spontaneous 0.1.0.alpha1 → 0.2.0.alpha1

data/lib/spontaneous/publishing/simultaneous.rb

@@ -0,0 +1,70 @@
+# encoding: UTF-8
+
+require 'simultaneous'
+
+module Spontaneous
+  module Publishing
+    class Simultaneous
+
+      def self.task_name
+        # TODO: add site name to this to make it unique on a server
+        :publish
+      end
+
+      def self.register_task
+        publish_binary = (Pathname.new(Spontaneous.gem_dir) + "bin/spot site:publish").expand_path.to_s
+        site_root = Pathname.new(Spontaneous.root).expand_path.to_s
+        niceness = S.config.publish_niceness || 15
+        logfile =  "#{site_root}/log/publish.log"
+        # TODO: make nice value configurable
+        task_options = {
+          :niceness => niceness,
+          :logfile => logfile,
+          :pwd => site_root
+        }
+        task_params = {
+          "site" => site_root,
+          "logfile" => logfile,
+          "environment" => Spontaneous.env
+        }
+        ::Simultaneous.add_task(task_name, publish_binary, task_options, task_params, {})
+      end
+
+      def self.simultaneous_setup
+        ::Simultaneous.connection = ::Spontaneous.config.simultaneous_connection
+        ::Simultaneous.domain = ::Spontaneous.config.site_domain
+      end
+
+      simultaneous_setup
+      register_task
+
+      # def self.status
+      #   FAF.get_status(task_name)
+      # end
+
+      # def self.status=(status)
+      #   FAF.set_status(task_name, status)
+      # end
+
+      attr_reader :revision
+
+      def initialize(revision)
+        @revision = revision
+      end
+
+      def task_name
+        self.class.task_name
+      end
+
+      def publish_changes(change_list)
+        ::Simultaneous.fire(task_name, {"changes" => change_list})
+      end
+
+      def publish_all
+        ::Simultaneous.fire(task_name)
+      end
+    end # Simultaneous
+  end # Publishing
+end # Spontaneous
+
+

data/lib/spontaneous/rack.rb

@@ -6,6 +6,14 @@ require 'sinatra/base'
 
 module Spontaneous
   module Rack
+    NAMESPACE   = "/@spontaneous".freeze
+    ACTIVE_USER = "SPONTANEOUS_USER".freeze
+    ACTIVE_KEY  = "SPONTANEOUS_KEY".freeze
+    AUTH_COOKIE = "spontaneous_api_key".freeze
+    KEY_PARAM   = "__key".freeze
+
+    EXPIRES_MAX = DateTime.parse("Thu, 31 Dec 2037 23:55:55 GMT").httpdate
+
     class << self
       def application
         case Spontaneous.mode
@@ -19,37 +27,41 @@ module Spontaneous
       def port
         Site.config.port
       end
+
+      def make_front_controller(controller_class)
+        controller_class.use(Spontaneous::Rack::AroundFront)
+      end
+
+      def make_back_controller(controller_class)
+        controller_class.helpers Spontaneous::Rack::Helpers
+        controller_class.helpers Spontaneous::Rack::UserHelpers
+        controller_class.use Spontaneous::Rack::CookieAuthentication
+        controller_class.use Spontaneous::Rack::AroundBack
+        controller_class.register Spontaneous::Rack::Authentication
+      end
     end
 
     class ServerBase < ::Sinatra::Base
       set :environment, Proc.new { Spontaneous.environment }
-
-      # serve static files from the app's public dir
-
-      ## removed these as sinatra now sets utf-8 by default
-      # mime_type :js,  'text/javascript; charset=utf-8'
-      # mime_type :css, 'text/css; charset=utf-8'
-
-      # before do
-      #   ## globally setting this screws up auto content type setting by send_file
-      #   # content_type 'text/html', :charset => 'utf-8'
-      #   if Spontaneous.development?
-      #     # Templates.clear_cache!
-      #   end
-      # end
     end
 
-    autoload :HTTP, 'spontaneous/rack/http'
-    autoload :Assets, 'spontaneous/rack/assets'
-    autoload :Back, 'spontaneous/rack/back'
-    autoload :Front, 'spontaneous/rack/front'
-    autoload :Public, 'spontaneous/rack/public'
-    autoload :Media, 'spontaneous/rack/media'
-    autoload :Static, 'spontaneous/rack/static'
-    autoload :AroundBack, 'spontaneous/rack/around_back'
-    autoload :AroundFront, 'spontaneous/rack/around_front'
-    autoload :AroundPreview, 'spontaneous/rack/around_preview'
-    autoload :Reloader, 'spontaneous/rack/reloader'
+    autoload :HTTP,                 'spontaneous/rack/http'
+    autoload :Assets,               'spontaneous/rack/assets'
+    autoload :Back,                 'spontaneous/rack/back'
+    autoload :Front,                'spontaneous/rack/front'
+    autoload :Public,               'spontaneous/rack/public'
+    autoload :Authentication,       'spontaneous/rack/authentication'
+    autoload :CacheableFile,        'spontaneous/rack/cacheable_file'
+    autoload :Static,               'spontaneous/rack/static'
+    autoload :UserHelpers,          'spontaneous/rack/user_helpers'
+    autoload :Helpers,              'spontaneous/rack/helpers'
+    autoload :CookieAuthentication, 'spontaneous/rack/cookie_authentication'
+    autoload :QueryAuthentication,  'spontaneous/rack/query_authentication'
+    autoload :AroundBack,           'spontaneous/rack/around_back'
+    autoload :AroundFront,          'spontaneous/rack/around_front'
+    autoload :AroundPreview,        'spontaneous/rack/around_preview'
+    autoload :Reloader,             'spontaneous/rack/reloader'
+    autoload :EventSource,          'spontaneous/rack/event_source'
+    autoload :CSS,                  'spontaneous/rack/css'
   end
 end
-

data/lib/spontaneous/rack/around_back.rb

@@ -1,7 +1,5 @@
 # encoding: UTF-8
 
-require 'less'
-
 module Spontaneous
   module Rack
     class AroundBack
@@ -9,36 +7,18 @@ module Spontaneous
         @app = app
       end
 
-      def user(env)
-        if login = Site.config.auto_login
-          user = Spontaneous::Permissions::User[:login => login]
-        else
-          request = ::Rack::Request.new(env)
-          api_key = request.cookies[Spontaneous::Rack::Back::AUTH_COOKIE]
-          if api_key && key = Spontaneous::Permissions::AccessKey.authenticate(api_key)
-            key.user
-          else
-            nil
-          end
-        end
-      end
 
       def call(env)
         response = nil
         Content.with_identity_map do
-          Spontaneous::Permissions.with_user(user(env)) do
-            S::Render.with_preview_renderer do
-              Change.record do
-                response = @app.call(env)
-              end
+          S::Render.with_preview_renderer do
+            Change.record do
+              response = @app.call(env)
             end
           end
         end
         response
       end
-
     end
-
   end
 end
-

data/lib/spontaneous/rack/around_preview.rb

@@ -1,9 +1,8 @@
 # encoding: UTF-8
 
-
 module Spontaneous
   module Rack
-    class AroundPreview < AroundBack
+    class AroundPreview
       def initialize(app)
         @app = app
       end
@@ -11,16 +10,12 @@ module Spontaneous
       def call(env)
         response = nil
         Content.with_identity_map do
-          Spontaneous::Permissions.with_user(user(env)) do
-            S::Render.with_preview_renderer do
-              response = @app.call(env)
-            end
+          S::Render.with_preview_renderer do
+            response = @app.call(env)
           end
         end
         response
       end
-
     end
   end
 end
-

data/lib/spontaneous/rack/assets.rb

@@ -68,11 +68,11 @@ module Spontaneous
           compress_js(filelist)
         end
 
-        JQUERY = %w(min/492a209de8ee955fa9c729a765377495001e11b1)
-        COMPATIBILITY = %w(min/f07f2bd6630ee31e1c2288ec223383d8f0658ba6)
+        JQUERY = %w(min/2a0c2962537a3181fedfff5c92596ba6d3122dc9)
+        COMPATIBILITY = %w(min/4cf1c493d3379ecba5287758c61238034c0893f9)
         REQUIRE = %w(min/b8abf302a824c35385ff517b34111e1710ff3b37)
-        LOGIN_JS = %w(min/c7140ec9475e5bf868b901e0621338d7d162358b)
-        EDITING_JS = %w(min/80f684d77c940887a1d4a63e3a96102e993baa98)
+        LOGIN_JS = %w(min/78ac6b99d96750bb6b9f9aad4cb9cd91cd03f391)
+        EDITING_JS = %w(min/c8efb9b9f7c3f6613fcebc6be60f605b6570a382)
       end
 
       module CSS
@@ -89,8 +89,9 @@ module Spontaneous
           compress_css(filelist)
         end
 
-        LOGIN_CSS = %w(min/54ee0ed3c7fac7632bd5c020d69e9a2503e0c88c)
-        EDITING_CSS = %w(min/c256adc144e2bdd0b0539356b04eb62db01e1dc3)
+        LOGIN_CSS = %w(min/565d4c25e82148acb01c45c8d675b37a08676d77)
+        EDITING_CSS = %w(min/d1b54ff4847c613618267ca1c15658e2aee0a4e5)
+        SCHEMA_MODIFICATION_CSS = %w(min/84dbe894ea96eafd321c30823d630817bfc4b03b)
       end
 
     end # Assets

data/lib/spontaneous/rack/authentication.rb

@@ -0,0 +1,21 @@
+# encoding: UTF-8
+
+require 'rack'
+
+module Spontaneous::Rack
+  module Authentication
+
+    def requires_authentication!(options = {})
+      first_level_exceptions = (options[:except_all] || []).concat(["#{NAMESPACE}/login", "#{NAMESPACE}/reauthenticate"] )
+      second_level_exceptions = (options[:except_key] || [])
+      before {
+        unless first_level_exceptions.any? { |e| e === request.path }
+          ignore_key = second_level_exceptions.any? { |e| e === request.path }
+          valid_key = ignore_key || Spontaneous::Permissions::AccessKey.valid?(params[KEY_PARAM], user)
+          halt(401, erb(:login, :views => Spontaneous.application_dir('/views'), :locals => { :login => '' })) unless (user and valid_key)
+          show_login_page( :login => '' ) unless (user and valid_key)
+        end
+      }
+    end
+  end
+end

data/lib/spontaneous/rack/back.rb

@@ -8,103 +8,87 @@ module Spontaneous
     module Back
       include Assets
 
-      NAMESPACE = "/@spontaneous".freeze
-      AUTH_COOKIE = "spontaneous_api_key".freeze
-
-
-      module Authentication
-        module Helpers
-          def authorised?
-            if cookie = request.cookies[AUTH_COOKIE]
-              true
-            else
-              false
-            end
-          end
-
-          def unauthorised!
-            halt 401#, "You do not have the necessary permissions to update the '#{name}' field"
-          end
-
-          def api_key
-            request.cookies[AUTH_COOKIE]
-          end
-
-          def user
-            @user ||= load_user
-          end
-
-          def load_user
-            Spontaneous::Permissions.active_user
-          end
-        end
-
-        def self.registered(app)
-          app.helpers Authentication::Helpers
-
-          app.post "/reauthenticate" do
-            if key = Spot::Permissions::AccessKey.authenticate(params[:api_key])
-              response.set_cookie(AUTH_COOKIE, {
-                :value => key.key_id,
-                :path => '/'
-              })
-              redirect NAMESPACE, 302
-            else
-              halt(401, erubis(:login, :locals => { :invalid_key => true }))
-            end
-          end
-
-          app.post "/login" do
-            login = params[:user][:login]
-            password = params[:user][:password]
-            if key = Spontaneous::Permissions::User.authenticate(login, password)
-              response.set_cookie(AUTH_COOKIE, {
-                :value => key.key_id,
-                :path => '/'
-              })
-              if request.xhr?
-                json({
-                  :key => key.key_id,
-                  :redirect => NAMESPACE
-                })
-              else
-                redirect NAMESPACE, 302
-              end
-            else
-              halt(401, erubis(:login, :locals => { :login => login, :failed => true }))
-            end
-          end
-        end
-
-        KEY_PARAM = "__key".freeze
-
-        def requires_authentication!(options = {})
-          first_level_exceptions = (options[:except_all] || []).concat(["#{NAMESPACE}/login", "#{NAMESPACE}/reauthenticate"] )
-          second_level_exceptions = (options[:except_key] || [])
-          before do
-            unless first_level_exceptions.any? { |e| e === request.path }
-              ignore_key = second_level_exceptions.any? { |e| e === request.path }
-              valid_key = ignore_key || Spontaneous::Permissions::AccessKey.valid?(params[KEY_PARAM], user)
-              unless (user and valid_key)
-                halt(401, erubis(:login, :locals => { :login => '' }))
-              end
-            end
-          end
-        end
+      def self.messenger
+        @messenger ||= ::Spontaneous::Rack::EventSource.new
+        # Find a way to move this into a more de-centralised place
+        # at some point we are going to want to have some configurable, extendable
+        # list of event handlers
+        Simultaneous.on_event("publish_progress") { |event|
+          @messenger.deliver_event(event)
+        }
+        @messenger
       end
 
-
       def self.application
+        messenger = self.messenger
         app = ::Rack::Builder.new do
-          use ::Rack::Lint
-          use ::Rack::ShowExceptions if Spontaneous.development?
+          # use ::Rack::ShowExceptions if Spontaneous.development?
+          # AFAIK the only non-thread-safe part of the stack are the renderer calls
+          # because they rely on the global values of renderer and also Content.with_visible
+          # I'm not sure that using Rack::Lock here would fix any problems that this causes,
+          # or even if there are any problems that would be caused
+          #
+          # use ::Rack::Lock
+          # ###################
+          # Looking at the three Around* middlewares, there shouldn't actually be a problem with
+          # the renderers, as the only conflict would come from the back server which provides two
+          # outputs: the preview and the editing interface. Luckily both the preview and the editing
+          # interface share the same renderer.
+          # The real problem is the Content::with_visible wrapper as the editing interface and the preview
+          # renderer use different values for this. As the only way to solve this would be using a global
+          # to replace the model class (as we need to be able to issue thread save Model.select calls)
+          # I don't know how to fix this.
+          # One solution would be to always use the Content::_unfiltered_dataset call within the editing interface
+          # and then we'd be free (I think) to wrap it in the with_visible call, though I don't know how this would
+          # affect the loading of content within the page.
+          #
+          # Needs testing...
+          # ###################
 
           use Spontaneous::Rack::Static, :root => Spontaneous.root / "public",
             :urls => %w[/],
             :try => ['.html', 'index.html', '/index.html']
 
+          ################### REMOVE THIS
+          # map "#{NAMESPACE}/lock" do
+          #   run proc {
+          #     Spontaneous.database.transaction do
+          #       Spontaneous.database.run("LOCK TABLES content WRITE, spontaneous_access_keys READ")
+          #       puts S::Content.first
+          #       Spontaneous.database.run("SELECT SLEEP(10)")
+          #       Spontaneous.database.run("UNLOCK TABLES")
+          #     end
+          #   }
+          # end
+          # map "#{NAMESPACE}/unlock" do
+          #   run proc { Spontaneous.database.run("UNLOCK TABLES") }
+          # end
+          ################### END REMOVE THIS
+
+          Spontaneous.instance.back_controllers.each do |namespace, controller_class|
+            map namespace do
+              run controller_class
+            end
+          end if Spontaneous.instance
+
+          # Make all the files available under plugin_name/public/**
+          # available under the URL /plugin_name/**
+          Spontaneous.instance.plugins.each do |plugin|
+            root = plugin.paths.expanded(:public)
+            map "/#{plugin.file_namespace}" do
+              use Spontaneous::Rack::CSS, :root => root
+              run ::Rack::File.new(root)
+            end
+          end if Spontaneous.instance
+
+          map "#{NAMESPACE}/events" do
+            use CookieAuthentication
+            use QueryAuthentication
+            run messenger.app
+          end
 
           map NAMESPACE do
+            use ::Rack::Lint
             use Spontaneous::Rack::Static, :root => Spontaneous.application_dir, :urls => %W(/static /js)
             use AssetsHandler
             use UnsupportedBrowserHandler
@@ -113,10 +97,13 @@ module Spontaneous
           end
 
           map "/media" do
-            run Spontaneous::Rack::Media.new
+            use ::Rack::Lint
+            run Spontaneous::Rack::CacheableFile.new(Spontaneous.media_dir)
           end
 
           map "/" do
+            use ::Rack::Lint
+            use Spontaneous::Rack::CSS, :root => Spontaneous.instance.paths.expanded(:public)
             run Preview
           end
         end
@@ -124,56 +111,40 @@ module Spontaneous
 
       class EditingBase < ServerBase
         set :views, Proc.new { Spontaneous.application_dir + '/views' }
+        set :environment, Proc.new { Spontaneous.env }
+        enable :dump_errors, :raise_errors, :show_exceptions if Spontaneous.development?
 
-        helpers do
-
-          def style_url(style)
-            "#{NAMESPACE}/css/#{style}.css"
-          end
-
-          def script_url(script)
-            "#{NAMESPACE}/js/#{script}.js"
-          end
-
-          def script_list(scripts)
-            if Spontaneous.development?
-              scripts.map do |script|
-                src = "/js/#{script}.js"
-                path = Spontaneous.application_dir(src)
-                size = File.size(path)
-                ["#{NAMESPACE}#{src}", size]
-                # %(<script src="#{NAMESPACE}/js/#{script}.js" type="text/javascript"></script>)
-              end.to_json
-            else
-              # script bundling + compression
-            end
-          end
-        end
+        helpers Spontaneous::Rack::UserHelpers
+        helpers Spontaneous::Rack::Helpers
 
         def json(response)
           content_type 'application/json', :charset => 'utf-8'
-          response.serialise_http
+          response.serialise_http(user)
         end
       end
 
       class UnsupportedBrowserHandler < EditingBase
         get '/unsupported' do
-          erubis :unsupported
+          erb :unsupported
         end
       end
 
-      class AuthenticatedHandler < EditingBase
+      class BackControllerBase < EditingBase
+        # use CookieAuthentication
+        # use AroundBack
+        # register Authentication
+      end
+      Spontaneous::Rack.make_back_controller(BackControllerBase)
 
-        use AroundBack
-        register Authentication
-        requires_authentication! :except_all => [%r(^#{NAMESPACE}/unsupported)], :except_key => [%r(^#{NAMESPACE}/?$)]
+      class AuthenticatedHandler < BackControllerBase
+        requires_authentication! :except_all => [%r(^#{NAMESPACE}/unsupported)], :except_key => [%r(^#{NAMESPACE}/?(/\d+/?.*)?$)]
       end
 
       class SchemaModification < AuthenticatedHandler
 
         post "/schema/delete" do
           begin
-            Spontaneous::Schema.apply_fix(:delete, params[:uid])
+            Spontaneous.schema.apply_fix(:delete, params[:uid])
           rescue Spot::SchemaModificationError # ignore remaining errors - they will be fixed later
           end
           redirect(params[:origin])
@@ -181,8 +152,8 @@ module Spontaneous
 
         post "/schema/rename" do
           begin
-            Spontaneous::Schema.apply_fix(:rename, params[:uid], params[:ref])
-          rescue Spot::SchemaModificationError # ignore remaining errors - they will be fixed later
+            Spontaneous.schema.apply_fix(:rename, params[:uid], params[:ref])
+          rescue Spot::SchemaModificationError => e # ignore remaining errors - they will be fixed later
           end
           redirect(params[:origin])
         end
@@ -200,10 +171,10 @@ module Spontaneous
           if field_data
             field_data.each do |id, values|
               field = model.fields.sid(id)
-              if model.field_writable?(field.name.to_sym)
+              if model.field_writable?(user, field.name.to_sym)
                 # version = values.delete("version").to_i
                 # if version == field.version
-                  field.update(values)
+                field.update(values)
                 # else
                 #   conflicts << [field, values]
                 # end
@@ -224,20 +195,61 @@ module Spontaneous
           end
         end
 
-        def content_for_request
-          content = Content[params[:id]]
-          halt 404 if content.nil?
-          if box_id = Spontaneous::Schema::UID[params[:box_id]]
-            box = content.boxes.detect { |b| b.schema_id == box_id }
-            [content, box]
+        def content_for_request(lock = false)
+          Content.db.transaction {
+            dataset = lock ? Content.for_update : Content
+            content = dataset.first(:id => params[:id])
+            halt 404 if content.nil?
+            if box_id = Spontaneous.schema.uids[params[:box_id]]
+              box = content.boxes.detect { |b| b.schema_id == box_id }
+              yield(content, box)
+            else
+              yield(content)
+            end
+          }
+        end
+
+        post "/reauthenticate" do
+          if key = Spot::Permissions::AccessKey.authenticate(params[:api_key])
+            response.set_cookie(AUTH_COOKIE, {
+              :value => key.key_id,
+              :path => '/'
+            })
+            origin = "#{NAMESPACE}#{params[:origin]}"
+            redirect origin, 302
           else
-            content
+            show_login_page( :invalid_key => true )
           end
         end
 
+        post "/login" do
+          login = params[:user][:login]
+          password = params[:user][:password]
+          origin = "#{NAMESPACE}#{params[:origin]}"
+          if key = Spontaneous::Permissions::User.authenticate(login, password)
+            response.set_cookie(AUTH_COOKIE, {
+              :value => key.key_id,
+              :path => '/'
+            })
+            if request.xhr?
+              json({
+                :key => key.key_id,
+                :redirect => origin
+              })
+            else
+              redirect origin, 302
+            end
+          else
+            show_login_page( :login => login, :failed => true )
+          end
+        end
 
         get '/?' do
-          erubis :index
+          erb :index
+        end
+
+        get %r{^/(\d+/?.*)?$} do
+          erb :index
         end
 
         get '/root' do
@@ -250,11 +262,11 @@ module Spontaneous
         # TODO: check for perms on the particular bit of content
         # and pass user level into returned JSON
         get '/page/:id' do
-          json(content_for_request)
+          content_for_request { |content| json(content)}
         end
 
         get '/types' do
-          json Schema
+          json Site.schema
         end
 
         # get '/type/:type' do
@@ -287,7 +299,7 @@ module Spontaneous
 
         post '/root' do
           if Site.root.nil?
-            type = Spontaneous::Schema[params[:type]]
+            type = Spontaneous.schema[params[:type]]
             root = type.create(:title => "Home")
             Spontaneous::Change.push(root)
             json({:id => root.id})
@@ -296,14 +308,10 @@ module Spontaneous
           end
         end
 
-        post '/version/:id' do
-          content = content_for_request
-          generate_conflict_list(content)
-        end
-
-        post '/version/:id/:box_id' do
-          content, box = content_for_request
-          generate_conflict_list(box)
+        post '/version/:id/?:box_id?' do
+          content_for_request(true) do |content, box|
+            generate_conflict_list(box || content)
+          end
         end
 
         def generate_conflict_list(content)
@@ -326,109 +334,101 @@ module Spontaneous
         end
 
         post '/save/:id' do
-          update_fields(content_for_request, params[:field])
+          content_for_request(true) do |content|
+            update_fields(content, params[:field])
+          end
         end
 
         post '/savebox/:id/:box_id' do
-          content, box = content_for_request
-          if box.writable?
-            update_fields(box, params[:field])
-          else
-            unauthorised!
+          content_for_request(true) do |content, box|
+            if box.writable?(user)
+              update_fields(box, params[:field])
+            else
+              unauthorised!
+            end
           end
         end
 
 
         post '/content/:id/position/:position' do
-          content = content_for_request
-          if content.box.writable?
-            content.update_position(params[:position].to_i)
-            json( {:message => 'OK'} )
-          else
-            unauthorised!
+          content_for_request(true) do |content|
+            if content.box.writable?(user)
+              content.update_position(params[:position].to_i)
+              json( {:message => 'OK'} )
+            else
+              unauthorised!
+            end
           end
         end
 
         post '/toggle/:id' do
-          content = content_for_request
-          if content.box && content.box.writable?
-            content.toggle_visibility!
-            json({:id => content.id, :hidden => (content.hidden? ? true : false) })
-          else
-            unauthorised!
-          end
-        end
-
-
-        # Don't think this is actually used
-        post '/file/upload/:id' do
-          file = params['file']
-          media_file = Spontaneous::Media.upload_path(file[:filename])
-          FileUtils.mkdir_p(File.dirname(media_file))
-          FileUtils.mv(file[:tempfile].path, media_file)
-          json({ :id => params[:id], :src => Spontaneous::Media.to_urlpath(media_file), :path => media_file})
-        end
-
-
-        # TODO: DRY this up
-        post '/file/replace/:id' do
-          target = content_for_request
-          file = params['file']
-          field = target.fields.sid(params['field'])
-          if target.field_writable?(field.name)
-            # version = params[:version].to_i
-            # if version == field.version
-              field.unprocessed_value = file
-              target.save
-              json({ :id => target.id, :src => field.src, :version => field.version})
-            # else
-            #   errors = [[field.schema_id.to_s, [field.version, field.conflicted_value]]]
-            #   [409, json(Hash[errors])]
-            # end
-          else
-            unauthorised!
+          content_for_request(true) do |content|
+            if content.box && content.box.writable?(user)
+              content.toggle_visibility!
+              json({:id => content.id, :hidden => (content.hidden? ? true : false) })
+            else
+              unauthorised!
+            end
           end
         end
 
-        post '/file/replace/:id/:box_id' do
-          content, box = content_for_request
-          target = box || content
-          file = params[:file]
-          field = target.fields.sid(params['field'])
-          if target.field_writable?(field.name)
-            # version = params[:version].to_i
-            # if version == field.version
+        post '/file/replace/:id/?:box_id?' do
+          content_for_request(true) do |content, box|
+            target = box || content
+            file = params[:file]
+            field = target.fields.sid(params['field'])
+            if target.field_writable?(user, field.name)
+              # version = params[:version].to_i
+              # if version == field.version
               field.unprocessed_value = file
               content.save
-              json({ :id => content.id, :src => field.src, :version => field.version})
-            # else
-            #   errors = [[field.schema_id.to_s, [field.version, field.conflicted_value]]]
-            #   [409, json(Hash[errors])]
-            # end
-          else
-            unauthorised!
+              json(field.export(user))
+              # else
+              #   errors = [[field.schema_id.to_s, [field.version, field.conflicted_value]]]
+              #   [409, json(Hash[errors])]
+              # end
+            else
+              unauthorised!
+            end
           end
         end
 
 
         post '/file/wrap/:id/:box_id' do
-          content, box = content_for_request
-          file = params['file']
-          type = box.type_for_mime_type(file[:type])
-          if type
-            if box.writable?(type)
-              position = 0
+          content_for_request(true) do |content, box|
+            file = params['file']
+            type = box.type_for_mime_type(file[:type])
+            if type
+              if box.writable?(user, type)
+                position = 0
+                instance = type.new
+                box.insert(position, instance)
+                field = instance.field_for_mime_type(file[:type])
+                field.unprocessed_value = file
+                instance.save
+                content.save
+                json({
+                  :position => position,
+                  :entry => instance.entry.export(user)
+                })
+              else
+                unauthorised!
+              end
+            end
+          end
+        end
+
+        post '/add/:id/:box_id/:type_name' do
+          content_for_request(true) do |content, box|
+            position = (params[:position] || 0).to_i
+            type = Spontaneous.schema[params[:type_name]]#.constantize
+            if box.writable?(user, type)
               instance = type.new
               box.insert(position, instance)
-              field = instance.field_for_mime_type(file[:type])
-              media_file = Spontaneous::Media.upload_path(file[:filename])
-              FileUtils.mkdir_p(File.dirname(media_file))
-              FileUtils.mv(file[:tempfile].path, media_file)
-              field.unprocessed_value = media_file
               content.save
               json({
                 :position => position,
-                :entry => instance.entry.export
+                :entry => instance.entry.export(user)
               })
             else
               unauthorised!
@@ -436,95 +436,85 @@ module Spontaneous
           end
         end
 
-        post '/add/:id/:box_id/:type_name' do
-          content, box = content_for_request
-          position = 0
-          type = Spontaneous::Schema[params[:type_name]]#.constantize
-          if box.writable?(type)
-            instance = type.new
-            box.insert(position, instance)
-            content.save
-            json({
-              :position => position,
-              :entry => instance.entry.export
-            })
-          else
-            unauthorised!
-          end
-        end
-
         post '/destroy/:id' do
-          content = content_for_request
-          if content.box.writable?
-            content.destroy
-            json({})
-          else
-            unauthorised!
+          content_for_request(true) do |content|
+            if content.box.writable?(user)
+              content.destroy
+              json({})
+            else
+              unauthorised!
+            end
           end
         end
 
         post '/slug/:id' do
-          content = content_for_request
-          if params[:slug].nil? or params[:slug].empty?
-            406 # Not Acceptable
-          else
-            content.slug = params[:slug]
-            if content.siblings.detect { |s| s.slug == content.slug }
-              409 # Conflict
+          content_for_request(true) do |content|
+            if params[:slug].nil? or params[:slug].empty?
+              406 # Not Acceptable
             else
-              content.save
-              json({:path => content.path })
+              content.slug = params[:slug]
+              if content.siblings.detect { |s| s.slug == content.slug }
+                409 # Conflict
+              else
+                content.save
+                json({:path => content.path, :slug => content.slug })
+              end
             end
           end
         end
 
         get '/slug/:id/unavailable' do
-          content = content_for_request
-          json(content.siblings.map { |c| c.slug })
+          content_for_request do |content|
+            json(content.siblings.map { |c| c.slug })
+          end
         end
 
         post '/uid/:id' do
           if user.developer?
-            content = content_for_request
-            content.uid = params[:uid]
-            content.save
-            json({:uid => content.uid })
+            content_for_request(true) do |content|
+              content.uid = params[:uid]
+              content.save
+              json({:uid => content.uid })
+            end
           else
             unauthorised!
           end
         end
 
-        get '/targets/:schema_id' do
-          klass = Spontaneous::Schema[params[:schema_id]]
+        get '/targets/:schema_id/:id/:box_id' do
+          klass = Spontaneous.schema[params[:schema_id]]
           if klass.alias?
-            targets = klass.targets.map do |t|
-              {
-                :id => t.id,
-                :title => t.alias_title,
-                :icon => t.alias_icon_field.export
-              }
+            content_for_request do |content, box|
+              targets = klass.targets(content, box).map do |t|
+                {
+                  :id => t.id,
+                  :title => t.alias_title,
+                  :icon => t.exported_alias_icon
+                }
+              end
+              json(targets)
             end
-            json(targets)
           end
         end
 
         post '/alias/:id/:box_id' do
-          content, box = content_for_request
-          type = Spontaneous::Schema[params[:alias_id]]
-          position = 0
-          if box.writable?(type)
-            target = Spontaneous::Content[params[:target_id]]
-            if target
-              instance = type.create(:target => target)
-              box.insert(position, instance)
-              content.save
-              json({
-                :position => position,
-                :entry => instance.entry.export
-              })
+          content_for_request(true) do |content, box|
+            type = Spontaneous.schema[params[:alias_id]]
+            position = (params[:position] || 0).to_i
+            if box.writable?(user, type)
+              target = Spontaneous::Content[params[:target_id]]
+              if target
+                instance = type.create(:target => target)
+                box.insert(position, instance)
+                content.save
+                json({
+                  :position => position,
+                  :entry => instance.entry.export(user)
+                })
+              end
+            else
+              unauthorised!
             end
-          else
-            unauthorised!
           end
         end
 
@@ -552,10 +542,6 @@ module Spontaneous
           end
         end
 
-        get '/publish/status' do
-          json(Spontaneous::Site.publishing_status)
-        end
-
         get '/shard/:sha1' do
           shard = Spontaneous.shard_path(params[:sha1])
           if ::File.file?(shard)
@@ -580,29 +566,26 @@ module Spontaneous
           end
         end
 
-        post '/shard/replace/:id' do
-          content = content_for_request
-          replace_with_shard(content, content.id)
-        end
-
-        post '/shard/replace/:id/:box_id' do
-          content, box = content_for_request
-          replace_with_shard(box, content.id)
+        post '/shard/replace/:id/?:box_id?' do
+          content_for_request(true) do |content, box|
+            target = box || content
+            replace_with_shard(target, content.id)
+          end
         end
 
         def replace_with_shard(target, target_id)
           field = target.fields.sid(params[:field])
-          if target.field_writable?(field.name)
+          if target.field_writable?(user, field.name)
             # version = params[:version].to_i
             # if version == field.version
-              Spontaneous::Media.combine_shards(params[:shards]) do |combined|
-                field.unprocessed_value = {
-                  :filename => params[:filename],
-                  :tempfile => combined
-                }
-                target.save
-              end
-              json({ :id => target_id, :src => field.src, :version => field.version})
+            Spontaneous::Media.combine_shards(params[:shards]) do |combined|
+              field.unprocessed_value = {
+                :filename => params[:filename],
+                :tempfile => combined
+              }
+              target.save
+            end
+            json(field.export(user))
             # else
             #   errors = [[field.schema_id.to_s, [field.version, field.conflicted_value]]]
             #   [409, json(Hash[errors])]
@@ -614,27 +597,28 @@ module Spontaneous
 
         # TODO: remove duplication here
         post '/shard/wrap/:id/:box_id' do
-          content, box = content_for_request
-          type = box.type_for_mime_type(params[:mime_type])
-          if type
-            if box.writable?(type)
-              position = 0
-              instance = type.new
-              box.insert(position, instance)
-              field = instance.field_for_mime_type(params[:mime_type])
-              Spontaneous::Media.combine_shards(params[:shards]) do |combined|
-                field.unprocessed_value = {
-                  :filename => params[:filename],
-                  :tempfile => combined
-                }
-                content.save
+          content_for_request(true) do |content, box|
+            type = box.type_for_mime_type(params[:mime_type])
+            if type
+              if box.writable?(user, type)
+                position = 0
+                instance = type.new
+                box.insert(position, instance)
+                field = instance.field_for_mime_type(params[:mime_type])
+                Spontaneous::Media.combine_shards(params[:shards]) do |combined|
+                  field.unprocessed_value = {
+                    :filename => params[:filename],
+                    :tempfile => combined
+                  }
+                  content.save
+                end
+                json({
+                  :position => position,
+                  :entry => instance.entry.export(user)
+                })
+              else
+                unauthorised!
               end
-              json({
-                :position => position,
-                :entry => instance.entry.export
-              })
-            else
-              unauthorised!
             end
           end
         end
@@ -689,23 +673,19 @@ module Spontaneous
       end
 
       class Preview < Sinatra::Base
+        use Reloader if Site.config.reload_classes
         include Spontaneous::Rack::Public
+        helpers Spontaneous::Rack::UserHelpers
 
+        use CookieAuthentication
         use AroundPreview
-        register Authentication
 
         set :views, Proc.new { Spontaneous.application_dir + '/views' }
 
-        # I don't want this because I'm redirecting everything to /@spontaneous unless
-        # we're logged in
-        # requires_authentication! :except => ['/', '/favicon.ico']
-
         # redirect to /@spontaneous unless we're logged in
-        before do
-          unless user
-            redirect NAMESPACE, 302
-          end
-        end
+        before {
+          redirect NAMESPACE, 302 unless user
+        }
 
 
         get '*' do
@@ -726,4 +706,3 @@ module Spontaneous
     end
   end
 end
-