user auth views and actions

user project permissions

site admin and project-level permissions

project publishing and deletion

protect api endpoints

views reflect user permission level for site and project

add sendgrid config

relative auth url

stop mailer if no admin users yet

typo fix

fix project update bug

remove auth check from add_images endpoint

update projects on sign-in or -out, update mailer from address

fix text editor syntax bug

Gemfile

@@ -30,6 +30,7 @@ gem 'active_model_serializers'
 gem 'bootsnap', require: false
 gem 'image_processing', '~> 1.2'
 gem 'aws-sdk-s3', require: false
+gem 'rack-cors', :require => 'rack/cors'
 
 group :development, :test do
   # Call 'byebug' anywhere in the code to stop execution and get a debugger console

Gemfile.lock

@@ -117,6 +117,7 @@ GEM
     pg (1.0.0)
     puma (3.11.3)
     rack (2.0.5)
+    rack-cors (1.0.2)
     rack-test (1.0.0)
       rack (>= 1.0, < 3)
     rails (5.2.0)
@@ -188,6 +189,7 @@ DEPENDENCIES
   listen (>= 3.0.5, < 3.2)
   pg (>= 0.18, < 2.0)
   puma (~> 3.7)
+  rack-cors
   rails (~> 5.2.0)
   spring
   spring-watcher-listen (~> 2.0.0)

app/controllers/application_controller.rb

@@ -2,9 +2,53 @@ class ApplicationController < ActionController::API
   include DeviseTokenAuth::Concerns::SetUserByToken
   include ActionController::MimeResponds
 
+  before_action :configure_permitted_parameters, if: :devise_controller?
+
   def fallback_index_html
     respond_to do |format|
       format.html { render body: Rails.root.join('public/index.html').read }
     end
   end
+
+  protected
+
+  def configure_permitted_parameters
+    devise_parameter_sanitizer.permit(:sign_up, keys: [:name])
+  end
+
+  def validate_user_approved
+    if user_signed_in? && current_user.approved?
+      return true
+    else
+      head :forbidden
+    end
+    false
+  end
+
+  def validate_user_read(project)
+    if project.public? || (user_signed_in? && current_user.approved? && (current_user.admin? || project.can_read.exists?(:id => current_user.id)))
+      return true
+    else
+      head :forbidden
+    end
+    false
+  end
+
+  def validate_user_write(project)
+    if user_signed_in? && current_user.approved? && (current_user.admin? || project.can_write.exists?(:id => current_user.id))
+      return true
+    else
+      head :forbidden
+    end
+    false
+  end
+
+  def validate_user_admin(project)
+    if user_signed_in? && current_user.approved? && (current_user.admin? || project.can_admin.exists?(:id => current_user.id))
+      return true
+    else
+      head :forbidden
+    end
+    false
+  end
 end

app/controllers/document_folders_controller.rb

@@ -1,12 +1,7 @@
 class DocumentFoldersController < ApplicationController
   before_action :set_document_folder, only: [:show, :update, :destroy]
 
-  # GET /document_folders
-  def index
-    @document_folders = DocumentFolder.all
-
-    render json: @document_folders
-  end
+  #TODO: validate permissions for (recursively determined?) containing project
 
   # GET /document_folders/1
   def show

app/controllers/documents_controller.rb

@@ -1,11 +1,13 @@
 class DocumentsController < ApplicationController
   before_action :set_document, only: [:show, :update, :destroy, :add_images, :set_thumbnail]
-
-  # GET /documents
-  def index
-    @documents = Document.all
-
-    render json: @documents
+  before_action only: [:create] do
+    @project = Project.find(params[:project_id])
+  end
+  before_action only: [:show] do
+    validate_user_read(@project)
+  end
+  before_action only: [:create, :update, :destroy, :set_thumbnail] do
+    validate_user_write(@project)
   end
 
   # GET /documents/1
@@ -15,7 +17,7 @@ def show
 
   # POST /documents
   def create
-    @document = Document.new(document_params)
+    @document = Document.new(new_document_params)
 
     if @document.save
       render json: @document, status: :created, location: @document
@@ -58,10 +60,15 @@ def set_thumbnail
     # Use callbacks to share common setup or constraints between actions.
     def set_document
       @document = Document.find(params[:id])
+      @project = @document.project
     end
 
     # Only allow a trusted parameter "white list" through.
-    def document_params
+    def new_document_params
       params.require(:document).permit(:project_id, :created_by_id, :title, :document_kind, :parent_id, :parent_type, :images => [], :content => {})
     end
+
+    def document_params
+      params.require(:document).permit(:title, :document_kind, :parent_id, :parent_type, :images => [], :content => {})
+    end
 end

app/controllers/highlights_controller.rb

@@ -3,12 +3,17 @@
 class HighlightsController < ApplicationController
   before_action :set_highlight, only: [:show, :update, :destroy, :set_thumbnail]
 
-  # GET /highlights
-  def index
-    @highlights = Highlight.all
-
-    render json: @highlights
+  before_action only: [:create] do
+    document = Document.find(params[:document_id])
+    @project = document.project
+  end
+  before_action only: [:show] do
+    validate_user_read(@project)
   end
+  before_action only: [:create, :update, :destroy, :set_thumbnail] do
+    validate_user_write(@project)
+  end
+
 
   # GET /highlights/1
   def show
@@ -108,6 +113,7 @@ def set_thumbnail
     # Use callbacks to share common setup or constraints between actions.
     def set_highlight
       @highlight = Highlight.find(params[:id])
+      @project = @highlight.project
     end
 
     # Only allow a trusted parameter "white list" through.

app/controllers/links_controller.rb

@@ -1,11 +1,21 @@
 class LinksController < ApplicationController
   before_action :set_link, only: [:show, :update, :destroy]
-
-  # GET /links
-  def index
-    @links = Link.all
-
-    render json: @links
+  before_action only: [:create] do
+    linkable_a_type = params[:linkable_a_type]
+    linkable_b_type = params[:linkable_b_type]
+    if linkable_a_type == 'Document'
+      @project = Document.find(params[:linkable_a_id]).project
+    elsif linkable_b_type == 'Document'
+      @project = Document.find(params[:linkable_b_type]).project
+    elsif linkable_a_type == 'Highlight'
+      @project = Highlight.find(params[:linkable_a_id]).project
+    end
+  end
+  before_action only: [:show] do
+    validate_user_read(@project)
+  end
+  before_action only: [:create, :update, :destroy] do
+    validate_user_write(@project)
   end
 
   # GET /links/1
@@ -15,7 +25,7 @@ def show
 
   # POST /links
   def create
-    @link = Link.new(link_params)
+    @link = Link.new(new_link_params)
 
     if @link.save
       render json: @link, status: :created, location: @link
@@ -25,13 +35,13 @@ def create
   end
 
   # PATCH/PUT /links/1
-  def update
-    if @link.update(link_params)
-      render json: @link
-    else
-      render json: @link.errors, status: :unprocessable_entity
-    end
-  end
+  # def update
+  #   if @link.update(link_params)
+  #     render json: @link
+  #   else
+  #     render json: @link.errors, status: :unprocessable_entity
+  #   end
+  # end
 
   # DELETE /links/1
   def destroy
@@ -42,10 +52,15 @@ def destroy
     # Use callbacks to share common setup or constraints between actions.
     def set_link
       @link = Link.find(params[:id])
+      @project = @link.linkable_a.project
     end
 
     # Only allow a trusted parameter "white list" through.
-    def link_params
+    def new_link_params
       params.require(:link).permit(:created_by_id, :linkable_a_id, :linkable_a_type, :linkable_b_id, :linkable_b_type)
     end
+
+    # def link_params
+    #   params.require(:link).permit()
+    # end
 end

app/controllers/projects_controller.rb

@@ -1,24 +1,44 @@
 class ProjectsController < ApplicationController
   before_action :set_project, only: [:show, :update, :destroy]
+  before_action :validate_user_approved, only: [:create]
+  # before_action only: [:show] do
+  #   validate_user_read(@project)
+  # end
+  before_action only: [:update, :destroy] do
+    validate_user_admin(@project)
+  end
 
   # GET /projects
   def index
-    @projects = Project.all.order(updated_at: :desc)
+    # @projects = Project.all.order(updated_at: :desc)
+    if user_signed_in? && current_user.approved?
+      if current_user.admin
+        @projects = Project.all
+      else
+        @projects = Project.is_public | current_user.readable_projects
+      end
+    else
+      @projects = Project.is_public
+    end
 
     render json: @projects
   end
 
   # GET /projects/1
   def show
-    render json: @project
+    render json: @project, include: ['user_project_permissions', 'user_project_permissions.user', 'contents_children', 'can_admin'], scope_name: :current_user #meta_object: { current_user_can_admin: true }, meta_key: :meta_object
+    # serialized_data = ProjectSerializer.new(@project, root: false)
+    # render json: { project: serialized_data, current_user_can_admin: true }
   end
 
   # POST /projects
   def create
     @project = Project.new(project_params)
+    @project.owner = current_user
 
     if @project.save
-      render json: @project, status: :created, location: @project
+      UserProjectPermission.create(project: @project, user: current_user, permission: 'admin')
+      render json: @project, include: ['user_project_permissions', 'user_project_permissions.user', 'contents_children', 'can_admin'], status: :created, location: @project
     else
       render json: @project.errors, status: :unprocessable_entity
     end
@@ -27,7 +47,7 @@ def create
   # PATCH/PUT /projects/1
   def update
     if @project.update(project_params)
-      render json: @project
+      render json: @project, include: ['user_project_permissions', 'user_project_permissions.user', 'contents_children', 'can_admin']
     else
       render json: @project.errors, status: :unprocessable_entity
     end

app/controllers/user_project_permissions_controller.rb

@@ -0,0 +1,51 @@
+class UserProjectPermissionsController < ApplicationController
+  before_action :set_user_project_permission, only: [:show, :update, :destroy]
+  before_action only: [:create] do
+    @project = Project.find(params[:project_id])
+  end
+  before_action only: [:show, :create, :update, :destroy] do
+    validate_user_admin(@project)
+  end
+
+  # GET /user_project_permissions/1
+  def show
+    render json: @user_project_permission
+  end
+
+  # POST /user_project_permissions
+  def create
+    @user_project_permission = UserProjectPermission.new(user_project_permission_params)
+
+    if @user_project_permission.save
+      render json: @user_project_permission, status: :created, location: @user_project_permission
+    else
+      render json: @user_project_permission.errors, status: :unprocessable_entity
+    end
+  end
+
+  # PATCH/PUT /user_project_permissions/1
+  def update
+    if @user_project_permission.update(user_project_permission_params)
+      render json: @user_project_permission
+    else
+      render json: @user_project_permission.errors, status: :unprocessable_entity
+    end
+  end
+
+  # DELETE /user_project_permissions/1
+  def destroy
+    @user_project_permission.destroy
+  end
+
+  private
+    # Use callbacks to share common setup or constraints between actions.
+    def set_user_project_permission
+      @user_project_permission = UserProjectPermission.find(params[:id])
+      @project = @user_project_permission.project
+    end
+
+    # Only allow a trusted parameter "white list" through.
+    def user_project_permission_params
+      params.require(:user_project_permission).permit(:project_id, :user_id, :permission)
+    end
+end