spree_admin_roles_and_access 2.0.0 → 3.2.1.beta

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 64146eca6e414833fc625640dbcf12effbd80543
-  data.tar.gz: f611e1895d9ca6dbde6c3dfeca952b06f3461690
+  metadata.gz: a17455fffb63fe6f9be0ea4e21d5c55676c485ae
+  data.tar.gz: 3e7af0767d716a00d0b2ee0260a0e32bf756456e
 SHA512:
-  metadata.gz: a45920143eb48b5918613f6f607ec98a749300f9a7814ed11d64c5ff42544c7da2ac268f5aa64032b8cec1cbdf572d5a1174342f434163468ec1f9975f3017e2
-  data.tar.gz: 3f26e89a3a966d30a58f19b329b095c59dcc2496e992229b7da4415c2b4f011b0e7e1bff39e9875be1d75ccbf89172ceaa33773ad24c79cba1221b4c39841cb7
+  metadata.gz: bac48fa3b25d9b140376843107a32ee10d4a536343d9c5b456d6f3fbfe6cf8ef3aa1a71659f7fd70f0b0de782630b640f0b5aa84e4f3a6f711a3a2b3a751e439
+  data.tar.gz: 25a2c4997fc9d53a1c524b5f69c3bf8895d33855c188c584994d4d4ac1e7414256352a763f9eefbb4855393661f97b7a9d4d0ea30617b29486d3e88abe064c07

data/README.md

@@ -1,7 +1,14 @@
 SpreeAdminRolesAndAccess [![Code Climate](https://codeclimate.com/github/vinsol/spree_admin_roles_and_access.png)](https://codeclimate.com/github/vinsol/spree_admin_roles_and_access) [![Build Status](https://travis-ci.org/vinsol/spree_admin_roles_and_access.png?branch=master)](https://travis-ci.org/vinsol/spree_admin_roles_and_access)
 ========================
 
-This spree extension is build on CanCan to dynamically add new roles and define its access through permissions.
+This spree extension is built on CanCan to dynamically add new roles and define its access through permissions.
+
+Screenshots
+-----------
+
+![Permission Sets](/screenshots/admin1.png "Creating Permission Sets")
+![Roles](/screenshots/admin2.png "Creating Roles from permission sets")
+
 
 Installation
 ------------
@@ -12,62 +19,58 @@ Add spree_admin_roles_and_access to your Gemfile:
 gem 'spree_admin_roles_and_access'
 ```
 
-But if you are using older version of spree
-
-
-```ruby
-# Spree 2.4.0-rc3
-gem 'spree_admin_roles_and_access', '1.3.0'
-```
-
-
-```ruby
-# Spree 2.1.x
-gem 'spree_admin_roles_and_access', '1.1.0'
-```
-
-```ruby
-# Spree 2.0.x
-gem 'spree_admin_roles_and_access', '1.0.0'
-```
-
 Bundle your dependencies and run the installation generator:
 
 ```shell
 bundle
 bundle exec rails g spree_admin_roles_and_access:install
 bundle exec rake spree_roles:permissions:populate # To populate user and admin roles with their permissions
+bundle exec rake spree_roles:permissions:populate_permission_sets # To set up some convenient permission sets.
 ```
 
 Usage
 -----
 
-From Admin end, there is a role menu in configuration tab(admin end).
-A new Role can be added and its corresponding permissions can also be selected there.
-Permission to be chosen can be made only with rails console or a ruby script.
+From Admin end, There are three menu's in the configuration Tab:
+
+  1. **Permission:** Describes what the user can do.
+  2. **Permission Set:** A collection of permission describing an aspect of role.
+  3. **Role:** Collection of multiple permission sets which describe the role of user in the organisation. A role can be marked as `admin_accessible` in the role edit page.
+     A role marked as such will get a default admin dashboard page in case they land on an admin page on which they do not have access.
 
 Types of Permission
+-------------------
+
+  1. **Default Permission** - Basic permissions required by a user to perform task on user end, like creating an order etc. Every role should be provided with this permissions.
+  2. **Can Manage All** - Role with this permission can do everything. This permission is also invisible at admin end. And it should only be given to admin and super admin.
+  3. **Resource Manage Permission** - Each Resource has an associated admin permission that is required for accessing it. i.e. `can-admin-spree/products`
+  4. **Resource Permission** - What the user is allowed to do with the resource. i.e. `Create`, `Update`, `Delete`, `List` or `Show`.
+
+
 
-  1. Default Permission - Basic permissions required by a user to perform task on user end, like creating an order etc. Every role should be provided with this permissions.
+Pattern of the permissions
+--------------------------
 
-  2. Default Admin Permission - Because of this permission an admin can go to '/admin' route.
+  1. **Can/cannot** - specifies whether the user with that permission can do or cannot do that task.
+  2. **Action** - specifies the action which can be done by that model or subject like update, index, create etc. There is a special action called manage which matches every action.
+  3. **Subject** - specified the model like products, users etc. of which the permission is given. There is an special subject called all which matches every subject.
+  4. **Attributes** - specifies the attributes for which the permission is specified. Read-only actions shouldn't require this like index, read etc. But it is more secure if we specify them in other actions like create or update.
 
-  3. Can Manage All - Role with this permission can do everything. This permission is also invisible at admin end. And it should only be given to admin and super admin.
+Some Examples
+-------------
 
-Pattern of the permissions :-
+  1. **can-manage-spree/product** - can perform every action on Spree::Product but not on any other model or subject.
+  2. **can-update-all** - can update all models or subjects.
+  3. **can-update-spree/product** - can update only products, and not users, orders and other things.
+  4. **can-update-spree/product-price** - can update only price of products.
+  5. **can-manage-all** - can perform every action on all models.
 
-  1. Can/cannot - specifies whether the user with that permission can do or cannot do that task.
-  2. Action - specifies the action which can be done by that model or subject like update, index, create etc. There is a special action called manage which matches every action.
-  3. Subject - specified the model like products, users etc. of which the permission is given. There is an special subject called all which matches every subject.
-  4. Attributes - specifies the attributes for which the permission is specified. Read-only actions shouldn't require this like index, read etc. But it is more secure if we specify them in other actions like create or update.
 
-Some Examples :-
+Permission Sets
+---------------
+
+Once permissions are created you can organize groups of them into permission sets, These permission sets can then be assigned to the user's role which requires them.
 
-  1. can-manage-spree/product - can perform every action on Spree::Product but not on any other model or subject.
-  2. can-update-all - can update all models or subjects.
-  3. can-update-spree/product - can update only products, and not users, orders and other things.
-  4. can-update-spree/product-price - can update only price of products.
-  5. can-manage-all - can perform every action on all models.
 
 Points to remember
 
@@ -78,8 +81,21 @@ Points to remember
     To create a product, can-admin-spree/product is also needed along with can-create-spree/product.
 
   3. To define custom cancan permissions, which can not be made with the pattern adopted.
-    Override a module Permission. And define the permission in a method, and create a permission in the database.
+    Override the module Permission. And define the permission in a method, and create a permission in the database. See example of `default-permission`.
+
+
+Migration from older version
+----------------------------
+
+__v3.2.1 introduces some breaking changes.__
+
+After updating the gem version. Run `rails g spree_admin_roles_and_access:install` to get the latest migrations. This includes a migration that generates a permission set per user role. With this, you should be able to continue using the original roles as you were earlier.
+
+Additionally you may want to run the rake task `populate_permission_sets` to seed some initial permission sets. You can now gradually opt into seperating user role permissions into appropriate permission sets.
+
+The original relationship between roles and permissions can be accessed via, `legacy_roles` & `legacy_permissions`. They are not supported or editable via the admin interfaces and are only mantained for use in our migration task.
 
+**Note in the previous version read action was only for show. That has been superseded by read action now implying both show and index.**
 
 Testing
 -------
@@ -92,6 +108,27 @@ bundle exec rake test_app
 bundle exec rspec spec
 ```
 
+For older versions of spree
+----------------------------
+
+If you are using older version of spree. You can use the following version, please check the relavent readme for version specific installation guide.
+
+
+```ruby
+# Spree 2.4.0-rc3
+gem 'spree_admin_roles_and_access', '1.3.0'
+```
+
+```ruby
+# Spree 2.1.x
+gem 'spree_admin_roles_and_access', '1.1.0'
+```
+
+```ruby
+# Spree 2.0.x
+gem 'spree_admin_roles_and_access', '1.0.0'
+```
+
 Contributing
 ------------
 
@@ -109,4 +146,4 @@ Credits
 
 [![vinsol.com: Ruby on Rails, iOS and Android developers](http://vinsol.com/vin_logo.png "Ruby on Rails, iOS and Android developers")](http://vinsol.com)
 
-Copyright (c) 2014 [vinsol.com](http://vinsol.com "Ruby on Rails, iOS and Android developers"), released under the New MIT License
+Copyright (c) 2017 [vinsol.com](http://vinsol.com "Ruby on Rails, iOS and Android developers"), released under the New MIT License

data/app/assets/javascripts/spree/backend/spree_admin_roles_and_access.js

@@ -1 +1,84 @@
-//= require spree/backend
+//= require spree/backend
+
+var SearchableList = (function() {
+  var SearchableCheckboxList = function(container) {
+    this.$searchBox = $("<div class='input-group input-group-lg col-xs-12'>\
+                           <input type='text' placeholder='Search..' class='narrow-down-list form-control'></input>\
+                            <div class='input-group-btn search-icon-btn'>\
+                              <button class='btn btn-default' type='submit'><i class='glyphicon glyphicon-search'></i></button>\
+                            </div>\
+                         </div>");
+    this.$container = container;
+    container.before(this.$searchBox);
+    this.bindEvents();
+  };
+
+  SearchableCheckboxList.prototype.bindEvents = function() {
+    this.bindSearch();
+    this.bindCheck();
+    this.formChange();
+  };
+
+  SearchableCheckboxList.prototype.bindCheck = function() {
+    this.$container.find('.list-group-item').on('click', function(e) {
+      if (this == e.target) {
+        $(this).find('input:checkbox').click();
+      }
+    });
+
+    this.$container.find('input:checkbox').on('change', function() {
+      var checkbox     = $(this);
+      var lgItem       = checkbox.parents('.list-group-item');
+      var lg           = checkbox.parents('.list-group');
+      var total        = lg.find('.list-group-item').length;
+      var totalChecked = lg.find('input:checked').length;
+      lgItem.toggleClass('list-group-item-success');
+      checkbox.parents('.panel').find('.count').text(totalChecked + '/' + total);
+    });
+  };
+
+  SearchableCheckboxList.prototype.bindSearch = function() {
+    var that = this;
+    this.$searchBox.on('keyup', function(e) {
+      var value = $(this).find('input').val();
+      var pattern = new RegExp(value, "i");
+
+      that.$container.find('.list-group-item').each(function() {
+        if (!($(this).text().search(pattern) >= 0)) {
+          $(this).hide();
+        } else {
+          $(this).show();
+        }
+      });
+    });
+  };
+
+  SearchableCheckboxList.prototype.formChange = function() {
+    var that = this;
+    var form = this.$container.closest('form');
+    var buttons = form.find('button');
+    buttons.attr('disabled', true);
+    form.find('input:not(.narrow-down-list)').one('keyup', function() {
+      buttons.attr('disabled', false);
+    });
+    form.find('input').on('change', function() {
+      buttons.attr('disabled', false);
+    });
+
+    form.on('keypress', function(e) {
+      if (e.which === 13){
+        e.preventDefault();
+        e.stopPropagation();
+        return false;
+      }
+    });
+  };
+
+
+
+  return SearchableCheckboxList;
+})();
+
+$(document).ready(function() {
+  $('.searchable-scrollable-list').each(function() { new SearchableList($(this)); });
+});

data/app/assets/stylesheets/spree/backend/spree_admin_roles_and_access.css

@@ -1,3 +1,133 @@
 /*
  *= require spree/backend
-*/
+ */
+
+.searchable-scrollable-list {
+    padding-top: 10px;
+    width: 100%;
+    vertical-align: top;
+    display: flex;
+}
+
+.scrollable-list-group-item {
+    padding-left: 2px;
+    padding-right: 2px;
+    flex: 1;
+    display: inline-block;
+}
+
+.inline-input-row {
+    width: 100%;
+    padding-left: 0px;
+    padding-right: 0px;
+    padding-top: 10px;
+    padding-bottom: 10px;
+    margin-left: 0px;
+    margin-right: 0px;
+}
+
+.inline-input-row > .input-group {
+    vertical-align: top;
+    width: 49.8%;
+    margin: 0;
+    padding: 0;
+}
+
+.scrollable-list-group-item > .panel > .list-group {
+    max-height: 400px;
+    overflow-y: scroll;
+}
+
+.list-group-item > label {
+    text-transform: none;
+}
+
+.scrollable-list-group-item > .panel > .list-group > .list-group-item {
+    user-select: none;
+    cursor: pointer;
+}
+
+.scrollable-list-group-item label {
+    cursor: pointer;
+}
+
+
+.centered-floating-buttons {
+}
+
+.form-fields-group {
+    padding-bottom: 58px;
+}
+
+.fixed-bottom-button-group {
+    background: #fff;
+    text-align: left;
+    position: fixed;
+    bottom: 0;
+    left: 0;
+    right: 0;
+    padding: 10px;
+    z-index: 999;
+    padding-left: calc(16% + 45px);
+}
+
+.full-width-input {
+    min-width: 100%;
+}
+
+.help-block-inline {
+    display: inline-block;
+    padding: 10px;
+}
+
+
+#permission_set_display_permission {
+    margin-left: 20px;
+}
+
+#permission_set_permissions_field {
+    padding-top: 20px;
+}
+
+.checkbox-list-pane.list-group-item  label {
+    color: #555555;
+}
+
+.checkbox-list-pane.list-group-item > label > p {
+    padding-top: 0.6em;
+    margin-bottom: -0.6em;
+}
+
+.checkbox-list-pane.list-group-item > label > p > strong {
+    font-size: 1.3em;
+    font-weight: 300;
+}
+
+
+.add-on .input-group-btn > .btn {
+  border-left-width:0;left:-2px;
+  -webkit-box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+  box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075);
+}
+/* stop the glowing blue shadow */
+.add-on .form-control:focus {
+    box-shadow:none;
+    -webkit-box-shadow:none;
+    border-color:#cccccc;
+}
+
+div.withError > .searchable-scrollable-list > .panel-group > .panel {
+    border: 1px solid #F55753;
+}
+
+div.withError > div.input-group > input.narrow-down-list {
+    border-color: #e0e0e0
+}
+
+#main-part.sidebar-collapsed .fixed-bottom-button-group {
+    padding-left: 85px;
+}
+
+.input-group-btn.search-icon-btn {
+    width: 1% !important;
+}

data/app/controllers/spree/admin/base_controller_decorator.rb

@@ -17,6 +17,10 @@ Spree::Admin::BaseController.class_eval do
   end
 
   private
+    def unauthorized
+      redirect_unauthorized_access
+    end
+
     def new_action?
       NEW_ACTIONS.include?(params[:action].to_sym)
     end

data/app/controllers/spree/admin/default_admin_dashboards_controller.rb

@@ -0,0 +1,13 @@
+class Spree::Admin::DefaultAdminDashboardsController < Spree::Admin::BaseController
+  skip_before_action :authorize_admin, only: :show
+  before_action :authorize_user_has_admin_role, only: :show
+
+  def show
+  end
+
+  private def authorize_user_has_admin_role
+    user = try_spree_current_user
+    raise CanCan::AccessDenied unless user.present?
+    raise CanCan::AccessDenied unless user.roles.any? { |role| role.admin_accessible? }
+  end
+end

data/app/controllers/spree/admin/permission_sets_controller.rb

@@ -0,0 +1,26 @@
+module Spree
+  module Admin
+    class PermissionSetsController < ResourceController
+      before_action :load_permissions, only: [:edit, :new, :create, :update]
+
+      def index
+        if params[:q]
+          params[:q][:s] = params[:q][:s] || 'updated_at desc'
+        else
+          params[:q] = {}
+          params[:q][:s] = "updated_at desc"
+        end
+        @search = Spree::PermissionSet.ransack(params[:q])
+        @permission_sets = @search.result(distinct: true)
+      end
+
+      private def permitted_resource_params
+        params.require(:permission_set).permit(:name, :description, :display_permission, permission_ids: [])
+      end
+
+      private def load_permissions
+        @permissions = Spree::Permission.visible.all
+      end
+    end
+  end
+end