diff --git a/app/controllers/admin/base_controller.rb b/app/controllers/admin/base_controller.rb
deleted file mode 100644
index 0e48f5e6ee..0000000000
--- a/app/controllers/admin/base_controller.rb
+++ /dev/null
@@ -1,119 +0,0 @@ -# frozen_string_literal: true - -module Admin - class BaseController < Spree::BaseController - ssl_required - - helper 'spree/admin/navigation' - layout '/spree/layouts/admin' - - include I18nHelper - - before_action :authorize_admin - before_action :set_locale - before_action :warn_invalid_order_cycles, if: :html_request? - - # Warn the user when they have an active order cycle with hubs that are not ready - # for checkout (ie. does not have valid shipping and payment methods). - def warn_invalid_order_cycles - return if flash[:notice].present? - - warning = OrderCycleWarning.new(spree_current_user).call - flash[:notice] = warning if warning.present? - end - - # This is in Spree::Core::ControllerHelpers::Auth - # But you can't easily reopen modules in Ruby - def unauthorized - if spree_current_user - flash[:error] = t(:authorization_failure) - redirect_to '/unauthorized' - else - store_location - redirect_to main_app.root_path(anchor: "login?after_login=#{request.env['PATH_INFO']}") - end - end - - protected - - def model_class - const_name = controller_name.classify - return "Spree::#{const_name}".constantize if Spree.const_defined?(const_name) - - nil - end - - def action - params[:action].to_sym - end - - def authorize_admin - if respond_to?(:model_class, true) && model_class - record = model_class - else - # This allows specificity for each non-resource controller - # (to be consistent with "authorize_resource :class => false", see https://github.com/ryanb/cancan/blob/60cf6a67ef59c0c9b63bc27ea0101125c4193ea6/lib/cancan/controller_resource.rb#L146) - record = self.class.to_s. - sub("Controller", ""). - underscore.split('/').last.singularize.to_sym - end - authorize! :admin, record - authorize! 
resource_authorize_action, record - end - - def resource_authorize_action - action - end - - def flash_message_for(object, event_sym) - resource_desc = object.class.model_name.human - resource_desc += " \"#{object.name}\"" if object.respond_to?(:name) && object.name.present? - Spree.t(event_sym, resource: resource_desc) - end - - # Index request for JSON needs to pass a CSRF token in order to prevent JSON Hijacking - def check_json_authenticity - return unless request.format.js? || request.format.json? - - return unless protect_against_forgery? - - auth_token = params[request_forgery_protection_token] - return if auth_token && form_authenticity_token == CGI.unescape(auth_token) - - raise(ActionController::InvalidAuthenticityToken) - end - - private - - def html_request? - request.format.html? - end - - def json_request? - request.format.json? - end - - def render_as_json(data, options = {}) - ams_prefix = options.delete :ams_prefix - if each_serializer_required?(data) - render options.merge(json: data, each_serializer: serializer(ams_prefix)) - else - render options.merge(json: data, serializer: serializer(ams_prefix)) - end - end - - def each_serializer_required?(data) - ['Array', 'ActiveRecord::Relation'].include?(data.class.name) - end - - def serializer(ams_prefix) - unless ams_prefix.nil? || ams_prefix_whitelist.include?(ams_prefix.to_sym) - raise "Suffix '#{ams_prefix}' not found in ams_prefix_whitelist for #{self.class.name}." - end - - prefix = ams_prefix.andand.classify || "" - name = controller_name.classify - "::Api::Admin::#{prefix}#{name}Serializer".constantize - end - end -end
diff --git a/app/controllers/admin/bulk_line_items_controller.rb b/app/controllers/admin/bulk_line_items_controller.rb
index 01d9396698..99e3b68998 100644
--- a/app/controllers/admin/bulk_line_items_controller.rb
+++ b/app/controllers/admin/bulk_line_items_controller.rb
@@ -1,5 +1,5 @@ module Admin
- class BulkLineItemsController < ::Admin::BaseController
+ class BulkLineItemsController < Spree::Admin::BaseController
 # GET /admin/bulk_line_items.json # def index
diff --git a/app/controllers/admin/contents_controller.rb b/app/controllers/admin/contents_controller.rb
index a3a0519259..1769732ec4 100644
--- a/app/controllers/admin/contents_controller.rb
+++ b/app/controllers/admin/contents_controller.rb
@@ -1,5 +1,5 @@ module Admin
- class ContentsController < ::Admin::BaseController
+ class ContentsController < Spree::Admin::BaseController
 def edit @preference_sections = preference_sections.map do |preference_section| { name: preference_section.name, preferences: preference_section.preferences }
diff --git a/app/controllers/admin/invoice_settings_controller.rb b/app/controllers/admin/invoice_settings_controller.rb
index 7306eef3f2..bfa22205ec 100644
--- a/app/controllers/admin/invoice_settings_controller.rb
+++ b/app/controllers/admin/invoice_settings_controller.rb
@@ -1,5 +1,5 @@ module Admin
- class InvoiceSettingsController < ::Admin::BaseController
+ class InvoiceSettingsController < Spree::Admin::BaseController
 def update Spree::Config.set(params[:preferences])
diff --git a/app/controllers/admin/manager_invitations_controller.rb b/app/controllers/admin/manager_invitations_controller.rb
index 0d43aada2e..36b1554cf9 100644
--- a/app/controllers/admin/manager_invitations_controller.rb
+++ b/app/controllers/admin/manager_invitations_controller.rb
@@ -1,5 +1,5 @@ module Admin
- class ManagerInvitationsController < ::Admin::BaseController
+ class ManagerInvitationsController < Spree::Admin::BaseController
 authorize_resource class: false def create
diff --git a/app/controllers/admin/matomo_settings_controller.rb b/app/controllers/admin/matomo_settings_controller.rb
index 0687d759f6..102f5b0ed5 100644
--- a/app/controllers/admin/matomo_settings_controller.rb
+++ b/app/controllers/admin/matomo_settings_controller.rb
@@ -1,5 +1,5 @@ module Admin
- class MatomoSettingsController < ::Admin::BaseController
+ class MatomoSettingsController < Spree::Admin::BaseController
 def update Spree::Config.set(params[:preferences])
diff --git a/app/controllers/admin/product_import_controller.rb b/app/controllers/admin/product_import_controller.rb
index 0480245f30..8a5b5834b9 100644
--- a/app/controllers/admin/product_import_controller.rb
+++ b/app/controllers/admin/product_import_controller.rb
@@ -1,7 +1,7 @@ require 'roo' module Admin
- class ProductImportController < ::Admin::BaseController
+ class ProductImportController < Spree::Admin::BaseController
 before_action :validate_upload_presence, except: %i[index guide validate_data] def index
diff --git a/app/controllers/admin/stripe_accounts_controller.rb b/app/controllers/admin/stripe_accounts_controller.rb
index c9744a87b5..90b4e2c85c 100644
--- a/app/controllers/admin/stripe_accounts_controller.rb
+++ b/app/controllers/admin/stripe_accounts_controller.rb
@@ -1,7 +1,7 @@ require 'stripe/account_connector' module Admin
- class StripeAccountsController < ::Admin::BaseController
+ class StripeAccountsController < Spree::Admin::BaseController
 def connect payload = params.slice(:enterprise_id) key = Openfoodnetwork::Application.config.secret_token
diff --git a/app/controllers/admin/stripe_connect_settings_controller.rb b/app/controllers/admin/stripe_connect_settings_controller.rb
index a93e012ecf..6f54722fc0 100644
--- a/app/controllers/admin/stripe_connect_settings_controller.rb
+++ b/app/controllers/admin/stripe_connect_settings_controller.rb
@@ -1,7 +1,7 @@ # This controller is used by super admin users to update the settings the app is using module Admin
- class StripeConnectSettingsController < ::Admin::BaseController
+ class StripeConnectSettingsController < Spree::Admin::BaseController
 StripeConnectSettings = Struct.new(:stripe_connect_enabled) before_action :load_settings, only: [:edit]
diff --git a/app/controllers/spree/admin/base_controller.rb b/app/controllers/spree/admin/base_controller.rb
new file mode 100644
index 0000000000..4f9cdbb4d0
--- /dev/null
+++ b/app/controllers/spree/admin/base_controller.rb
@@ -0,0 +1,119 @@ +module Spree + module Admin + class BaseController < Spree::BaseController + ssl_required + + helper 'spree/admin/navigation' + layout '/spree/layouts/admin' + + include I18nHelper + + before_action :authorize_admin + before_action :set_locale + before_action :warn_invalid_order_cycles, if: :html_request? + + # Warn the user when they have an active order cycle with hubs that are not ready + # for checkout (ie. does not have valid shipping and payment methods). + def warn_invalid_order_cycles + return if flash[:notice].present? + + warning = OrderCycleWarning.new(spree_current_user).call + flash[:notice] = warning if warning.present? + end + + # This is in Spree::Core::ControllerHelpers::Auth + # But you can't easily reopen modules in Ruby + def unauthorized + if spree_current_user + flash[:error] = t(:authorization_failure) + redirect_to '/unauthorized' + else + store_location + redirect_to main_app.root_path(anchor: "login?after_login=#{request.env['PATH_INFO']}") + end + end + + protected + + def model_class + const_name = controller_name.classify + return "Spree::#{const_name}".constantize if Spree.const_defined?(const_name) + + nil + end + + def action + params[:action].to_sym + end + + def authorize_admin + if respond_to?(:model_class, true) && model_class + record = model_class + else + # This allows specificity for each non-resource controller + # (to be consistent with "authorize_resource :class => false", see https://github.com/ryanb/cancan/blob/60cf6a67ef59c0c9b63bc27ea0101125c4193ea6/lib/cancan/controller_resource.rb#L146) + record = self.class.to_s. + sub("Controller", ""). + underscore.split('/').last.singularize.to_sym + end + authorize! :admin, record + authorize! 
resource_authorize_action, record + end + + def resource_authorize_action + action + end + + def flash_message_for(object, event_sym) + resource_desc = object.class.model_name.human + resource_desc += " \"#{object.name}\"" if object.respond_to?(:name) && object.name.present? + Spree.t(event_sym, resource: resource_desc) + end + + # Index request for JSON needs to pass a CSRF token in order to prevent JSON Hijacking + def check_json_authenticity + return unless request.format.js? || request.format.json? + + return unless protect_against_forgery? + + auth_token = params[request_forgery_protection_token] + return if auth_token && form_authenticity_token == CGI.unescape(auth_token) + + raise(ActionController::InvalidAuthenticityToken) + end + + private + + def html_request? + request.format.html? + end + + def json_request? + request.format.json? + end + + def render_as_json(data, options = {}) + ams_prefix = options.delete :ams_prefix + if each_serializer_required?(data) + render options.merge(json: data, each_serializer: serializer(ams_prefix)) + else + render options.merge(json: data, serializer: serializer(ams_prefix)) + end + end + + def each_serializer_required?(data) + ['Array', 'ActiveRecord::Relation'].include?(data.class.name) + end + + def serializer(ams_prefix) + unless ams_prefix.nil? || ams_prefix_whitelist.include?(ams_prefix.to_sym) + raise "Suffix '#{ams_prefix}' not found in ams_prefix_whitelist for #{self.class.name}." + end + + prefix = ams_prefix.andand.classify || "" + name = controller_name.classify + "::Api::Admin::#{prefix}#{name}Serializer".constantize + end + end + end +end
diff --git a/app/controllers/spree/admin/general_settings_controller.rb b/app/controllers/spree/admin/general_settings_controller.rb
index 28b4331647..7c2ef6e695 100644
--- a/app/controllers/spree/admin/general_settings_controller.rb
+++ b/app/controllers/spree/admin/general_settings_controller.rb
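Review bot: The new file drops the `# frozen_string_literal: true` magic comment that headed the deleted `app/controllers/admin/base_controller.rb`, so the moved controller silently loses the frozen-literal behaviour and the file no longer matches the convention of the file it replaces; restore it as line 1: `# frozen_string_literal: true`. Since the whole controller is being re-added, `check_json_authenticity` deserves a second look: it compares the submitted token with `form_authenticity_token` using plain `==`, which is not a constant-time comparison and, if this app is on a Rails version that masks CSRF tokens per request, would not match a previously issued token at all. Rails' own `valid_authenticity_token?` covers both points, `return if auth_token && valid_authenticity_token?(session, CGI.unescape(auth_token))`. Also `unauthorized` interpolates the raw `request.env['PATH_INFO']` into the `after_login` fragment; constraining it to an app-local path (a single leading `/`) before handing it to the front end would keep the post-login return target inside the app, though how the front end consumes that value is outside this diff.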
@@ -1,6 +1,6 @@ module Spree module Admin
- class GeneralSettingsController < ::Admin::BaseController
+ class GeneralSettingsController < Spree::Admin::BaseController
 def edit @preferences_general = [:site_name, :default_seo_title, :default_meta_keywords, :default_meta_description, :site_url, :bugherd_api_key]
diff --git a/app/controllers/spree/admin/invoices_controller.rb b/app/controllers/spree/admin/invoices_controller.rb
index 4ac9c7acbc..710fda1a3a 100644
--- a/app/controllers/spree/admin/invoices_controller.rb
+++ b/app/controllers/spree/admin/invoices_controller.rb
@@ -1,6 +1,6 @@ module Spree module Admin
- class InvoicesController < ::Admin::BaseController
+ class InvoicesController < Spree::Admin::BaseController
 respond_to :json authorize_resource class: false
diff --git a/app/controllers/spree/admin/mail_methods_controller.rb b/app/controllers/spree/admin/mail_methods_controller.rb
index 2bb0418784..d3618488ed 100644
--- a/app/controllers/spree/admin/mail_methods_controller.rb
+++ b/app/controllers/spree/admin/mail_methods_controller.rb
@@ -1,6 +1,6 @@ module Spree module Admin
- class MailMethodsController < ::Admin::BaseController
+ class MailMethodsController < Spree::Admin::BaseController
 after_action :initialize_mail_settings def update
diff --git a/app/controllers/spree/admin/orders/customer_details_controller.rb b/app/controllers/spree/admin/orders/customer_details_controller.rb
index 3ed4140701..56502d54a0 100644
--- a/app/controllers/spree/admin/orders/customer_details_controller.rb
+++ b/app/controllers/spree/admin/orders/customer_details_controller.rb
@@ -1,7 +1,7 @@ module Spree module Admin module Orders
- class CustomerDetailsController < ::Admin::BaseController
+ class CustomerDetailsController < Spree::Admin::BaseController
 before_action :load_order before_action :check_authorization before_action :set_guest_checkout_status, only: :update
diff --git a/app/controllers/spree/admin/orders_controller.rb b/app/controllers/spree/admin/orders_controller.rb
index eb61ac1055..0b41e7003c 100644
--- a/app/controllers/spree/admin/orders_controller.rb
+++ b/app/controllers/spree/admin/orders_controller.rb
@@ -2,7 +2,7 @@ require 'open_food_network/spree_api_key_loader' module Spree module Admin
- class OrdersController < ::Admin::BaseController
+ class OrdersController < Spree::Admin::BaseController
 include OpenFoodNetwork::SpreeApiKeyLoader helper CheckoutHelper
diff --git a/app/controllers/spree/admin/overview_controller.rb b/app/controllers/spree/admin/overview_controller.rb
index 79896b8f6f..d8bc38293a 100644
--- a/app/controllers/spree/admin/overview_controller.rb
+++ b/app/controllers/spree/admin/overview_controller.rb
@@ -1,7 +1,7 @@ # this clas was inspired (heavily) from the mephisto admin architecture module Spree module Admin
- class OverviewController < ::Admin::BaseController
+ class OverviewController < Spree::Admin::BaseController
 def index @enterprises = Enterprise .managed_by(spree_current_user)
diff --git a/app/controllers/spree/admin/payments_controller.rb b/app/controllers/spree/admin/payments_controller.rb
index eaaa9972a7..0b5732caa1 100644
--- a/app/controllers/spree/admin/payments_controller.rb
+++ b/app/controllers/spree/admin/payments_controller.rb
@@ -2,7 +2,7 @@ module Spree module Admin
- class PaymentsController < ::Admin::BaseController
+ class PaymentsController < Spree::Admin::BaseController
 before_action :load_order, except: [:show] before_action :load_payment, only: [:fire, :show] before_action :load_data
diff --git a/app/controllers/spree/admin/reports_controller.rb b/app/controllers/spree/admin/reports_controller.rb
index ac45e32f19..046d86204e 100644
--- a/app/controllers/spree/admin/reports_controller.rb
+++ b/app/controllers/spree/admin/reports_controller.rb
@@ -17,7 +17,7 @@ require 'open_food_network/orders_and_fulfillments_report' module Spree module Admin
- class ReportsController < ::Admin::BaseController
+ class ReportsController < Spree::Admin::BaseController
 include Spree::ReportsHelper ORDER_MANAGEMENT_ENGINE_REPORTS = [
diff --git a/app/controllers/spree/admin/resource_controller.rb b/app/controllers/spree/admin/resource_controller.rb
index 340cdd4d75..00a36c81dc 100644
--- a/app/controllers/spree/admin/resource_controller.rb
+++ b/app/controllers/spree/admin/resource_controller.rb
@@ -2,7 +2,7 @@ require 'action_callbacks' module Spree module Admin
- class ResourceController < ::Admin::BaseController
+ class ResourceController < Spree::Admin::BaseController
 helper_method :new_object_url, :edit_object_url, :object_url, :collection_url before_action :load_resource, except: [:update_positions] rescue_from ActiveRecord::RecordNotFound, with: :resource_not_found
diff --git a/app/controllers/spree/admin/search_controller.rb b/app/controllers/spree/admin/search_controller.rb
index 4c2d9b92da..0be57cb0b3 100644
--- a/app/controllers/spree/admin/search_controller.rb
+++ b/app/controllers/spree/admin/search_controller.rb
@@ -1,6 +1,6 @@ module Spree module Admin
- class SearchController < ::Admin::BaseController
+ class SearchController < Spree::Admin::BaseController
 # http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/ before_action :check_json_authenticity, only: :index respond_to :json
diff --git a/app/controllers/spree/admin/tax_settings_controller.rb b/app/controllers/spree/admin/tax_settings_controller.rb
index 817db416d6..8be30677e0 100644
--- a/app/controllers/spree/admin/tax_settings_controller.rb
+++ b/app/controllers/spree/admin/tax_settings_controller.rb
@@ -1,6 +1,6 @@ module Spree module Admin
- class TaxSettingsController < ::Admin::BaseController
+ class TaxSettingsController < Spree::Admin::BaseController
 def update Spree::Config.set(params[:preferences])
diff --git a/app/controllers/spree/admin/taxons_controller.rb b/app/controllers/spree/admin/taxons_controller.rb
index 3702eb4e16..1b9b980da2 100644
--- a/app/controllers/spree/admin/taxons_controller.rb
+++ b/app/controllers/spree/admin/taxons_controller.rb
@@ -1,6 +1,6 @@ module Spree module Admin
- class TaxonsController < ::Admin::BaseController
+ class TaxonsController < Spree::Admin::BaseController
 respond_to :html, :json, :js def create
diff --git a/engines/order_management/app/controllers/order_management/reports/bulk_coop_controller.rb b/engines/order_management/app/controllers/order_management/reports/bulk_coop_controller.rb
index ae2e8885d0..c1810a92b6 100644
--- a/engines/order_management/app/controllers/order_management/reports/bulk_coop_controller.rb
+++ b/engines/order_management/app/controllers/order_management/reports/bulk_coop_controller.rb
@@ -2,7 +2,7 @@ module OrderManagement module Reports
- class BulkCoopController < ::Admin::BaseController
+ class BulkCoopController < Spree::Admin::BaseController
 before_filter :load_report_parameters before_filter :load_permissions
diff --git a/engines/order_management/app/controllers/order_management/reports/enterprise_fee_summaries_controller.rb b/engines/order_management/app/controllers/order_management/reports/enterprise_fee_summaries_controller.rb
index 415034f368..7cc1376034 100644
--- a/engines/order_management/app/controllers/order_management/reports/enterprise_fee_summaries_controller.rb
+++ b/engines/order_management/app/controllers/order_management/reports/enterprise_fee_summaries_controller.rb
@@ -2,7 +2,7 @@ module OrderManagement module Reports
- class EnterpriseFeeSummariesController < ::Admin::BaseController
+ class EnterpriseFeeSummariesController < Spree::Admin::BaseController
 before_filter :load_report_parameters before_filter :load_permissions
diff --git a/spec/controllers/admin/base_controller_spec.rb b/spec/controllers/spree/admin/base_controller_spec.rb
similarity index 96%
rename from spec/controllers/admin/base_controller_spec.rb
rename to spec/controllers/spree/admin/base_controller_spec.rb
index a63028ad9f..d5b1015635 100644
--- a/spec/controllers/admin/base_controller_spec.rb
+++ b/spec/controllers/spree/admin/base_controller_spec.rb
@@ -1,7 +1,7 @@ require 'spec_helper'
-describe Admin::BaseController, type: :controller do
- controller(Admin::BaseController) do
+describe Spree::Admin::BaseController, type: :controller do
+ controller(Spree::Admin::BaseController) do
 def index before_filter :unauthorized render text: ""
@@ -10,7 +10,7 @@ describe Admin::BaseController, type: :controller do it "redirects to Angular login" do spree_get :index
- expect(response).to redirect_to root_path(anchor: "login?after_login=/admin/base")
+ expect(response).to redirect_to root_path(anchor: "login?after_login=/spree/admin/base")
 end describe "rendering as json ActiveModelSerializer" do
diff --git a/spec/features/admin/variant_overrides_spec.rb b/spec/features/admin/variant_overrides_spec.rb
index 74aeee3375..d28147818f 100644
--- a/spec/features/admin/variant_overrides_spec.rb
+++ b/spec/features/admin/variant_overrides_spec.rb
@@ -196,7 +196,7 @@ feature " expect(page).to have_content "Changes to one override remain unsaved." # Set a user without suficient permissions
- allow_any_instance_of(Admin::BaseController).to receive(:current_spree_user).and_return(build(:user))
+ allow_any_instance_of(Spree::Admin::BaseController).to receive(:current_spree_user).and_return(build(:user))
 expect do click_button 'Save Changes'