ruby_cms 0.1.0

data/app/models/ruby_cms/preference.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module RubyCms
+  # Stores configuration preferences for the CMS admin interface.
+  # Preferences are key-value pairs with optional type casting.
+  class Preference < ::ApplicationRecord
+    self.table_name = "preferences"
+
+    VALUE_TYPES = %w[string integer boolean json].freeze
+
+    validates :key, presence: true, uniqueness: true
+    validates :value_type, inclusion: { in: VALUE_TYPES }
+
+    def self.get(key, default: nil)
+      pref = find_by(key: key.to_s)
+      return default if pref.nil?
+
+      pref.typed_value
+    end
+
+    def self.set(key, value)
+      pref = find_or_initialize_by(key: key.to_s)
+      pref.assign_value(value)
+      pref.save!
+      pref.typed_value
+    end
+
+    def self.all_as_hash
+      all.to_h {|pref| [pref.key.to_sym, pref.typed_value] }
+    end
+
+    def self.ensure_defaults!
+      defaults.each do |key, config|
+        next if exists?(key: key.to_s)
+
+        create!(
+          key: key.to_s,
+          value: serialize_seed_value(config[:value], config[:type]),
+          value_type: config[:type],
+          description: config[:description],
+          category: config[:category] || "general"
+        )
+      end
+    end
+
+    def self.by_category
+      all.group_by(&:category)
+    end
+
+    def self.defaults
+      RubyCms::SettingsRegistry.defaults_hash
+    end
+
+    def typed_value
+      case value_type
+      when "integer" then value.to_i
+      when "boolean" then boolean_cast(value)
+      when "json" then parse_json_value(value)
+      else value
+      end
+    rescue JSON::ParserError, TypeError
+      value.to_s
+    end
+
+    def assign_value(new_value)
+      self.value_type ||= detect_type(new_value)
+      self.value = serialize_value(new_value)
+    end
+
+    class << self
+      private
+
+      def serialize_seed_value(val, type)
+        case type.to_s
+        when "json"
+          val.to_json
+        when "boolean"
+          ActiveModel::Type::Boolean.new.cast(val).to_s
+        else
+          val.to_s
+        end
+      end
+    end
+
+    private
+
+    def boolean_cast(val)
+      ActiveModel::Type::Boolean.new.cast(val)
+    end
+
+    def parse_json_value(val)
+      JSON.parse(val.to_s)
+    end
+
+    def detect_type(val)
+      case val
+      when Integer then "integer"
+      when TrueClass, FalseClass then "boolean"
+      when Hash, Array then "json"
+      else "string"
+      end
+    end
+
+    def serialize_value(val)
+      case val
+      when Hash, Array then val.to_json
+      else val.to_s
+      end
+    end
+  end
+end

data/app/models/ruby_cms/user_permission.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module RubyCms
+  class UserPermission < ::ApplicationRecord
+    self.table_name = "user_permissions"
+
+    belongs_to :user, class_name: "User", optional: false
+    belongs_to :permission, class_name: "RubyCms::Permission"
+
+    validates :user_id, uniqueness: { scope: :permission_id }
+  end
+end

data/app/models/ruby_cms/visitor_error.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module RubyCms
+  class VisitorError < ::ApplicationRecord
+    self.table_name = "visitor_errors"
+
+    scope :recent, -> { order(created_at: :desc) }
+    scope :unresolved, -> { where(resolved: false) }
+    scope :by_page, ->(path) { where(request_path: path) }
+    scope :today, -> { where(created_at: Date.current.beginning_of_day..) }
+
+    def self.log_error(exception, request)
+      create!(
+        **base_request_attrs(request),
+        **exception_attrs(exception),
+        request_params: sanitize_params(request.params)
+      )
+    rescue StandardError => e
+      Rails.logger.error "Failed to log visitor error: #{e.message}"
+    end
+
+    # Log routing errors (404s) from catch-all route.
+    # Called by RubyCms::ErrorsController#not_found
+    def self.log_routing_error(request)
+      return if Rails.env.development?
+      return if request.path.start_with?("/admin")
+
+      create!(
+        **base_request_attrs(request),
+        error_class: "ActionController::RoutingError",
+        error_message: routing_error_message(request),
+        backtrace: nil,
+        request_params: nil
+      )
+    rescue StandardError => e
+      Rails.logger.error "Failed to log routing error: #{e.message}"
+    end
+
+    # Returns the code path: backtrace for exceptions, or synthetic path for routing errors
+    def codepath
+      if backtrace.present?
+        backtrace
+      elsif error_class == "ActionController::RoutingError"
+        <<~TEXT.strip
+          Request → Router (no matching route) → RubyCms::ErrorsController#not_found
+          (Routing errors don't generate stack traces; the request never reached a controller action.)
+        TEXT
+      else
+        "No stack trace available."
+      end
+    end
+
+    def browser_info
+      return "Unknown" if user_agent.blank?
+
+      case user_agent
+      when /Chrome/ then "Chrome"
+      when /Firefox/ then "Firefox"
+      when /Safari(?!.*Chrome)/ then "Safari"
+      when /Edge/ then "Edge"
+      else "Other"
+      end
+    end
+
+    class << self
+      private
+
+      def sanitize_params(params)
+        return nil unless params
+
+        h = params.respond_to?(:to_unsafe_h) ? params.to_unsafe_h : params.to_h
+        filtered = h.except("password", "password_confirmation", "authenticity_token")
+        filtered.to_json.truncate(500)
+      end
+
+      def base_request_attrs(request)
+        {
+          request_path: request.path,
+          request_method: request.request_method,
+          ip_address: request.remote_ip,
+          user_agent: request.user_agent,
+          session_id: safe_session_id(request),
+          referer: request.referer.presence&.truncate(500),
+          query_string: request.query_string.presence&.truncate(500)
+        }
+      end
+
+      def exception_attrs(exception)
+        {
+          error_class: exception.class.name,
+          error_message: exception.message,
+          backtrace: exception.backtrace&.first(10)&.join("\n")
+        }
+      end
+
+      def routing_error_message(request)
+        "No route matches [#{request.request_method}] \"#{request.path}\""
+      end
+
+      def safe_session_id(request)
+        request.session.id
+      rescue StandardError
+        nil
+      end
+    end
+  end
+end

data/app/services/ruby_cms/analytics/report.rb

@@ -0,0 +1,362 @@
+# frozen_string_literal: true
+
+module RubyCms
+  module Analytics
+    class Report
+      DEFAULT_CACHE_DURATION_SECONDS = 600
+      DEFAULT_MAX_POPULAR_PAGES = 10
+      DEFAULT_MAX_TOP_VISITORS = 10
+      DEFAULT_MAX_REFERRERS = 10
+      DEFAULT_MAX_LANDING_PAGES = 10
+      DEFAULT_MAX_UTM_SOURCES = 10
+      DEFAULT_HIGH_VOLUME_THRESHOLD = 1000
+      DEFAULT_RAPID_REQUEST_THRESHOLD = 50
+      DEFAULT_RECENT_PAGE_VIEWS_LIMIT = 25
+      DEFAULT_PAGE_DETAILS_LIMIT = 100
+      DEFAULT_VISITOR_DETAILS_LIMIT = 100
+
+      def initialize(start_date:, end_date:, period: nil)
+        @start_date = start_date.to_date.beginning_of_day
+        @end_date = end_date.to_date.end_of_day
+        @period = period.presence || RubyCms::Settings.get(:analytics_default_period,
+                                                           default: "week").to_s
+        @range = @start_date..@end_date
+      end
+
+      def dashboard_stats
+        Rails.cache.fetch(cache_key("dashboard"), expires_in: cache_duration) do
+          {
+            total_page_views: page_view_events.count,
+            unique_visitors: visits.distinct.count(:visitor_token),
+            total_sessions: visits.distinct.count(:visit_token),
+            popular_pages: popular_pages_data,
+            top_visitors: top_visitors_data,
+            hourly_activity: hourly_activity_data,
+            daily_activity: daily_activity_data,
+            daily_visitors: daily_visitors_data,
+            top_referrers: referrer_data,
+            landing_pages: landing_pages_data,
+            utm_sources: utm_sources_data,
+            browser_stats: visits.where.not(browser: [nil, ""]).group(:browser).count,
+            device_stats: visits.where.not(device_type: [nil, ""]).group(:device_type).count,
+            os_stats: visits.where.not(os: [nil, ""]).group(:os).count,
+            suspicious_activity: suspicious_activity_data,
+            recent_page_views: page_view_events.order(time: :desc).limit(recent_page_views_limit),
+            extra_cards: extra_cards_data
+          }
+        end
+      end
+
+      def page_stats(page_name)
+        scoped = page_view_events.where(page_name:)
+
+        {
+          page_views: scoped.order(time: :desc).limit(page_details_limit),
+          stats: {
+            total_views: scoped.count,
+            unique_visitors: scoped.joins(:visit).distinct.count("ahoy_visits.visitor_token"),
+            avg_views_per_day: (scoped.count.to_f / days_in_range).round(2)
+          }
+        }
+      end
+
+      def visitor_stats(ip_address)
+        visitor_visits = visits.where(ip: ip_address)
+        visitor_events = page_view_events.joins(:visit).where(ahoy_visits: { ip: ip_address })
+
+        {
+          visitor_views: visitor_events.order(time: :desc).limit(visitor_details_limit),
+          stats: {
+            total_views: visitor_events.count,
+            unique_pages: visitor_events.where.not(page_name: [nil, ""]).distinct.count(:page_name),
+            first_visit: visitor_visits.minimum(:started_at),
+            last_visit: visitor_visits.maximum(:started_at)
+          }
+        }
+      end
+
+      private
+
+      def ruby_cms_config
+        Rails.application.config.ruby_cms
+      end
+
+      def cache_duration
+        RubyCms::Settings.get(
+          :analytics_cache_duration_seconds,
+          default: DEFAULT_CACHE_DURATION_SECONDS
+        ).to_i.seconds
+      rescue StandardError
+        DEFAULT_CACHE_DURATION_SECONDS.seconds
+      end
+
+      def cache_key(suffix)
+        "ruby_cms:analytics:#{@start_date.to_date}:#{@end_date.to_date}:#{@period}:#{suffix}"
+      end
+
+      def visits
+        base = Ahoy::Visit.where(started_at: @range)
+        # Use all visits by default so existing DB records are included. Bot exclusion
+        # can be applied via config.analytics_visit_scope (e.g. ->(s) { s.exclude_bots }).
+        apply_visit_scope_hook(base)
+      end
+
+      def page_view_events
+        base = Ahoy::Event.where(name: "page_view", time: @range).joins(:visit).merge(visits)
+        apply_event_scope_hook(base)
+      end
+
+      def apply_visit_scope_hook(scope)
+        hook = ruby_cms_config.analytics_visit_scope
+        return scope unless hook.respond_to?(:call)
+
+        hook.call(scope)
+      rescue StandardError
+        scope
+      end
+
+      def apply_event_scope_hook(scope)
+        hook = ruby_cms_config.analytics_event_scope
+        return scope unless hook.respond_to?(:call)
+
+        hook.call(scope)
+      rescue StandardError
+        scope
+      end
+
+      def popular_pages_data
+        limit = RubyCms::Settings.get(:analytics_max_popular_pages,
+                                      default: DEFAULT_MAX_POPULAR_PAGES).to_i
+
+        page_view_events
+          .where.not(page_name: [nil, ""])
+          .group(:page_name)
+          .order(Arel.sql("count_all DESC"))
+          .limit(limit)
+          .count
+      end
+
+      def top_visitors_data
+        limit = RubyCms::Settings.get(:analytics_max_top_visitors,
+                                      default: DEFAULT_MAX_TOP_VISITORS).to_i
+        visits.group(:ip).order(Arel.sql("COUNT(*) DESC")).limit(limit).count
+      end
+
+      def hourly_activity_data
+        # Portable: group in Ruby so we work on SQLite, PostgreSQL, MySQL
+        raw = page_view_events.pluck(:time).each_with_object(Hash.new(0)) do |t, acc|
+          acc[t.utc.strftime("%H")] += 1
+        end
+        ("00".."23").index_with {|h| raw[h] || 0 }.sort.to_h
+      end
+
+      def daily_activity_data
+        case @period
+        when "day"
+          hourly_activity_data
+        when "year"
+          group_by_month
+        else
+          group_by_date
+        end
+      end
+
+      def group_by_date
+        result = Hash.new(0)
+        page_view_events.pluck(:time).each do |time|
+          result[time.to_date.strftime("%Y-%m-%d")] += 1
+        end
+        fill_date_gaps(result)
+      end
+
+      def group_by_month
+        raw = page_view_events.pluck(:time).each_with_object(Hash.new(0)) do |t, acc|
+          acc[t.strftime("%Y-%m")] += 1
+        end
+        fill_month_gaps(raw)
+      end
+
+      def fill_month_gaps(data)
+        result = {}
+        current = @start_date.to_date.beginning_of_month
+        end_month = @end_date.to_date.beginning_of_month
+        while current <= end_month
+          key = current.strftime("%Y-%m")
+          result[key] = data[key] || 0
+          current = current.next_month
+        end
+        result
+      end
+
+      def daily_visitors_data
+        case @period
+        when "day"
+          {}
+        when "year"
+          group_visitors_by_month
+        else
+          group_visitors_by_date
+        end
+      end
+
+      def group_visitors_by_date
+        h = visits.pluck(:visitor_token, :started_at).each_with_object(Hash.new do |hash, k|
+          hash[k] = Set.new
+        end) do |(vt, st), acc|
+          next if st.blank?
+
+          key = st.respond_to?(:strftime) ? st.strftime("%Y-%m-%d") : st.to_s[0, 10]
+          acc[key] << vt
+        end
+        fill_date_gaps(h.transform_values(&:size))
+      end
+
+      def group_visitors_by_month
+        h = visits.pluck(:visitor_token, :started_at).each_with_object(Hash.new do |hash, k|
+          hash[k] = Set.new
+        end) do |(vt, st), acc|
+          next if st.blank?
+
+          key = st.respond_to?(:strftime) ? st.strftime("%Y-%m") : st.to_s[0, 7]
+          acc[key] << vt
+        end
+        raw = h.transform_values(&:size)
+        fill_month_gaps(raw)
+      end
+
+      def referrer_data
+        limit = RubyCms::Settings.get(:analytics_max_referrers, default: DEFAULT_MAX_REFERRERS).to_i
+        return {} unless Ahoy::Visit.column_names.include?("referrer")
+
+        visits.where.not(referrer: [nil, ""])
+              .group(:referrer)
+              .order(Arel.sql("COUNT(*) DESC"))
+              .limit(limit)
+              .count
+      end
+
+      def landing_pages_data
+        limit = RubyCms::Settings.get(:analytics_max_landing_pages,
+                                      default: DEFAULT_MAX_LANDING_PAGES).to_i
+        return {} unless Ahoy::Visit.column_names.include?("landing_page")
+
+        visits.where.not(landing_page: [nil, ""])
+              .group(:landing_page)
+              .order(Arel.sql("COUNT(*) DESC"))
+              .limit(limit)
+              .count
+      end
+
+      def utm_sources_data
+        limit = RubyCms::Settings.get(:analytics_max_utm_sources,
+                                      default: DEFAULT_MAX_UTM_SOURCES).to_i
+        return {} unless Ahoy::Visit.column_names.include?("utm_source")
+
+        raw = visits.where.not(utm_source: [nil, ""])
+                    .group(:utm_source, :utm_medium)
+                    .order(Arel.sql("COUNT(*) DESC"))
+                    .limit(limit)
+                    .count
+        raw.transform_keys do |(source, medium)|
+          "#{source}#{" / #{medium}" if medium.present?}"
+        end
+      end
+
+      def suspicious_activity_data
+        [].tap do |items|
+          add_high_volume_ips(items)
+          add_rapid_requests(items)
+        end
+      end
+
+      def add_high_volume_ips(items)
+        threshold = RubyCms::Settings.get(
+          :analytics_high_volume_threshold,
+          default: DEFAULT_HIGH_VOLUME_THRESHOLD
+        ).to_i
+
+        visits.group(:ip).having("COUNT(*) > ?", threshold).count.each do |ip, count|
+          items << {
+            type: "high_volume",
+            ip: ip,
+            count: count,
+            description: "High volume traffic from IP #{ip}"
+          }
+        end
+      end
+
+      def add_rapid_requests(items)
+        threshold = RubyCms::Settings.get(
+          :analytics_rapid_request_threshold,
+          default: DEFAULT_RAPID_REQUEST_THRESHOLD
+        ).to_i
+
+        per_ip_per_minute = Hash.new(0)
+        visits.pluck(:ip, :started_at).each do |ip, started_at|
+          next if started_at.blank?
+
+          minute_key = if started_at.respond_to?(:strftime)
+                         started_at.strftime("%Y-%m-%d %H:%M")
+                       else
+                         started_at.to_s[0,
+                                         16]
+                       end
+          per_ip_per_minute[[ip, minute_key]] += 1
+        end
+
+        per_ip_per_minute.each do |(ip, minute_key), count|
+          next unless count > threshold
+
+          items << {
+            type: "rapid_requests",
+            ip: ip,
+            count: count,
+            description: "Rapid requests from #{ip} at #{minute_key}"
+          }
+        end
+      end
+
+      def fill_date_gaps(data)
+        (@start_date.to_date..@end_date.to_date).each_with_object({}) do |date, acc|
+          key = date.strftime("%Y-%m-%d")
+          acc[key] = data[key] || 0
+        end
+      end
+
+      def extra_cards_data
+        hook = ruby_cms_config.analytics_extra_cards
+        return [] unless hook.respond_to?(:call)
+
+        cards = hook.call(
+          start_date: @start_date.to_date,
+          end_date: @end_date.to_date,
+          period: @period,
+          visits_scope: visits,
+          events_scope: page_view_events
+        )
+        Array(cards)
+      rescue StandardError
+        []
+      end
+
+      def days_in_range
+        (@end_date.to_date - @start_date.to_date + 1).to_i
+      end
+
+      def recent_page_views_limit
+        RubyCms::Settings.get(:analytics_recent_page_views_limit,
+                              default: DEFAULT_RECENT_PAGE_VIEWS_LIMIT).to_i
+      end
+
+      def page_details_limit
+        RubyCms::Settings.get(:analytics_page_details_limit,
+                              default: DEFAULT_PAGE_DETAILS_LIMIT).to_i
+      end
+
+      def visitor_details_limit
+        RubyCms::Settings.get(:analytics_visitor_details_limit,
+                              default: DEFAULT_VISITOR_DETAILS_LIMIT).to_i
+      end
+    end
+  end
+end

data/app/services/ruby_cms/security_tracker.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+module RubyCms
+  # Tracks security events to Ahoy::Event for analytics and monitoring.
+  # Use from host app controllers: RubyCms::SecurityTracker.track(...)
+  #
+  # Example:
+  #   RubyCms::SecurityTracker.track("failed_login", description: "Invalid password", request: request)
+  class SecurityTracker
+    EVENT_TYPES = %w[
+      failed_login
+      successful_login
+      logout
+      admin_access_denied
+      suspicious_user_agent
+      unusual_request_pattern
+      session_hijack_attempt
+      rate_limit_exceeded
+      csrf_token_mismatch
+      unauthorized_admin_attempt
+      contact_honeypot_triggered
+      contact_blocked_email_attempt
+      email_blocklist_error
+      ip_blocklist_error
+      ip_blocklist_blocked
+    ].freeze
+
+    def self.track(event_type, description:, user: nil, request: nil, ip_address: nil,
+                   user_agent: nil, request_path: nil)
+      return nil unless EVENT_TYPES.include?(event_type)
+
+      attrs = {
+        name: event_type,
+        ip_address: ip_address || request&.remote_ip,
+        request_path: request_path || request&.path,
+        user_agent: user_agent || request&.user_agent,
+        properties: { description: },
+        time: Time.current,
+        user: user
+      }
+
+      Ahoy::Event.create!(**attrs)
+    rescue StandardError => e
+      Rails.logger.error "Failed to track security event: #{e.message}"
+      nil
+    end
+
+    def self.risk_level(event_type)
+      case event_type
+      when "session_hijack_attempt", "unauthorized_admin_attempt" then "high"
+      when "failed_login", "csrf_token_mismatch" then "medium"
+      when "successful_login", "logout" then "info"
+      else "low"
+      end
+    end
+
+    def self.risk_color(event_type)
+      case risk_level(event_type)
+      when "high" then "red"
+      when "medium" then "yellow"
+      when "info" then "green"
+      else "blue"
+      end
+    end
+
+    def self.formatted_description(event)
+      event_type = event.name
+      ip = event.ip_address
+      user_agent = event.user_agent
+      path = event.request_path
+      description = event.properties&.dig("description") || event.try(:description)
+
+      case event_type
+      when "failed_login" then "Failed login attempt from #{ip}"
+      when "successful_login" then "Successful admin login from #{ip}"
+      when "logout" then "Admin logout from #{ip}"
+      when "admin_access_denied" then "Unauthorized admin access attempt from #{ip}"
+      when "unauthorized_admin_attempt" then "Non-admin user attempted admin login"
+      when "suspicious_user_agent" then "Suspicious user agent: #{user_agent&.truncate(50)}"
+      when "unusual_request_pattern" then "Unusual request pattern: #{path}"
+      when "session_hijack_attempt" then "Potential session hijacking from #{ip}"
+      when "rate_limit_exceeded" then "Rate limit exceeded from #{ip}"
+      when "csrf_token_mismatch" then "CSRF token mismatch on #{path}"
+      when "contact_honeypot_triggered" then "Contact honeypot triggered from #{ip}"
+      when "contact_blocked_email_attempt" then "Blocked contact email: #{description}"
+      when "email_blocklist_error" then "Error adding email to blocklist: #{description}"
+      when "ip_blocklist_blocked" then "Blocked IP #{ip} attempting #{path}"
+      else description.presence || event_type.humanize
+      end
+    end
+  end
+end