refactor(core): consolidate Utils usage, extract authorize! helper, harden settings

blocknotes · blocknotes · commit f98976d40e9f · 2026-03-22T15:28:21.000+01:00
Consolidate to_class into BasicApp.authentication_plugin via Utils include. Use Utils.humanize in Field.create_field instead of inline logic. Extract repeated authorization checks in Router into a single authorize! helper method. Guard Settings#load_settings against nil authentication plugin and make it idempotent with @loaded flag so repeated calls (e.g. per-request) are a no-op.
diff --git a/lib/tiny_admin/basic_app.rb b/lib/tiny_admin/basic_app.rb
@@ -5,9 +5,11 @@ class BasicApp < Roda
     include Utils
 
     class << self
+      include Utils
+
       def authentication_plugin
         plugin = TinyAdmin.settings.authentication&.dig(:plugin)
-        plugin_class = plugin.is_a?(String) ? Object.const_get(plugin) : plugin
+        plugin_class = to_class(plugin) if plugin
         plugin_class || TinyAdmin::Plugins::NoAuth
       end
     end
diff --git a/lib/tiny_admin/field.rb b/lib/tiny_admin/field.rb
@@ -12,13 +12,13 @@ def initialize(name:, title:, type:, options: {})
     end
 
     def apply_call_option(target)
-      messages = (options[:call] || '').split(',').map(&:strip)
+      messages = (options[:call] || "").split(",").map(&:strip)
       messages.inject(target) { |result, msg| result&.send(msg) } if messages.any?
     end
 
     def translate_value(value)
       if options && options[:method]
-        method, *args = options[:method].split(',').map(&:strip)
+        method, *args = options[:method].split(",").map(&:strip)
         if options[:converter]
           Object.const_get(options[:converter]).send(method, value, options: args || [])
         else
@@ -30,10 +30,11 @@ def translate_value(value)
     end
 
     class << self
+      include Utils
+
       def create_field(name:, title: nil, type: nil, options: {})
         field_name = name.to_s
-        field_title = field_name.respond_to?(:humanize) ? field_name.humanize : field_name.tr('_', ' ').capitalize
-        new(name: field_name, title: title || field_title, type: type || :string, options: options || {})
+        new(name: field_name, title: title || humanize(field_name), type: type || :string, options: options || {})
       end
     end
   end
diff --git a/lib/tiny_admin/router.rb b/lib/tiny_admin/router.rb
@@ -9,7 +9,7 @@ class Router < BasicApp
     route do |r|
       TinyAdmin.settings.load_settings
 
-      r.on 'auth' do
+      r.on "auth" do
         r.run Authentication
       end
 
@@ -25,7 +25,7 @@ class Router < BasicApp
         # :nocov:
       end
 
-      r.post '' do
+      r.post "" do
         r.redirect TinyAdmin.settings.root_path
       end
 
@@ -48,32 +48,28 @@ def store
 
     def render_page(page)
       if page.respond_to?(:messages=)
-        page.messages = { notices: flash['notices'], warnings: flash['warnings'], errors: flash['errors'] }
+        page.messages = {notices: flash["notices"], warnings: flash["warnings"], errors: flash["errors"]}
       end
       render(inline: page.call)
     end
 
     def root_route(req)
-      if authorization.allowed?(current_user, :root)
+      authorize!(:root) do
         if TinyAdmin.settings.root[:redirect]
           req.redirect route_for(TinyAdmin.settings.root[:redirect])
         else
           page_class = to_class(TinyAdmin.settings.root[:page])
           attributes = TinyAdmin.settings.root.slice(:content, :title, :widgets)
           render_page prepare_page(page_class, attributes: attributes, params: request.params)
         end
-      else
-        render_page prepare_page(TinyAdmin.settings.page_not_allowed)
       end
     end
 
     def setup_page_route(req, slug, page_data)
       req.get slug do
-        if authorization.allowed?(current_user, :page, slug)
+        authorize!(:page, slug) do
           attributes = page_data.slice(:content, :title, :widgets)
           render_page prepare_page(page_data[:class], slug: slug, attributes: attributes, params: request.params)
-        else
-          render_page prepare_page(TinyAdmin.settings.page_not_allowed)
         end
       end
     end
@@ -99,9 +95,9 @@ def setup_collection_routes(req, slug, options:)
       )
 
       # Index
-      if options[:only].include?(:index) || options[:only].include?('index')
+      if options[:only].include?(:index) || options[:only].include?("index")
         req.is do
-          if authorization.allowed?(current_user, :resource_index, slug)
+          authorize!(:resource_index, slug) do
             context = Context.new(
               actions: custom_actions,
               repository: repository,
@@ -111,8 +107,6 @@ def setup_collection_routes(req, slug, options:)
             )
             index_action = TinyAdmin::Actions::Index.new
             render_page index_action.call(app: self, context: context, options: action_options)
-          else
-            render_page prepare_page(TinyAdmin.settings.page_not_allowed)
           end
         end
       end
@@ -134,9 +128,9 @@ def setup_member_routes(req, slug, options:)
         )
 
         # Show
-        if options[:only].include?(:show) || options[:only].include?('show')
+        if options[:only].include?(:show) || options[:only].include?("show")
           req.is do
-            if authorization.allowed?(current_user, :resource_show, slug)
+            authorize!(:resource_show, slug) do
               context = Context.new(
                 actions: custom_actions,
                 reference: reference,
@@ -147,8 +141,6 @@ def setup_member_routes(req, slug, options:)
               )
               show_action = TinyAdmin::Actions::Show.new
               render_page show_action.call(app: self, context: context, options: action_options)
-            else
-              render_page prepare_page(TinyAdmin.settings.page_not_allowed)
             end
           end
         end
@@ -161,7 +153,7 @@ def setup_custom_actions(req, custom_actions = nil, options:, repository:, slug:
         action_class = to_class(action)
 
         req.get action_slug.to_s do
-          if authorization.allowed?(current_user, :custom_action, action_slug.to_s)
+          authorize!(:custom_action, action_slug.to_s) do
             context = Context.new(
               actions: {},
               reference: reference,
@@ -172,8 +164,6 @@ def setup_custom_actions(req, custom_actions = nil, options:, repository:, slug:
             )
             custom_action = action_class.new
             render_page custom_action.call(app: self, context: context, options: options)
-          else
-            render_page prepare_page(TinyAdmin.settings.page_not_allowed)
           end
         end
 
@@ -184,5 +174,13 @@ def setup_custom_actions(req, custom_actions = nil, options:, repository:, slug:
     def authorization
       TinyAdmin.settings.authorization_class
     end
+
+    def authorize!(action, param = nil)
+      if authorization.allowed?(current_user, action, param)
+        yield
+      else
+        render_page prepare_page(TinyAdmin.settings.page_not_allowed)
+      end
+    end
   end
 end
diff --git a/lib/tiny_admin/settings.rb b/lib/tiny_admin/settings.rb
@@ -19,9 +19,9 @@ class Settings
       %i[page_not_found] => Views::Pages::PageNotFound,
       %i[record_not_found] => Views::Pages::RecordNotFound,
       %i[repository] => Plugins::ActiveRecordRepository,
-      %i[root_path] => '/admin',
+      %i[root_path] => "/admin",
       %i[root page] => Views::Pages::Root,
-      %i[root title] => 'TinyAdmin',
+      %i[root title] => "TinyAdmin",
       %i[sections] => []
     }.freeze
 
@@ -67,6 +67,8 @@ def []=(*path, value)
     end
 
     def load_settings
+      return if @loaded
+
       # default values
       DEFAULTS.each do |(option, param), default|
         if param
@@ -78,17 +80,20 @@ def load_settings
       end
 
       @store ||= TinyAdmin::Store.new(self)
-      self.root_path = '/' if root_path == ''
+      self.root_path = "/" if root_path == ""
 
-      if authentication[:plugin] <= Plugins::SimpleAuth
+      if authentication[:plugin].is_a?(Module) && authentication[:plugin] <= Plugins::SimpleAuth
         logout_path = "#{root_path}/auth/logout"
-        authentication[:logout] ||= TinyAdmin::Section.new(name: 'logout', slug: 'logout', path: logout_path)
+        authentication[:logout] ||= TinyAdmin::Section.new(name: "logout", slug: "logout", path: logout_path)
       end
       store.prepare_sections(sections, logout: authentication[:logout])
+      @loaded = true
     end
 
     def reset!
       @options = {}
+      @store = nil
+      @loaded = false
     end
 
     private
