zen_admin 0.9.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f2dd3dea01b5b2f2f61dbe4b710f782f03350e8f8a5798ac3afa463d21732570
+  data.tar.gz: 89088d988f3a3b225253e8b429f41a9a786eb551779b54a54ab06b4860f08f02
+SHA512:
+  metadata.gz: a6842819ce0af246eef49871f612995b018029c96f33a93409cbb33722f6ed8ca4f886113b34ba1bf6eb6c1576c0689383993a30355771c7a97d26e4db055fca
+  data.tar.gz: 392fcfa165fa9b24ebeac3adae34af1dab06ebd1b6e8bd6b9ca1bc9ba0f0db933d843cdfcac49fb7310dfe120393da16c21eeb86364e65bbf6099def56ee1a28

data/README.md

@@ -0,0 +1,76 @@
+# ZenAdmin
+Rails engine for admin interface with Headless API and Bootstrap UI.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem "zen_admin"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install zen_admin
+```
+
+## Usage
+1. Mount the engine in your routes:
+   ```ruby
+   # config/routes.rb
+   mount ZenAdmin::Engine => "/admin"
+   ```
+
+2. Configure ZenAdmin:
+   ```ruby
+   # config/initializers/zen_admin.rb
+   ZenAdmin.configure do |config|
+     config.enable_ui = true
+     config.admin_path = "/admin"
+   end
+   ```
+
+3. Register your models:
+   ```ruby
+   # config/initializers/zen_admin.rb
+   ZenAdmin.register(User) do |resource|
+     resource.list do
+       field :email
+       field :name
+     end
+
+     resource.form do
+       field :email, type: :string, required: true
+       field :name, type: :string
+     end
+
+     resource.filters do
+       filter :email
+     end
+   end
+   ```
+
+4. Access the admin interface at `/admin`
+
+## API Endpoints
+- `GET /admin/api/schema/:resource` - Get resource schema
+- `GET /admin/api/resources/:resource_name` - List resources
+- `POST /admin/api/resources/:resource_name` - Create resource
+- `GET /admin/api/resources/:resource_name/:id` - Show resource
+- `PUT /admin/api/resources/:resource_name/:id` - Update resource
+- `DELETE /admin/api/resources/:resource_name/:id` - Delete resource
+
+## UI Pages
+- `/admin/ui/:resource_name` - List resources
+- `/admin/ui/:resource_name/new` - New resource form
+- `/admin/ui/:resource_name/:id/edit` - Edit resource form
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+require "bundler/gem_tasks"

data/app/assets/stylesheets/zen_admin/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/zen_admin/application_controller.rb

@@ -0,0 +1,27 @@
+module ZenAdmin
+  class ApplicationController < ActionController::Base
+    include ZenAdmin::ApplicationHelper
+    include ZenAdmin::Authenticatable
+    include Pundit::Authorization
+
+    def self.zen_admin_dashboard(template_path)
+      ZenAdmin.configuration.custom_dashboard = template_path
+    end
+
+    rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
+
+    before_action :authenticate_admin!
+    helper_method :current_admin_user
+
+    def pundit_user
+      current_admin_user
+    end
+
+    private
+
+    def user_not_authorized
+      flash[:alert] = "您没有执行此操作的权限。"
+      redirect_back fallback_location: root_path
+    end
+  end
+end

data/app/controllers/zen_admin/dashboard_controller.rb

@@ -0,0 +1,9 @@
+module ZenAdmin
+  class DashboardController < ApplicationController
+    def index
+      if ZenAdmin.configuration.custom_dashboard
+        render ZenAdmin.configuration.custom_dashboard
+      end
+    end
+  end
+end

data/app/controllers/zen_admin/sessions_controller.rb

@@ -0,0 +1,40 @@
+module ZenAdmin
+  class SessionsController < ApplicationController
+    skip_before_action :authenticate_admin!, only: [ :new, :create ], raise: false
+    layout false
+
+    def new
+    end
+
+    def create
+      # 1. 如果启用了 RBAC 且数据库表存在，优先走数据库验证
+      if ZenAdmin.configuration.rbac_enable && ActiveRecord::Base.connection.table_exists?("zen_admin_users")
+        user = ZenAdmin::User.find_by(username: params[:username])
+        if user&.authenticate(params[:password])
+          session[:zen_admin_user_id] = user.id
+          return redirect_to root_path, notice: "欢迎回来，#{user.username}！"
+        end
+        
+        # 如果开启了 RBAC 但数据库验证失败，且未找到用户，则不再尝试硬编码登录 (防止后门)
+        # 除非配置显式允许混合模式 (当前未实现，故严格安全优先)
+        flash.now[:alert] = "用户名或密码错误"
+        return render :new, status: :unprocessable_entity
+      end
+
+      # 2. 仅在未开启 RBAC 时，使用硬编码验证
+      if params[:username] == ZenAdmin.configuration.username &&
+         params[:password] == ZenAdmin.configuration.password
+        session[:zen_admin_user_id] = "config_admin"
+        redirect_to root_path, notice: "登录成功（基础模式）"
+      else
+        flash.now[:alert] = "用户名或密码错误"
+        render :new, status: :unprocessable_entity
+      end
+    end
+
+    def destroy
+      session[:zen_admin_user_id] = nil
+      redirect_to login_path, notice: "已安全退出"
+    end
+  end
+end

data/app/controllers/zen_admin/ui/resources_controller.rb

@@ -0,0 +1,331 @@
+module ZenAdmin
+  module Ui
+    class ResourcesController < ApplicationController
+      layout -> { turbo_frame_request? ? false : "zen_admin/application" }
+      before_action :set_time_zone
+      before_action :find_resource
+
+      def index
+        authorize @resource.model, policy_class: ZenAdmin::ResourcePolicy
+        
+        # 1. 强制为当前模型注入 Ransack 权限
+        if @resource.model.respond_to?(:ransack)
+          @resource.model.instance_eval do
+            def ransackable_attributes(auth_object = nil); column_names; end
+            def ransackable_associations(auth_object = nil); reflect_on_all_associations.map { |a| a.name.to_s }; end
+          end
+        end
+
+        if params[:scope] == 'trash'
+          # Accessing trash requires destroy permission
+          unless current_admin_user.can?("#{@resource.name}:destroy") || (current_admin_user.respond_to?(:super_admin?) && current_admin_user.super_admin?)
+            raise Pundit::NotAuthorizedError, "not allowed to access trash for #{@resource.name}"
+          end
+
+          @records = ZenAdmin::TrashItem.where(resource_type: @resource.model_name)
+                                       .order(created_at: :desc)
+                                       .page(params[:page]).per(params[:limit] || 10)
+        else
+          # 2. 正常列表：构建 Ransack 搜索
+          q_params = params[:q].to_unsafe_h rescue {}
+          
+          # 2.1 处理快捷页签 (Scopes)
+          @available_scopes = @resource.computed_scopes(self)
+          if @available_scopes.any?
+            active_scope = if params[:scope_name].present?
+                             @available_scopes.find { |s| s[:name].to_s == params[:scope_name].to_s }
+                           else
+                             @available_scopes.find { |s| s[:default] } || @available_scopes.first
+                           end
+            
+            if active_scope && active_scope[:query].present?
+              q_params.merge!(active_scope[:query])
+              @active_scope_name = active_scope[:name]
+            end
+          end
+          
+          # 3. 处理顶栏关键字
+          if params[:keyword].present?
+            @search_term = params[:keyword]
+            searchable_columns = @resource.model.columns.select { |c| [:string, :text].include?(c.type) }.map(&:name)
+            if searchable_columns.any?
+              search_key = searchable_columns.map { |name| "#{name}_cont" }.join("_or_")
+              q_params[search_key] = @search_term
+            end
+          end
+
+          # 4. 增强日期筛选逻辑：自动补全结束时间为 23:59:59
+          q_params.each do |key, value|
+            if key.to_s.end_with?("_lteq", "_lt") && value.present? && value.is_a?(String)
+              # 如果值看起来像纯日期 (YYYY-MM-DD)
+              if value =~ /^\d{4}-\d{2}-\d{2}$/
+                begin
+                  q_params[key] = Time.zone.parse(value).end_of_day
+                rescue
+                  # 解析失败保持原样
+                end
+              end
+            end
+          end
+
+          @q = @resource.model.ransack(q_params)
+          @q.sorts = 'created_at desc' if @q.sorts.empty? && @resource.model.column_names.include?("created_at")
+          
+          scope = @q.result(distinct: true)
+
+          # 预加载
+          includes_to_load = @resource.includes_list.dup
+          @resource.list_fields.each do |field|
+            field_name = field.name.to_sym
+            includes_to_load << field_name if @resource.model.reflect_on_association(field_name)
+            if @resource.model.reflect_on_association("#{field_name}_attachment".to_sym)
+              includes_to_load << { "#{field_name}_attachment": :blob }
+            end
+          end
+          scope = scope.includes(*includes_to_load.uniq) if includes_to_load.any?
+
+          respond_to do |format|
+            format.html do
+              if turbo_frame_request? && turbo_frame_request_id == 'modal'
+                render html: "<script>window.location.reload();</script>".html_safe, layout: false and return
+              end
+              @records = scope.page(params[:page]).per(params[:limit] || 10)
+            end
+            format.csv do
+              export_count = scope.respond_to?(:count) ? scope.count : scope.size
+              ZenAdmin::AuditLog.record(current_admin_user, @resource.model, 'export', note: "导出了 #{export_count} 条数据", request: request)
+              send_data generate_csv(scope), 
+                        filename: "#{@resource.model_name.underscore}_#{Time.current.strftime('%Y%m%d%H%M')}.csv",
+                        type: 'text/csv; charset=utf-8'
+            end
+          end
+        end
+      end
+
+      def show
+        @record = @resource.model.find(params[:id])
+        authorize @record, policy_class: ZenAdmin::ResourcePolicy
+        render layout: false if turbo_frame_request?
+      end
+
+                      def new
+                        @record = @resource.model.new
+                        
+                        # DEBUG LOGGING
+                        permission_key = "#{@resource.name}:create"
+                        has_permission = current_admin_user.can?(permission_key)
+                        is_super = current_admin_user.respond_to?(:super_admin?) && current_admin_user.super_admin?
+                        Rails.logger.error "🛑 SECURITY CHECK: User=#{current_admin_user.username} | Permission Key=[#{permission_key}] | Has Permission?=#{has_permission} | Is Super?=#{is_super}"
+                
+                        # 显式双重校验，防止 Pundit 策略推断异常
+                        unless has_permission || is_super
+                          raise Pundit::NotAuthorizedError, "not allowed to create? this #{@resource.name}"
+                        end
+                
+                        authorize @record, policy_class: ZenAdmin::ResourcePolicy
+                        render layout: false if turbo_frame_request?
+                      end          
+                def create
+                  @record = @resource.model.new(permitted_params)
+                  authorize @record, policy_class: ZenAdmin::ResourcePolicy
+                  respond_to do |format|
+                    if @record.save
+                      ZenAdmin::AuditLog.record(current_admin_user, @record, 'create', changes: @record.attributes, request: request)
+                      format.html { redirect_to ui_resource_index_path(@resource.name), notice: t('zen_admin.messages.created', resource: @resource.label) }
+                      format.turbo_stream { flash.now[:notice] = t('zen_admin.messages.created', resource: @resource.label) }
+                    else
+                      format.html { render :new, status: :unprocessable_entity, layout: (false if turbo_frame_request?) }
+                    end
+                  end
+                end
+          
+                def edit
+                  @record = @resource.model.find(params[:id])
+                  
+                  # 显式双重校验
+                  unless current_admin_user.can?("#{@resource.name}:update") || (current_admin_user.respond_to?(:super_admin?) && current_admin_user.super_admin?)
+                    raise Pundit::NotAuthorizedError, "not allowed to update? this #{@resource.name}"
+                  end
+          
+                  authorize @record, policy_class: ZenAdmin::ResourcePolicy
+                  render layout: false if turbo_frame_request?
+                end
+      def update
+        @record = @resource.model.find(params[:id])
+        authorize @record, policy_class: ZenAdmin::ResourcePolicy
+        respond_to do |format|
+          if @record.update(permitted_params)
+            ZenAdmin::AuditLog.record(current_admin_user, @record, 'update', changes: @record.saved_changes, request: request)
+            format.html { redirect_to ui_resource_index_path(@resource.name), notice: t('zen_admin.messages.updated', resource: @resource.label) }
+            format.turbo_stream { flash.now[:notice] = t('zen_admin.messages.updated', resource: @resource.label) }
+          else
+            format.html { render :edit, status: :unprocessable_entity, layout: (false if turbo_frame_request?) }
+          end
+        end
+      end
+
+      def destroy
+        @record = @resource.model.find_by(id: params[:id])
+        if @record
+          authorize @record, policy_class: ZenAdmin::ResourcePolicy
+          if params[:permanent] == 'true'
+            ZenAdmin::AuditLog.record(current_admin_user, @record, 'destroy', changes: @record.attributes, request: request)
+            @record.destroy
+            notice_msg = "已永久删除该数据。"
+          else
+            ZenAdmin::TrashItem.move_to_trash(@record, current_admin_user)
+            ZenAdmin::AuditLog.record(current_admin_user, @record, 'move_to_trash', note: "移至回收站", request: request)
+            notice_msg = t('zen_admin.messages.moved_to_trash', resource: @resource.label)
+          end
+        else
+          @trash_item = ZenAdmin::TrashItem.find(params[:id])
+          authorize @resource.model, :destroy?, policy_class: ZenAdmin::ResourcePolicy
+          @trash_item.destroy
+          notice_msg = "已从回收站彻底清除。"
+        end
+        redirect_to ui_resource_index_path(@resource.name, scope: params[:scope]), notice: notice_msg
+      end
+
+      def restore
+        @trash_item = ZenAdmin::TrashItem.find(params[:id])
+        authorize @resource.model, :create?, policy_class: ZenAdmin::ResourcePolicy
+        result = @trash_item.restore!
+        if result[:success]
+          ZenAdmin::AuditLog.record(current_admin_user, @resource.model, 'restore', note: "从回收站恢复了: #{@trash_item.resource_label}", request: request)
+          redirect_to ui_resource_index_path(@resource.name), notice: t('zen_admin.messages.restored', resource: @resource.label)
+        else
+          redirect_to ui_resource_index_path(@resource.name, scope: 'trash'), alert: result[:message]
+        end
+      end
+
+      def empty_trash
+        authorize @resource.model, :destroy?, policy_class: ZenAdmin::ResourcePolicy
+        items = ZenAdmin::TrashItem.where(resource_type: @resource.model_name)
+        count = items.count
+        items.destroy_all
+        ZenAdmin::AuditLog.record(current_admin_user, @resource.model, 'empty_trash', note: "清空了 #{@resource.label} 的回收站", request: request)
+        redirect_to ui_resource_index_path(@resource.name), notice: "已彻底清空回收站。"
+      end
+
+      def bulk_action
+        ids = params[:ids] || []
+        action_name = params[:bulk_operation].to_sym
+        definition = @resource.batch_actions[action_name]
+        
+        if ids.any? && definition
+          # 权限校验：删除操作查 destroy，自定义操作查对应权限点
+          if action_name == :delete
+            authorize @resource.model, :destroy?, policy_class: ZenAdmin::ResourcePolicy
+          else
+            # 检查自定义权限 (如 posts:publish)
+            unless current_admin_user.can?("#{@resource.name}:#{action_name}") || (current_admin_user.respond_to?(:super_admin?) && current_admin_user.super_admin?)
+              raise Pundit::NotAuthorizedError, "not allowed to perform #{action_name} on #{@resource.name}"
+            end
+          end
+
+          records = @resource.model.where(id: ids)
+          if definition[:method] && @resource.model.respond_to?(definition[:method])
+            @resource.model.send(definition[:method], records)
+          elsif definition[:handler]
+            instance_exec(records, &definition[:handler])
+          end
+          ZenAdmin::AuditLog.record(current_admin_user, @resource.model, "bulk_#{action_name}", changes: { count: records.count, ids: ids }, request: request) unless @zen_admin_audited
+          redirect_to ui_resource_index_path(@resource.name), notice: "操作成功。"
+        else
+          redirect_to ui_resource_index_path(@resource.name), alert: "操作失败。"
+        end
+      end
+
+      def member_action
+        @record = @resource.model.find(params[:id])
+        action_name = params[:operation].to_sym
+        definition = @resource.member_actions[action_name]
+        
+        if definition
+          # 权限校验
+          unless current_admin_user.can?("#{@resource.name}:#{action_name}") || (current_admin_user.respond_to?(:super_admin?) && current_admin_user.super_admin?)
+            raise Pundit::NotAuthorizedError, "not allowed to perform #{action_name} on #{@resource.name}"
+          end
+
+          instance_exec(@record, &definition[:handler]) if definition[:handler]
+          @record.send(definition[:method]) if definition[:method] && @record.respond_to?(definition[:method])
+          ZenAdmin::AuditLog.record(current_admin_user, @record, "member_#{action_name}", request: request) unless @zen_admin_audited
+          redirect_back fallback_location: ui_resource_index_path(@resource.name), notice: "操作成功。"
+        else
+          redirect_back fallback_location: ui_resource_index_path(@resource.name), alert: "操作未定义。"
+        end
+      end
+
+      private
+
+      def set_time_zone
+        tz = ZenAdmin.configuration.try(:time_zone) || Time.zone.name
+        Time.zone = tz
+      end
+
+      def generate_csv(scope)
+        require 'csv'
+        model_class = @resource.model
+        physical_columns = model_class.column_names
+        associations = model_class.reflect_on_all_associations
+        multi_assoc_names = associations.select { |a| [:has_many, :has_and_belongs_to_many].include?(a.macro) }.reject { |a| a.name.to_s.start_with?('rich_text') || a.name.to_s.include?('attachment') }.map(&:name)
+        rich_text_names = associations.select { |a| a.options[:class_name] == "ActionText::RichText" || a.name.to_s.start_with?("rich_text_") }.map { |a| a.name.to_s.gsub(/^rich_text_/, "").to_sym }
+        attachment_names = associations.select { |a| a.options[:class_name] == "ActiveStorage::Attachment" || a.name.to_s.end_with?("_attachment") }.map { |a| a.name.to_s.gsub(/_attachment$/, "").to_sym }
+        all_export_fields = (physical_columns + multi_assoc_names + rich_text_names + attachment_names).uniq
+        
+        CSV.generate(headers: true) do |csv|
+          csv << all_export_fields.map { |f| model_class.human_attribute_name(f) }
+          scope.find_each do |record|
+            csv << all_export_fields.map do |field|
+              value = record.send(field) rescue nil
+              if value.is_a?(Time) || value.is_a?(DateTime) || value.is_a?(ActiveSupport::TimeWithZone)
+                tz = ZenAdmin.configuration.try(:time_zone) || Time.zone.name
+                value.in_time_zone(tz).strftime("%Y-%m-%d %H:%M")
+              elsif value.respond_to?(:attached?)
+                value.attached? ? Rails.application.routes.url_helpers.rails_blob_url(value, host: request.base_url) : "无"
+              elsif value.class.name.include?("ActionText")
+                value.to_plain_text
+              elsif value.is_a?(ActiveRecord::Associations::CollectionProxy) || value.is_a?(Array)
+                value.map { |i| i.try(:name) || i.try(:title) || i.try(:username) || i.to_s }.join(", ")
+              elsif value.is_a?(ActiveRecord::Base)
+                value.try(:name) || value.try(:title) || value.try(:username) || "##{value.id}"
+              elsif field.to_s.end_with?("_id")
+                assoc_name = field.to_s.gsub(/_id$/, "")
+                if record.respond_to?(assoc_name) && (assoc = record.send(assoc_name))
+                  assoc.try(:name) || assoc.try(:title) || value
+                else
+                  value
+                end
+              else
+                value.to_s
+              end
+            end
+          end
+        end.sub(/^\n/, "\xEF\xBB\xBF")
+      end
+
+      def find_resource
+        resource_name = params[:resource_name]
+        begin
+          model = resource_name.classify.constantize
+          @resource = ZenAdmin::Registry.instance[model]
+        rescue NameError
+          @resource = nil
+        end
+        @resource = ZenAdmin::Registry.instance.all.find { |r| r.name == resource_name } unless @resource
+        if @resource.nil?
+          available = ZenAdmin::Registry.instance.all.map(&:name).join(", ")
+          raise ActiveRecord::RecordNotFound, "资源 '#{resource_name}' 未注册。可用资源: [#{available}]"
+        end
+      end
+
+      def permitted_params
+        param_key = @resource.model.model_name.param_key
+        permit_list = @resource.form_fields.map do |field|
+          field.type == :multi_select ? { field.name => [] } : field.name
+        end
+        params.require(param_key).permit(permit_list)
+      end
+    end
+  end
+end

data/app/helpers/zen_admin/application_helper.rb

@@ -0,0 +1,80 @@
+module ZenAdmin
+  module ApplicationHelper
+    def sort_url(field_name)
+      current_sorts = params[:sort].to_s.split(',').map { |s| s.split(':') }
+      found = false
+      new_sorts = []
+
+      current_sorts.each do |col, dir|
+        if col == field_name.to_s
+          found = true
+          if dir == 'asc'
+            new_sorts << [col, 'desc']
+          end
+        else
+          new_sorts << [col, dir]
+        end
+      end
+
+      unless found
+        new_sorts.unshift([field_name.to_s, 'asc'])
+      end
+
+      sort_param = new_sorts.map { |cd| cd.join(':') }.join(',')
+      query_params = request.query_parameters.merge(sort: sort_param)
+      query_params.delete(:sort) if sort_param.blank?
+      
+      "#{request.path}?#{query_params.to_query}"
+    end
+
+    def current_sort_direction(field_name)
+      current_sorts = params[:sort].to_s.split(',').map { |s| s.split(':') }
+      pair = current_sorts.find { |col, dir| col == field_name.to_s }
+      pair ? pair[1] : nil
+    end
+
+    # Delegate Active Storage helpers to main_app to fix Action Text rendering in engine
+    def rails_blob_path(*args, **options)
+      main_app.rails_blob_path(*args, **options)
+    end
+
+    def rails_blob_url(*args, **options)
+      main_app.rails_blob_url(*args, **options)
+    end
+
+    def rails_representation_path(*args, **options)
+      main_app.rails_representation_path(*args, **options)
+    end
+
+    def rails_representation_url(*args, **options)
+      main_app.rails_representation_url(*args, **options)
+    end
+
+    def rails_storage_proxy_path(*args, **options)
+      main_app.rails_storage_proxy_path(*args, **options)
+    end
+
+    def rails_storage_proxy_url(*args, **options)
+      main_app.rails_storage_proxy_url(*args, **options)
+    end
+
+    def zen_highlight(text, phrases)
+      return text if phrases.blank? || text.blank? || !text.is_a?(String)
+      highlight(text, phrases, highlighter: '<mark class="p-0 bg-warning">\\1</mark>')
+    end
+
+    def menu_item_visible?(item, user)
+      case item[:type]
+      when :resource
+        user.can?("#{item[:object].name}:index")
+      when :link
+        item[:object][:permission].blank? || user.can?(item[:object][:permission])
+      when :group
+        # A group is visible if ANY of its children are visible
+        item[:items].any? { |sub_item| menu_item_visible?(sub_item, user) }
+      else
+        false
+      end
+    end
+  end
+end

data/app/javascript/controllers/application.js

@@ -0,0 +1,9 @@
+import { Application } from "@hotwired/stimulus"
+
+const application = Application.start()
+
+// Configure Stimulus development experience
+application.debug = false
+window.Stimulus   = application
+
+export { application }

data/app/javascript/controllers/bulk_actions_controller.js

@@ -0,0 +1,55 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["checkbox", "selectAll", "actionButton"]
+
+  connect() {
+    this.updateButtonState()
+  }
+
+  toggleAll() {
+    const isChecked = this.selectAllTarget.checked
+    this.checkboxTargets.forEach(checkbox => {
+      checkbox.checked = isChecked
+    })
+    this.updateButtonState()
+  }
+
+  toggle() {
+    const allChecked = this.checkboxTargets.every(checkbox => checkbox.checked)
+    this.selectAllTarget.checked = allChecked
+    this.updateButtonState()
+  }
+
+  updateButtonState() {
+    const anyChecked = this.checkboxTargets.some(checkbox => checkbox.checked)
+    this.actionButtonTargets.forEach(button => {
+      button.disabled = !anyChecked
+    })
+  }
+
+  submit(event) {
+    const button = event.currentTarget
+    const actionName = button.dataset.actionName
+    const confirmMessage = button.dataset.confirm
+    const customUrl = button.dataset.url
+    const count = this.checkboxTargets.filter(c => c.checked).length
+
+    if (confirmMessage && !confirm(confirmMessage.replace("{count}", count))) {
+      return
+    }
+
+    const form = document.getElementById('bulk_action_form')
+    const input = document.getElementById('bulk_operation_input')
+    
+    if (form && input) {
+      // 如果有自定义 URL，则修改表单提交地址
+      if (customUrl) {
+        form.action = customUrl
+      }
+      
+      input.value = actionName
+      form.requestSubmit()
+    }
+  }
+}