Add dashboard copy feature with security checks requiring editable permission #123

Author: alexandermeindl

app/controllers/dashboards_controller.rb

@@ -58,6 +58,13 @@ def new
     @dashboard = Dashboard.new project: @project,
                                author: User.current
     @dashboard.dashboard_type = assign_dashboard_type
+    if params[:copy].present?
+      @copy_from = Dashboard.visible.find_by id: params[:copy]
+      # Security: Only allow copying from dashboards the user can edit
+      # because block settings may contain sensitive data (credentials, API keys)
+      @copy_from = nil unless @copy_from&.editable?
+      @dashboard.copy_from @copy_from
+    end
     @allowed_projects = @dashboard.allowed_target_projects
   end
 
@@ -78,6 +85,17 @@ def create
     @dashboard.dashboard_type = assign_dashboard_type
     @dashboard.role_ids = params[:dashboard][:role_ids] if params[:dashboard].present?
 
+    # Copy layout and settings from source dashboard if copying
+    # Security: Only allow copying from dashboards the user can edit
+    # because block settings may contain sensitive data (credentials, API keys)
+    if params[:copy].present?
+      copy_from = Dashboard.visible.find_by id: params[:copy]
+      if copy_from&.editable?
+        @dashboard.layout = copy_from.layout.deep_dup
+        @dashboard.layout_settings = copy_from.layout_settings.deep_dup
+      end
+    end
+
     @allowed_projects = @dashboard.allowed_target_projects
 
     if @dashboard.save

app/models/dashboard.rb

@@ -139,6 +139,21 @@ def visible(user = User.current, **options)
     end
   end
 
+  def copy_from(source)
+    return if source.blank?
+
+    dashboard = source.is_a?(Dashboard) ? source : Dashboard.find_by(id: source)
+    return if dashboard.nil?
+
+    excluded_attrs = %w[id name author_id system_default locked created_at updated_at options]
+    self.attributes = dashboard.attributes.dup.except(*excluded_attrs)
+    # Deep copy layout and layout_settings from options
+    self.layout = dashboard.layout.deep_dup if dashboard.layout.present?
+    self.layout_settings = dashboard.layout_settings.deep_dup if dashboard.layout_settings.present?
+    self.role_ids = dashboard.role_ids.dup if dashboard.visibility == VISIBILITY_ROLES
+    self
+  end
+
   def initialize(attributes = nil, *args)
     super
     set_options_hash

app/views/dashboards/new.html.slim

@@ -1,5 +1,7 @@
 h2 = l :label_new_dashboard
 = labelled_form_for [@project, @dashboard],
                     html: { multipart: true, id: 'dashboard-form' } do |f|
+  - if @copy_from.present?
+    = hidden_field_tag :copy, @copy_from.id
   = render('form', f:)
   = submit_tag l(:button_create)

app/views/projects/show.html.slim

@@ -52,6 +52,9 @@
         = link_to sprite_icon('edit', entity_headline(object_name: :label_dashboard, type: :edit)),
                   edit_project_dashboard_path(@project, @dashboard),
                   class: 'icon icon-edit'
+        = link_to sprite_icon('copy', entity_headline(object_name: :label_dashboard, type: :copy)),
+                  new_project_dashboard_path(@project, copy: @dashboard.id),
+                  class: 'icon icon-copy'
 
     - if @dashboard&.deletable?
       = delete_dashboard_link project_dashboard_path(@project, @dashboard), @dashboard

app/views/welcome/index.html.slim

@@ -22,6 +22,9 @@
         = link_to sprite_icon('edit', entity_headline(object_name: :label_dashboard, type: :edit)),
                   edit_dashboard_path(@dashboard),
                   class: 'icon icon-edit'
+        = link_to sprite_icon('copy', entity_headline(object_name: :label_dashboard, type: :copy)),
+                  new_dashboard_path(copy: @dashboard.id),
+                  class: 'icon icon-copy'
     - if @dashboard&.deletable?
       = delete_dashboard_link dashboard_path(@dashboard), @dashboard
     = sidebar_action_toggle @dashboard_sidebar, @dashboard

config/locales/cs.yml

@@ -35,6 +35,7 @@ cs:
   alert_only_visible_by_admins: "Vidí je pouze uživatelé s oprávněními správce"
   alert_only_visible_by_yourself: "Vidíte jen vy"
   button_assign_to_me: "Přiřaďte mi"
+  button_copy_object: "Kopírovat %{object_name}"
   button_merge: "Sloučení"
   disabled_modules_info: "Moduly, které by neměly být k dispozici pro výběr v rámci projektů. Pokud jsou tyto moduly již aktivovány ve stávajících projektech, musíte nejprve změnit a znovu uložit příslušná nastavení projektu."
   emoji_support_info_html: 'Převod emoji do textu. Activate this option if :heart:, :+1: etc are to be converted to emojis. In the <a href="https://www.webfx.com/tools/emoji-cheat-sheet/" class="external">Emoji cheat sheet</a> the available emoji codes can be used.'

config/locales/de.yml

@@ -35,6 +35,7 @@ de:
   alert_only_visible_by_admins: Kann nur von Benutzer mit Admin-Rechten gesehen werden
   alert_only_visible_by_yourself: Kann nur von Dir selbst gesehen werden
   button_assign_to_me: Mir zuweisen
+  button_copy_object: "%{object_name} kopieren"
   button_merge: "Zusammenführen"
   disabled_modules_info: "Module, die nicht zur Auswahl innerhalb der Projekte zur Verfügung stehen sollen. Sind in bestehenden Projekten schon diese Module aktiviert worden, werden die Einstellungen für diese Projekte erst nach erneuten Abspeichern der jeweiligen Projekteinstellungen aktiv."
   emoji_support_info_html: 'Emojis im Text konvertieren. Aktivere diese Option, wenn :heart:, :+1: etc in Emojis konvertiert werden sollen. Im <a href="https://www.webfx.com/tools/emoji-cheat-sheet/" class="external">Emoji cheat sheet</a> können die zur Verfügung stehenden Emoji-Codes eingesetzt werden.'

config/locales/en.yml

@@ -35,6 +35,7 @@ en:
   alert_only_visible_by_admins: "Can only be seen by users with admin permissions"
   alert_only_visible_by_yourself: "Can only be seen by you"
   button_assign_to_me: Assign to me
+  button_copy_object: "Copy %{object_name}"
   button_merge: "Merge"
   disabled_modules_info: "Modules which should not be available for selection within the projects. If these modules already activated in existing projects, you will have to change and re-save the respective project settings first."
   emoji_support_info_html: 'Convert emojis in text. Activate this option if :heart:, :+1: etc are to be converted to emojis. In the <a href="https://www.webfx.com/tools/emoji-cheat-sheet/" class="external">Emoji cheat sheet</a> the available emoji codes can be used.'

config/locales/es.yml

@@ -35,6 +35,7 @@ es:
   alert_only_visible_by_admins: "Sólo puede ser visto por usuarios con permisos de administrador"
   alert_only_visible_by_yourself: "Sólo puede ser visto por ti"
   button_assign_to_me: Asignar a mi mismo
+  button_copy_object: "Copiar %{object_name}"
   button_merge: "Combinar"
   disabled_modules_info: "Módulos que no estarán disponibles para ser utilizados en los proyectos. Si estos módulos están actualmente activos en proyectos existentes, deberá modificar y guardar esos proyectos primero."
   emoji_support_info_html: 'Convertir emojis en texto. Activate this option if :heart:, :+1: etc are to be converted to emojis. In the <a href="https://www.webfx.com/tools/emoji-cheat-sheet/" class="external">Emoji cheat sheet</a> the available emoji codes can be used.'

config/locales/fr.yml

@@ -35,6 +35,7 @@ fr:
   alert_only_visible_by_admins: "Ne peut être vu que par les utilisateurs ayant les droits d'administrateur"
   alert_only_visible_by_yourself: "Ne peut être vu que par vous"
   button_assign_to_me: M'affecter
+  button_copy_object: "Copier %{object_name}"
   button_merge: Fusionner
   disabled_modules_info: "Les modules qui ne devraient pas être disponibles pour la sélection dans le cadre des projets. Si ces modules sont déjà activés dans des projets existants, vous devez d'abord modifier et sauvegarder à nouveau les paramètres projet respectifs."
   emoji_support_info_html: 'Convertir les emojis en texte. Activate this option if :heart:, :+1: etc are to be converted to emojis. In the <a href="https://www.webfx.com/tools/emoji-cheat-sheet/" class="external">Emoji cheat sheet</a> the available emoji codes can be used.'