user for admin_users actions.
+      # @return [void]
+      def authorize_admin_users
+        authorize_admin_action!(resource: 'admin_users', action: action_name)
+      end
+    end
+  end
+end

data/app/controllers/rsb/admin/dashboard_controller.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    class DashboardController < AdminController
+      before_action :authorize_dashboard, only: :index
+
+      def index
+        @rsb_page_title = I18n.t('rsb.admin.dashboard.page_title', default: 'Dashboard')
+        dashboard_page = RSB::Admin.registry.dashboard_page
+
+        return unless dashboard_page
+
+        dispatch_to_dashboard(dashboard_page, :index)
+      end
+
+      def dashboard_action
+        dashboard_page = RSB::Admin.registry.dashboard_page
+
+        unless dashboard_page
+          head :not_found
+          return
+        end
+
+        action_key = params[:action_key]
+        action = dashboard_page.find_action(action_key)
+
+        unless action
+          head :not_found
+          return
+        end
+
+        authorize_admin_action!(resource: 'dashboard', action: action_key)
+        return if performed?
+
+        request.env['rsb.admin.breadcrumbs'] = @breadcrumbs
+        dispatch_to_dashboard(dashboard_page, action_key.to_sym)
+      end
+
+      private
+
+      # Builds breadcrumbs for the dashboard page.
+      # Admin > Dashboard
+      #
+      # @return [void]
+      def build_breadcrumbs
+        super
+        add_breadcrumb(I18n.t('rsb.admin.dashboard.title'))
+      end
+
+      def authorize_dashboard
+        authorize_admin_action!(resource: 'dashboard', action: 'index')
+      end
+
+      # Dispatch to a custom dashboard controller via Rack interface.
+      #
+      # Uses the same Rack dispatch pattern as ResourcesController for pages.
+      # Passes breadcrumbs via request.env and copies the response (status,
+      # headers, body) back to the current controller.
+      #
+      # @param dashboard_page [PageRegistration] the dashboard page registration
+      # @param action [Symbol] the action to invoke on the custom controller
+      # @return [void]
+      def dispatch_to_dashboard(dashboard_page, action)
+        request.env['rsb.admin.breadcrumbs'] = @breadcrumbs
+        controller_name = dashboard_page.controller
+        controller_class_name = "#{controller_name}_controller".classify
+        controller_class = controller_class_name.constantize
+        status, headers, body = controller_class.action(action).call(request.env)
+        self.status = status
+        self.response_body = body
+        headers.each { |k, v| response.headers[k] = v }
+      end
+    end
+  end
+end

data/app/controllers/rsb/admin/profile_controller.rb

@@ -0,0 +1,146 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    # Handles the admin user profile page where authenticated admins
+    # can view and edit their own email and password.
+    #
+    # Unlike other admin controllers, ProfileController does NOT perform
+    # RBAC authorization — any authenticated admin can access their profile.
+    # This is intentional: even admins with no role can change their
+    # credentials and sign out.
+    class ProfileController < AdminController
+      skip_before_action :require_admin_authentication, only: [:verify_email]
+      skip_before_action :build_breadcrumbs, only: [:verify_email]
+      skip_before_action :track_session_activity, only: [:verify_email]
+      # GET /admin/profile
+      # Displays the current admin user's profile information.
+      #
+      # @return [void]
+      def show
+        @rsb_page_title = I18n.t('rsb.admin.profile.show.page_title', default: 'Profile')
+        @admin_user = current_admin_user
+      end
+
+      # GET /admin/profile/edit
+      # Renders the profile edit form for email and password changes.
+      #
+      # @return [void]
+      def edit
+        @rsb_page_title = I18n.t('rsb.admin.profile.edit.page_title', default: 'Edit Profile')
+        @admin_user = current_admin_user
+      end
+
+      # PATCH /admin/profile
+      # Updates the current admin user's email and/or password.
+      # Requires current password confirmation for all changes.
+      #
+      # Email changes: stores new email as pending_email and sends verification.
+      # Password changes: updates immediately and destroys other sessions.
+      # If email unchanged: only password is updated (if provided).
+      #
+      # @return [void]
+      def update
+        @admin_user = current_admin_user
+
+        unless @admin_user.authenticate(params[:current_password].to_s)
+          flash.now[:alert] = I18n.t('rsb.admin.profile.password_incorrect')
+          render :edit, status: :unprocessable_entity
+          return
+        end
+
+        new_email = params[:admin_user][:email]&.strip&.downcase
+        email_changed = new_email.present? && new_email != @admin_user.email
+
+        # Handle password update
+        password_params = {}
+        if params[:admin_user][:password].present?
+          password_params[:password] = params[:admin_user][:password]
+          password_params[:password_confirmation] = params[:admin_user][:password_confirmation]
+        end
+
+        if password_params.any?
+          unless @admin_user.update(password_params)
+            render :edit, status: :unprocessable_entity
+            return
+          end
+          # Revoke all other sessions on password change (rule #15)
+          @admin_user.admin_sessions.where.not(session_token: session[:rsb_admin_session_token]).destroy_all
+        end
+
+        # Handle email change — initiate verification
+        if email_changed
+          begin
+            @admin_user.generate_email_verification!(new_email)
+            AdminMailer.email_verification(@admin_user).deliver_later
+            redirect_to rsb_admin.profile_path, notice: I18n.t('rsb.admin.profile.verification_sent')
+          rescue ActiveRecord::RecordInvalid
+            render :edit, status: :unprocessable_entity
+          end
+        else
+          redirect_to rsb_admin.profile_path, notice: I18n.t('rsb.admin.profile.updated')
+        end
+      end
+
+      # GET /admin/profile/verify_email?token=...
+      # Confirms a pending email change if the token is valid and not expired.
+      # Does not require authentication — the token itself is the proof.
+      #
+      # @return [void]
+      def verify_email
+        admin = AdminUser.find_by(email_verification_token: params[:token])
+
+        if admin.nil?
+          redirect_to rsb_admin.login_path, alert: I18n.t('rsb.admin.profile.verification_invalid')
+          return
+        end
+
+        if admin.email_verification_expired?
+          redirect_to rsb_admin.profile_path, alert: I18n.t('rsb.admin.profile.verification_expired')
+          return
+        end
+
+        admin.verify_email!
+        redirect_to rsb_admin.profile_path, notice: I18n.t('rsb.admin.profile.email_verified')
+      end
+
+      # POST /admin/profile/resend_verification
+      # Regenerates verification token and resends the verification email.
+      #
+      # @return [void]
+      def resend_verification
+        @admin_user = current_admin_user
+
+        if @admin_user.email_verification_pending?
+          @admin_user.generate_email_verification!(@admin_user.pending_email)
+          AdminMailer.email_verification(@admin_user).deliver_later
+          redirect_to rsb_admin.profile_path, notice: I18n.t('rsb.admin.profile.verification_resent')
+        else
+          redirect_to rsb_admin.profile_path
+        end
+      end
+
+      private
+
+      # Builds breadcrumbs for profile pages.
+      # Admin > Profile (show) or Admin > Profile > Edit (edit/update)
+      #
+      # @return [void]
+      def build_breadcrumbs
+        super
+        add_breadcrumb(I18n.t('rsb.admin.profile.title'), rsb_admin.profile_path)
+        return unless action_name.in?(%w[edit update])
+
+        add_breadcrumb(I18n.t('rsb.admin.shared.edit'))
+      end
+
+      # Permits the allowed profile params from the request.
+      # Note: role_id is NOT permitted — admins cannot change their own role.
+      #
+      # @return [ActionController::Parameters]
+      def profile_params
+        params.require(:admin_user).permit(:email, :password, :password_confirmation)
+      end
+    end
+  end
+end

data/app/controllers/rsb/admin/profile_sessions_controller.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    # Handles session revocation from the admin profile page.
+    #
+    # Like ProfileController, this does NOT perform RBAC authorization —
+    # any authenticated admin can manage their own sessions.
+    class ProfileSessionsController < AdminController
+      # DELETE /admin/profile/sessions/:id
+      # Revokes a single session belonging to the current admin user.
+      # Cannot revoke the current session (safety check).
+      #
+      # @return [void]
+      def destroy
+        admin_session = current_admin_user.admin_sessions.find_by(id: params[:id])
+
+        if admin_session.nil?
+          redirect_to rsb_admin.profile_path, alert: I18n.t('rsb.admin.profile.session_not_found')
+          return
+        end
+
+        if admin_session.current?(session[:rsb_admin_session_token])
+          redirect_to rsb_admin.profile_path, alert: I18n.t('rsb.admin.profile.cannot_revoke_current')
+          return
+        end
+
+        admin_session.destroy
+        redirect_to rsb_admin.profile_path, notice: I18n.t('rsb.admin.profile.session_revoked')
+      end
+
+      # DELETE /admin/profile/sessions
+      # Revokes all sessions except the current one.
+      #
+      # @return [void]
+      def destroy_all
+        current_token = session[:rsb_admin_session_token]
+        count = current_admin_user.admin_sessions.where.not(session_token: current_token).count
+        current_admin_user.admin_sessions.where.not(session_token: current_token).destroy_all
+
+        redirect_to rsb_admin.profile_path, notice: I18n.t('rsb.admin.profile.all_sessions_revoked', count: count)
+      end
+    end
+  end
+end