restarone · donrestarone · Dec 6, 2022 · Dec 6, 2022
diff --git a/app/controllers/comfy/admin/api_actions_controller.rb b/app/controllers/comfy/admin/api_actions_controller.rb
@@ -1,6 +1,7 @@
 class Comfy::Admin::ApiActionsController < Comfy::Admin::Cms::BaseController
-  before_action :ensure_authority_to_manage_api
-  before_action :set_api_action, except: :new
+  before_action :set_api_action
+  before_action :ensure_authority_for_read_api_actions_only_in_api, only: %i[ show index ]
+  before_action :ensure_authority_for_full_access_for_api_actions_only_in_api, only: %i[ new action_workflow ]
   before_action :set_current_user_and_visit
 
   def new

diff --git a/app/controllers/comfy/admin/api_clients_controller.rb b/app/controllers/comfy/admin/api_clients_controller.rb
@@ -1,7 +1,8 @@
 class Comfy::Admin::ApiClientsController < Comfy::Admin::Cms::BaseController
-  before_action :ensure_authority_to_manage_api
   before_action :set_api_client, only: %i[ show edit update destroy ]
   before_action :set_api_namespace
+  before_action :ensure_authority_for_read_api_clients_only_in_api, only: %i[ show index ]
+  before_action :ensure_authority_for_full_access_for_api_clients_only_in_api, only: %i[ new edit create update destroy ]
 
   # GET /api_clients or /api_clients.json
   def index

diff --git a/app/controllers/comfy/admin/api_forms_controller.rb b/app/controllers/comfy/admin/api_forms_controller.rb
@@ -1,6 +1,6 @@
 class Comfy::Admin::ApiFormsController < Comfy::Admin::Cms::BaseController
-  before_action :ensure_authority_to_manage_api
   before_action :set_api_namespace
+  before_action :ensure_authority_for_full_access_for_api_form_only_in_api, only: %i[ edit update ]
 
   before_action :set_api_form, only: %i[show edit update]
 

diff --git a/app/controllers/comfy/admin/api_namespaces_controller.rb b/app/controllers/comfy/admin/api_namespaces_controller.rb
@@ -1,18 +1,29 @@
 require 'will_paginate/array'
 
 class Comfy::Admin::ApiNamespacesController < Comfy::Admin::Cms::BaseController
-  before_action :ensure_authority_to_manage_api
-  before_action :set_api_namespace, only: %i[ show edit update destroy discard_failed_api_actions rerun_failed_api_actions export export_api_resources duplicate_with_associations duplicate_without_associations export_without_associations_as_json export_with_associations_as_json ]
+  before_action :set_api_namespace, only: %i[ show edit update destroy discard_failed_api_actions rerun_failed_api_actions export export_api_resources duplicate_with_associations duplicate_without_associations export_without_associations_as_json export_with_associations_as_json social_share_metadata api_action_workflow ]
+
+  before_action :ensure_authority_for_creating_api, only: %i[ new create import_as_json]
+  before_action :ensure_authority_for_viewing_all_api, only: :index
+
+  before_action :ensure_authority_for_full_read_access_in_api, only: [:show]
+  before_action :ensure_authority_for_full_access_in_api_namespace_only, only: %i[ edit update ]
+  before_action :ensure_authority_for_delete_access_in_api_namespace_only, only: %i[ destroy ]
+  before_action :ensure_authority_for_allow_exports_in_api, only: %i[ export export_api_resources export_without_associations_as_json export_with_associations_as_json ]
+  before_action :ensure_authority_for_allow_duplication_in_api, only: %i[ duplicate_with_associations duplicate_without_associations ]
+  before_action :ensure_authority_for_allow_social_share_metadata_in_api, only: %i[ social_share_metadata ]
+  before_action :ensure_authority_for_full_access_for_api_actions_only_in_api, only: %i[ api_action_workflow discard_failed_api_actions rerun_failed_api_actions ]
 
   # GET /api_namespaces or /api_namespaces.json
   def index
     params[:q] ||= {}
     @api_namespaces_q = if params[:categories].present?
-      ApiNamespace.includes(:categories).for_category(params[:categories]).ransack(params[:q])
+      ApiNamespace.filter_by_user_api_accessibility(current_user).for_category(params[:categories]).ransack(params[:q])
     else
-      ApiNamespace.ransack(params[:q])
+      ApiNamespace.filter_by_user_api_accessibility(current_user).ransack(params[:q])
     end
-
+    @api_namespaces_q.sorts = 'id asc' if @api_namespaces_q.sorts.empty?
+
     if params.dig(:q, :s) && params[:q][:s].match(/CMS (asc|desc)/)
       namespaces = @api_namespaces_q.result.sort_by { |namespace| namespace.cms_associations.size }
       namespaces = namespaces.reverse if params[:q][:s].match(/CMS desc/)
@@ -66,10 +77,16 @@ def create
   def update
     respond_to do |format|
       if @api_namespace.update(api_namespace_params)
-        format.html { handle_success_redirect }
+        format.html do
+          flash[:notice] = 'Api namespace was successfully updated.'
+          redirect_to @api_namespace
+        end
         format.json { render :show, status: :ok, location: @api_namespace }
       else
-        format.html { handle_error_redirect }
+        format.html do
+          flash[:error] = @api_namespace.errors.full_messages
+          render :edit, status: :unprocessable_entity
+        end
         format.json { render json: @api_namespace.errors, status: :unprocessable_entity }
       end
     end
@@ -184,6 +201,42 @@ def import_as_json
     end
   end
 
+  def social_share_metadata
+    respond_to do |format|
+      if @api_namespace.update(api_namespace_social_share_metadata_params)
+        format.html do
+          flash[:notice] = 'Social Share Metadata successfully updated.'
+          redirect_to @api_namespace
+        end
+        format.json { render :show, status: :ok, location: @api_namespace }
+      else
+        format.html do
+          flash[:error] = @api_namespace.errors.full_messages
+          render :edit, status: :unprocessable_entity
+        end
+        format.json { render json: @api_namespace.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  def api_action_workflow
+    respond_to do |format|
+      if @api_namespace.update(api_action_workflow_params)
+        format.html do
+          flash[:notice] = 'Action Workflow successfully updated.'
+          redirect_to api_namespace_api_actions_path(api_namespace_id: @api_namespace.id)
+        end
+        format.json { render :show, status: :ok, location: @api_namespace }
+      else
+        format.html do
+          flash[:error] = @api_namespace.errors.full_messages
+          redirect_to action_workflow_api_namespace_api_actions_path(api_namespace_id: @api_namespace.id)
+        end
+        format.json { render json: @api_namespace.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
   private
     # Use callbacks to share common setup or constraints between actions.
     def set_api_namespace
@@ -192,36 +245,28 @@ def set_api_namespace
 
     # Only allow a list of trusted parameters through.
     def api_namespace_params
-      api_actions_attributes =  [:id, :trigger, :action_type, :properties, :include_api_resource_data, :email, :email_subject, :custom_message, :payload_mapping, :request_url, :redirect_url, :redirect_type, :bearer_token, :file_snippet, :position, :custom_headers, :http_method, :method_definition, :_destroy]
       params.require(:api_namespace).permit(:name,
                                             :version,
                                             :properties,
                                             :requires_authentication,
                                             :namespace_type,
                                             :has_form,
-                                            social_share_metadata: [:title, :description, :image],
                                             non_primitive_properties_attributes: [:id, :label, :field_type, :content, :attachment, :allow_attachments, :_destroy],
-                                            new_api_actions_attributes: api_actions_attributes,
-                                            create_api_actions_attributes: api_actions_attributes,
-                                            show_api_actions_attributes: api_actions_attributes,
-                                            update_api_actions_attributes: api_actions_attributes,
-                                            destroy_api_actions_attributes: api_actions_attributes,
-                                            error_api_actions_attributes: api_actions_attributes,
                                             category_ids: []
                                            )
     end
 
-    def handle_success_redirect
-      flash[:notice] =  "Api namespace was successfully updated."
-      redirect_to api_namespace_api_actions_path(api_namespace_id: @api_namespace.id) and return  if params[:source] == 'action_workflow'
-
-      redirect_to @api_namespace
+    def api_action_workflow_params
+      api_actions_attributes =  [:id, :trigger, :action_type, :properties, :include_api_resource_data, :email, :email_subject, :custom_message, :payload_mapping, :request_url, :redirect_url, :redirect_type, :bearer_token, :file_snippet, :position, :custom_headers, :http_method, :method_definition, :_destroy]
+      params.require(:api_namespace).permit(new_api_actions_attributes: api_actions_attributes,
+                                            create_api_actions_attributes: api_actions_attributes,
+                                            show_api_actions_attributes: api_actions_attributes,
+                                            update_api_actions_attributes: api_actions_attributes,
+                                            destroy_api_actions_attributes: api_actions_attributes,
+                                            error_api_actions_attributes: api_actions_attributes)
     end
 
-    def handle_error_redirect
-      flash[:error] = @api_namespace.errors.full_messages
-      redirect_to action_workflow_api_namespace_api_actions_path(api_namespace_id: @api_namespace.id) and return  if params[:source] == 'action_workflow'
-
-      render :edit, status: :unprocessable_entity
+    def api_namespace_social_share_metadata_params
+      params.require(:api_namespace).permit(social_share_metadata: [:title, :description, :image])
     end
 end
diff --git a/app/controllers/comfy/admin/api_resources_controller.rb b/app/controllers/comfy/admin/api_resources_controller.rb
@@ -1,6 +1,8 @@
 class Comfy::Admin::ApiResourcesController < Comfy::Admin::Cms::BaseController
-  before_action :ensure_authority_to_manage_api
   before_action :set_api_resource
+  before_action :ensure_authority_for_read_api_resources_only_in_api, only: %i[ show ]
+  before_action :ensure_authority_for_delete_access_for_api_resources_only_in_api, only: %i[ destroy ]
+  before_action :ensure_authority_for_full_access_for_api_resources_only_in_api, only: %i[ new edit create update ]
 
   include ApiActionable
   # GET /api_resources/1 or /api_resources/1.json

diff --git a/app/controllers/comfy/admin/external_api_clients_controller.rb b/app/controllers/comfy/admin/external_api_clients_controller.rb
@@ -1,27 +1,28 @@
 class Comfy::Admin::ExternalApiClientsController < Comfy::Admin::Cms::BaseController
-    before_action :ensure_authority_to_manage_api
     before_action :set_external_api_client, only: %i[ show edit update destroy start stop clear_errors clear_state]
     before_action :set_api_namespace
+    before_action :ensure_authority_for_read_external_api_connections_only_in_api, only: %i[ show index ]
+    before_action :ensure_authority_for_full_access_for_external_api_connections_only_in_api, only: %i[ new edit create update destroy start stop clear_errors clear_state ]
 
-    # GET /api_clients or /api_clients.json
+    # GET /external_api_clients or /external_api_clients.json
     def index
       @external_api_clients = @api_namespace.external_api_clients
     end
 
-    # GET /api_clients/1 or /api_clients/1.json
+    # GET /external_api_clients/1 or /external_api_clients/1.json
     def show
     end
 
-    # GET /api_clients/new
+    # GET /external_api_clients/new
     def new
       @external_api_client = ExternalApiClient.new(api_namespace_id: @api_namespace.id)
     end
 
-    # GET /api_clients/1/edit
+    # GET /external_api_clients/1/edit
     def edit
     end
 
-    # POST /api_clients or /api_clients.json
+    # POST /external_api_clients or /external_api_clients.json
     def create
       @external_api_client = ExternalApiClient.new(external_api_client_params)
       respond_to do |format|
@@ -35,7 +36,7 @@ def create
       end
     end
 
-    # PATCH/PUT /api_clients/1 or /api_clients/1.json
+    # PATCH/PUT /external_api_clients/1 or /external_api_clients/1.json
     def update
       respond_to do |format|
         if @external_api_client.update(external_api_client_params)
@@ -48,38 +49,43 @@ def update
       end
     end
 
-    # DELETE /api_clients/1 or /api_clients/1.json
+    # DELETE /external_api_clients/1 or /external_api_clients/1.json
     def destroy
       @external_api_client.destroy
       respond_to do |format|
-        format.html { redirect_to api_namespace_api_clients_path(api_namespace_id: @api_namespace.id), notice: "Api client was successfully destroyed." }
+        format.html { redirect_to api_namespace_external_api_clients_path(api_namespace_id: @api_namespace.id), notice: "Api client was successfully destroyed." }
         format.json { head :no_content }
       end
     end
 
+    # GET /external_api_clients/1/start
     def start
       @external_api_client.run
       redirect_back(fallback_location: api_namespace_external_api_clients_path(api_namespace_id: @api_namespace.id))
     end
 
+    # GET /external_api_clients/1/stop
     def stop
       @external_api_client.stop
       redirect_back(fallback_location: api_namespace_external_api_clients_path(api_namespace_id: @api_namespace.id))
     end
 
+    # GET /external_api_clients/1/clear_errors
     def clear_errors
       @external_api_client.clear_error_data
       redirect_back(fallback_location: api_namespace_external_api_clients_path(api_namespace_id: @api_namespace.id))
     end
 
+    # GET /external_api_clients/1/clear_state
     def clear_state
       @external_api_client.clear_state_data
       redirect_back(fallback_location: api_namespace_external_api_clients_path(api_namespace_id: @api_namespace.id))
     end
+
     private
       # Use callbacks to share common setup or constraints between actions.
       def set_api_namespace
-        @api_namespace = ApiNamespace.find_by(id: params[:api_namespace_id])
+        @api_namespace = ApiNamespace.friendly.find(params[:api_namespace_id]) rescue nil
       end
 
 

diff --git a/app/controllers/comfy/admin/users_controller.rb b/app/controllers/comfy/admin/users_controller.rb
@@ -3,6 +3,7 @@ class Comfy::Admin::UsersController < Comfy::Admin::Cms::BaseController
   before_action :track_ahoy_visit,  only: %i[update], raise: false
   before_action :load_user, only: [:edit, :update, :destroy]
   before_action :ensure_authority_to_manage_users
+  before_action :set_default_api_accessibility_param, only: :update
 
   def index
     params[:q] ||= {}
@@ -77,7 +78,6 @@ def update_params
       :can_manage_blog,
       :can_manage_email,
       :can_manage_users,
-      :can_manage_api,
       :can_manage_analytics,
       :can_manage_files,
       :moderator,
@@ -87,11 +87,16 @@ def update_params
       :can_manage_subdomain_settings,
       :can_access_admin,
       :deliver_error_notifications,
-      category_ids: []
+      category_ids: [],
+      api_accessibility: {}
     )
   end
 
   def invite_params
     params.require(:user).permit(:email)
   end
+
+  def set_default_api_accessibility_param
+    params[:user].merge!(api_accessibility: {}) if params[:user].present? && params.dig(:user, :api_accessibility).blank?
+  end
 end