trusty-cms 7.0.2 → 7.0.4

data/app/assets/javascripts/admin/validations/scheduled_status_validation.js

@@ -0,0 +1,60 @@
+$(document).ready(function() {
+  function isValidDateTime(value) {
+    return !isNaN(new Date(value).getTime());
+  }
+
+  function showError(message) {
+    $('#published-at-error').text(message);
+    $('.error').removeClass('hidden');
+  }
+
+  function hideError() {
+    $('.error').addClass('hidden');
+  }
+
+  function validateScheduledStatus(publishedTime, currentTime) {
+    if (!isValidDateTime(publishedTime)) {
+      showError('Select a valid Date & Time.');
+      return false;
+    }
+    if (publishedTime < currentTime) {
+      showError('Scheduled Date & Time cannot be in the past.');
+      return false;
+    }
+
+    hideError();
+    return true;
+  }
+
+  function validatePublishedStatus(publishedTime, currentTime) {
+    if (publishedTime > currentTime) {
+      showError('Published Date & Time cannot be in the future. Clear the date and time to publish now, or set the status to Scheduled.');
+      return false;
+    }
+
+    hideError();
+    return true;
+  }
+
+  function validateDateTime() {
+    const publishedAt = $('#page_published_at').val();
+    const status = $('#page_status_id').val();
+    const publishedTime = new Date(publishedAt);
+    const currentTime = new Date();
+
+    if (status === '90') {
+      return validateScheduledStatus(publishedTime, currentTime);
+    }
+
+    if (status === '100') {
+      return validatePublishedStatus(publishedTime, currentTime);
+    }
+  }
+
+  $('#save-button, #save-and-continue-button').on('click', function(event) {
+    if (!validateDateTime()) {
+      event.preventDefault();
+      event.stopImmediatePropagation();
+    }
+  });
+});

data/app/assets/stylesheets/admin/main.scss

@@ -20,7 +20,8 @@
 @import "partials/footer";
 @import "partials/popup";
 @import "partials/tabcontrol";
-@import "partials/dateinput";
+@import "partials/date_input";
+@import "partials/datetime_input";
 @import "partials/toolbar";
 @import "partials/validations";
 @import "partials/preferences";

data/app/assets/stylesheets/admin/partials/_datetime_input.scss

@@ -0,0 +1,5 @@
+.datetime {
+  border: 1px solid #919191;
+  margin: 0.5em;
+  padding: 0.5em 1em;
+}

data/app/assets/stylesheets/admin/partials/_forms.scss

@@ -60,6 +60,19 @@ select {
   transition: border-color ease-in-out 0.15s, box-shadow ease-in-out 0.15s;
 }
 
+select[multiple] {
+  height: auto;
+
+  option {
+    padding: 0.5em;
+
+    &:checked {
+      background-color: #e5e6e7;
+      font-weight: 700;
+    }
+  }
+}
+
 label {
   display: block;
 }

data/app/assets/stylesheets/admin/partials/_messages.scss

@@ -10,6 +10,10 @@
 .error {
   background-color: #f3c2c2;
   color: $alt-link-color;
+
+  &.hidden {
+    display: none;
+  }
 }
 
 .warning {

data/app/controllers/admin/configuration_controller.rb

@@ -5,7 +5,7 @@ class Admin::ConfigurationController < ApplicationController
   # and the show and edit views determine what set of config values is shown and made editable.
 
   before_action :initialize_config
-
+  before_action :authorize_role
   only_allow_access_to :edit, :update,
                        when: [:admin],
                        denied_url: { controller: 'admin/configuration', action: 'show' },

data/app/controllers/admin/extensions_controller.rb

@@ -1,4 +1,5 @@
 class Admin::ExtensionsController < ApplicationController
+  before_action :authorize_role
   only_allow_access_to :index,
                        when: :admin,
                        denied_url: { controller: 'pages', action: 'index' },

data/app/controllers/admin/layouts_controller.rb

@@ -1,7 +1,8 @@
 class Admin::LayoutsController < Admin::ResourceController
   paginate_models
+  before_action :authorize_role
   only_allow_access_to :index, :show, :new, :create, :edit, :update, :remove, :destroy,
                        when: %i[designer admin],
                        denied_url: { controller: 'admin/pages', action: 'index' },
-                       denied_message: 'You must have designer privileges to perform this action.'
+                       denied_message: 'You must have at least editor privileges to perform this action.'
 end

data/app/controllers/admin/resource_controller.rb

@@ -1,4 +1,5 @@
 require 'trusty_cms/resource_responses'
+
 class Admin::ResourceController < ApplicationController
   extend TrustyCms::ResourceResponses
 
@@ -95,6 +96,7 @@ class Admin::ResourceController < ApplicationController
   def will_paginate_options
     self.class.will_paginate_options || {}
   end
+
   helper_method :will_paginate_options
 
   # a convenience method that returns true if paginate_models has been called on this controller class
@@ -102,6 +104,7 @@ class Admin::ResourceController < ApplicationController
   def paginated?
     self.class.paginated == true && params[:pp] != 'all'
   end
+
   helper_method :paginated?
 
   # return a hash of page and per_page that can be used to build a will_paginate collection
@@ -145,7 +148,9 @@ class Admin::ResourceController < ApplicationController
   def model
     instance_variable_get("@#{model_symbol}") || load_model
   end
+
   alias :current_object :model
+
   def model=(object)
     instance_variable_set("@#{model_symbol}", object)
   end
@@ -155,13 +160,15 @@ class Admin::ResourceController < ApplicationController
                    model_class.find(params[:id])
                  else
                    model_class.new
-    end
+                 end
   end
 
   def models
     instance_variable_get("@#{plural_model_symbol}") || load_models
   end
+
   alias :current_objects :models
+
   def models=(objects)
     instance_variable_set("@#{plural_model_symbol}", objects)
   end
@@ -177,6 +184,7 @@ class Admin::ResourceController < ApplicationController
   def plural_model_name
     model_name.pluralize
   end
+
   alias :models_name :plural_model_name
 
   def model_symbol
@@ -186,6 +194,7 @@ class Admin::ResourceController < ApplicationController
   def plural_model_symbol
     model_name.pluralize.underscore.intern
   end
+
   alias :models_symbol :plural_model_symbol
 
   def humanized_model_name

data/app/controllers/admin/sites_controller.rb

@@ -1,5 +1,6 @@
 class Admin::SitesController < Admin::ResourceController
   helper :sites
+  before_action :authorize_role
   only_allow_access_to :index, :show, :new, :create, :edit, :update, :remove, :destroy,
                        when: :admin,
                        denied_url: { controller: 'pages', action: 'index' },

data/app/controllers/admin/snippets_controller.rb

@@ -1,7 +1,8 @@
 class Admin::SnippetsController < Admin::ResourceController
   paginate_models
+  before_action :authorize_role
   only_allow_access_to :index, :show, :new, :create, :edit, :update, :remove, :destroy,
                        when: %i[designer admin],
                        denied_url: { controller: 'admin/pages', action: 'index' },
-                       denied_message: 'You must have designer privileges to perform this action.'
+                       denied_message: 'You must have at least editor privileges to perform this action.'
 end

data/app/controllers/admin/users_controller.rb

@@ -1,5 +1,6 @@
 class Admin::UsersController < Admin::ResourceController
   paginate_models
+  before_action :authorize_role
   only_allow_access_to :index, :show, :new, :create, :edit, :update, :remove, :destroy,
                        when: :admin,
                        denied_url: { controller: 'pages', action: 'index' },
@@ -48,7 +49,7 @@ class Admin::UsersController < Admin::ResourceController
 
   def user_params
     params.require(:user).permit(:first_name, :last_name, :admin, :designer,
-                                 :password, :password_confirmation, :email, :site_id, :notes)
+                                 :password, :password_confirmation, :email, :site_id, :notes, site_ids: [])
   end
 
   def announce_cannot_delete_self

data/app/controllers/page_status_controller.rb

@@ -0,0 +1,61 @@
+class PageStatusController < ApplicationController
+  skip_before_action :verify_authenticity_token, only: [:refresh]
+  skip_before_action :authenticate_user!, only: [:refresh]
+  before_action :authenticate_bearer_token
+
+  def refresh
+    pages = Page.where(status_id: Status[:scheduled].id)
+
+    updated_pages, remaining_pages = process_pages(pages)
+
+    render json: refresh_response(updated_pages, remaining_pages), status: :ok
+  end
+
+  private
+
+  def authenticate_bearer_token
+    provided_token = request.headers['Authorization']&.split(' ')&.last
+    expected_token = Rails.application.credentials[:trusty_cms][:page_status_bearer_token]
+
+    if provided_token.blank?
+      render json: { error: 'Missing Bearer Token' }, status: :unauthorized and return
+    end
+
+    unless ActiveSupport::SecurityUtils.secure_compare(provided_token, expected_token)
+      render json: { error: 'Invalid Bearer Token' }, status: :unauthorized
+    end
+  end
+
+  def process_pages(pages)
+    updated_pages = []
+    remaining_pages = []
+
+    pages.each do |page|
+      page_id = page.id
+      if page.published_at <= Time.now
+        page.update(status_id: Status[:published].id)
+        updated_pages << page_id
+      else
+        remaining_pages << page_id
+      end
+    end
+
+    [updated_pages, remaining_pages]
+  end
+
+  def refresh_response(updated_pages, remaining_pages)
+    if updated_pages.any?
+      updated_pages_count = updated_pages.count
+      {
+        message: "Successfully updated status of #{updated_pages_count} #{'page'.pluralize(updated_pages_count)}.",
+        updated_page_ids: updated_pages,
+        remaining_scheduled_page_ids: remaining_pages,
+      }
+    else
+      {
+        message: 'No scheduled pages matched the criteria for status refresh.',
+        remaining_scheduled_page_ids: remaining_pages,
+      }
+    end
+  end
+end

data/app/controllers/site_controller.rb

@@ -23,7 +23,6 @@ class SiteController < ApplicationController
             url.to_s
           end
     if @page = find_page(url)
-      batch_page_status_refresh if url == '/' || url == ''
       # This is a bit of a hack to get Vanity URL pages working in another extension
       # In Rails 2, redirect_to halted execution, so process_page could be aliased and
       # a redirect could be used. This no longer works. There's a better fix for this,
@@ -61,20 +60,6 @@ class SiteController < ApplicationController
 
   private
 
-  def batch_page_status_refresh
-    @changed_pages = []
-    @pages = Page.where({ status_id: Status[:scheduled].id })
-    @pages.each do |page|
-      if page.published_at <= Time.now
-        page.status_id = Status[:published].id
-        page.save
-        @changed_pages << page.id
-      end
-    end
-
-    expires_in nil, :private => true, 'no-cache' => true if @changed_pages.length > 0
-  end
-
   def set_cache_control
     response_cache_director(@page).set_cache_control
   end

data/app/helpers/admin/pages_helper.rb

@@ -14,11 +14,6 @@ module Admin::PagesHelper
     !!(@page.errors[:slug] or @page.errors[:breadcrumb])
   end
 
-  def status_to_display
-    @page.status_id = 100 if @page.status_id == 90
-    @display_status = Status.selectable.map { |s| [I18n.translate(s.name.downcase), s.id] }
-  end
-
   def clean_page_description(page)
     page.description.to_s.strip.gsub(/\t/, '').gsub(/\s+/, ' ')
   end

data/app/helpers/admin/users_helper.rb

@@ -2,7 +2,8 @@ module Admin::UsersHelper
   def roles(user)
     roles = []
     roles << I18n.t('admin') if user.admin?
-    roles << I18n.t('designer') if user.designer?
+    roles << I18n.t('editor') if user.editor?
+    roles << I18n.t('content_editor') if user.content_editor?
     roles.join(', ')
   end
 end

data/app/helpers/application_helper.rb

@@ -33,11 +33,12 @@ module ApplicationHelper
       t('buttons.save_changes', default: 'Save Changes')
     options[:class] ||= 'button'
     options[:accesskey] ||= 'S'
+    options[:id] ||= 'save-button'
     submit_tag options.delete(:label), options
   end
 
   def save_model_and_continue_editing_button(_model)
-    submit_tag t('buttons.save_and_continue'), name: 'continue', class: 'button', accesskey: 's'
+    submit_tag t('buttons.save_and_continue'), name: 'continue', class: 'button', accesskey: 's', id: 'save-and-continue-button'
   end
 
   def current_item?(item)

data/app/models/admins_site.rb

@@ -0,0 +1,6 @@
+class AdminsSite < ActiveRecord::Base
+  self.table_name = 'admins_sites'
+
+  belongs_to :admin, class_name: 'User'
+  belongs_to :site
+end

data/app/models/page.rb

@@ -8,7 +8,7 @@ class Page < ActiveRecord::Base
   end
 
   # Callbacks
-  before_save :update_virtual, :update_status, :set_allowed_children_cache
+  before_save :update_virtual, :update_published_datetime, :set_allowed_children_cache
 
   # Associations
   acts_as_tree order: 'position ASC'
@@ -220,15 +220,8 @@ class Page < ActiveRecord::Base
     slug_child
   end
 
-  def update_status
-    self.published_at = Time.zone.now if published? && published_at == nil
-
-    if !published_at.nil? && (published? || scheduled?)
-      self[:status_id] = Status[:scheduled].id if published_at > Time.zone.now
-      self[:status_id] = Status[:published].id if published_at <= Time.zone.now
-    end
-
-    true
+  def update_published_datetime
+    self.published_at = Time.zone.now if published? && published_at.blank?
   end
 
   def default_child

data/app/models/site.rb

@@ -7,6 +7,8 @@ class Site < ActiveRecord::Base
   belongs_to :created_by, class_name: 'User'
   belongs_to :updated_by, class_name: 'User'
   belongs_to :production_homepage, class_name: 'ProductionPage'
+  has_many :admins_sites
+  has_many :admins, through: :admins_sites, class_name: 'User'
 
   default_scope { order('position ASC') }
 

data/app/models/status.rb

@@ -19,12 +19,8 @@ class Status
     @@statuses.find { |status| status.id.to_s == id.to_s }
   end
 
-  def self.find_all
-    @@statuses.dup
-  end
-
   def self.selectable
-    find_all - [self['Scheduled']]
+    @@statuses
   end
 
   def self.selectable_values

data/app/models/trusty_cms/config.rb

@@ -81,7 +81,8 @@ module TrustyCms
               TrustyCms::Config.initialize_cache
             end
             TrustyCms::Config.initialize_cache if TrustyCms::Config.stale_cache?
-            Rails.cache.read('TrustyCms::Config')[key]
+            config_cache = Rails.cache.read('TrustyCms::Config')
+            config_cache ? config_cache[key] : nil
           end
         end
       end

data/app/models/user.rb

@@ -7,7 +7,6 @@ class User < ActiveRecord::Base
          :recoverable, :rememberable, :trackable, :validatable
 
   alias_attribute :created_by_id, :id
-
   attr_accessor :skip_password_validation
 
   validate :password_complexity
@@ -18,6 +17,13 @@ class User < ActiveRecord::Base
   # Associations
   belongs_to :created_by, class_name: 'User'
   belongs_to :updated_by, class_name: 'User'
+  has_many :admins_sites, foreign_key: 'admin_id', class_name: 'AdminsSite', dependent: :destroy
+  has_many :sites, through: :admins_sites
+
+  # Roles
+  # Admin - all permissions
+  # Editor - all permissions except for users, sites editing
+  # Content Editor - all permissions except for users, sites, publishing and deleting
 
   def role?(role)
     case role
@@ -40,12 +46,16 @@ class User < ActiveRecord::Base
     designer
   end
 
+  def editor?
+    designer
+  end
+
   def content_editor?
     content_editor
   end
 
-  def scoped?
-    site_id.present?
+  def scoped_site?
+    sites.present?
   end
 
   def locale
@@ -67,4 +77,5 @@ class User < ActiveRecord::Base
 
     errors.add :password, 'Complexity requirement not met. Length should be 12 characters and include: 1 uppercase, 1 lowercase, 1 digit and 1 special character.'
   end
-end
+
+end

data/app/views/admin/layouts/_choose_site.html.haml

@@ -1,7 +1,9 @@
 - unless current_user.site
   %label{:for=>'layout_site_id', :class => 'admin_only'}
     Site
-    - sites = Site.all.map { |s| [s.name, s.id] }
-    - selection = {:include_blank => Layout.is_shareable?}
-    - selection[:selected] = current_site.id if @layout.new_record? && ! Layout.is_shareable?
+    :ruby
+      user_sites = current_user.admins_sites.pluck(:site_id)
+      sites = Site.where(:id => user_sites).map { |s| [s.name, s.id] }
+      selection = {:include_blank => Layout.is_shareable?}
+      selection[:selected] = current_site.id if @layout.new_record? && ! Layout.is_shareable?
     = select :layout, :site_id, sites, selection

data/app/views/admin/layouts/_site_chooser.html.haml

@@ -1,9 +1,9 @@
-- if current_user.admin? && !current_user.scoped? && defined?(Site) && defined?(controller) && controller.sited_model? && controller.template_name == 'index' && Site.several?
+- if current_user.scoped_site? && defined?(Site) && defined?(controller) && controller.sited_model? && controller.template_name == 'index' && Site.several?
   .site_chooser
     %ul.nav
       %li
         = "Current Site: #{current_site.name}"
         %ul.expansion
-          - Site.all.each do |site|
+          - current_user.sites.each do |site|
             %li
               = link_to( site.name, "#{request.path}?site_id=#{site.id}", :class => site == current_site ? 'fg site-link' : 'site-link')

data/app/views/admin/pages/_fields.html.haml

@@ -1,3 +1,5 @@
+= javascript_include_tag 'admin/validations/scheduled_status_validation'
+
 = fields.hidden_field :lock_version
 = fields.hidden_field :parent_id
 = fields.hidden_field :class_name
@@ -41,16 +43,23 @@
         = fields.label :class_name, t('page_type')
         = fields.select :class_name, [[t('select.normal'), '']] + Page.descendants.map { |p| [p.display_name, p.name] }.sort_by { |p| p.first }
     - layout.edit_status do
-      .status
-        = fields.label :status_id, t('status')
-        = fields.select :status_id, status_to_display
+      - if current_user.admin? || current_user.editor?
+        .status
+          = fields.label :status_id, t('status')
+          = fields.select :status_id, Status.selectable.map { |s| [s.name, s.id] }
     - layout.edit_published_at do
       .published-date
-        #published_at{:class => (@page.published? ? nil : 'hidden')}
-          = fields.label :published_at, t('published_on')
-          = fields.text_field :published_at, :class=> 'date', :type=>'date', :value => (@page.published_at? ? I18n.localize(@page.published_at.to_date, :format =>:default) : nil)
+        #published_at{:class => (@page.published? ? '' : 'hidden')}
+          = fields.label :published_at, t('publish_datetime')
+          = fields.text_field :published_at,
+            class: 'datetime',
+            type: 'datetime-local',
+            value: (@page.published_at? ? @page.published_at.strftime('%Y-%m-%dT%H:%M') : nil)
     = render_region :layout_row, :locals => {:f => fields}
 
+.error.hidden
+  %span#published-at-error
+
 - render_region :form_bottom, :locals => {:f => fields} do |form_bottom|
   - form_bottom.edit_buttons do
     - @buttons_partials.each do |partial|

data/app/views/admin/pages/_node.html.haml

@@ -18,5 +18,5 @@
       - unless simple
         %td.actions
           = page.add_child_option
-          - if current_user.admin?
+          - if current_user.editor? || current_user.admin?
             = page.remove_option

data/app/views/admin/snippets/_choose_site.html.haml

@@ -1,5 +1,6 @@
 - unless current_user.site
   %label{:for=>'snippet_site_id', :Class => 'admin_only'}
     Site
-    - sites = Site.all.map { |s| [s.name, s.id] }
+    - user_sites = current_user.admins_sites.pluck(:site_id)
+    - sites = Site.where(:id => user_sites).map { |s| [s.name, s.id] }
     = select :snippet, :site_id, sites, :include_blank => Snippet.is_shareable?, :selected => @snippet.site_id || current_site.id

data/app/views/admin/users/_choose_site.html.haml

@@ -1,4 +1,5 @@
 - if current_user.admin?
   %label{:for=>'user_admin'} Can edit site
-  = select :user, :site_id, [['<any>', '']] + Site.all.map { |s| [s.name, s.id] }
+  .caption (hold ctrl or cmd to select multiple)
   .caption A user with no site is able to act (to whatever extent their status allows) on any site.
+  = select :user, :site_ids, options_for_select(Site.all.map { |s| [s.name, s.id] }, selected: @user.site_ids), {}, { multiple: true }

data/app/views/admin/users/_form.html.haml

@@ -25,7 +25,9 @@
           = f.check_box 'admin', :class => 'checkbox'
           = f.label :admin, t('admin'), :class => 'checkbox'
           = f.check_box 'designer', :class => 'checkbox'
-          = f.label :designer, t('designer'), :class => 'checkbox'
+          = f.label :designer, t('editor'), :class => 'checkbox'
+          = f.check_box 'content_editor', :class => 'checkbox'
+          = f.label :content_editor, t('content_editor'), :class => 'checkbox'
 
     - form.edit_notes do
       %fieldset

data/bin/rails

@@ -3,8 +3,8 @@
 # installed from the root of your application.
 
 ENGINE_ROOT = File.expand_path('..', __dir__)
-ENGINE_PATH = File.expand_path('../lib/trusty/cms/engine', __dir__)
-APP_PATH = File.expand_path('../test/dummy/config/application', __dir__)
+ENGINE_PATH = File.expand_path('../lib/trusty_cms/engine', __dir__)
+APP_PATH = File.expand_path('../spec/dummy/config/application', __dir__)
 
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)

data/config/application.rb

@@ -20,6 +20,7 @@ module TrustyCms
     Rails.autoloaders.log!
     # Enable the asset pipeline
     config.assets.enabled = true
+    config.active_record.legacy_connection_handling = false
 
     # Version of your assets, change this if you want to expire all your assets
     config.assets.version = '1.0'

data/config/initializers/devise.rb

@@ -187,7 +187,7 @@ Devise.setup do |config|
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again. Default is 30 minutes.
-  # config.timeout_in = 30.minutes
+  config.timeout_in = 8.hours
 
   # ==> Configuration for :lockable
   # Defines which strategy will be used to lock an account.