millas 0.2.13 → 0.2.15

package/src/admin/AdminAuth.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const crypto = require('crypto');
+const Hasher = require('../auth/Hasher');
 
 /**
  * AdminAuth
@@ -166,7 +167,6 @@ class AdminAuth {
     const user       = await this._loadUserByEmail(normalised);
 
     // Always check password first — avoids leaking account existence
-    const Hasher = require('../auth/Hasher');
     const validPassword = user ? await Hasher.check(password, user.password) : false;
 
     if (!user || !validPassword) {

package/src/admin/ViewContext.js

@@ -60,7 +60,7 @@ class ViewContext {
   static base({ admin, user, csrfToken, flash = {}, activePage = null, activeResource = null }) {
     return {
       csrfToken,
-      adminPrefix:    admin._config.prefix,
+      adminPrefix:    admin._config.prefix.replace(/\/+$/, ''),
       adminTitle:     admin._config.title,
       adminUser:      user || null,
       authEnabled:    admin._auth?.enabled ?? false,

package/src/admin/handlers/ActionHandler.js

@@ -0,0 +1,103 @@
+'use strict';
+
+const ActivityLog = require('../ActivityLog');
+
+/**
+ * ActionHandler
+ *
+ * Handles bulk and per-row custom actions:
+ *   POST /admin/:resource/bulk-delete
+ *   POST /admin/:resource/bulk-action
+ *   POST /admin/:resource/:id/action/:action
+ */
+class ActionHandler {
+  constructor(admin) {
+    this._admin = admin;
+  }
+
+  async bulkDestroy(req, res) {
+    const admin = this._admin;
+    try {
+      const R = admin._resolve(req.params.resource, res);
+      if (!R) return;
+      if (!admin._perm(R, 'delete', req.adminUser)) {
+        return res.status(403).send(`You do not have permission to delete ${R._getLabelSingular()} records.`);
+      }
+      if (!admin._verifyCsrf(req, res)) return;
+
+      const ids = Array.isArray(req.body.ids) ? req.body.ids : [req.body.ids].filter(Boolean);
+      if (!ids.length) {
+        admin._flash(req, 'error', 'No records selected.');
+        return admin._redirectWithFlash(res, `${admin._config.prefix}/${R.slug}`, req._flashType, req._flashMessage);
+      }
+
+      await R.model.destroy(...ids);
+      ActivityLog.record('delete', R.slug, null, `${ids.length} ${R._getLabel()} (bulk)`, req.adminUser);
+      admin._flash(req, 'success', `Deleted ${ids.length} record${ids.length > 1 ? 's' : ''}.`);
+      admin._redirectWithFlash(res, `${admin._config.prefix}/${R.slug}`, req._flashType, req._flashMessage);
+    } catch (err) {
+      admin._error(req, res, err);
+    }
+  }
+
+  async bulkAction(req, res) {
+    const admin = this._admin;
+    try {
+      const R = admin._resolve(req.params.resource, res);
+      if (!R) return;
+      if (!admin._verifyCsrf(req, res)) return;
+
+      const actionIndex = Number(req.body.actionIndex);
+      const ids         = Array.isArray(req.body.ids) ? req.body.ids : [req.body.ids].filter(Boolean);
+      const action      = (R.actions || [])[actionIndex];
+
+      if (!action) {
+        admin._flash(req, 'error', 'Unknown action.');
+        return admin._redirectWithFlash(res, `${admin._config.prefix}/${R.slug}`, req._flashType, req._flashMessage);
+      }
+
+      if (!ids.length) {
+        admin._flash(req, 'error', 'No records selected.');
+        return admin._redirectWithFlash(res, `${admin._config.prefix}/${R.slug}`, req._flashType, req._flashMessage);
+      }
+
+      await action.handler(ids, R.model);
+      ActivityLog.record('update', R.slug, null, `Bulk action "${action.label}" on ${ids.length} records`, req.adminUser);
+      admin._flash(req, 'success', `Action "${action.label}" applied to ${ids.length} record${ids.length > 1 ? 's' : ''}.`);
+      admin._redirectWithFlash(res, `${admin._config.prefix}/${R.slug}`, req._flashType, req._flashMessage);
+    } catch (err) {
+      admin._error(req, res, err);
+    }
+  }
+
+  async rowAction(req, res) {
+    const admin = this._admin;
+    try {
+      const R = admin._resolve(req.params.resource, res);
+      if (!R) return;
+      if (!admin._verifyCsrf(req, res)) return;
+
+      const actionName = req.params.action;
+      const rowAction  = (R.rowActions || []).find(a => a.action === actionName);
+
+      if (!rowAction || !rowAction.handler) {
+        return res.status(404).send(`Row action "${actionName}" not found.`);
+      }
+
+      const record = await R.fetchOne(req.params.id);
+      const result = await rowAction.handler(record, R.model);
+
+      const redirect = (typeof result === 'string' && result.startsWith('/'))
+        ? result
+        : `${admin._config.prefix}/${R.slug}`;
+
+      ActivityLog.record('update', R.slug, req.params.id, `Action "${rowAction.label}" on #${req.params.id}`, req.adminUser);
+      admin._flash(req, 'success', rowAction.successMessage || `Action "${rowAction.label}" completed.`);
+      admin._redirectWithFlash(res, redirect, req._flashType, req._flashMessage);
+    } catch (err) {
+      admin._error(req, res, err);
+    }
+  }
+}
+
+module.exports = ActionHandler;

package/src/admin/handlers/ApiHandler.js

@@ -0,0 +1,113 @@
+'use strict';
+
+const LookupParser = require('../../orm/query/LookupParser');
+
+/**
+ * ApiHandler
+ *
+ * Handles the internal JSON API used by FK and M2M widgets:
+ *   GET /admin/api/:resource/options?q=&page=&limit=&field=&from=
+ *
+ * Returns paginated { id, label } pairs for autocomplete selects.
+ */
+class ApiHandler {
+  constructor(admin) {
+    this._admin = admin;
+  }
+
+  async options(req, res) {
+    const admin = this._admin;
+    try {
+      const slug = req.params.resource;
+      let R = admin._resources.get(slug);
+      if (!R) {
+        for (const resource of admin._resources.values()) {
+          if (resource.model && resource.model.table === slug) { R = resource; break; }
+        }
+      }
+      if (!R) return res.status(404).json({ error: `Resource "${slug}" not found` });
+      if (!R.hasPermission(req.adminUser || null, 'view')) {
+        return res.status(403).json({ error: 'Forbidden' });
+      }
+
+      const search  = (req.query.q    || '').trim();
+      const page    = Math.max(1, Number(req.query.page)  || 1);
+      const perPage = Math.min(Number(req.query.limit) || 20, 100);
+      const offset  = (page - 1) * perPage;
+      const pk      = R.model.primaryKey || 'id';
+
+      // Label column resolution — priority:
+      //   1. resource.fkLabel (developer override)
+      //   2. resource.searchable[0]
+      //   3. Auto-detect: name > email > title > label > first string field
+      //   4. pk fallback
+      let labelCol = R.fkLabel || (R.searchable && R.searchable[0]) || null;
+      if (!labelCol && R.model) {
+        const fields = typeof R.model.getFields === 'function'
+          ? R.model.getFields()
+          : (R.model.fields || {});
+        const preferred = ['name', 'email', 'title', 'label', 'full_name',
+                           'fullname', 'username', 'display_name', 'first_name'];
+        for (const p of preferred) {
+          if (fields[p]) { labelCol = p; break; }
+        }
+        if (!labelCol) {
+          const skip = new Set(['password', 'token', 'secret', 'hash', 'remember_token']);
+          for (const [col, def] of Object.entries(fields)) {
+            if (def.type === 'string' && !skip.has(col) && col !== pk) {
+              labelCol = col; break;
+            }
+          }
+        }
+      }
+      labelCol = labelCol || pk;
+
+      // Resolve fkWhere from the source resource's field definition
+      const fieldName = (req.query.field || '').trim();
+      const fromSlug  = (req.query.from  || '').trim();
+      let fkWhere = null;
+      if (fieldName && fromSlug) {
+        const sourceResource = admin._resources.get(fromSlug)
+          || [...admin._resources.values()].find(r => r.model?.table === fromSlug);
+        if (sourceResource) {
+          const fieldDef = (sourceResource.fields() || []).find(f => f._name === fieldName);
+          if (fieldDef && fieldDef._fkWhere) fkWhere = fieldDef._fkWhere;
+        }
+      }
+
+      const applyScope = (q) => {
+        if (!fkWhere) return q;
+        if (typeof fkWhere === 'function') return fkWhere(q) || q;
+        for (const [key, value] of Object.entries(fkWhere)) {
+          LookupParser.apply(q, key, value, R.model);
+        }
+        return q;
+      };
+
+      let countQ = applyScope(R.model._db().count(`${pk} as total`));
+      if (search) countQ = countQ.where(labelCol, 'like', `%${search}%`);
+      const [{ total }] = await countQ;
+
+      let rowQ = applyScope(R.model._db()
+        .select([`${pk} as id`, `${labelCol} as label`])
+        .orderBy(labelCol, 'asc')
+        .limit(perPage)
+        .offset(offset));
+      if (search) rowQ = rowQ.where(labelCol, 'like', `%${search}%`);
+      const rows = await rowQ;
+
+      return res.json({
+        data:     rows,
+        total:    Number(total),
+        page,
+        perPage,
+        hasMore:  offset + rows.length < Number(total),
+        labelCol,
+      });
+    } catch (err) {
+      return res.status(500).json({ error: err.message });
+    }
+  }
+}
+
+module.exports = ApiHandler;

package/src/admin/handlers/AuthHandler.js

@@ -0,0 +1,76 @@
+'use strict';
+
+const AdminAuth = require('../AdminAuth');
+
+/**
+ * AuthHandler
+ *
+ * Handles the three admin authentication routes:
+ *   GET  /admin/login
+ *   POST /admin/login
+ *   GET  /admin/logout
+ */
+class AuthHandler {
+  constructor(admin) {
+    this._admin = admin;
+  }
+
+  async loginPage(req, res) {
+    const admin = this._admin;
+
+    // Already logged in → redirect to dashboard
+    if (AdminAuth.enabled && AdminAuth._getSession(req)) {
+      return res.redirect(
+        (req.query.next && decodeURIComponent(req.query.next)) ||
+        admin._config.prefix + '/'
+      );
+    }
+
+    const flash = AdminAuth.getFlash(req, res);
+    return admin._render(req, res, 'pages/login.njk', {
+      adminTitle:  admin._config.title,
+      adminPrefix: admin._config.prefix,
+      flash,
+      next:  req.query.next || '',
+      error: null,
+    });
+  }
+
+  async loginSubmit(req, res) {
+    const admin  = this._admin;
+    const { email, password, remember, next } = req.body;
+    const prefix = admin._config.prefix;
+
+    if (!AdminAuth.enabled) {
+      return res.redirect(next || prefix + '/');
+    }
+
+    try {
+      await AdminAuth.login(req, res, {
+        email,
+        password,
+        remember: remember === 'on' || remember === '1' || remember === 'true',
+      });
+
+      res.redirect(next || prefix + '/');
+    } catch (err) {
+      return admin._render(req, res, 'pages/login.njk', {
+        adminTitle:  admin._config.title,
+        adminPrefix: prefix,
+        flash:       {},
+        next:        next || '',
+        error:       err.message,
+        email,
+      });
+    }
+  }
+
+  logout(req, res) {
+    const admin = this._admin;
+    AdminAuth.logout(res);
+    AdminAuth.setFlash(res, 'success', 'You have been logged out.');
+    res.redirect(`${admin._config.prefix}/login`);
+  }
+}
+
+module.exports = AuthHandler;

package/src/admin/handlers/ExportHandler.js

@@ -0,0 +1,70 @@
+'use strict';
+
+/**
+ * ExportHandler
+ *
+ * Handles resource data exports:
+ *   GET /admin/:resource/export.csv
+ *   GET /admin/:resource/export.json
+ */
+class ExportHandler {
+  constructor(admin) {
+    this._admin = admin;
+  }
+
+  async export(req, res) {
+    const admin = this._admin;
+    try {
+      const R      = admin._resolve(req.params.resource, res);
+      if (!R) return;
+
+      const format = req.params.format;
+      const search = req.query.search || '';
+      const sort   = req.query.sort   || 'id';
+      const order  = req.query.order  || 'desc';
+
+      const activeFilters = {};
+      if (req.query.filter) {
+        for (const [k, v] of Object.entries(req.query.filter)) {
+          if (v !== '') activeFilters[k] = v;
+        }
+      }
+
+      const result = await R.fetchList({
+        page: 1, perPage: 100000, search, sort, order, filters: activeFilters,
+      });
+      const rows = result.data.map(r => r.toJSON ? r.toJSON() : r);
+
+      const fields = R.fields()
+        .filter(f => f._type !== 'tab' && !f._hidden)
+        .map(f => f.toJSON());
+
+      const filename = `${R.slug}-${new Date().toISOString().slice(0, 10)}`;
+
+      if (format === 'json') {
+        res.setHeader('Content-Type', 'application/json');
+        res.setHeader('Content-Disposition', `attachment; filename="${filename}.json"`);
+        return res.json(rows);
+      }
+
+      // CSV
+      const header  = fields.map(f => `"${f.label}"`).join(',');
+      const csvRows = rows.map(row =>
+        fields.map(f => {
+          const v = row[f.name];
+          if (v === null || v === undefined) return '';
+          const s = String(typeof v === 'object' ? JSON.stringify(v) : v);
+          return `"${s.replace(/"/g, '""')}"`;
+        }).join(',')
+      );
+
+      res.setHeader('Content-Type', 'text/csv');
+      res.setHeader('Content-Disposition', `attachment; filename="${filename}.csv"`);
+      res.send([header, ...csvRows].join('\r\n'));
+    } catch (err) {
+      admin._error(req, res, err);
+    }
+  }
+}
+
+module.exports = ExportHandler;

package/src/admin/handlers/InlineHandler.js

@@ -0,0 +1,71 @@
+'use strict';
+
+const ActivityLog = require('../ActivityLog');
+const AdminAuth   = require('../AdminAuth');
+
+/**
+ * InlineHandler
+ *
+ * Handles inline related-record CRUD on the detail page:
+ *   POST /admin/:resource/:id/inline/:inlineIndex
+ *   POST /admin/:resource/:id/inline/:inlineIndex/:rowId/delete
+ */
+class InlineHandler {
+  constructor(admin) {
+    this._admin = admin;
+  }
+
+  async store(req, res) {
+    const admin = this._admin;
+    try {
+      const R = admin._resolve(req.params.resource, res);
+      if (!R) return;
+      if (!admin._verifyCsrf(req, res)) return;
+
+      const idx    = Number(req.params.inlineIndex);
+      const inline = (R.inlines || [])[idx];
+      if (!inline)           return res.status(404).send('Inline not found.');
+      if (!inline.canCreate) return res.status(403).send('Inline create is disabled.');
+
+      const data = {
+        ...req.body,
+        [inline.foreignKey]: req.params.id,
+      };
+      delete data._csrf;
+      delete data._method;
+      delete data._submit;
+
+      await inline.model.create(data);
+      ActivityLog.record('create', inline.label, null, `Inline ${inline.label} for #${req.params.id}`, req.adminUser);
+
+      AdminAuth.setFlash(res, 'success', `${inline.label} added.`);
+      res.redirect(`${admin._config.prefix}/${R.slug}/${req.params.id}`);
+    } catch (err) {
+      admin._error(req, res, err);
+    }
+  }
+
+  async destroy(req, res) {
+    const admin = this._admin;
+    try {
+      const R = admin._resolve(req.params.resource, res);
+      if (!R) return;
+      if (!admin._verifyCsrf(req, res)) return;
+
+      const idx    = Number(req.params.inlineIndex);
+      const inline = (R.inlines || [])[idx];
+      if (!inline)           return res.status(404).send('Inline not found.');
+      if (!inline.canDelete) return res.status(403).send('Inline delete is disabled.');
+
+      await inline.model.destroy(req.params.rowId);
+      ActivityLog.record('delete', inline.label, req.params.rowId, `Inline ${inline.label} #${req.params.rowId}`, req.adminUser);
+
+      AdminAuth.setFlash(res, 'success', 'Record deleted.');
+      res.redirect(`${admin._config.prefix}/${R.slug}/${req.params.id}`);
+    } catch (err) {
+      admin._error(req, res, err);
+    }
+  }
+}
+
+module.exports = InlineHandler;