#288: refinements, and test issues

Author: grtjn

app/templates/deploy/app_specific.rb

@@ -45,14 +45,31 @@ class ServerConfig
   #   # but it can be called without an environment
   # end
 
-  # Show-casing some useful overrides, as well as fixing some module doc permissions
+  # Show-casing some useful overrides, as well as adjusting some module doc permissions
   alias_method :original_deploy_modules, :deploy_modules
   alias_method :original_deploy_rest, :deploy_rest
+  alias_method :original_deploy, :deploy
   alias_method :original_clean, :clean
 
+  # Integrate deploy_packages into the Roxy deploy command
+  def deploy
+    what = ARGV.shift
+
+    case what
+      when 'packages'
+        deploy_packages
+      else
+        ARGV.unshift what
+        original_deploy
+    end
+  end
+
   def deploy_modules
-    # Uncomment deploy_packages if you would like to use MLPM to deploy MLPM packages.
-    # You can also move mlpm.json into src/ext/ and deploy plain modules (not REST extensions) that way.
+    # Uncomment deploy_packages if you would like to use MLPM to deploy MLPM packages, and
+    # include MLPM deploy in deploy modules to make sure MLPM depencencies are loaded first.
+
+    # Note: you can also move mlpm.json into src/ext/ and deploy plain modules (not REST extensions) that way.
+
     #deploy_packages
     original_deploy_modules
   end
@@ -63,59 +80,68 @@ def deploy_packages
                           -p #{ @ml_password } \
                           -H #{ @properties['ml.server'] } \
                           -P #{ @properties['ml.app-port'] }!
-    fix_permissions(@properties["ml.modules-db"])
+    change_permissions(@properties["ml.modules-db"])
   end
 
   def deploy_rest
     original_deploy_rest
-    fix_permissions(@properties["ml.modules-db"])
+    change_permissions(@properties["ml.modules-db"])
   end
 
-  def fix_permissions(where)
-    logger.info "Fixing permissions in #{where} for documents:"
-    if where.include? "content"
-      # This is useful to make sure alert configuration is accessible 
-      r = execute_query(
-        %Q{
-          xquery version "1.0-ml";
+  # Permissions need to be changed for executable code that was not deployed via Roxy directly,
+  # to make sure users with app-role can read and execute it. Typically applies to artifacts
+  # installed via REST api, which only applies permissions for rest roles. Effectively also includes
+  # MLPM, which uses REST api for deployment. It often also applies to artifacts installed with
+  # custom code (via app_specific for instance), like alerts.
+  def change_permissions(where)
+    logger.info "Changing permissions in #{where} for:"
+    r = execute_query(
+      %Q{
+        xquery version "1.0-ml";
 
-          for $uri in cts:uri-match("*alert*")
-          return (
-            $uri,
-            xdmp:document-set-permissions($uri, (
-              xdmp:permission("#{@properties["ml.app-name"]}-role", "read"),
-              xdmp:permission("#{@properties["ml.app-name"]}-role", "update"),
-              xdmp:permission("#{@properties["ml.app-name"]}-role", "execute")
-            ))
-         )
-        },
-        { :db_name => where }
-      )
-    else
-      r = execute_query(
-        %Q{
-          xquery version "1.0-ml";
-
-          for $uri in cts:uris()
+        let $new-permissions := (
+          xdmp:permission("#{@properties["ml.app-name"]}-role", "read"),
+          xdmp:permission("#{@properties["ml.app-name"]}-role", "update"),
+          xdmp:permission("#{@properties["ml.app-name"]}-role", "execute")
+        )
+
+        let $uris :=
+          if (fn:contains(xdmp:database-name(xdmp:database()), "content")) then
+
+            (: This is to make sure all alert files are accessible :)
+            cts:uri-match("*alert*")
+
+          else
+
+            (: This is to make sure all triggers, schemas, modules and REST extensions are accessible :)
+            cts:uris()
+
+        let $fixes := 
+          for $uri in $uris
+          let $existing-permissions := xdmp:document-get-permissions($uri)
+        
+          (: Only apply new permissions if really necessary (gives better logging too):)
           where not(ends-with($uri, "/"))
+            and count($existing-permissions[fn:string(.) = $new-permissions/fn:string(.)]) ne 3
+        
           return (
-            $uri,
-            xdmp:document-set-permissions($uri, (
-              xdmp:permission("#{@properties["ml.app-name"]}-role", "read"),
-              xdmp:permission("#{@properties["ml.app-name"]}-role", "update"),
-              xdmp:permission("#{@properties["ml.app-name"]}-role", "execute")
-            ))
-         )
-        },
-        { :db_name => where }
-      )
-    end
-
+            "  " || $uri,
+            xdmp:document-set-permissions($uri, $new-permissions)
+          )
+        return
+          if ($fixes) then
+            $fixes
+          else
+            "  no changes needed.."
+      },
+      { :db_name => where }
+    )
     r.body = parse_json r.body
     logger.info r.body
     logger.info ""
   end
-  
+
+  # Integrate clean_collections into the Roxy clean command
   def clean
     what = ARGV.shift
 
@@ -154,7 +180,7 @@ def clean_collections()
 # commands included into Roxy help. (ml -h)
 #
 
-#class Help
+class Help
 #  def self.app_specific
 #    <<-DOC.strip_heredoc
 #
@@ -177,4 +203,27 @@ def clean_collections()
 #        --whatever=value
 #    DOC
 #  end
-#end
+  class <<self
+    alias_method :original_deploy, :deploy
+
+    def deploy
+      # Concatenate extra lines of documentation after original deploy
+      # Help message (with a bit of indent to make it look better)
+      original_deploy + "  " +
+      <<-DOC.strip_heredoc
+        packages    # deploys MLPM modules and REST extensions using MLPM to the app-port
+      DOC
+    end
+    alias_method :original_clean, :clean
+
+    def clean
+      # Concatenate extra lines of documentation after original clean
+      # Help message (with a bit of indent to make it look better)
+      original_clean + "\n  " +
+      <<-DOC.strip_heredoc
+        collections WHAT
+            # removes all files from (comma-separated list of) WHAT collection(s) in the content database
+      DOC
+    end
+  end
+end

app/templates/gulpfile.js

@@ -275,8 +275,8 @@ gulp.task('build', ['optimize', 'images', 'fonts', 'statics', 'tinymce'], functi
 
   var msg = {
     title: 'gulp build',
-    subtitle: 'Deployed to the build folder',
-    message: 'Running `gulp serve-dist`'
+    subtitle: 'Deployed to the dist folder',
+    message: 'Ready to run `gulp serve-dev` or `gulp serve-prod`'
   };
   log(msg);
   notify(msg);
@@ -544,9 +544,9 @@ function init(env, done) {
         return answers.mlVersion < 8;
       }},
       {type: 'input', name: 'nodePort', message: 'Node app port?', default: 9070},
-      {type: 'input', name: 'guestAccess', message: 'Allow anonymous users to search data?', default: 'false'},
-      {type: 'input', name: 'readOnlyAccess', message: 'Disallow proxying update requests?', default: 'false'},
-      {type: 'input', name: 'appUsersOnly', message: 'Only allow access to users created for this app? Disallows admin users.', default: 'false'}
+      {type: 'list', name: 'guestAccess', message: 'Allow anonymous users to search data?', choices: ['false', 'true'], default: 0},
+      {type: 'list', name: 'readOnlyAccess', message: 'Disallow proxying update requests?', choices: ['false', 'true'], default: 0},
+      {type: 'list', name: 'appUsersOnly', message: 'Only allow access to users created for this app? Note: disallows admin users.', choices: ['false', 'true'], default: 0}
     ];
 
     if (typeof appName === 'undefined') {

app/templates/node-server/proxy.js

@@ -37,7 +37,7 @@ router.put('*', function(req, res) {
     res.status(401).send('Unauthorized');
   } else if (options.readOnlyAccess || (req.path === '/v1/documents' &&
     req.query.uri.match('/api/users/') &&
-    req.query.uri.match(new RegExp('/api/users/[^(' + req.session.user.name + ')]+.json')))) {
+    req.query.uri.match(new RegExp('/api/users/[^(' + req.session.user.username + ')]+.json')))) {
     // The user is trying to PUT to a profile document other than his/her own. Not allowed.
     res.status(403).send('Forbidden');
   } else {
@@ -83,8 +83,8 @@ router.delete('*', function(req, res) {
 
 function getAuth(options, session) {
   var auth = null;
-  if (session.user !== undefined && session.user.name !== undefined) {
-    auth =  session.user.name + ':' + session.user.password;
+  if (session.user !== undefined && session.user.username !== undefined) {
+    auth =  session.user.username + ':' + session.user.password;
   }
   else {
     auth = options.defaultUser + ':' + options.defaultPass;

app/templates/node-server/routes.js

@@ -20,19 +20,27 @@ router.get('/user/status', function(req, res) {
       res.send({
         authenticated: true,
         username: options.defaultUser,
-        profile: { fullname: 'Guest' }
+        profile: { fullname: 'Guest' },
+        guestAccess: options.guestAccess,
+        readOnlyAccess: options.readOnlyAccess,
+        appUsersOnly: options.appUsersOnly
       });
     } else {
-      res.send({authenticated: false});
+      res.send({
+        authenticated: false,
+        guestAccess: options.guestAccess,
+        readOnlyAccess: options.readOnlyAccess,
+        appUsersOnly: options.appUsersOnly
+      });
     }
   } else {
     delete headers['content-length'];
     var status = http.get({
       hostname: options.mlHost,
       port: options.mlHttpPort,
-      path: '/v1/documents?uri=/api/users/' + req.session.user.name + '.json',
+      path: '/v1/documents?uri=/api/users/' + req.session.user.username + '.json',
       headers: headers,
-      auth: req.session.user.name + ':' + req.session.user.password
+      auth: req.session.user.username + ':' + req.session.user.password
     }, function(response) {
       if (response.statusCode === 200) {
         response.on('data', function(chunk) {
@@ -42,17 +50,23 @@ router.get('/user/status', function(req, res) {
           }
           res.status(200).send({
             authenticated: true,
-            username: req.session.user.name,
-            profile: json.user || {}
+            username: req.session.user.username,
+            profile: json.user || {},
+            guestAccess: options.guestAccess,
+            readOnlyAccess: options.readOnlyAccess,
+            appUsersOnly: options.appUsersOnly
           });
           req.session.user.profile = json.user || {};
         });
       } else if (response.statusCode === 404) {
         //no profile yet for user
         res.status(200).send({
           authenticated: true,
-          username: req.session.user.name,
-          profile: req.session.user.profile || {}
+          username: req.session.user.username,
+          profile: req.session.user.profile || {},
+          guestAccess: options.guestAccess,
+          readOnlyAccess: options.readOnlyAccess,
+          appUsersOnly: options.appUsersOnly
         });
       } else {
         res.send({authenticated: false});
@@ -98,20 +112,23 @@ router.post('/user/login', function(req, res) {
       } else if (response.statusCode === 404) {
         // authentication successful, but no profile defined
         req.session.user = {
-          name: username,
+          username: username,
           password: password
         };
         res.status(200).send({
           authenticated: true,
           username: username,
-          profile: {}
+          profile: {},
+          guestAccess: options.guestAccess,
+          readOnlyAccess: options.readOnlyAccess,
+          appUsersOnly: options.appUsersOnly
         });
       } else {
         console.log('code: ' + response.statusCode);
         if (response.statusCode === 200) {
           // authentication successful, remember the username
           req.session.user = {
-            name: username,
+            username: username,
             password: password
           };
           response.on('data', function(chunk) {
@@ -122,7 +139,10 @@ router.post('/user/login', function(req, res) {
             res.status(200).send({
               authenticated: true,
               username: username,
-              profile: json.user || {}
+              profile: json.user || {},
+              guestAccess: options.guestAccess,
+              readOnlyAccess: options.readOnlyAccess,
+              appUsersOnly: options.appUsersOnly
             });
             req.session.user.profile = json.user || {};
           });

app/templates/package.json

@@ -13,8 +13,7 @@
     "del": "^2.0.2",
     "glob": "^6.0.0",
     "gulp": "^3.8.0",
-    "gulp-header": "1.8.2",
-    "gulp-angular-templatecache": "^1.6.0",
+    "gulp-angular-templatecache": "^1.9.1",
     "gulp-autoprefixer": "^2.2.0",
     "gulp-bump": "^1.0.0",
     "gulp-bytediff": "^1.0.0",

app/templates/ui/app/create/create.controller.js

@@ -53,8 +53,10 @@
         // 'perm:sample-role': 'read',
         // 'perm:sample-role': 'update'
       }).then(function(response) {
-        toast.success('Record created.');
+        toast.success('Created');
         $state.go('root.view', { uri: response.replace(/(.*\?uri=)/, '') });
+      }, function(response) {
+        toast.danger(response.data);
       });
     }
 

app/templates/ui/app/create/create.html

@@ -1,4 +1,4 @@
-<div class="create" ng-if="ctrl.currentUser">
+<div class="create" ng-show="ctrl.currentUser && !ctrl.currentUser.readOnlyAccess">
   <div class="row">
     <div class="col-sm-2"></div>
     <h2 class="col-sm-10">Create a Document</h2>
@@ -111,8 +111,8 @@ <h2 class="col-sm-10">Create a Document</h2>
     </div>
 
     <div class="row">
-      <a class="col-sm-offset-10 btn btn-default" ui-sref="root">Cancel</a>
-      <button class="btn btn-primary" ng-click="ctrl.submit()">Submit</button>
+      <a class="col-sm-offset-10 btn btn-default" ui-sref="root.landing">Cancel</a>
+      <button class="btn btn-primary" ng-click="ctrl.submit()">Create</button>
     </div>
   </form>
 </div>