trusty-cms 7.0.28 → 7.0.30

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16753e005b09f59c333c5e9fd2af4bca3bd0e20f8d2da054500b3d262d1eecfa
-  data.tar.gz: c4159171a6a9f932b685cd3855bd0f931392053d4d797025e73aae1a5aa443fc
+  metadata.gz: 9ef6650284d438676ef388a1b002d3ff0acfe81dc068bcfafa9e1cb2814749f9
+  data.tar.gz: e6a980c1afa8435a04314a5b43b6788ecc4f743e9c7c32015245e15e0c8c0804
 SHA512:
-  metadata.gz: 3f91892e8c3e8b0aa0e3899b7796833a4e2a0e5074eacf92f5e47b7e216559b5c4d32f487f03fb725775d960d20f0cd15cea678a0a14ef42aa65c9d07cb531c2
-  data.tar.gz: f5735dc96aa6cf0c3c80686f36d48cd7d49f5b8865ffd4c2d02ab708170764b5bff91a7fb525acbff932e67c76b9adcd104f35e145ee71ce61c4c897e42c597f
+  metadata.gz: 33d9139d690d376c8d4547b3d8c20cec750671050a9aa9378a197c3c28ab79cb04fda4403b17f2da86bdad23c5699d3dfdeef5f16db1469ad17c546464df89b8
+  data.tar.gz: f728eb8f4da2af5477ba994c9ccad2d5ac46620f0893295734a66035601c2317dc750985ec3b9d52518c786eebd1f5056a4f8dd301cb2beb4001f82e7d96835c

data/Gemfile

@@ -15,6 +15,7 @@ group :development, :test do
   gem 'activestorage-validator'
   gem 'acts_as_list'
   gem 'database_cleaner'
+  gem 'devise-two-factor'
   gem 'factory_bot_rails', '6.4.4'
   gem 'file_validators'
   gem 'launchy', '~> 3.0.1'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    trusty-cms (7.0.28)
+    trusty-cms (7.0.30)
       RedCloth (= 4.3.3)
       activestorage-validator
       acts_as_list (>= 0.9.5, < 1.3.0)
@@ -11,6 +11,7 @@ PATH
       ckeditor (>= 4.2.2, < 4.4.0)
       delocalize (>= 0.2, < 2.0)
       devise
+      devise-two-factor
       drb
       execjs (~> 2.7)
       haml (>= 5.0, < 6.0)
@@ -32,6 +33,7 @@ PATH
       ransack (~> 4.2.1)
       rdoc (>= 5.1, < 7.0)
       roadie-rails
+      rqrcode
       sass-rails
       stringex (>= 2.7.1, < 2.9.0)
       tzinfo (>= 1.2.3, < 2.1.0)
@@ -133,6 +135,7 @@ GEM
       xpath (~> 3.2)
     childprocess (5.1.0)
       logger (~> 1.5)
+    chunky_png (1.4.0)
     ckeditor (4.3.0)
       orm_adapter (~> 0.5.0)
       terrapin
@@ -159,6 +162,11 @@ GEM
       railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
+    devise-two-factor (6.1.0)
+      activesupport (>= 7.0, < 8.1)
+      devise (~> 4.0)
+      railties (>= 7.0, < 8.1)
+      rotp (~> 6.0)
     diff-lcs (1.5.1)
     docile (1.4.1)
     drb (2.2.1)
@@ -346,6 +354,11 @@ GEM
     roadie-rails (3.3.0)
       railties (>= 5.1, < 8.1)
       roadie (~> 5.0)
+    rotp (6.3.0)
+    rqrcode (3.1.0)
+      chunky_png (~> 1.0)
+      rqrcode_core (~> 2.0)
+    rqrcode_core (2.0.0)
     rspec-core (3.13.2)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.3)
@@ -430,6 +443,7 @@ DEPENDENCIES
   activestorage-validator
   acts_as_list
   database_cleaner
+  devise-two-factor
   factory_bot_rails (= 6.4.4)
   file_validators
   launchy (~> 3.0.1)

data/INSTALL.md

@@ -6,8 +6,9 @@ From within the directory containing your TrustyCMS instance:
 
 2. Add the following gems to your Gemfile:
 
-- gem 'trusty-cms'
-- gem 'rails-observers'
+    - gem 'trusty-cms'
+    - gem 'rails-observers'
+    - gem 'devise-two-factor'
 
 3. Run `bundle install`
 
@@ -20,5 +21,22 @@ From within the directory containing your TrustyCMS instance:
 
 7. Add utf8 encoding to your db.yml
 
-8. Run `bundle exec rake db:setup`, `bundle exec rake trusty_cms:install:migrations`, then
+8. Set up encryption keys required for Rails’ native encryption (used by features like two-factor authentication):
+
+    - Run the encryption initializer command:
+
+    ```bash
+    ./bin/rails db:encryption:init
+    ```
+
+    - This will output three secrets. Copy the values and set them as environment variables in your preferred environment file (e.g., `.env`, `.env.development`, or via system environment settings):
+
+    ```env
+    ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+    ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+    ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+    ```
+    - **Important**: Use different keys for each environment (development, test, production) unless two environments (e.g., development and staging) share a database — in that case, they **must** use the same keys.
+
+9. Run `bundle exec rake db:setup`, `bundle exec rake trusty_cms:install:migrations`, then
    `bundle exec rake db:bootstrap`.

data/README.md

@@ -26,7 +26,6 @@ TrustyCMS features:
 * An advanced plugin system
 * Asset management & searching
 * Serve multiple sites (domains) from a single instance
-* Social sharing buttons
 * Reusable bits of content (Snippets)
 * Allows Rails controllers/actions to use Trusty CMS layouts as their "layout"
 * Operates in two modes: dev and production depending on the URL

data/app/assets/stylesheets/admin/modules/_buttons.scss

@@ -18,7 +18,6 @@
   text-decoration: none;
 }
 
-
 .cancel-button {
   @include button;
   background-color: $light-red;
@@ -30,3 +29,7 @@
     color: $white;
   }
 }
+
+.button-margin-top {
+  margin-top: 0.5em;
+}

data/app/assets/stylesheets/admin/partials/_forms.scss

@@ -111,3 +111,7 @@ textarea {
 #search-input {
   max-width: 25em;
 }
+
+.form-margin-top {
+  margin-top: 0.5em;
+}

data/app/controllers/admin/security_controller.rb

@@ -0,0 +1,78 @@
+require 'rqrcode'
+
+class Admin::SecurityController < ApplicationController
+  before_action :authenticate_user!
+  before_action :set_user
+  before_action :set_template_names
+  before_action :ensure_otp_secret, only: %i[show edit]
+  before_action :set_two_factor_variables, only: %i[show edit]
+
+  def show
+    set_standard_body_style
+    render :edit
+  end
+
+  def edit
+    render
+  end
+
+  def update
+    if @user.update(security_params)
+      sign_out(@user)
+      redirect_to new_user_session_path, notice: t('security_controller.password_updated')
+    else
+      flash[:error] = t('security_controller.error_updating_password')
+      render :edit
+    end
+  end
+
+  def verify_two_factor
+    if @user.validate_and_consume_otp!(params[:otp_attempt])
+      @user.update!(otp_required_for_login: true)
+      redirect_to admin_security_path, notice: t('security_controller.two_factor_enabled')
+    else
+      flash[:error] = t('security_controller.two_factor_invalid_code')
+      redirect_to admin_security_path
+    end
+  end
+
+  def disable_two_factor
+    if @user.update(otp_required_for_login: false, otp_secret: nil)
+      redirect_to admin_security_path, notice: t('security_controller.two_factor_disabled')
+    else
+      flash[:error] = t('security_controller.two_factor_disabled_error')
+      redirect_to admin_security_path
+    end
+  end
+
+  private
+
+  def set_user
+    @user = current_user
+  end
+
+  def set_template_names
+    @controller_name = 'user'
+    @template_name = 'security'
+  end
+
+  def ensure_otp_secret
+    return if @user.otp_secret.present?
+
+    @user.update!(otp_secret: User.generate_otp_secret)
+  end
+
+  def set_two_factor_variables
+    @two_factor_enabled = @user.otp_required_for_login
+
+    return if @two_factor_enabled
+
+    otp_uri = @user.otp_provisioning_uri(@user.email, issuer: 'TrustyCMS')
+    qr = RQRCode::QRCode.new(otp_uri)
+    @qr_png_data = qr.as_png(size: 200).to_data_url
+  end
+
+  def security_params
+    params.require(:user).permit(:password, :password_confirmation)
+  end
+end

data/app/controllers/admin/sessions_controller.rb

@@ -0,0 +1,43 @@
+class Admin::SessionsController < Devise::SessionsController
+  def create
+    user = find_user
+
+    if authenticated?(user)
+      handle_successful_authentication(user)
+    else
+      handle_failed_authentication
+    end
+  end
+
+  private
+
+  def find_user
+    User.find_by(email: params[:user][:email])
+  end
+
+  def authenticated?(user)
+    user&.valid_password?(params[:user][:password])
+  end
+
+  def handle_successful_authentication(user)
+    if user.otp_required_for_login
+      start_two_factor_session(user)
+      redirect_to admin_two_factor_path
+    else
+      sign_in(:user, user)
+      redirect_to after_sign_in_path_for(user)
+    end
+  end
+
+  def handle_failed_authentication
+    self.resource = resource_class.new(sign_in_params)
+    clean_up_passwords(resource)
+    flash.now[:alert] = t('invalid_email_or_password')
+    render :new
+  end
+
+  def start_two_factor_session(user)
+    session[:pre_2fa_user_id] = user.id
+    session[:pre_2fa_started_at] = Time.current.to_i
+  end
+end

data/app/controllers/admin/two_factor_controller.rb

@@ -0,0 +1,42 @@
+class Admin::TwoFactorController < ApplicationController
+  skip_before_action :authenticate_user!
+  before_action :load_pre_2fa_user
+
+  MAX_2FA_SESSION_DURATION = 5.minutes.freeze
+
+  def show; end
+
+  def create
+    if @user.validate_and_consume_otp!(params[:otp_attempt])
+      session.delete(:pre_2fa_user_id)
+      session.delete(:pre_2fa_started_at)
+      sign_in(:user, @user)
+      redirect_to after_sign_in_path_for(@user)
+    else
+      reset_session
+      redirect_to new_user_session_path, alert: t('two_factor_controller.invalid_code')
+    end
+  end
+
+  private
+
+  def load_pre_2fa_user
+    if current_user
+      redirect_to after_sign_in_path_for(current_user) and return
+    end
+
+    @user = User.find_by(id: session[:pre_2fa_user_id])
+
+    if !@user&.otp_required_for_login || session_expired?
+      reset_session
+      redirect_to new_user_session_path, alert: t('two_factor_controller.session_expired')
+    end
+  end
+
+  def session_expired?
+    started_at = session[:pre_2fa_started_at]
+    return true unless started_at
+
+    Time.current.to_i - started_at > MAX_2FA_SESSION_DURATION
+  end
+end

data/app/controllers/admin/users_controller.rb

@@ -45,6 +45,15 @@ class Admin::UsersController < Admin::ResourceController
     end
   end
 
+  def disable_2fa
+    user = User.find(params[:id])
+    user.update(
+      otp_required_for_login: false,
+      otp_secret: nil,
+    )
+    redirect_to admin_users_path
+  end
+
   private
 
   def user_params

data/app/controllers/application_controller.rb

@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
 
   protect_from_forgery with: :exception
   before_action :authenticate_user!
+  before_action :configure_permitted_parameters, if: :devise_controller?
   before_action :set_timezone
   before_action :set_user_locale
   before_action :set_javascripts_and_stylesheets
@@ -44,6 +45,12 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  protected
+
+  def configure_permitted_parameters
+    devise_parameter_sanitizer.permit(:sign_in, keys: [:otp_attempt])
+  end
+
   private
 
   def set_mailer

data/app/models/standard_tags.rb

@@ -931,22 +931,6 @@ module StandardTags
     end
   end
 
-  desc 'Widget of sharing icons'
-  tag 'rad_share_widget' do |tag|
-    attributes = tag.attr.to_options
-    url = attributes[:url].nil? ? request.url : attributes[:url]
-    message = attributes[:message].nil? ? "Check out #{tag.locals.page.title}." : attributes[:message]
-    email_subject = attributes[:email_subject].nil? ? tag.locals.page.title : attributes[:email_subject]
-    email_message = attributes[:email_message].nil? ? "I thought you might be interested in this: #{url}" : "#{attributes[:email_message]} #{url}"
-    email_action_url = attributes[:email_action_url].nil? ? '/rad_social/mail' : attributes[:email_action_url]
-    request.env['action_controller.instance'].render_to_string partial: 'widget/horizontal_widget',
-                                                               locals: { url: url,
-                                                                         message: message,
-                                                                         email_subject: email_subject,
-                                                                         email_message: email_message,
-                                                                         email_action_url: email_action_url }
-  end
-
   private
 
   def render_children_with_pagination(tag, opts = {})

data/app/models/trusty_cms/config.rb

@@ -145,10 +145,6 @@ module TrustyCms
         @default_settings ||= %w{defaults.locale defaults.page.filter defaults.page.parts defaults.page.fields defaults.page.status}
       end
 
-      def user_settings
-        @user_settings ||= ['user.allow_password_reset?']
-      end
-
       # A convenient drying method for specifying a prefix and options common to several settings.
       #
       #   TrustyCms.config do |config|

data/app/models/user.rb

@@ -3,7 +3,7 @@ class User < ActiveRecord::Base
   self.table_name = 'admins'
 
   # :confirmable, :lockable, :timeoutable and :omniauthable
-  devise :database_authenticatable, :registerable,
+  devise :two_factor_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable
 
   alias_attribute :created_by_id, :id

data/app/views/admin/configuration/edit.html.haml

@@ -23,13 +23,6 @@
               %p
                 = edit_config default_setting
 
-        - form.edit_users do
-          %fieldset
-            %h4 Passwords
-            - TrustyCms.config.user_settings.each do |user_setting|
-              %p
-                = edit_config user_setting
-
       - render_region :form_bottom do |form_bottom|
         - form_bottom.edit_buttons do
           .buttons

data/app/views/admin/configuration/show.html.haml

@@ -1,4 +1,4 @@
-#preferences.box
+%fieldset
   - render_region :user do |user|
     - user.preferences do
       %h3
@@ -13,10 +13,6 @@
           = t('email_address')
         %span.uri
           = current_user.email
-      %p.ruled
-        %label
-          = t('password')
-        %big •••••
       %p.ruled
         %label
           = t('language')
@@ -25,7 +21,25 @@
       .actions
         = button_to t("edit_preferences"), edit_admin_user_path(current_user), :method => :get
 
-#config.box
+%fieldset
+  - render_region :user do |user|
+    - user.preferences do
+      %h3
+        = t('security')
+      %p.ruled
+        %label
+          = t('password')
+        %span.value
+          ••••••••••••••••••
+      %p.ruled
+        %label
+          = t('two_factor_authentication')
+        %span
+          = current_user.otp_required_for_login ? t('enabled') : t('disabled')
+      .actions
+        = button_to t('edit_security_settings'), admin_security_path, :method => :get
+
+%fieldset
   - render_region :trusty_config do |config|
     - config.site do
       %h3
@@ -40,11 +54,6 @@
         %p.ruled
           = show_config default_setting
 
-    - config.users do
-      %h4 Passwords
-      - TrustyCms.config.user_settings.each do |user_setting|
-        %p.ruled
-          = show_config user_setting
   - if current_user.admin?
     .actions
-      = button_to t("edit_configuration"), edit_admin_configuration_path, :method => :get
+      = button_to t("edit_configuration"), edit_admin_configuration_path, :method => :get

data/app/views/admin/preferences/edit.html.haml

@@ -27,12 +27,9 @@
               = f.label :email,  t("email_address"), :class => 'optional'
               = f.text_field 'email', :class => 'textbox', :maxlength => 255
 
-          - form.edit_password do
-            = render 'admin/users/password_fields', :f => f
-
         - render_region :form_bottom, :locals => {:f => f} do |form_bottom|
           - form_bottom.edit_buttons do
             .buttons
               = save_model_button @user
               = t('or')
-              = link_to t('cancel'), admin_pages_url, class: 'alt'
+              = link_to t('cancel'), admin_configuration_path, class: 'alt'

data/app/views/admin/security/edit.html.haml

@@ -0,0 +1,57 @@
+- @page_title = @user.name + ' - Security'
+- body_classes << 'edit_security'
+
+- render_region :main do |main|
+  - main.edit_header do
+    %h1
+      = t('security')
+
+  - main.edit_form do
+    %fieldset
+      %h3
+        = t('change_password')
+      = form_for @user, :url => admin_security_path, :html => { :method => :put, 'data-onsubmit_status' => "#{t('saving_changes')}&#8230;" } do |f|
+        - render_region :form, :locals => {:f => f} do |form|
+          - form.edit_password do
+            %fieldset#change-password
+              %p
+                = f.label :password, t('new_password')
+                = f.password_field 'password', :value => '', :maxlength => 40, :autocomplete => 'new-password'
+              %p
+                = f.label :password_confirmation, t('password_confirmation')
+                = f.password_field 'password_confirmation', :value => '', :maxlength => 40, :autocomplete => 'new-password'
+
+        - render_region :form_bottom, :locals => {:f => f} do |form_bottom|
+          - form_bottom.edit_buttons do
+            .buttons
+              = save_model_button @user
+
+  - main.two_factor do
+    %fieldset
+      %h3
+        = t('two_factor_authentication')
+
+      - if @two_factor_enabled
+        %fieldset
+          %p
+            = t('security_controller.two_factor_is_enabled')
+          = button_to t('disable'),
+            disable_two_factor_admin_security_path,
+            method: :post,
+            data: { confirm: t('security_controller.two_factor_disable_confirm') },
+            class: "button button-margin-top"
+      - else
+        %fieldset
+          %p
+            = t('security_controller.scan_qr_instructions')
+          = image_tag @qr_png_data, alt: t('security_controller.qr_alt')
+          %p
+            = t('security_controller.manual_key_instructions')
+          %strong= @user.otp_secret
+
+          .form-margin-top
+            = form_with url: verify_two_factor_admin_security_path, method: :post do |form|
+              %div
+                = form.label :otp_attempt, t('security_controller.enter_qr_code')
+                = form.text_field :otp_attempt, autofocus: true, size: 6, maxlength: 6
+              = form.submit t('security_controller.verify_and_enable')

data/app/views/{devise → admin}/sessions/new.html.haml

@@ -1,10 +1,10 @@
 - body_classes << 'login_form'
 .login-form-content
   .visual
-    = image_tag('/assets/admin/default_safe_login.svg', alt: 'web browser with padlock on top')
+    = image_tag('/assets/admin/default_safe_login.svg', alt: 'Web browser with padlock on top')
   .login
-    %h1 Log in
-    = form_for(resource, as: resource_name, url: authenticate_path) do |f|
+    %h1 Log In
+    = form_for(resource, as: resource_name, url: user_session_path) do |f|
       .field
         = f.label :email
         = f.email_field :email, autofocus: true, autocomplete: 'email'
@@ -18,8 +18,8 @@
             Remember Me
       %br
       .actions
-        = f.submit 'Log in'
+        = f.submit 'Log In'
         - if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations'
           = link_to 'Forgot your password?', new_password_path(resource_name)
       - if flash.alert
-        .error= flash.alert
+        .error= flash.alert

data/app/views/admin/two_factor/show.html.haml

@@ -0,0 +1,14 @@
+- body_classes << 'login_form'
+.login-form-content
+  .visual
+    = image_tag('/assets/admin/default_safe_login.svg', alt: 'Web browser with padlock on top')
+  .login
+    %h1
+      = t('two_factor_authentication')
+    = form_with url: admin_two_factor_path, method: :post, local: true do |form|
+      .field
+        = form.label :otp_attempt, t('security_controller.enter_qr_code')
+        = form.text_field :otp_attempt, autofocus: true, maxlength: 6, size: 6
+      %br
+      .actions
+        = form.submit t('security_controller.verify_code')

data/app/views/admin/users/_form.html.haml

@@ -15,9 +15,6 @@
       = f.label :email, t('email_address') , :class => 'optional'
       = f.text_field 'email', :class => 'textbox', :maxlength => 255
 
-    - form.edit_password do
-      = render 'password_fields', :f => f
-
     - form.edit_roles do
       - if current_user.admin?
         %fieldset.multi_option

data/app/views/admin/users/index.html.haml

@@ -11,8 +11,14 @@
             %th.user== #{t('name')} / #{t('username')}
           - thead.roles_header do
             %th.roles= t('roles')
+          - thead.two_factor_status_header do
+            %th.two_factor_status
+              = t('two_factor_authentication_status')
+          - thead.disable_two_factor_header do
+            %th.disable_two_factor
+              Disable 2FA
           - thead.actions_header do
-            %th.actions{:style=>'width:9em'}= t('modify')
+            %th.actions= t('modify')
           - thead.last_sign_in_at_header do
             %th.last_sign_in_at= "Last Sign In"
     %tbody
@@ -24,6 +30,21 @@
                 = link_to user.name, edit_admin_user_url(user)
             - tbody.roles_cell do
               %td.roles= roles(user)
+            - tbody.two_factor_status_cell do
+              %td.two_factor
+                - if user.otp_required_for_login
+                  = t('enabled')
+                - else
+                  = t('disabled')
+            - tbody.disable_two_factor_cell do
+              %td.actions
+                - if user.otp_required_for_login
+                  - if !current_user.admin?
+                    %span.action.disabled
+                      %i.fas.fa-minus-circle
+                      Disable
+                  - else
+                    = button_to 'Disable', disable_2fa_admin_user_path(user), method: :patch, data: { confirm: "Are you sure you want to disable 2FA for this user?" }
             - tbody.actions_cell do
               %td.actions
                 - if !current_user.admin?

data/app/views/devise/passwords/edit.html.haml

@@ -8,16 +8,14 @@
       = f.hidden_field :reset_password_token
       .field
         = f.label :password, 'New password'
-        %br/
         - if @minimum_password_length
           %em
             (#{@minimum_password_length} characters minimum)
-          %br/
+
         = f.password_field :password, autofocus: true, autocomplete: 'new-password'
+      %br/
       .field
         = f.label :password_confirmation, 'Confirm new password'
-        %br/
         = f.password_field :password_confirmation, autocomplete: 'new-password'
       .actions
         = f.submit 'Change my password'
-    = render 'devise/shared/links'

data/config/initializers/active_record_encryption.rb

@@ -0,0 +1,5 @@
+ActiveRecord::Encryption.configure(
+  primary_key: ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"],
+  deterministic_key: ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"],
+  key_derivation_salt: ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"]
+)