feat(conditional-approval): users want conditional triggers of conditional approval (#600)

Co-authored-by: Nicolas Alexandre <[email protected]>

BREAKING CHANGE:  Introduction of a new permission module call Ability. The previous permission system PermissionChecker doesn't exist anymore.

Author: matthv

.gitignore

@@ -14,6 +14,7 @@
 /spec/dummy/tmp/
 /tmp/
 .byebug_history
+/out
 
 ## Specific to RubyMotion:
 .dat*

Gemfile

@@ -35,3 +35,4 @@ gem 'ipaddress', '0.8.3'
 gem 'openid_connect', '1.4.2'
 gem 'json'
 gem 'json-jwt', '1.15.0'
+gem 'deepsort'

Gemfile.lock

@@ -4,6 +4,7 @@ PATH
     forest_liana (7.8.0)
       arel-helpers
       bcrypt
+      deepsort
       forestadmin-jsonapi-serializers (>= 0.14.0)
       groupdate (>= 5.0.0)
       httparty
@@ -89,6 +90,7 @@ GEM
     concurrent-ruby (1.1.10)
     crass (1.0.6)
     date (3.3.3)
+    deepsort (0.4.5)
     diff-lcs (1.5.0)
     docile (1.4.0)
     erubi (1.12.0)
@@ -254,6 +256,7 @@ DEPENDENCIES
   arel-helpers (= 2.14.0)
   bcrypt
   byebug
+  deepsort
   forest_liana!
   forestadmin-jsonapi-serializers
   groupdate (= 5.2.2)

app/controllers/forest_liana/actions_controller.rb

@@ -2,12 +2,14 @@ module ForestLiana
   class ActionsController < ApplicationController
 
     def get_smart_action_hook_request
-      begin
+      if params[:data] && params[:data][:attributes] && params[:data][:attributes][:collection_name]
         params[:data][:attributes]
-      rescue => error
+      else
+        error = 'parameters data attributes missing'
         FOREST_REPORTER.report error
         FOREST_LOGGER.error "Smart Action hook request error: #{error}"
-        {}
+
+        raise ForestLiana::Errors::HTTP422Error.new("Error in smart action load hook: cannot retrieve action from collection")
       end
     end
 

app/controllers/forest_liana/application_controller.rb

@@ -3,6 +3,9 @@
 
 module ForestLiana
   class ApplicationController < ForestLiana::BaseController
+    rescue_from ForestLiana::Ability::Exceptions::AccessDenied, with: :render_error
+    rescue_from ForestLiana::Errors::HTTP422Error, with: :render_error
+
     def self.papertrail?
       Object.const_get('PaperTrail::Version').is_a?(Class) rescue false
     end
@@ -96,6 +99,18 @@ def deactivate_count_response
 
     private
 
+    def render_error(exception)
+      errors = {
+        status: exception.error_code,
+        detail: exception.message,
+      }
+
+      errors['name'] = exception.name if exception.try(:name)
+      errors['data'] = exception.data if exception.try(:data)
+
+      render json: { errors: [errors] }, status: exception.status
+    end
+
     def force_utf8_encoding(json)
       if json['data'].class == Array
         # NOTICE: Collection of records case

app/controllers/forest_liana/resources_controller.rb

@@ -1,5 +1,6 @@
 module ForestLiana
   class ResourcesController < ForestLiana::ApplicationController
+    include ForestLiana::Ability
     begin
       prepend ResourcesExtensions
     rescue NameError
@@ -14,24 +15,11 @@ class ResourcesController < ForestLiana::ApplicationController
     end
 
     def index
+      action = request.format == 'csv' ? 'export' : 'browse'
+      forest_authorize!(action, forest_user, @resource)
       begin
-        if request.format == 'csv'
-          checker = ForestLiana::PermissionsChecker.new(@resource, 'exportEnabled', @rendering_id, user: forest_user)
-          return head :forbidden unless checker.is_authorized?
-        else
-          checker = ForestLiana::PermissionsChecker.new(
-            @resource,
-            'browseEnabled',
-            @rendering_id,
-            user: forest_user,
-            collection_list_parameters: get_collection_list_permission_info(forest_user, request)
-          )
-          return head :forbidden unless checker.is_authorized?
-        end
-
         getter = ForestLiana::ResourcesGetter.new(@resource, params, forest_user)
         getter.perform
-
         respond_to do |format|
           format.json { render_jsonapi(getter) }
           format.csv { render_csv(getter, @resource) }
@@ -55,16 +43,8 @@ def index
 
     def count
       find_resource
+      forest_authorize!('browse', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(
-          @resource,
-          'browseEnabled',
-          @rendering_id,
-          user: forest_user,
-          collection_list_parameters: get_collection_list_permission_info(forest_user, request)
-        )
-        return head :forbidden unless checker.is_authorized?
-
         getter = ForestLiana::ResourcesGetter.new(@resource, params, forest_user)
         getter.count
 
@@ -88,10 +68,8 @@ def count
     end
 
     def show
+      forest_authorize!('read', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'readEnabled', @rendering_id, user: forest_user)
-        return head :forbidden unless checker.is_authorized?
-
         getter = ForestLiana::ResourceGetter.new(@resource, params, forest_user)
         getter.perform
 
@@ -106,10 +84,8 @@ def show
     end
 
     def create
+      forest_authorize!('add', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'addEnabled', @rendering_id, user: forest_user)
-        return head :forbidden unless checker.is_authorized?
-
         creator = ForestLiana::ResourceCreator.new(@resource, params)
         creator.perform
 
@@ -130,10 +106,8 @@ def create
     end
 
     def update
+      forest_authorize!('edit', forest_user, @resource)
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'editEnabled', @rendering_id, user: forest_user)
-        return head :forbidden unless checker.is_authorized?
-
         updater = ForestLiana::ResourceUpdater.new(@resource, params, forest_user)
         updater.perform
 
@@ -154,37 +128,37 @@ def update
     end
 
     def destroy
-      checker = ForestLiana::PermissionsChecker.new(@resource, 'deleteEnabled', @rendering_id, user: forest_user)
-      return head :forbidden unless checker.is_authorized?
+      forest_authorize!('delete', forest_user, @resource)
+        begin
+        collection_name = ForestLiana.name_for(@resource)
+        scoped_records = ForestLiana::ScopeManager.apply_scopes_on_records(@resource, forest_user, collection_name, params[:timezone])
 
-      collection_name = ForestLiana.name_for(@resource)
-      scoped_records = ForestLiana::ScopeManager.apply_scopes_on_records(@resource, forest_user, collection_name, params[:timezone])
-
-      unless scoped_records.exists?(params[:id])
-        return render serializer: nil, json: { status: 404 }, status: :not_found
-      end
+        unless scoped_records.exists?(params[:id])
+          return render serializer: nil, json: { status: 404 }, status: :not_found
+        end
 
-      scoped_records.destroy(params[:id])
+        scoped_records.destroy(params[:id])
 
-      head :no_content
-    rescue => error
-      FOREST_REPORTER.report error
-      FOREST_LOGGER.error "Record Destroy error: #{error}\n#{format_stacktrace(error)}"
-      internal_server_error
+        head :no_content
+      rescue => error
+        FOREST_REPORTER.report error
+        FOREST_LOGGER.error "Record Destroy error: #{error}\n#{format_stacktrace(error)}"
+        internal_server_error
+      end
     end
 
     def destroy_bulk
-      checker = ForestLiana::PermissionsChecker.new(@resource, 'deleteEnabled', @rendering_id, user: forest_user)
-      return head :forbidden unless checker.is_authorized?
-
-      ids = ForestLiana::ResourcesGetter.get_ids_from_request(params, forest_user)
-      @resource.destroy(ids) if ids&.any?
+      forest_authorize!('delete', forest_user, @resource)
+      begin
+        ids = ForestLiana::ResourcesGetter.get_ids_from_request(params, forest_user)
+        @resource.destroy(ids) if ids&.any?
 
-      head :no_content
-    rescue => error
-      FOREST_REPORTER.report error
-      FOREST_LOGGER.error "Records Destroy error: #{error}\n#{format_stacktrace(error)}"
-      internal_server_error
+        head :no_content
+      rescue => error
+        FOREST_REPORTER.report error
+        FOREST_LOGGER.error "Records Destroy error: #{error}\n#{format_stacktrace(error)}"
+        internal_server_error
+      end
     end
 
     private

app/controllers/forest_liana/smart_actions_controller.rb

@@ -1,5 +1,9 @@
 module ForestLiana
   class SmartActionsController < ForestLiana::ApplicationController
+    rescue_from ForestLiana::Ability::Exceptions::TriggerForbidden, with: :render_error
+    rescue_from ForestLiana::Ability::Exceptions::RequireApproval, with: :render_error
+    rescue_from ForestLiana::Ability::Exceptions::ActionConditionError, with: :render_error
+    include ForestLiana::Ability
     if Rails::VERSION::MAJOR < 4
       before_filter :smart_action_pre_perform_checks
     else
@@ -8,39 +12,70 @@ class SmartActionsController < ForestLiana::ApplicationController
 
     private
 
+    def smart_action_pre_perform_checks
+      get_smart_action_request
+      find_resource
+      check_permission_for_smart_route
+      ensure_record_ids_in_scope
+    end
+
     def get_smart_action_request
       begin
         params[:data][:attributes]
+        @parameters = ForestLiana::Ability::Permission::RequestPermission::decodeSignedApprovalRequest(params.permit!)
       rescue => error
         FOREST_REPORTER.report error
         FOREST_LOGGER.error "Smart Action execution error: #{error}"
         {}
       end
     end
 
-    def smart_action_pre_perform_checks
-      check_permission_for_smart_route
-      ensure_record_ids_in_scope
+    def find_resource
+      begin
+        @resource = SchemaUtils.find_model_from_collection_name(@parameters[:data][:attributes][:collection_name])
+        if @resource.nil? || !SchemaUtils.model_included?(@resource) ||
+          !@resource.ancestors.include?(ActiveRecord::Base)
+          render serializer: nil, json: { status: 404 }, status: :not_found
+        end
+        @resource
+      rescue => error
+        FOREST_REPORTER.report error
+        FOREST_LOGGER.error "Find Collection error: #{error}\n#{format_stacktrace(error)}"
+        render serializer: nil, json: { status: 404 }, status: :not_found
+      end
+    end
+
+    def check_permission_for_smart_route
+      smart_action_request = @parameters[:data][:attributes]
+      if !smart_action_request.nil? && smart_action_request.has_key?(:smart_action_id)
+        forest_authorize!(
+          'action',
+          forest_user,
+          @resource,
+          {parameters: params, endpoint: request.fullpath.split('?').first, http_method: request.request_method}
+        )
+      else
+        FOREST_LOGGER.error 'Smart action execution error: Unable to retrieve the smart action id.'
+        render serializer: nil, json: { status: 400 }, status: :bad_request
+      end
     end
 
     def ensure_record_ids_in_scope
       begin
-        attributes = get_smart_action_request
+        attributes = @parameters[:data][:attributes]
 
         # if performing a `selectAll` let the `get_ids_from_request` handle the scopes
         return if attributes[:all_records]
 
-        resource = find_resource(attributes[:collection_name])
-
         # user is using the composite_primary_keys gem
-        if resource.primary_key.kind_of?(Array)
+        if @resource.primary_key.kind_of?(Array)
           # TODO: handle primary keys
           return
         end
 
-        filter = JSON.generate({ 'field' => resource.primary_key, 'operator' => 'in', 'value' => attributes[:ids] })
+        filter = JSON.generate({ 'field' => @resource.primary_key, 'operator' => 'in', 'value' => attributes[:ids] })
 
-        resources_getter = ForestLiana::ResourcesGetter.new(resource, { :filters => filter, :timezone => attributes[:timezone] }, forest_user)
+        resources_getter = ForestLiana::ResourcesGetter.new(@resource, { :filters => filter, :timezone => attributes[:timezone] }, forest_user)
 
         # resources getter will return records inside the scope. if the length differs then ids are out of scope
         return if resources_getter.count == attributes[:ids].length
@@ -53,54 +88,5 @@ def ensure_record_ids_in_scope
         render serializer: nil, json: { error: 'Smart Action: failed to evaluate permissions' }, status: :internal_server_error
       end
     end
-
-    def check_permission_for_smart_route
-      begin
-
-        smart_action_request = get_smart_action_request
-        if !smart_action_request.nil? && smart_action_request.has_key?(:smart_action_id)
-          checker = ForestLiana::PermissionsChecker.new(
-            find_resource(smart_action_request[:collection_name]),
-            'actions',
-            @rendering_id,
-            user: forest_user,
-            smart_action_request_info: get_smart_action_request_info
-          )
-          return head :forbidden unless checker.is_authorized?
-        else
-          FOREST_LOGGER.error 'Smart action execution error: Unable to retrieve the smart action id.'
-          render serializer: nil, json: { status: 400 }, status: :bad_request
-        end
-      rescue => error
-        FOREST_REPORTER.report error
-        FOREST_LOGGER.error "Smart Action execution error: #{error}"
-        render serializer: nil, json: { status: 400 }, status: :bad_request
-      end
-    end
-
-    def find_resource(collection_name)
-      begin
-          resource = SchemaUtils.find_model_from_collection_name(collection_name)
-
-          if resource.nil? || !SchemaUtils.model_included?(resource) ||
-            !resource.ancestors.include?(ActiveRecord::Base)
-            render serializer: nil, json: { status: 404 }, status: :not_found
-          end
-          resource
-      rescue => error
-        FOREST_REPORTER.report error
-        FOREST_LOGGER.error "Find Collection error: #{error}\n#{format_stacktrace(error)}"
-        render serializer: nil, json: { status: 404 }, status: :not_found
-      end
-    end
-
-    # smart action permissions are retrieved from the action's endpoint and http_method
-    def get_smart_action_request_info
-      {
-        # trim query params to get the endpoint
-        endpoint: request.fullpath.split('?').first,
-        http_method: request.request_method
-      }
-    end
   end
 end