thecore_auth_commons 2.2.2 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9188aab4fb99d33cb6c49e95752406c7eac5f9e2096752f94c688ef447070079
-  data.tar.gz: 53423ae9b99ffe34b078a04be259825bb023ce643e1487ad7848546dc338f86e
+  metadata.gz: 502bc9400ed04c0c637b9298e1997c8f310535d76edb06324bf495b044e32267
+  data.tar.gz: bc1d951e09c235f4907a6f67bf287fdb3d4703f47b4b32c4662e0d2b2b95c337
 SHA512:
-  metadata.gz: 8c86e8003839386365889c8c1890d4c8fc1f61a65228259a854e00933198d00d385da75018c02885bca975d55e8afcfb2f2244902f045ce2017312405ca7a87a
-  data.tar.gz: 13bb3dbae5695a7cf16e937d8d2fb881d1cae47ad59e22cf57efcd822c327ffb1024868a5efed179c9898cac7de5ed5c2c1297ca90eaac0e176460b7b78efe9d
+  metadata.gz: 4cad4cd8fb0864c65afb9b14dfcafe7f89209f8607d608de029ed8128f470f42c57c6dcdee1aa0bc2706e4f42a83119ce7c3e87dd50e47fdea316b90ae4a3729
+  data.tar.gz: 9de160e2037cae69e75dd41a520b6bad75ab7445136a337328288dd3bcd3e1e15cbd91e0bfd080a7232908f57958cf658df298068052bb9cb0164d267fbf87ab

data/app/models/ability.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
-require 'abilities/thecore_auth_commons'
 
 class Ability
   include CanCan::Ability
@@ -41,5 +40,10 @@ class Ability
         self.merge const.new(user) if const.is_a? Class
       end
     end
+    # Overrides from the database defined permissions
+    ::Permission.joins(roles: :users).where(users: {id: user.id}).order(:id).each do |permission|
+      # E.g. can :manage, :all
+      self.send(permission.predicate.name.to_sym, permission.action.name.to_sym, (permission.target.name.classify.constantize rescue permission.target.name.to_sym))
+    end unless user.blank?
   end
 end

data/app/models/action.rb

@@ -0,0 +1,3 @@
+class Action < ApplicationRecord
+    has_many :permissions, dependent: :destroy, inverse_of: :action
+end

data/app/models/permission.rb

@@ -0,0 +1,20 @@
+class Permission < ApplicationRecord
+    # REFERENCES
+    has_many :permission_roles, dependent: :destroy, inverse_of: :permission
+    has_many :roles, through: :permission_roles, inverse_of: :permissions
+    belongs_to :predicate, inverse_of: :permissions
+    belongs_to :action, inverse_of: :permissions
+    belongs_to :target, inverse_of: :permissions
+
+    # VALIDATIONS
+    validates :predicate_id, presence: true, uniqueness: {scope: [:action_id, :target_id]}
+    validates :action_id, presence: true
+    validates :target_id, presence: true
+
+    def display_name
+        p = (I18n.t "permissions.predicates.#{predicate.name}", default: predicate.name.titleize rescue nil)
+        a = (I18n.t "permissions.actions.#{action.name}", default: action.name.titleize rescue nil)
+        m = (I18n.t "activerecord.models.#{target.name}", default: target.name.titleize rescue nil)
+        [ p, a, m ].join(" ")
+    end
+end

data/app/models/permission_role.rb

@@ -0,0 +1,4 @@
+class PermissionRole < ApplicationRecord
+  belongs_to :role, inverse_of: :permission_roles
+  belongs_to :permission, inverse_of: :permission_roles
+end

data/app/models/predicate.rb

@@ -0,0 +1,3 @@
+class Predicate < ApplicationRecord
+    has_many :permissions, dependent: :destroy, inverse_of: :predicate
+end

data/app/models/role.rb

@@ -4,8 +4,10 @@ class Role < ApplicationRecord
     # REFERENCES
     has_many :role_users, dependent: :destroy, inverse_of: :role
     has_many :users, through: :role_users, inverse_of: :roles
+    has_many :permission_roles, dependent: :destroy, inverse_of: :role
+    has_many :permissions, through: :permission_roles, inverse_of: :roles
     
     def display_name
-        I18n.t name.parameterize.underscore, default: name.titleize
+        (I18n.t name.parameterize.underscore, default: name.titleize rescue nil)
     end
 end

data/app/models/target.rb

@@ -0,0 +1,3 @@
+class Target < ApplicationRecord
+    has_many :permissions, dependent: :destroy, inverse_of: :target
+end

data/app/models/user.rb

@@ -23,17 +23,25 @@ class User < ApplicationRecord
     # Don't want admin == false if the current user is the only admin
     record.errors.add(attr, I18n.t("validation.errors.cannot_unadmin_last_admin")) if record.admin_changed? && record.admin_was == true && User.where(admin: true).count == 1
   end
-
+  validates_each :locked do |record, attr, value|
+    # Don't want locked == true if the current user is the only admin
+    record.errors.add(attr, I18n.t("validation.errors.cannot_lock_last_admin")) if record.locked_changed? && record.locked_was == false && User.where(locked: false).count == 1
+  end
+  
   def display_name
     email
   end
-
+  
   def has_role? role
-    roles.include? role
+    roles.include? role.to_s
+  end
+  
+  def authenticate password
+    self&.valid_password?(password) ? self : nil
   end
-
+  
   protected
-
+  
   def check_password_and_confirmation_equal
     errors.add(:password, I18n.t("validation.errors.password_and_confirm_must_be_the_same")) unless password == password_confirmation
   end

data/config/initializers/after_initialize_thecore_auth_commons.rb

@@ -1,10 +1,10 @@
 require 'thecore_auth_commons_actioncontroller_concerns'
 
+# App Config
 Rails.application.configure do
     config.after_initialize do
         # In development be sure to load all the namespaces
         # in order to have working reflection and meta-programming.
-        # 
         if Rails.env.development?
             Rails.configuration.eager_load_namespaces.each(&:eager_load!) if Rails.version.to_i == 5 #Rails 5
             Zeitwerk::Loader.eager_load_all if Rails.version.to_i >= 6 #Rails 6

data/config/locales/en.activerecord.yml

@@ -0,0 +1,11 @@
+en:
+  activerecord:
+    models:
+      user:
+        one: User
+        other: Users
+    descriptions:
+      user: Section to manage users.
+      role: Section to manage Roles
+      permission: Section to manage Permissions
+    

data/config/locales/it.activerecord.yml

@@ -0,0 +1,36 @@
+it:
+  activerecord:
+    models:
+      user:
+        one: Utente
+        other: Utenti
+      role:
+        one: Ruolo
+        other: Ruoli
+      permission:
+        one: Permesso
+        other: Permessi
+    attributes:
+      user:
+        email: E-Mail
+        username: Nome Utente
+        code: Codice
+        roles: Ruoli
+        admin: Amministratore?
+        created_at: Data di Creazione
+        locked: Bloccato?
+        third_party: Ente Terzo?
+        password: Password
+        password_confirmation: Conferma Password
+      role:
+        users: Utenti
+        name: Nome
+        permissions: Permessi
+      permission:
+        predicate: Predicato
+        action: Azione
+        model: Modello
+    descriptions:
+      user: In questa sezione dell'applicazione potete cercare nella lista degli utenti in diversi modi usando i filtri o ordinare la lista secondo diversi campi.
+      role: In questa sezione si possono creare dei ruoli da usare nell'RBAC gestito dai file abilities, per definire le autorizzazioni CRUD e non solo.
+      permission: Il predicato definisce se è un permesso di poter fare o non fare, l'azione è il tipo definisce cosa si possa fare o non fare, mentre il modello definisce su chi.

data/config/locales/it.permissions.yml

@@ -0,0 +1,10 @@
+it:
+    permissions:
+        predicates:
+            can: Può
+            cannot: Non può
+        actions:
+            manage: Gestire
+            read: Leggere
+            update: Modificare
+            destroy: Eliminare

data/db/migrate/20200306143408_create_users.rb

@@ -34,7 +34,7 @@ class CreateUsers < ActiveRecord::Migration[6.0]
 
 
       # Uncomment below if timestamps were not included in your original model.
-      # t.timestamps null: false
+      t.timestamps null: false
     end
 
     add_index :users, :email,                unique: true

data/db/migrate/20200306151541_add_first_admin_user.rb

@@ -1,4 +1,43 @@
 class AddFirstAdminUser < ActiveRecord::Migration[6.0]
+  class User < ApplicationRecord
+    # Include default devise modules. Others available are:
+    # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+    devise :database_authenticatable, :trackable, :validatable
+    # TODO: If it works, these must be added to another gem one which deal 
+    # more with sessions
+    # devise :database_authenticatable
+    # devise :rememberable
+    # devise :trackable
+    # devise :validatable
+    # devise :timeoutable, timeout_in: 30.minutes 
+    # REFERENCES
+    has_many :role_users, dependent: :destroy, inverse_of: :user
+    has_many :roles, through: :role_users, inverse_of: :users
+    # VALIDATIONS
+    validates :email, uniqueness: { case_sensitive: false }, presence: true, format: { with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i }
+    validates :password, presence: true, on: :create
+    validates :password_confirmation, presence: true, on: :create
+    validate :check_password_and_confirmation_equal
+    validates_each :admin do |record, attr, value|
+      # Don't want admin == false if the current user is the only admin
+      record.errors.add(attr, I18n.t("validation.errors.cannot_unadmin_last_admin")) if record.admin_changed? && record.admin_was == true && User.where(admin: true).count == 1
+    end
+  
+    def display_name
+      email
+    end
+  
+    def has_role? role
+      roles.include? role
+    end
+  
+    protected
+  
+    def check_password_and_confirmation_equal
+      errors.add(:password, I18n.t("validation.errors.password_and_confirm_must_be_the_same")) unless password == password_confirmation
+    end
+  end
+
   def up
     email = "admin@example.com"
     User.reset_column_information

data/db/migrate/20200516215346_add_locked_to_user.rb

@@ -0,0 +1,5 @@
+class AddLockedToUser < ActiveRecord::Migration[6.0]
+  def change
+    add_column :users, :locked, :boolean, null: false, default: false
+  end
+end

data/db/migrate/20200518082821_create_permissions.rb

@@ -0,0 +1,48 @@
+class CreatePermissions < ActiveRecord::Migration[6.0]
+  def change
+    @values = {
+      predicates: %i[can cannot],
+      actions: %i[manage create read update destroy],
+      targets: ApplicationRecord.subclasses.map {|d| d.to_s.underscore}.to_a.unshift(:all)
+    }
+
+    def create_and_fill table
+      create_table table do |t|
+        t.string :name
+        t.bigint :lock_version
+
+        t.timestamps
+      end
+      add_index table, :name, unique: true
+      model = table.to_s.classify.constantize
+      model.reset_column_information
+      model.upsert_all @values[table].map { |p| {name: p, created_at: Time.now, updated_at: Time.now} }, unique_by: [:name]
+    end
+
+    # Predicates
+    create_and_fill :predicates
+    
+    # Actions
+    create_and_fill :actions
+    
+    # Targets
+    create_and_fill :targets
+
+    create_table :permissions do |t|
+      t.references :predicate, null: false, foreign_key: true
+      t.references :action, null: false, foreign_key: true
+      t.references :target, null: false, foreign_key: true
+      t.bigint :lock_version
+
+      t.timestamps
+    end
+    # Association table
+    create_table :permission_roles do |t|
+      t.references :role, null: false, foreign_key: true
+      t.references :permission, null: false, foreign_key: true
+      t.bigint :lock_version
+
+      t.timestamps
+    end
+  end
+end

data/lib/thecore_auth_commons.rb

@@ -1,6 +1,7 @@
 require 'devise'
 require 'cancancan'
 require 'kaminari'
+require 'abilities/thecore_auth_commons'
 
 require "thecore_auth_commons/engine"
 

data/lib/thecore_auth_commons/version.rb

@@ -1,3 +1,3 @@
 module ThecoreAuthCommons
-  VERSION = '2.2.2'.freeze
+  VERSION = "#{`git describe --tags $(git rev-list --tags --max-count=1)`.chomp}"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: thecore_auth_commons
 version: !ruby/object:Gem::Version
-  version: 2.2.2
+  version: 2.3.0
 platform: ruby
 authors:
 - Gabriele Tassoni
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-15 00:00:00.000000000 Z
+date: 2021-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -98,14 +98,19 @@ files:
 - README.md
 - Rakefile
 - app/models/ability.rb
+- app/models/action.rb
+- app/models/permission.rb
+- app/models/permission_role.rb
+- app/models/predicate.rb
 - app/models/role.rb
 - app/models/role_user.rb
+- app/models/target.rb
 - app/models/user.rb
 - config/initializers/after_initialize_thecore_auth_commons.rb
 - config/initializers/devise.rb
-- config/locales/devise.en.yml
-- config/locales/en.devise.custom.yml
-- config/locales/it.devise.custom.yml
+- config/locales/en.activerecord.yml
+- config/locales/it.activerecord.yml
+- config/locales/it.permissions.yml
 - config/routes.rb
 - db/migrate/20200306143408_create_users.rb
 - db/migrate/20200306151046_add_admin_field_to_user.rb
@@ -114,6 +119,8 @@ files:
 - db/migrate/20200306152816_create_role_users.rb
 - db/migrate/20200306153125_add_lock_version_to_user.rb
 - db/migrate/20200306153136_add_lock_version_to_role.rb
+- db/migrate/20200516215346_add_locked_to_user.rb
+- db/migrate/20200518082821_create_permissions.rb
 - lib/abilities/thecore_auth_commons.rb
 - lib/tasks/thecore_auth_commons_tasks.rake
 - lib/thecore_auth_commons.rb

data/config/locales/devise.en.yml

@@ -1,65 +0,0 @@
-# Additional translations at https://github.com/plataformatec/devise/wiki/I18n
-
-en:
-  devise:
-    confirmations:
-      confirmed: "Your email address has been successfully confirmed."
-      send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes."
-      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
-    failure:
-      already_authenticated: "You are already signed in."
-      inactive: "Your account is not activated yet."
-      invalid: "Invalid %{authentication_keys} or password."
-      locked: "Your account is locked."
-      last_attempt: "You have one more attempt before your account is locked."
-      not_found_in_database: "Invalid %{authentication_keys} or password."
-      timeout: "Your session expired. Please sign in again to continue."
-      unauthenticated: "You need to sign in or sign up before continuing."
-      unconfirmed: "You have to confirm your email address before continuing."
-    mailer:
-      confirmation_instructions:
-        subject: "Confirmation instructions"
-      reset_password_instructions:
-        subject: "Reset password instructions"
-      unlock_instructions:
-        subject: "Unlock instructions"
-      email_changed:
-        subject: "Email Changed"
-      password_change:
-        subject: "Password Changed"
-    omniauth_callbacks:
-      failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
-      success: "Successfully authenticated from %{kind} account."
-    passwords:
-      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
-      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
-      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
-      updated: "Your password has been changed successfully. You are now signed in."
-      updated_not_active: "Your password has been changed successfully."
-    registrations:
-      destroyed: "Bye! Your account has been successfully cancelled. We hope to see you again soon."
-      signed_up: "Welcome! You have signed up successfully."
-      signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
-      signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
-      signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
-      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirmation link to confirm your new email address."
-      updated: "Your account has been updated successfully."
-      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again"
-    sessions:
-      signed_in: "Signed in successfully."
-      signed_out: "Signed out successfully."
-      already_signed_out: "Signed out successfully."
-    unlocks:
-      send_instructions: "You will receive an email with instructions for how to unlock your account in a few minutes."
-      send_paranoid_instructions: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
-      unlocked: "Your account has been unlocked successfully. Please sign in to continue."
-  errors:
-    messages:
-      already_confirmed: "was already confirmed, please try signing in"
-      confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
-      expired: "has expired, please request a new one"
-      not_found: "not found"
-      not_locked: "was not locked"
-      not_saved:
-        one: "1 error prohibited this %{resource} from being saved:"
-        other: "%{count} errors prohibited this %{resource} from being saved:"

data/config/locales/en.devise.custom.yml

@@ -1,19 +0,0 @@
-en:
-  devise:
-    failure:
-      user:
-        invalid: Incorrect login credentials.
-        not_found_in_database: Incorrect login credentials.
-    mailer:
-      password_changed_instructions:
-        greeting: Welcome %{recipient}!
-        instruction: We sent you this email to inform about password change.
-        instruction_2: If you didn't changed password, we ask you to contact our customer service, please.
-    shared:
-      links:
-        sign_out: Log out
-      descriptions:
-        current_password_needed: (we need your current password to confirm your changes)
-        leave_blank: (leave blank if you don't want to change it)
-    validations:
-      minimum_length: "%{length} characters minimum"

data/config/locales/it.devise.custom.yml

@@ -1,19 +0,0 @@
-it:
-  devise:
-    failure:
-      user: 
-        invalid: Credenziali di accesso errate.
-        not_found_in_database: Credenziali di accesso errate.
-    mailer:
-      password_changed_instructions:
-        greeting: Benvenuto %{recipient}!
-        instruction: Le abbiamo inviato questa email per notificarle il fatto che la sua password è stata cambiata.
-        instruction_2: Se non è stato lei a richiedere la modifica della password, la preghiamo di contattare il servizio clienti.
-    shared:
-      links:
-        sign_out: Esci
-      descriptions:
-        current_password_needed: (è necessario inserire la password corrente per autorizzare la modifica)
-        leave_blank: (lasciare vuota se non la si vuole modificare)
-    validations:
-      minimum_length: la lunghezza minima è di %{length} caratteri