thecore_auth_commons 2.2.0 → 2.2.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bab5c3a03e54c5b9acaa15124041d2da1ea52d4750d3dccf03cc98c2b8a4b217
-  data.tar.gz: 1480ddcb37546c92ca7cc1056efbcbff7e51c9d7661e43a5cda056bc41267fd8
+  metadata.gz: ac4e91fe3af44efcbd1803f1e86a3c94657a8c6a93a814a2ab4ffe15807eebcc
+  data.tar.gz: fb0c2d42d24bf3a69022ede32fa4ed93c601976e3df880313a2cd99ff6d72727
 SHA512:
-  metadata.gz: 6d3b38a11eb96c5d84e29a7b68c1b9d3e811c117260a0838a7fbf3e4cb690e0f16616e05ebc977fcd1f09a4fd34c84ffe936d3a28f59c6dc8f0c74a3798a2b9a
-  data.tar.gz: 0b273d2bc6c8ac77b5e247d3e2a565ea0fb452df7d177660e49231ac5e796856f477916075cf6421a9e68e5103888eac5e6baab8345dca71cb7c2f5ada9bf94c
+  metadata.gz: 8a90d799e33bffeed7d09b5ef3cc7c94eff71981fb6239740b6d95c757c9b4605315067dc76d755ab5c6bb66c7774fed14189d2cc457ab941b568802a38faee9
+  data.tar.gz: 79f182bce1831a7958c777eb6aeac0ea13c7801d902f6e87cbba22ed2acceef0133647880f3df6ffe812b6c18e7dc921b3a25c173d756c96375764b64150cbef

data/app/models/ability.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-require 'abilities/thecore_auth_commons'
 
 class Ability
   include CanCan::Ability
@@ -41,5 +40,10 @@ class Ability
         self.merge const.new(user) if const.is_a? Class
       end
     end
+    # Overrides from the database defined permissions
+    ::Permission.joins(roles: :users).where(users: {id: user.id}).order(:id).each do |permission|
+      # E.g. can :manage, :all
+      self.send(permission.predicate.name.to_sym, permission.action.name.to_sym, (permission.target.name.classify.constantize rescue permission.target.name.to_sym))
+    end
   end
 end

data/app/models/action.rb

@@ -0,0 +1,3 @@
+class Action < ApplicationRecord
+    has_many :permissions, dependent: :destroy, inverse_of: :action
+end

data/app/models/permission.rb

@@ -0,0 +1,20 @@
+class Permission < ApplicationRecord
+    # REFERENCES
+    has_many :permission_roles, dependent: :destroy, inverse_of: :permission
+    has_many :roles, through: :permission_roles, inverse_of: :permissions
+    belongs_to :predicate, inverse_of: :permissions
+    belongs_to :action, inverse_of: :permissions
+    belongs_to :target, inverse_of: :permissions
+
+    # VALIDATIONS
+    validates :predicate_id, presence: true, uniqueness: {scope: [:action_id, :target_id]}
+    validates :action_id, presence: true
+    validates :target_id, presence: true
+
+    def display_name
+        p = (I18n.t "permissions.predicates.#{predicate.name}", default: predicate.name.titleize rescue nil)
+        a = (I18n.t "permissions.actions.#{action.name}", default: action.name.titleize rescue nil)
+        m = (I18n.t "activerecord.models.#{target.name}", default: target.name.titleize rescue nil)
+        [ p, a, m ].join(" ")
+    end
+end

data/app/models/permission_role.rb

@@ -0,0 +1,4 @@
+class PermissionRole < ApplicationRecord
+  belongs_to :role, inverse_of: :permission_roles
+  belongs_to :permission, inverse_of: :permission_roles
+end

data/app/models/predicate.rb

@@ -0,0 +1,3 @@
+class Predicate < ApplicationRecord
+    has_many :permissions, dependent: :destroy, inverse_of: :predicate
+end

data/app/models/role.rb

@@ -4,8 +4,10 @@ class Role < ApplicationRecord
     # REFERENCES
     has_many :role_users, dependent: :destroy, inverse_of: :role
     has_many :users, through: :role_users, inverse_of: :roles
+    has_many :permission_roles, dependent: :destroy, inverse_of: :role
+    has_many :permissions, through: :permission_roles, inverse_of: :roles
     
     def display_name
-        I18n.t name.parameterize.underscore, default: name.titleize
+        (I18n.t name.parameterize.underscore, default: name.titleize rescue nil)
     end
 end

data/app/models/target.rb

@@ -0,0 +1,3 @@
+class Target < ApplicationRecord
+    has_many :permissions, dependent: :destroy, inverse_of: :target
+end

data/app/models/user.rb

@@ -2,6 +2,8 @@ class User < ApplicationRecord
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable
+  devise :trackable
+  devise :validatable
   # TODO: If it works, these must be added to another gem one which deal 
   # more with sessions
   # devise :database_authenticatable
@@ -21,17 +23,26 @@ class User < ApplicationRecord
     # Don't want admin == false if the current user is the only admin
     record.errors.add(attr, I18n.t("validation.errors.cannot_unadmin_last_admin")) if record.admin_changed? && record.admin_was == true && User.where(admin: true).count == 1
   end
-
+  validates_each :locked do |record, attr, value|
+    # Don't want locked == true if the current user is the only admin
+    record.errors.add(attr, I18n.t("validation.errors.cannot_lock_last_admin")) if record.locked_changed? && record.locked_was == false && User.where(locked: false).count == 1
+  end
+  
   def display_name
     email
   end
-
+  
   def has_role? role
-    roles.include? role
+    roles.include? role.to_s
+  end
+  
+  def authenticate password
+    puts "PASSWORD: #{password}"
+    self&.valid_password?(password) ? self : nil
   end
-
+  
   protected
-
+  
   def check_password_and_confirmation_equal
     errors.add(:password, I18n.t("validation.errors.password_and_confirm_must_be_the_same")) unless password == password_confirmation
   end

data/config/initializers/after_initialize_thecore_auth_commons.rb

@@ -1,10 +1,10 @@
 require 'thecore_auth_commons_actioncontroller_concerns'
 
+# App Config
 Rails.application.configure do
     config.after_initialize do
         # In development be sure to load all the namespaces
         # in order to have working reflection and meta-programming.
-        # 
         if Rails.env.development?
             Rails.configuration.eager_load_namespaces.each(&:eager_load!) if Rails.version.to_i == 5 #Rails 5
             Zeitwerk::Loader.eager_load_all if Rails.version.to_i >= 6 #Rails 6

data/config/locales/en.activerecord.yml

@@ -0,0 +1,11 @@
+en:
+  activerecord:
+    models:
+      user:
+        one: User
+        other: Users
+    descriptions:
+      user: Section to manage users.
+      role: Section to manage Roles
+      permission: Section to manage Permissions
+    

data/config/locales/it.activerecord.yml

@@ -0,0 +1,36 @@
+it:
+  activerecord:
+    models:
+      user:
+        one: Utente
+        other: Utenti
+      role:
+        one: Ruolo
+        other: Ruoli
+      permission:
+        one: Permesso
+        other: Permessi
+    attributes:
+      user:
+        email: E-Mail
+        username: Nome Utente
+        code: Codice
+        roles: Ruoli
+        admin: Amministratore?
+        created_at: Data di Creazione
+        locked: Bloccato?
+        third_party: Ente Terzo?
+        password: Password
+        password_confirmation: Conferma Password
+      role:
+        users: Utenti
+        name: Nome
+        permissions: Permessi
+      permission:
+        predicate: Predicato
+        action: Azione
+        model: Modello
+    descriptions:
+      user: In questa sezione dell'applicazione potete cercare nella lista degli utenti in diversi modi usando i filtri o ordinare la lista secondo diversi campi.
+      role: In questa sezione si possono creare dei ruoli da usare nell'RBAC gestito dai file abilities, per definire le autorizzazioni CRUD e non solo.
+      permission: Il predicato definisce se è un permesso di poter fare o non fare, l'azione è il tipo definisce cosa si possa fare o non fare, mentre il modello definisce su chi.

data/config/locales/it.permissions.yml

@@ -0,0 +1,10 @@
+it:
+    permissions:
+        predicates:
+            can: Può
+            cannot: Non può
+        actions:
+            manage: Gestire
+            read: Leggere
+            update: Modificare
+            destroy: Eliminare

data/db/migrate/20200306143408_create_users.rb

@@ -14,12 +14,12 @@ class CreateUsers < ActiveRecord::Migration[6.0]
       ## Rememberable
       # t.datetime :remember_created_at
 
-      ## Trackable
-      # t.integer  :sign_in_count, default: 0, null: false
-      # t.datetime :current_sign_in_at
-      # t.datetime :last_sign_in_at
-      # t.string   :current_sign_in_ip
-      # t.string   :last_sign_in_ip
+      # Trackable
+      t.integer  :sign_in_count, default: 0, null: false
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
 
       ## Confirmable
       # t.string   :confirmation_token
@@ -34,7 +34,7 @@ class CreateUsers < ActiveRecord::Migration[6.0]
 
 
       # Uncomment below if timestamps were not included in your original model.
-      # t.timestamps null: false
+      t.timestamps null: false
     end
 
     add_index :users, :email,                unique: true

data/db/migrate/20200306151541_add_first_admin_user.rb

@@ -1,4 +1,43 @@
 class AddFirstAdminUser < ActiveRecord::Migration[6.0]
+  class User < ApplicationRecord
+    # Include default devise modules. Others available are:
+    # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+    devise :database_authenticatable, :trackable, :validatable
+    # TODO: If it works, these must be added to another gem one which deal 
+    # more with sessions
+    # devise :database_authenticatable
+    # devise :rememberable
+    # devise :trackable
+    # devise :validatable
+    # devise :timeoutable, timeout_in: 30.minutes 
+    # REFERENCES
+    has_many :role_users, dependent: :destroy, inverse_of: :user
+    has_many :roles, through: :role_users, inverse_of: :users
+    # VALIDATIONS
+    validates :email, uniqueness: { case_sensitive: false }, presence: true, format: { with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i }
+    validates :password, presence: true, on: :create
+    validates :password_confirmation, presence: true, on: :create
+    validate :check_password_and_confirmation_equal
+    validates_each :admin do |record, attr, value|
+      # Don't want admin == false if the current user is the only admin
+      record.errors.add(attr, I18n.t("validation.errors.cannot_unadmin_last_admin")) if record.admin_changed? && record.admin_was == true && User.where(admin: true).count == 1
+    end
+  
+    def display_name
+      email
+    end
+  
+    def has_role? role
+      roles.include? role
+    end
+  
+    protected
+  
+    def check_password_and_confirmation_equal
+      errors.add(:password, I18n.t("validation.errors.password_and_confirm_must_be_the_same")) unless password == password_confirmation
+    end
+  end
+
   def up
     email = "admin@example.com"
     User.reset_column_information

data/db/migrate/20200516215346_add_locked_to_user.rb

@@ -0,0 +1,5 @@
+class AddLockedToUser < ActiveRecord::Migration[6.0]
+  def change
+    add_column :users, :locked, :boolean, null: false, default: false
+  end
+end

data/db/migrate/20200518082821_create_permissions.rb

@@ -0,0 +1,48 @@
+class CreatePermissions < ActiveRecord::Migration[6.0]
+  def change
+    @values = {
+      predicates: %i[can cannot],
+      actions: %i[manage create read update destroy],
+      targets: ApplicationRecord.subclasses.map {|d| d.to_s.underscore}.to_a.unshift(:all)
+    }
+
+    def create_and_fill table
+      create_table table do |t|
+        t.string :name
+        t.bigint :lock_version
+
+        t.timestamps
+      end
+      add_index table, :name, unique: true
+      model = table.to_s.classify.constantize
+      model.reset_column_information
+      model.upsert_all @values[table].map { |p| {name: p, created_at: Time.now, updated_at: Time.now} }, unique_by: [:name]
+    end
+
+    # Predicates
+    create_and_fill :predicates
+    
+    # Actions
+    create_and_fill :actions
+    
+    # Targets
+    create_and_fill :targets
+
+    create_table :permissions do |t|
+      t.references :predicate, null: false, foreign_key: true
+      t.references :action, null: false, foreign_key: true
+      t.references :target, null: false, foreign_key: true
+      t.bigint :lock_version
+
+      t.timestamps
+    end
+    # Association table
+    create_table :permission_roles do |t|
+      t.references :role, null: false, foreign_key: true
+      t.references :permission, null: false, foreign_key: true
+      t.bigint :lock_version
+
+      t.timestamps
+    end
+  end
+end

data/lib/thecore_auth_commons.rb

@@ -1,8 +1,9 @@
-require "thecore_auth_commons/engine"
-
 require 'devise'
 require 'cancancan'
 require 'kaminari'
+require 'abilities/thecore_auth_commons'
+
+require "thecore_auth_commons/engine"
 
 module ThecoreAuthCommons
   # Your code goes here...

data/lib/thecore_auth_commons/version.rb

@@ -1,3 +1,3 @@
 module ThecoreAuthCommons
-  VERSION = '2.2.0'.freeze
+  VERSION = '2.2.8'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: thecore_auth_commons
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.2.8
 platform: ruby
 authors:
 - Gabriele Tassoni
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-27 00:00:00.000000000 Z
+date: 2020-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -98,12 +98,19 @@ files:
 - README.md
 - Rakefile
 - app/models/ability.rb
+- app/models/action.rb
+- app/models/permission.rb
+- app/models/permission_role.rb
+- app/models/predicate.rb
 - app/models/role.rb
 - app/models/role_user.rb
+- app/models/target.rb
 - app/models/user.rb
 - config/initializers/after_initialize_thecore_auth_commons.rb
 - config/initializers/devise.rb
-- config/locales/devise.en.yml
+- config/locales/en.activerecord.yml
+- config/locales/it.activerecord.yml
+- config/locales/it.permissions.yml
 - config/routes.rb
 - db/migrate/20200306143408_create_users.rb
 - db/migrate/20200306151046_add_admin_field_to_user.rb
@@ -112,6 +119,8 @@ files:
 - db/migrate/20200306152816_create_role_users.rb
 - db/migrate/20200306153125_add_lock_version_to_user.rb
 - db/migrate/20200306153136_add_lock_version_to_role.rb
+- db/migrate/20200516215346_add_locked_to_user.rb
+- db/migrate/20200518082821_create_permissions.rb
 - lib/abilities/thecore_auth_commons.rb
 - lib/tasks/thecore_auth_commons_tasks.rake
 - lib/thecore_auth_commons.rb

data/config/locales/devise.en.yml

@@ -1,65 +0,0 @@
-# Additional translations at https://github.com/plataformatec/devise/wiki/I18n
-
-en:
-  devise:
-    confirmations:
-      confirmed: "Your email address has been successfully confirmed."
-      send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes."
-      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
-    failure:
-      already_authenticated: "You are already signed in."
-      inactive: "Your account is not activated yet."
-      invalid: "Invalid %{authentication_keys} or password."
-      locked: "Your account is locked."
-      last_attempt: "You have one more attempt before your account is locked."
-      not_found_in_database: "Invalid %{authentication_keys} or password."
-      timeout: "Your session expired. Please sign in again to continue."
-      unauthenticated: "You need to sign in or sign up before continuing."
-      unconfirmed: "You have to confirm your email address before continuing."
-    mailer:
-      confirmation_instructions:
-        subject: "Confirmation instructions"
-      reset_password_instructions:
-        subject: "Reset password instructions"
-      unlock_instructions:
-        subject: "Unlock instructions"
-      email_changed:
-        subject: "Email Changed"
-      password_change:
-        subject: "Password Changed"
-    omniauth_callbacks:
-      failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
-      success: "Successfully authenticated from %{kind} account."
-    passwords:
-      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
-      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
-      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
-      updated: "Your password has been changed successfully. You are now signed in."
-      updated_not_active: "Your password has been changed successfully."
-    registrations:
-      destroyed: "Bye! Your account has been successfully cancelled. We hope to see you again soon."
-      signed_up: "Welcome! You have signed up successfully."
-      signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
-      signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
-      signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
-      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirmation link to confirm your new email address."
-      updated: "Your account has been updated successfully."
-      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again"
-    sessions:
-      signed_in: "Signed in successfully."
-      signed_out: "Signed out successfully."
-      already_signed_out: "Signed out successfully."
-    unlocks:
-      send_instructions: "You will receive an email with instructions for how to unlock your account in a few minutes."
-      send_paranoid_instructions: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
-      unlocked: "Your account has been unlocked successfully. Please sign in to continue."
-  errors:
-    messages:
-      already_confirmed: "was already confirmed, please try signing in"
-      confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
-      expired: "has expired, please request a new one"
-      not_found: "not found"
-      not_locked: "was not locked"
-      not_saved:
-        one: "1 error prohibited this %{resource} from being saved:"
-        other: "%{count} errors prohibited this %{resource} from being saved:"