ruby_cms 0.1.0

data/app/javascript/controllers/ruby_cms/visual_editor_controller.js

@@ -0,0 +1,321 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [
+    "modal",
+    "modalBody",
+    "previewFrame",
+    "contentType",
+    "contentInput",
+    "richContentInput",
+    "richTextContainer",
+    "textContainer",
+    "blockKey",
+    "charCount",
+    "lastUpdated",
+    "saveButton",
+    "toast",
+    "toastMessage"
+  ]
+  
+  static values = {
+    currentPage: String
+  }
+
+  connect() {
+    this.currentContentBlockKey = null
+    this.currentContentBlockLocale = null
+    this.currentBlockIndex = 0
+    this.editMode = false
+
+    // Listen for messages from iframe
+    this.boundHandleMessage = this.handleMessage.bind(this)
+    window.addEventListener("message", this.boundHandleMessage)
+    
+    // Listen for Escape key globally when modal is open
+    this.boundHandleEscape = this.handleEscape.bind(this)
+    
+    // Listen for iframe load
+    this.previewFrameTarget.addEventListener("load", () => {
+      console.log("Preview frame loaded")
+    })
+  }
+
+  disconnect() {
+    if (this.boundHandleMessage) {
+      window.removeEventListener("message", this.boundHandleMessage)
+    }
+    document.removeEventListener("keydown", this.boundHandleEscape)
+  }
+
+  handleMessage(event) {
+    // Only accept same-origin messages (iframe preview is same app)
+    if (event.origin !== window.location.origin) return
+    
+    const { type, blockId, blockIndex, page } = event.data
+    
+    if (type === "CONTENT_BLOCK_CLICKED") {
+      this.openBlockEditor(blockId, blockIndex)
+    }
+  }
+
+  async openBlockEditor(blockKey, blockIndex = 0) {
+    this.currentContentBlockKey = blockKey
+    this.currentBlockIndex = blockIndex
+    this.blockKeyTarget.textContent = blockKey
+
+    try {
+      const response = await fetch(`/admin/content_blocks?search=${encodeURIComponent(blockKey)}&format=json`, {
+        headers: { "Accept": "application/json" }
+      })
+      if (!response.ok) throw new Error("Failed to fetch content block")
+
+      const data = await response.json()
+      const blocks = data.content_blocks || []
+      const currentLocale = this.getCurrentLocale()
+      // Prefer block matching key and current locale; else first block with same key
+      const block = blocks.find(b => b.key === blockKey && (b.locale === currentLocale || !b.locale)) ||
+                    blocks.find(b => b.key === blockKey) ||
+                    (blocks[blockIndex]?.key === blockKey ? blocks[blockIndex] : null) ||
+                    {}
+
+      this.currentContentBlockLocale = block.locale || currentLocale
+
+      const contentType = String(block.content_type || "text").toLowerCase()
+      this.contentTypeTarget.value = contentType
+      this.changeContentType()
+
+      if (contentType === "rich_text") {
+        let html = String(block.rich_content != null ? block.rich_content : "").trim()
+        if (!html && block.content) {
+          const text = String(block.content).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;")
+          html = `<p>${text}</p>`
+        }
+        if (html && !html.trimStart().startsWith("<")) {
+          const escaped = html.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;")
+          html = `<p>${escaped}</p>`
+        }
+        this.richContentInputTarget.value = html || ""
+        this.lastUpdatedTarget.textContent = block.updated_at || "Never"
+        this.updateCharCount()
+
+        this.modalTarget.classList.remove("hidden")
+        document.addEventListener("keydown", this.boundHandleEscape)
+
+        const tryLoadHTML = (attempt = 0) => {
+          const editorEl = this.richTextContainerTarget.querySelector("trix-editor")
+          if (editorEl?.editor) {
+            editorEl.editor.loadHTML(html || "")
+            this.updateCharCount()
+            editorEl.focus?.()
+          } else if (attempt < 50) {
+            setTimeout(() => tryLoadHTML(attempt + 1), 80)
+          }
+        }
+        requestAnimationFrame(() => {
+          requestAnimationFrame(() => setTimeout(() => tryLoadHTML(), 120))
+        })
+      } else {
+        this.contentInputTarget.value = block.content || ""
+        this.lastUpdatedTarget.textContent = block.updated_at || "Never"
+        this.updateCharCount()
+        this.modalTarget.classList.remove("hidden")
+        document.addEventListener("keydown", this.boundHandleEscape)
+        setTimeout(() => this.contentInputTarget.focus(), 50)
+      }
+
+      this.sendMessageToPreview({
+        type: "HIGHLIGHT_BLOCK",
+        blockId: blockKey,
+        blockIndex: blockIndex
+      })
+    } catch (error) {
+      console.error("Error loading content block:", error)
+      alert("Failed to load content block")
+    }
+  }
+
+  closeModal() {
+    this.modalTarget.classList.add("hidden")
+    this.currentContentBlockKey = null
+    this.currentContentBlockLocale = null
+    this.currentBlockIndex = 0
+
+    document.removeEventListener("keydown", this.boundHandleEscape)
+    this.sendMessageToPreview({ type: "CLEAR_HIGHLIGHT" })
+  }
+  
+  handleEscape(event) {
+    // Only handle Escape if modal is visible
+    if (event.key === "Escape" && !this.modalTarget.classList.contains("hidden")) {
+      event.preventDefault()
+      event.stopPropagation()
+      this.closeModal()
+    }
+  }
+
+  changeContentType() {
+    const contentType = this.contentTypeTarget.value
+    
+    if (contentType === "rich_text") {
+      this.textContainerTarget.style.display = "none"
+      this.richTextContainerTarget.classList.add("ruby_cms-visual-editor-modal__rich-text-container--visible")
+    } else {
+      this.textContainerTarget.style.display = "block"
+      this.richTextContainerTarget.classList.remove("ruby_cms-visual-editor-modal__rich-text-container--visible")
+    }
+    
+    this.updateCharCount()
+  }
+
+  updateCharCount() {
+    const contentType = this.contentTypeTarget.value
+    let content = ""
+    
+    if (contentType === "rich_text") {
+      const editor = this.richTextContainerTarget.querySelector("trix-editor")
+      if (editor && editor.editor) {
+        content = editor.editor.getDocument().toString()
+      }
+    } else {
+      content = this.contentInputTarget.value
+    }
+    
+    this.charCountTarget.textContent = `${content.length} characters`
+  }
+
+  async saveContent(event) {
+    event.preventDefault()
+    
+    if (!this.currentContentBlockKey) return
+    
+    const contentType = this.contentTypeTarget.value
+    const payload = {
+      key: this.currentContentBlockKey,
+      content_type: contentType,
+      locale: this.currentContentBlockLocale || null
+    }
+    
+    if (contentType === "rich_text") {
+      const editor = this.richTextContainerTarget.querySelector("trix-editor")
+      payload.rich_content = editor ? editor.value : ""
+    } else {
+      payload.content = this.contentInputTarget.value
+    }
+    
+    try {
+      this.saveButtonTarget.disabled = true
+      this.saveButtonTarget.textContent = "Saving..."
+      
+      const response = await fetch("/admin/visual_editor/quick_update", {
+        method: "PATCH",
+        headers: {
+          "Content-Type": "application/json",
+          "Accept": "application/json",
+          "X-CSRF-Token": document.querySelector('meta[name="csrf-token"]').content
+        },
+        body: JSON.stringify(payload)
+      })
+      
+      const data = await response.json()
+      
+      if (!response.ok || !data.success) {
+        throw new Error(data.message || "Failed to save")
+      }
+      
+      // Update last updated time
+      this.lastUpdatedTarget.textContent = data.updated_at
+      
+      // Update content in preview (same message format as app so page_preview_controller works)
+      const contentToDisplay = contentType === "rich_text"
+        ? (data.rich_content_html || data.content || "")
+        : (data.content || "")
+
+      this.sendMessageToPreview({
+        type: "content-updated",
+        key: this.currentContentBlockKey,
+        content: contentToDisplay,
+        blockIndex: this.currentBlockIndex ?? 0
+      })
+      
+      // Close modal
+      this.closeModal()
+      
+      // Show success toast
+      this.showToast(data.message || "Content updated successfully")
+      
+    } catch (error) {
+      console.error("Error saving content:", error)
+      alert(error.message || "Failed to save content")
+    } finally {
+      this.saveButtonTarget.disabled = false
+      this.saveButtonTarget.textContent = "Save Changes"
+    }
+  }
+
+  handleKeydown(event) {
+    // Enter to submit (but Shift+Enter allows newline in textareas)
+    if (event.key === "Enter") {
+      const isTextarea = event.target.matches("textarea")
+      const isTrixEditor = event.target.matches("trix-editor") || event.target.closest("trix-editor")
+      
+      // Allow Shift+Enter for newlines in textareas/trix
+      if ((isTextarea || isTrixEditor) && event.shiftKey) {
+        return // Let the default behavior happen (newline)
+      }
+      
+      // Enter without Shift submits the form
+      if (!isTextarea && !isTrixEditor) {
+        // Enter outside textarea/trix submits
+        event.preventDefault()
+        this.saveContent(event)
+      } else if (!event.shiftKey) {
+        // Enter in textarea/trix without Shift submits
+        event.preventDefault()
+        this.saveContent(event)
+      }
+    }
+    
+    // Ctrl/Cmd + Enter to save (alternative shortcut)
+    if ((event.ctrlKey || event.metaKey) && event.key === "Enter") {
+      event.preventDefault()
+      this.saveContent(event)
+    }
+  }
+
+  refreshPreview() {
+    const iframe = this.previewFrameTarget
+    iframe.src = iframe.src
+  }
+
+  sendMessageToPreview(message) {
+    const iframe = this.previewFrameTarget
+    if (iframe && iframe.contentWindow) {
+      iframe.contentWindow.postMessage(message, window.location.origin)
+    }
+  }
+
+  showToast(message) {
+    this.toastMessageTarget.textContent = message
+    this.toastTarget.classList.remove("hidden")
+    
+    setTimeout(() => {
+      this.toastTarget.classList.add("hidden")
+    }, 3000)
+  }
+
+  getCurrentLocale() {
+    // Try to get locale from meta tag
+    const metaLocale = document.querySelector('meta[name="locale"]')
+    if (metaLocale) {
+      return metaLocale.content
+    }
+    // Try HTML lang attribute
+    const htmlLang = document.documentElement.lang
+    if (htmlLang) {
+      return htmlLang
+    }
+    // Fallback to default
+    return 'en'
+  }
+}

data/app/models/concerns/content_block/publishable.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+# DHH-style concern for publish/unpublish behavior.
+# Extracts publishing logic to a reusable, self-contained module.
+#
+# @example
+#   class ContentBlock < ApplicationRecord
+#     include ContentBlock::Publishable
+#   end
+#
+#   block.publish(user: Current.user)
+#   block.unpublish(user: Current.user)
+#   ContentBlock.published
+#   ContentBlock.unpublished
+module ContentBlock::Publishable # rubocop:disable Style/ClassAndModuleChildren
+  extend ActiveSupport::Concern
+
+  included do
+    scope :published, -> { where(published: true) }
+    scope :unpublished, -> { where(published: false) }
+  end
+
+  # Publish the content block.
+  # @param user [User, nil] The user performing the action
+  # @return [Boolean] True if successfully published
+  def publish(user: nil)
+    transaction do
+      self.updated_by = user if user && respond_to?(:updated_by=)
+      update!(published: true)
+    end
+    true
+  rescue ActiveRecord::RecordInvalid
+    false
+  end
+
+  # Unpublish the content block.
+  # @param user [User, nil] The user performing the action
+  # @return [Boolean] True if successfully unpublished
+  def unpublish(user: nil)
+    transaction do
+      self.updated_by = user if user && respond_to?(:updated_by=)
+      update!(published: false)
+    end
+    true
+  rescue ActiveRecord::RecordInvalid
+    false
+  end
+
+  # Check if content block is currently published.
+  # @return [Boolean]
+  def published?
+    published == true
+  end
+end

data/app/models/concerns/content_block/searchable.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+# DHH-style concern for search behavior.
+# Extracts search and filtering logic to a reusable module.
+#
+# @example
+#   ContentBlock.search_by_term("welcome")
+module ContentBlock::Searchable # rubocop:disable Style/ClassAndModuleChildren
+  extend ActiveSupport::Concern
+
+  included do
+    # Search content blocks by key or title.
+    # @param term [String] The search term
+    # @return [ActiveRecord::Relation]
+    scope :search_by_term, lambda {|term|
+      return all if term.blank?
+
+      search_pattern = "%#{term.to_s.downcase}%"
+      where("LOWER(key) LIKE ? OR LOWER(title) LIKE ?", search_pattern, search_pattern)
+    }
+  end
+end

data/app/models/content_block.rb

@@ -0,0 +1,155 @@
+# frozen_string_literal: true
+
+# Public ContentBlock model exposed to the host app.
+class ContentBlock < ApplicationRecord
+  include Publishable
+  include Searchable
+
+  self.table_name = "content_blocks"
+
+  def self.action_text_available?
+    return false unless defined?(::ActionText::RichText)
+    return false unless ActiveRecord::Base.connected?
+
+    ActiveRecord::Base.connection.data_source_exists?("action_text_rich_texts")
+  rescue ActiveRecord::ConnectionNotEstablished, ActiveRecord::NoDatabaseError
+    false
+  end
+
+  def self.active_storage_available?
+    return false unless defined?(::ActiveStorage::Blob)
+    return false unless ActiveRecord::Base.connected?
+
+    c = ActiveRecord::Base.connection
+    c.data_source_exists?("active_storage_blobs") &&
+      c.data_source_exists?("active_storage_attachments")
+  rescue ActiveRecord::ConnectionNotEstablished, ActiveRecord::NoDatabaseError
+    false
+  end
+
+  has_rich_text :rich_content if action_text_available?
+  has_one_attached :image if active_storage_available?
+
+  belongs_to :updated_by, class_name: "User", optional: true
+
+  CONTENT_TYPES = %w[text rich_text image link list].freeze
+
+  validates :key, presence: true
+  validates :locale, presence: true
+  validates :content_type, inclusion: { in: CONTENT_TYPES }
+  validates :key, uniqueness: { scope: :locale }
+  validate :key_not_reserved
+  validate :image_content_type, if: -> { respond_to?(:image) && image.attached? }
+  validate :image_size, if: -> { respond_to?(:image) && image.attached? }
+
+  scope :chronologically, -> { order(created_at: :asc) }
+  scope :reverse_chronologically, -> { order(created_at: :desc) }
+  scope :alphabetically, -> { order(:key) }
+  scope :for_locale, ->(locale) { where(locale: locale.to_s) }
+  scope :for_current_locale, -> { where(locale: I18n.locale.to_s) }
+  scope :preloaded, -> { includes(:updated_by) }
+
+  scope :indexed_by, lambda {|index|
+    case index.to_s
+    when "published" then published
+    when "unpublished" then unpublished
+    else all
+    end
+  }
+
+  scope :sorted_by, lambda {|sort|
+    case sort.to_s
+    when "latest" then reverse_chronologically
+    when "oldest" then chronologically
+    else alphabetically
+    end
+  }
+
+  def self.accessible_by(_user)
+    all
+  end
+
+  def self.by_key
+    alphabetically
+  end
+
+  def can_edit?(user)
+    user&.can?(:manage_content_blocks, record: self)
+  end
+
+  def can_delete?(user)
+    user&.can?(:manage_content_blocks, record: self)
+  end
+
+  def record_update_by(user)
+    self.updated_by = user if user
+  end
+
+  def content_body
+    if content_type == "rich_text" && self.class.action_text_available? &&
+       respond_to?(:rich_content)
+      rich_content.to_s
+    else
+      content.to_s
+    end
+  end
+
+  def self.find_by_key_and_locale(key, locale: nil, default_locale: nil)
+    locale ||= I18n.locale.to_s
+    default_locale ||= begin
+      I18n.default_locale.to_s
+    rescue StandardError
+      "en"
+    end
+
+    block = find_by(key: key.to_s, locale: locale.to_s)
+    return block if block
+    return nil if locale.to_s == default_locale.to_s
+
+    find_by(key: key.to_s, locale: default_locale.to_s)
+  end
+
+  private
+
+  def key_not_reserved
+    prefixes =
+      Array(RubyCms::Settings.get(:reserved_key_prefixes, default: ["admin_"])).map(&:to_s)
+    return unless key.to_s.start_with?(*prefixes)
+
+    errors.add(:key, :reserved)
+  rescue StandardError
+    errors.add(:key, :reserved) if key.to_s.start_with?("admin_")
+  end
+
+  def image_content_type
+    return unless respond_to?(:image) && image.attached?
+
+    return if image.content_type.in?(allowed_image_content_types)
+
+    errors.add(:image, :content_type_invalid)
+  rescue StandardError
+    errors.add(:image, :content_type_invalid)
+  end
+
+  def allowed_image_content_types
+    Array(
+      RubyCms::Settings.get(
+        :image_content_types,
+        default: ["image/png", "image/jpeg", "image/gif", "image/webp"]
+      )
+    ).map(&:to_s)
+  rescue StandardError
+    ["image/png", "image/jpeg", "image/gif", "image/webp"]
+  end
+
+  def image_size
+    return unless respond_to?(:image) && image.attached?
+
+    limit = RubyCms::Settings.get(:image_max_size, default: 5 * 1024 * 1024).to_i
+    return if image.byte_size <= limit
+
+    errors.add(:image, :file_too_large)
+  rescue StandardError
+    errors.add(:image, :file_too_large)
+  end
+end

data/app/models/ruby_cms/content_block.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module RubyCms
+  # Backwards-compatible shim: keep RubyCms::ContentBlock working,
+  # but the canonical model is the top-level ::ContentBlock.
+  class ContentBlock < ::ContentBlock
+  end
+end

data/app/models/ruby_cms/permission.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module RubyCms
+  class Permission < ::ApplicationRecord
+    self.table_name = "permissions"
+
+    has_many :user_permissions, dependent: :destroy, class_name: "RubyCms::UserPermission"
+    has_many :users, through: :user_permissions
+
+    validates :key, presence: true, uniqueness: true
+
+    DEFAULT_KEYS = %w[
+      manage_admin
+      manage_permissions
+      manage_content_blocks
+      manage_visitor_errors
+      manage_analytics
+    ].freeze
+
+    class << self
+      def ensure_defaults!
+        DEFAULT_KEYS.each do |k|
+          find_or_create_by!(key: k) {|p| p.name = k.humanize }
+        end
+      end
+    end
+  end
+end

data/app/models/ruby_cms/permittable.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module RubyCms
+  module Permittable
+    extend ActiveSupport::Concern
+
+    # Check if the user has a permission. record: reserved for future record-scoped permissions.
+    # Default-deny: unknown permission key = forbidden. Permission lookups are cached per-request.
+    def can?(permission_key, record: nil)
+      return bootstrap_allowed?(permission_key) if bootstrap?
+
+      k = permission_key.to_s
+      return false unless RubyCms::Permission.exists?(key: k)
+
+      # Treat manage_admin as a super-permission for admin features.
+      cms_permission_keys_cached.include?(k) ||
+        cms_permission_keys_cached.include?("manage_admin") ||
+        record&.can_edit?(self)
+    end
+
+    def bootstrap?
+      RubyCms::Permission.none?
+    end
+
+    def bootstrap_allowed?(permission_key)
+      return false unless Rails.application.config.ruby_cms.bootstrap_admin_with_role
+      return false unless respond_to?(:admin?) && admin?
+
+      permission_key.to_s == "manage_admin"
+    end
+
+    # Per-request cache of this user's permission keys. Never rely on client-side checks.
+    def cms_permission_keys_cached
+      @cms_permission_keys_cached ||=
+        RubyCms::UserPermission.where(user: self)
+                               .joins(:permission).pluck("permissions.key")
+    end
+  end
+end