rsb-admin 0.9.1

data/app/controllers/rsb/admin/resources_controller.rb

@@ -0,0 +1,386 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    class ResourcesController < AdminController
+      prepend_before_action :resolve_registry_entry
+      before_action :authorize_resource
+
+      # Display the index page for a resource or page.
+      #
+      # Behavior depends on the type of entry:
+      # - If it's a page, delegates to the page's controller
+      # - If it's a resource with a custom controller, delegates to that controller
+      # - Otherwise, loads records with filtering, sorting, and pagination
+      #
+      # Filtering is applied from params[:q] using registered FilterDefinitions.
+      # Sorting is applied from params[:sort] and params[:dir], with fallback to default_sort.
+      # Pagination uses per_page from registration or global config, with 1-based page numbers.
+      #
+      # @return [void]
+      # @raise [ActionController::RoutingError] if the resource doesn't support the index action
+      def index
+        if @page
+          dispatch_to_page_controller(:index)
+          return
+        end
+
+        return dispatch_to_custom_controller(:index) if @registration&.custom_controller?
+
+        authorize_resource
+
+        scope = @registration.model_class.all
+
+        # Apply filters (rule #3: only if registration has filters)
+        if @registration.filters&.any? && params[:q].present?
+          @registration.filters.each do |filter|
+            value = params[:q][filter.key.to_s]
+            scope = filter.apply(scope, value)
+          end
+        end
+
+        # Apply sorting (rule #11)
+        sort_column = params[:sort]
+        sort_direction = params[:dir]&.downcase == 'desc' ? 'DESC' : 'ASC'
+
+        scope = if sort_column.present? && @registration.columns&.any? { |c| c.key.to_s == sort_column && c.sortable }
+                  scope.order(Arel.sql("#{sort_column} #{sort_direction}"))
+                elsif @registration.default_sort
+                  scope.order(@registration.default_sort[:column] => @registration.default_sort[:direction])
+                else
+                  scope.order(id: :desc)
+                end
+
+        # Pagination (rule #10)
+        per_page = @registration.per_page || RSB::Admin.configuration.per_page
+        @current_page = [params[:page].to_i, 1].max
+        @total_count = scope.count
+        @total_pages = (@total_count.to_f / per_page).ceil
+        @total_pages = 1 if @total_pages < 1
+        @records = scope.limit(per_page).offset((@current_page - 1) * per_page)
+
+        # Store filter values for view
+        @filter_values = params[:q] || {}
+
+        # Set page title
+        @rsb_page_title = @registration.label
+      end
+
+      # Display the show page for a specific resource record.
+      #
+      # If the resource has a custom controller, delegates to it.
+      # Otherwise, loads the record and renders the generic show view.
+      # The view uses @registration.show_columns to determine which fields to display.
+      #
+      # @return [void]
+      # @raise [ActionController::RoutingError] if the resource doesn't support the show action
+      # @raise [ActiveRecord::RecordNotFound] if the record doesn't exist
+      def show
+        return dispatch_to_custom_controller(:show) if @registration&.custom_controller?
+
+        authorize_resource
+        @record = @registration.model_class.find(params[:id])
+        @rsb_page_title = "#{@registration.label.singularize} ##{@record.id}"
+      end
+
+      # Display the new page for creating a resource record.
+      #
+      # If the resource has a custom controller, delegates to it.
+      # Otherwise, instantiates a new record and renders the generic new view.
+      # The view uses @registration.new_form_fields to determine which fields to display.
+      #
+      # @return [void]
+      # @raise [ActionController::RoutingError] if the resource doesn't support the new action
+      def new
+        return dispatch_to_custom_controller(:new) if @registration&.custom_controller?
+
+        authorize_resource
+        @record = @registration.model_class.new
+      end
+
+      # Create a new resource record.
+      #
+      # If the resource has a custom controller, delegates to it.
+      # Otherwise, creates a new record with the submitted params and either
+      # redirects to the show page on success or re-renders the form on failure.
+      # Flash message is localized using i18n key "rsb.admin.resources.created".
+      #
+      # @return [void]
+      # @raise [ActionController::RoutingError] if the resource doesn't support the create action
+      def create
+        return dispatch_to_custom_controller(:create) if @registration&.custom_controller?
+
+        authorize_resource
+        @record = @registration.model_class.new(resource_params)
+        if @record.save
+          redirect_to rsb_admin_resource_show_path(@registration.route_key, @record.id),
+                      notice: I18n.t('rsb.admin.resources.created', resource: @registration.label.singularize)
+        else
+          render :new, status: :unprocessable_entity
+        end
+      end
+
+      # Display the edit page for a resource record.
+      #
+      # If the resource has a custom controller, delegates to it.
+      # Otherwise, loads the record and renders the generic edit view.
+      # The view uses @registration.edit_form_fields to determine which fields to display.
+      #
+      # @return [void]
+      # @raise [ActionController::RoutingError] if the resource doesn't support the edit action
+      # @raise [ActiveRecord::RecordNotFound] if the record doesn't exist
+      def edit
+        return dispatch_to_custom_controller(:edit) if @registration&.custom_controller?
+
+        authorize_resource
+        @record = @registration.model_class.find(params[:id])
+      end
+
+      # Update a resource record.
+      #
+      # If the resource has a custom controller, delegates to it.
+      # Otherwise, updates the record with the submitted params and either
+      # redirects to the show page on success or re-renders the edit form on failure.
+      # Flash message is localized using i18n key "rsb.admin.resources.updated".
+      #
+      # @return [void]
+      # @raise [ActionController::RoutingError] if the resource doesn't support the update action
+      # @raise [ActiveRecord::RecordNotFound] if the record doesn't exist
+      def update
+        return dispatch_to_custom_controller(:update) if @registration&.custom_controller?
+
+        authorize_resource
+        @record = @registration.model_class.find(params[:id])
+        if @record.update(resource_params)
+          redirect_to rsb_admin_resource_show_path(@registration.route_key, @record.id),
+                      notice: I18n.t('rsb.admin.resources.updated', resource: @registration.label.singularize)
+        else
+          render :edit, status: :unprocessable_entity
+        end
+      end
+
+      # Delete a resource record.
+      #
+      # If the resource has a custom controller, delegates to it.
+      # Otherwise, destroys the record and redirects to the index.
+      # Flash message is localized using i18n key "rsb.admin.resources.deleted".
+      #
+      # @return [void]
+      # @raise [ActionController::RoutingError] if the resource doesn't support the destroy action
+      # @raise [ActiveRecord::RecordNotFound] if the record doesn't exist
+      def destroy
+        if @page
+          dispatch_to_page_controller(:destroy)
+        elsif @registration&.custom_controller?
+          dispatch_to_custom_controller(:destroy)
+        elsif @registration
+          authorize_resource
+          @record = @registration.model_class.find(params[:id])
+          @record.destroy!
+          redirect_to rsb_admin_resource_path(@registration.route_key),
+                      notice: I18n.t('rsb.admin.resources.deleted', resource: @registration.label.singularize)
+        end
+      end
+
+      # Generic fallback for pages without a controller.
+      #
+      # @return [void]
+      def page
+        # Renders the generic page view
+      end
+
+      # Handle static page sub-actions.
+      #
+      # Routes like `/admin/dashboard/export` are dispatched to the page's
+      # controller with the action key. Returns 404 if the page or action
+      # is not found.
+      #
+      # @return [void]
+      # @raise [ActionController::RoutingError] if the page or action doesn't exist
+      def page_action
+        @page = RSB::Admin.registry.find_page_by_key(params[:resource_key])
+
+        unless @page
+          head :not_found
+          return
+        end
+
+        authorize_admin_action!(resource: @page.key.to_s, action: params[:action_key])
+
+        action = @page.find_action(params[:action_key])
+        unless action
+          head :not_found
+          return
+        end
+
+        # Build page breadcrumbs and pass to dispatched controller
+        build_page_action_breadcrumbs
+        request.env['rsb.admin.breadcrumbs'] = @breadcrumbs
+
+        # Dispatch to the page's controller with the action key
+        controller_name = @page.controller
+        controller_class_name = "#{controller_name}_controller".classify
+        controller_class = controller_class_name.constantize
+        dispatch_action = params[:action_key].to_sym
+
+        status, headers, body = controller_class.action(dispatch_action).call(request.env)
+        self.status = status
+        self.response_body = body
+        headers.each { |k, v| response.headers[k] = v }
+      end
+
+      # Handle custom member actions for resources with custom controllers.
+      #
+      # Custom actions are PATCH routes like `/admin/identities/:id/suspend`.
+      # The action name is extracted from params and delegated to the resource's
+      # custom controller if it exists and the action is registered.
+      #
+      # @return [void]
+      # @raise [ActionController::RoutingError] if no custom controller is configured
+      #   or the action is not registered for this resource
+      def custom_action
+        action = params[:custom_action].to_sym
+        unless @registration&.custom_controller? && @registration.action?(action)
+          raise ActionController::RoutingError, 'Not Found'
+        end
+
+        dispatch_to_custom_controller(action)
+      end
+
+      private
+
+      # Builds breadcrumbs for dynamic resource and page routes.
+      #
+      # For resources: AppName > Category > Resource Label > #ID (if show/edit) > New/Edit
+      # For pages: AppName > Category > Page Label
+      #
+      # Uses prepend_before_action :resolve_registry_entry to ensure @registration
+      # and @page are set before this runs (ahead of inherited AdminController callbacks).
+      #
+      # @return [void]
+      def build_breadcrumbs
+        super
+        if @registration
+          add_breadcrumb(@registration.category_name)
+          add_breadcrumb(@registration.label, rsb_admin_resource_path(@registration.route_key))
+          if params[:id].present?
+            add_breadcrumb("##{params[:id]}",
+                           rsb_admin_resource_show_path(@registration.route_key, params[:id]))
+          end
+          if action_name.in?(%w[new create])
+            add_breadcrumb(I18n.t('rsb.admin.shared.new', resource: @registration.label.singularize))
+          end
+          add_breadcrumb(I18n.t('rsb.admin.shared.edit')) if action_name.in?(%w[edit update])
+        elsif @page
+          add_breadcrumb(@page.category_name)
+          add_breadcrumb(@page.label)
+        end
+      end
+
+      # Builds breadcrumbs for page sub-actions dispatched via page_action.
+      #
+      # Since page_action bypasses the normal build_breadcrumbs flow (it's a
+      # separate action on ResourcesController), we manually construct the
+      # breadcrumb trail: Root > Category > Page Label
+      #
+      # The page label includes a path since sub-actions may append additional
+      # breadcrumb items after it.
+      #
+      # @return [void]
+      def build_page_action_breadcrumbs
+        @breadcrumbs = [
+          RSB::Admin::BreadcrumbItem.new(
+            label: RSB::Settings.get('admin.app_name').to_s.presence || RSB::Admin.configuration.app_name,
+            path: rsb_admin.dashboard_path
+          )
+        ]
+        add_breadcrumb(@page.category_name)
+        add_breadcrumb(@page.label, rsb_admin_page_path(@page.key))
+      end
+
+      def resolve_registry_entry
+        @registration = RSB::Admin.registry.find_resource_by_route_key(params[:resource_key])
+
+        return if @registration
+
+        @page = RSB::Admin.registry.find_page_by_key(params[:resource_key])
+        raise ActionController::RoutingError, 'Not Found' unless @page
+      end
+
+      def authorize_resource
+        resource_name = @page ? @page.key.to_s : params[:resource_key]
+        action = if action_name == 'custom_action' && params[:custom_action].present?
+                   params[:custom_action]
+                 else
+                   action_name
+                 end
+        authorize_admin_action!(resource: resource_name, action: action)
+      end
+
+      # Dispatch a request to a page's custom controller.
+      #
+      # Uses the Rack interface to invoke the controller action and copy the
+      # response (status, headers, body) into the current controller's response.
+      # Falls back to rendering the generic page view if the controller doesn't exist.
+      #
+      # @param action [Symbol] the action to invoke (default: :index)
+      # @return [void]
+      def dispatch_to_page_controller(action = :index)
+        controller_name = @page.controller
+        controller_class_name = "#{controller_name}_controller".classify
+
+        begin
+          controller_class = controller_class_name.constantize
+          # Pass breadcrumb context to the dispatched controller
+          request.env['rsb.admin.breadcrumbs'] = @breadcrumbs
+          status, headers, body = controller_class.action(action).call(request.env)
+          self.status = status
+          self.response_body = body
+          headers.each { |k, v| response.headers[k] = v }
+        rescue NameError
+          # Controller class doesn't exist, render generic fallback
+          render :page
+        end
+      end
+
+      # Dispatch a request to a resource's custom controller.
+      #
+      # Uses the Rack interface to invoke the controller action and copy the
+      # response (status, headers, body) into the current controller's response.
+      # This allows resources to have dedicated controllers while maintaining
+      # a single routing structure.
+      #
+      # @param action [Symbol] the action to invoke
+      # @return [void]
+      # @raise [NameError] if the controller class doesn't exist
+      def dispatch_to_custom_controller(action)
+        controller_name = @registration.controller
+        controller_class_name = "#{controller_name}_controller".classify
+        controller_class = controller_class_name.constantize
+        # Pass breadcrumb context to the dispatched controller
+        request.env['rsb.admin.breadcrumbs'] = @breadcrumbs
+        status, headers, body = controller_class.action(action).call(request.env)
+        self.status = status
+        self.response_body = body
+        headers.each { |k, v| response.headers[k] = v }
+      end
+
+      # Extract permitted params for the resource model.
+      #
+      # Uses form_fields from registration when available, otherwise auto-detects
+      # editable columns from the model's schema (excluding sensitive columns,
+      # ID, and timestamps).
+      #
+      # @return [ActionController::Parameters] the permitted parameters
+      def resource_params
+        if @registration.form_fields
+          permitted_keys = @registration.form_fields.map(&:key)
+        else
+          # Fallback: auto-detect (existing behavior)
+          permitted_keys = @registration.model_class.column_names - ResourceRegistration::SENSITIVE_COLUMNS - ResourceRegistration::SKIP_FORM_COLUMNS
+        end
+        params.require(@registration.model_class.model_name.param_key).permit(*permitted_keys)
+      end
+    end
+  end
+end

data/app/controllers/rsb/admin/roles_controller.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    class RolesController < AdminController
+      before_action :authorize_roles
+      before_action :set_role, only: %i[show edit update destroy]
+
+      def index
+        @rsb_page_title = I18n.t('rsb.admin.roles.index.page_title', default: 'Roles')
+        @roles = Role.all.order(:name)
+      end
+
+      def show
+        @registry = RSB::Admin.registry
+      end
+
+      def new
+        @role = Role.new(permissions: {})
+        @registry = RSB::Admin.registry
+      end
+
+      def create
+        @role = Role.new(role_params)
+        @registry = RSB::Admin.registry
+        if @role.save
+          redirect_to rsb_admin.role_path(@role), notice: 'Role created.'
+        else
+          render :new, status: :unprocessable_entity
+        end
+      end
+
+      def edit
+        @registry = RSB::Admin.registry
+      end
+
+      def update
+        @registry = RSB::Admin.registry
+        if @role.update(role_params)
+          redirect_to rsb_admin.role_path(@role), notice: 'Role updated.'
+        else
+          render :edit, status: :unprocessable_entity
+        end
+      end
+
+      def destroy
+        if @role.destroy
+          redirect_to rsb_admin.roles_path, notice: 'Role deleted.'
+        else
+          redirect_to rsb_admin.roles_path, alert: "Cannot delete role: #{@role.errors.full_messages.join(', ')}"
+        end
+      end
+
+      private
+
+      # Builds breadcrumbs for role management pages.
+      # Dashboard > System > Roles > #ID (if applicable) > New/Edit
+      #
+      # @return [void]
+      def build_breadcrumbs
+        super
+        add_breadcrumb(I18n.t('rsb.admin.shared.system'))
+        add_breadcrumb(I18n.t('rsb.admin.roles.title'), rsb_admin.roles_path)
+        add_breadcrumb("##{params[:id]}", rsb_admin.role_path(params[:id])) if params[:id].present?
+        add_breadcrumb(I18n.t('rsb.admin.shared.new', resource: 'Role')) if action_name.in?(%w[new create])
+        return unless action_name.in?(%w[edit update])
+
+        add_breadcrumb(I18n.t('rsb.admin.shared.edit'))
+      end
+
+      def set_role
+        @role = Role.find(params[:id])
+      end
+
+      def role_params
+        permitted = params.require(:role).permit(
+          :name,
+          :permissions_json,
+          :superadmin_toggle,
+          permissions_checkboxes: {}
+        )
+
+        # Rails strong params cannot cleanly permit a hash-of-arrays,
+        # so we manually extract permissions_checkboxes
+        if params[:role][:permissions_checkboxes].present?
+          permitted[:permissions_checkboxes] = params[:role][:permissions_checkboxes]
+                                               .to_unsafe_h
+                                               .transform_values { |v| Array(v) }
+        end
+
+        permitted
+      end
+
+      def authorize_roles
+        authorize_admin_action!(resource: 'roles', action: action_name)
+      end
+    end
+  end
+end

data/app/controllers/rsb/admin/sessions_controller.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+module RSB
+  module Admin
+    class SessionsController < ActionController::Base
+      layout 'rsb/admin/application'
+
+      helper RSB::Admin::BrandingHelper
+      helper RSB::Settings::LocaleHelper
+      include RSB::Settings::LocaleHelper
+      helper RSB::Settings::SeoHelper
+      include RSB::Settings::SeoHelper
+      helper_method :current_admin_user
+
+      before_action :set_seo_context
+      before_action :check_admin_enabled
+      before_action :redirect_if_signed_in, only: [:new]
+
+      def new
+        @rsb_page_title = I18n.t('rsb.admin.sessions.new.page_title', default: 'Admin Sign In')
+      end
+
+      def create
+        admin = AdminUser.find_by(email: params[:email])
+        if admin&.authenticate(params[:password])
+          if admin.otp_enabled?
+            # Store pending state — admin must complete 2FA
+            session[:rsb_admin_pending_user_id] = admin.id
+            session[:rsb_admin_pending_at] = Time.current.to_i
+            session[:rsb_admin_2fa_attempts] = 0
+            redirect_to rsb_admin.two_factor_login_path
+          elsif ActiveModel::Type::Boolean.new.cast(RSB::Settings.get('admin.require_two_factor'))
+            # Check if force 2FA is enabled
+            admin_session = AdminSession.create_from_request!(admin_user: admin, request: request)
+            session[:rsb_admin_session_token] = admin_session.session_token
+            admin.record_sign_in!(ip: request.remote_ip)
+            redirect_to rsb_admin.new_profile_two_factor_path,
+                        alert: 'Two-factor authentication is required. Please set up 2FA to continue.'
+          # Create session but redirect to enrollment
+          else
+            complete_sign_in!(admin)
+          end
+        else
+          @email = params[:email]
+          flash.now[:alert] = 'Invalid email or password.'
+          render :new, status: :unprocessable_entity
+        end
+      end
+
+      def two_factor
+        return if valid_pending_session?
+
+        redirect_to rsb_admin.login_path, alert: pending_expired? ? 'Session expired. Please sign in again.' : nil
+        nil
+      end
+
+      def verify_two_factor
+        unless valid_pending_session?
+          redirect_to rsb_admin.login_path, alert: pending_expired? ? 'Session expired. Please sign in again.' : nil
+          return
+        end
+
+        if session[:rsb_admin_2fa_attempts].to_i >= 5
+          clear_pending_session!
+          redirect_to rsb_admin.login_path, alert: 'Too many attempts. Please sign in again.'
+          return
+        end
+
+        admin = AdminUser.find_by(id: session[:rsb_admin_pending_user_id])
+        unless admin
+          clear_pending_session!
+          redirect_to rsb_admin.login_path
+          return
+        end
+
+        if admin.verify_otp(params[:otp_code]) || admin.verify_backup_code(params[:otp_code].to_s)
+          clear_pending_session!
+          complete_sign_in!(admin)
+        else
+          session[:rsb_admin_2fa_attempts] = session[:rsb_admin_2fa_attempts].to_i + 1
+          flash.now[:alert] = 'Invalid verification code.'
+          render :two_factor, status: :unprocessable_entity
+        end
+      end
+
+      def destroy
+        token = session[:rsb_admin_session_token]
+        AdminSession.find_by(session_token: token)&.destroy if token
+        session.delete(:rsb_admin_session_token)
+        redirect_to rsb_admin.login_path, notice: 'Signed out.'
+      end
+
+      private
+
+      def set_seo_context
+        @rsb_seo_context = :admin
+      end
+
+      def complete_sign_in!(admin)
+        admin_session = AdminSession.create_from_request!(admin_user: admin, request: request)
+        session[:rsb_admin_session_token] = admin_session.session_token
+        admin.record_sign_in!(ip: request.remote_ip)
+        redirect_to rsb_admin.dashboard_path, notice: 'Signed in successfully.'
+      end
+
+      def valid_pending_session?
+        session[:rsb_admin_pending_user_id].present? && !pending_expired?
+      end
+
+      def pending_expired?
+        pending_at = session[:rsb_admin_pending_at].to_i
+        pending_at.positive? && Time.at(pending_at) < 5.minutes.ago
+      end
+
+      def clear_pending_session!
+        session.delete(:rsb_admin_pending_user_id)
+        session.delete(:rsb_admin_pending_at)
+        session.delete(:rsb_admin_2fa_attempts)
+      end
+
+      def check_admin_enabled
+        return if RSB::Admin.enabled?
+
+        render template: 'rsb/admin/shared/disabled', layout: false, status: :service_unavailable
+      end
+
+      def redirect_if_signed_in
+        redirect_to rsb_admin.dashboard_path if current_admin_user
+      end
+
+      def current_admin_user
+        return @current_admin_user if defined?(@current_admin_user)
+
+        token = session[:rsb_admin_session_token]
+        @current_admin_user = token ? AdminSession.find_by(session_token: token)&.admin_user : nil
+      end
+    end
+  end
+end