alchemy_cms 2.3.2 → 2.4.beta2

data/app/assets/stylesheets/alchemy/sitemap.css.scss

@@ -95,7 +95,6 @@ div.sitemap_page:hover a.sitemap_pagename_link {
 }
 
 div.sitemap_left_images {
-  width: 16px;
   margin-top: 3px;
   float: left;
   margin-right: 8px;

data/app/assets/stylesheets/alchemy/tables.css.scss

@@ -32,7 +32,7 @@ table tr td.tools {
   @include disable-user-select;
 }
 
-td.label, td.input, td.submit, td.select, td.value {
+td.label, td.input, td.submit, td.select, td.value, td.note {
   padding: 2px 0;
   vertical-align: top;
 }
@@ -45,6 +45,8 @@ td.input, td.submit, td.select, td.value {
   }
 }
 
+td.submit p.foot_note { float: left; padding-top: 1em }
+
 td.label {
   white-space: nowrap;
   width: 80px;

data/app/controllers/alchemy/admin/base_controller.rb

@@ -3,14 +3,14 @@ module Alchemy
     class BaseController < Alchemy::BaseController
 
       include Userstamp
-
+      before_filter { enforce_ssl if ssl_required? && !request.ssl? }
       before_filter :set_translation
 
       helper_method :clipboard_empty?, :trash_empty?, :get_clipboard, :is_admin?
 
       filter_access_to :all
 
-      rescue_from Exception, :with => :exception_handler
+      rescue_from Exception, :with => :exception_handler unless Rails.env == 'test'
 
       layout 'alchemy/admin'
 
@@ -24,16 +24,13 @@ module Alchemy
 
       # Logs the current exception to the error log.
       def exception_logger(e)
-        message = "\n+++++++++ Error: #{e} +++++++++++++\n\n"
-        e.backtrace.each do |line|
-          message += "#{line}\n"
-        end
-        logger.error(message)
+        Rails.logger.error("\n#{e.class} #{e.message} in #{e.backtrace.first}")
+        Rails.logger.error(e.backtrace[1..50].each { |l| l.gsub(/#{Rails.root.to_s}/, '') }.join("\n"))
       end
 
       # Displays an error notice in the Alchemy backend.
       def show_error_notice(e)
-        @notice = "Error: #{e}"
+        @notice = "Error: #{e.message[0..99]}"
         @trace = e.backtrace
         if request.xhr?
           render :action => "error_notice", :layout => false
@@ -86,18 +83,28 @@ module Alchemy
         current_user.admin?
       end
 
-      def render_errors_or_redirect(object, redirect_url, flash_notice, button = nil)
+      # Displays errors in a #errors div if any errors are present on the object.
+      # Or redirects to the given redirect url.
+      def render_errors_or_redirect(object, redirect_url, flash_notice)
         if object.errors.empty?
           @redirect_url = redirect_url
           flash[:notice] = t(flash_notice)
           render :action => :redirect
         else
-          render_remote_errors(object, button)
+          render_remote_errors(object)
         end
       end
 
-      def render_remote_errors(object, button = nil)
-        @button = button
+      # Displays an unordered list of objects errors in an errors div.
+      #
+      # Note: You have to have a hidden div with the id +#errors+ in your form, to make this work.
+      #
+      # You can pass a div id as second argument to display the errors in alternative div.
+      #
+      # Hint: If you use an alternative div, please use the +errors+ css class to get the correct styling.
+      #
+      def render_remote_errors(object, error_div_id = nil)
+        @error_div_id = error_div_id || '#errors'
         @errors = ("<ul>" + object.errors.full_messages.map { |e| "<li>#{e}</li>" }.join + "</ul>").html_safe
         render :action => :remote_errors
       end

data/app/controllers/alchemy/admin/elements_controller.rb

@@ -37,30 +37,31 @@ module Alchemy
       # Creates a element as discribed in config/alchemy/elements.yml on page via AJAX.
       def create
         @page = Page.find(params[:element][:page_id])
-        @element_name = params[:element][:name] # storing the original element name, because the model alters the params hash
-        @paste_from_clipboard = !params[:paste_from_clipboard].blank?
-        if @paste_from_clipboard
-          source_element = Element.find(element_from_clipboard[:id])
-          @element = Element.copy(source_element, {:page_id => @page.id})
-          if element_from_clipboard[:action] == 'cut'
-            @cutted_element_id = source_element.id
-            @clipboard.remove :elements, source_element.id
-            source_element.destroy
+        Element.transaction do
+          if @paste_from_clipboard = params[:paste_from_clipboard].present?
+            @element = paste_element_from_clipboard
+          else
+            @element = Element.new_from_scratch(params[:element])
+            if @page.can_have_cells?
+              @cell = find_or_create_cell
+              @element.cell = @cell
+            end
+            @element.save!
+          end
+          if @insert_at_top = @page.definition['insert_elements_at'] == 'top'
+            @element.move_to_top
           end
-        else
-          @element = Element.new_from_scratch(params[:element])
         end
-        put_element_in_cell if @page.can_have_cells?
-        if @element.save
+        @cell_name = @cell.nil? ? "for_other_elements" : @cell.name
+        if @element.valid?
           render :action => :create
         else
-          render_remote_errors(@element, 'form#new_alchemy_element button.button')
+          render_remote_errors(@element, params[:paste_from_clipboard].nil? ? nil : '#paste_element_errors')
         end
       end
 
-      # Saves all contents in the elements by calling save_content on each content
+      # Saves all contents in the elements by calling save_contents.
       # And then updates the element itself.
-      # If a Ferret::FileNotFoundError raises we gonna catch it and rebuilding the index.
       def update
         @element = Element.find_by_id(params[:id])
         if @element.save_contents(params)
@@ -102,16 +103,26 @@ module Alchemy
 
     private
 
-      def put_element_in_cell
-        element_with_cell_name = @paste_from_clipboard ? params[:paste_from_clipboard] : @element_name
-        cell_definition = Cell.definition_for(element_with_cell_name.split('#').last) if !element_with_cell_name.blank?
-        if cell_definition
-          @cell = @page.cells.find_or_create_by_name(cell_definition['name'])
-          @element.cell = @cell
-          return true
+      # Returns the cell for element name in params.
+      # Creates the cell if necessary.
+      def find_or_create_cell
+        if @paste_from_clipboard
+          element_with_cell_name = params[:paste_from_clipboard]
         else
-          return false
+          element_with_cell_name = params[:element][:name]
+        end
+        if element_with_cell_name.blank?
+          raise "No element with cell name given. Please provide the cell name after the element name (or id) seperated by #."
+        end
+        unless element_with_cell_name.include?('#')
+          return nil
         end
+        cell_name = element_with_cell_name.split('#').last
+        cell_definition = Cell.definition_for(cell_name)
+        if cell_definition.blank?
+          raise "Cell definition not found for #{cell_name}"
+        end
+        @page.cells.find_or_create_by_name(cell_definition['name'])
       end
 
       def element_from_clipboard
@@ -119,6 +130,23 @@ module Alchemy
         @clipboard.get(:elements, params[:paste_from_clipboard])
       end
 
+      def paste_element_from_clipboard
+        @source_element = Element.find(element_from_clipboard[:id])
+        new_attributes = {:page_id => @page.id}
+        if @page.can_have_cells?
+          new_attributes = new_attributes.merge({:cell_id => find_or_create_cell.id})
+        end
+        element = Element.copy(@source_element, new_attributes)
+        cut_element if element_from_clipboard[:action] == 'cut'
+        element
+      end
+
+      def cut_element
+        @cutted_element_id = @source_element.id
+        @clipboard.remove :elements, @source_element.id
+        @source_element.destroy
+      end
+
     end
   end
 end

data/app/controllers/alchemy/admin/pages_controller.rb

@@ -34,11 +34,14 @@ module Alchemy
         # Setting the locale to pages language. so the page content has its correct translation
         ::I18n.locale = @page.language_code
         render :layout => layout_for_page
+      rescue Exception => e
+        exception_logger(e)
+        render :file => Rails.root.join('public', '500.html'), :status => 500, :layout => false
       end
 
       def new
         @page = Page.new(:layoutpage => params[:layoutpage] == 'true', :parent_id => params[:parent_id])
-        @page_layouts = PageLayout.get_layouts_for_select(session[:language_id], @page.layoutpage?)
+        @page_layouts = PageLayout.layouts_for_select(session[:language_id], @page.layoutpage?)
         @clipboard_items = Page.all_from_clipboard_for_select(get_clipboard[:pages], session[:language_id], @page.layoutpage?)
         render :layout => false
       end
@@ -49,18 +52,18 @@ module Alchemy
         params[:page][:language_code] ||= parent.language ? parent.language.code : Language.get_default.code
         if !params[:paste_from_clipboard].blank?
           source_page = Page.find(params[:paste_from_clipboard])
-          page = Page.copy(source_page, {
+          @page = Page.copy(source_page, {
             :name => params[:page][:name].blank? ? source_page.name + ' (' + t('Copy') + ')' : params[:page][:name],
             :urlname => '',
             :title => '',
             :parent_id => params[:page][:parent_id],
             :language => parent.language
           })
-          source_page.copy_children_to(page) unless source_page.children.blank?
+          source_page.copy_children_to(@page) unless source_page.children.blank?
         else
-          page = Page.create(params[:page])
+          @page = Page.create(params[:page])
         end
-        render_errors_or_redirect(page, parent.layoutpage? ? admin_layoutpages_path : admin_pages_path, t("Page created", :name => page.name), '#alchemyOverlay button.button')
+        render_errors_or_redirect(@page, @page.valid? ? edit_admin_page_path(@page) : admin_pages_path, t("Page created", :name => @page.name))
       end
 
       # Edit the content of the page and all its elements and contents.
@@ -82,12 +85,15 @@ module Alchemy
         if @page.redirects_to_external?
           render :action => 'configure_external', :layout => false
         else
+          @page_layouts = PageLayout.layouts_with_own_for_select(@page.page_layout, session[:language_id], @page.layoutpage?)
           render :layout => false
         end
       end
 
       def update
         # fetching page via before filter
+        # storing old page_layout value, because unfurtunally rails @page.changes does not work here.
+        @old_page_layout = @page.page_layout
         if @page.update_attributes(params[:page])
           @notice = t("Page saved", :name => @page.name)
           @while_page_edit = request.referer.include?('edit')

data/app/controllers/alchemy/admin/resources_controller.rb

@@ -63,10 +63,9 @@ module Alchemy
         @_resource_handler ||= Alchemy::Resource.new(controller_path, alchemy_module)
       end
 
-      protected
+    protected
 
-
-      def render_errors_or_redirect(object, redirect_url, flash_notice, button = nil)
+      def render_errors_or_redirect(object, redirect_url, flash_notice)
         if object.errors.empty?
           @redirect_url = redirect_url
           flash[:notice] = t(flash_notice)
@@ -76,7 +75,7 @@ module Alchemy
           end
         else
           respond_to do |format|
-            format.js { render_remote_errors(object, button) }
+            format.js { render_remote_errors(object) }
             format.html { render :action => :new }
           end
         end

data/app/controllers/alchemy/admin/users_controller.rb

@@ -51,6 +51,7 @@ module Alchemy
 
       def update
         # User is fetched via before filter
+        params[:user].delete(:role) unless permitted_to?(:update_role)
         @user.update_attributes(params[:user])
         Notifications.admin_user_created(@user).deliver if params[:send_credentials]
         render_errors_or_redirect(

data/app/controllers/alchemy/base_controller.rb

@@ -15,15 +15,19 @@ module Alchemy
     def current_server
       # For local development server
       if request.port != 80
-        "http://#{request.host}:#{request.port}"
+        "#{request.protocol}#{request.host}:#{request.port}"
         # For remote production server
       else
-        "http://#{request.host}"
+        "#{request.protocol}#{request.host}"
       end
     end
 
+    # Returns the configuratin value of given key.
+    #
+    # Config file is in +config/alchemy/config.yml+
+    #
     def configuration(name)
-      return Alchemy::Config.get(name)
+      Alchemy::Config.get(name)
     end
 
     def multi_language?
@@ -56,6 +60,8 @@ module Alchemy
         session[:current_locale] = ::I18n.locale = params[:locale]
       elsif current_user && current_user.language.present?
         ::I18n.locale = current_user.language
+      elsif Rails.env == 'test' # OMG I hate to do this. But it helps...
+        ::I18n.locale = 'en'
       else
         ::I18n.locale = request.env['HTTP_ACCEPT_LANGUAGE'].try(:scan, /^[a-z]{2}/).try(:first)
       end
@@ -66,8 +72,7 @@ module Alchemy
       if params[:lang].blank? and session[:language_id].blank?
         set_language_to_default
       elsif !params[:lang].blank?
-        set_language_from(params[:lang])
-        ::I18n.locale = params[:lang]
+        ::I18n.locale = set_language_from(params[:lang])
       end
     end
 
@@ -95,9 +100,8 @@ module Alchemy
 
     def store_language_in_session(language)
       if language && language.id
-        return if language.id == session[:language_id]
-        session[:language_code] = language.code
         session[:language_id] = language.id
+        session[:language_code] = language.code
       else
         logger.warn "!!!! Language not found for #{language.inspect}. Setting to default!"
         set_language_to_default
@@ -159,6 +163,28 @@ module Alchemy
       render :file => Rails.root.join("public/404.html"), :status => 404, :layout => !@page.nil?
     end
 
+    # Enforce ssl for login and all admin modules.
+    #
+    # Default is +false+
+    #
+    # === Usage
+    #
+    #   #config.yml
+    #   require_ssl: true
+    #
+    # === Note
+    #
+    # You have to create a ssl certificate if you want to use the ssl protection
+    #
+    def ssl_required?
+      (Rails.env == 'production' || Rails.env == 'staging') && configuration(:require_ssl)
+    end
+
+    # Redirects request to ssl.
+    def enforce_ssl
+      redirect_to url_for(protocol: 'https')
+    end
+
   protected
 
     def permission_denied
@@ -171,7 +197,7 @@ module Alchemy
           elsif request.xhr?
             respond_to do |format|
               format.js {
-                render :js => "Alchemy.growl('#{t('You are not authorized')}', 'warning'); Alchemy.enableButton('button.button, a.button, input.button');"
+                render :js => "Alchemy.growl('#{t('You are not authorized')}', 'warning'); Alchemy.Buttons.enable();"
               }
               format.html {
                 render :partial => 'alchemy/admin/partials/flash', :locals => {:message => t('You are not authorized'), :flash_type => 'warning'}

data/app/controllers/alchemy/pictures_controller.rb

@@ -3,7 +3,7 @@ module Alchemy
 
     caches_page :show, :thumbnail, :zoom
 
-    before_filter :load_picture
+    before_filter :load_picture, :ensure_secure_params
 
     filter_access_to :show, :attribute_check => true, :model => Alchemy::Picture, :load_method => :load_picture
     filter_access_to :thumbnail
@@ -60,5 +60,20 @@ module Alchemy
       @picture ||= Picture.find(params[:id])
     end
 
+    def ensure_secure_params
+      token = params[:sh]
+      digest = Digest::SHA1.hexdigest(secured_params)[0..15]
+      bad_request unless token && (token == digest)
+    end
+
+    def secured_params
+      [params[:id], params[:size], params[:crop], params[:crop_from], params[:crop_size], Rails.configuration.secret_token].join('-')
+    end
+
+    def bad_request
+      render :text => "Bad picture parameters in #{request.path}", :status => 400
+      return false
+    end
+
   end
 end

data/app/controllers/alchemy/user_sessions_controller.rb

@@ -1,6 +1,7 @@
 module Alchemy
   class UserSessionsController < Alchemy::BaseController
 
+    before_filter { enforce_ssl if ssl_required? && !request.ssl? }
     before_filter :set_translation
     before_filter :check_user_count, :only => :login
 
@@ -20,9 +21,13 @@ module Alchemy
           if params[:send_credentials]
             Notifications.admin_user_created(@user).deliver
           end
+          flash[:notice] = t('Successfully signup admin user')
           redirect_to admin_dashboard_path
         end
       end
+    rescue Errno::ECONNREFUSED => e
+      flash[:error] = t(:signup_mail_delivery_error)
+      redirect_to admin_dashboard_path
     end
 
     def login
@@ -63,7 +68,7 @@ module Alchemy
       redirect_to root_url
     end
 
-    private
+  private
 
     def check_user_count
       if User.count == 0

data/app/helpers/alchemy/base_helper.rb

@@ -45,6 +45,20 @@ module Alchemy
       content_tag('span', '', :class => "icon #{icon_class}")
     end
 
+    # Returns a div with an icon and the passed content
+    # The default message type is info, but you can also pass
+    # other types like :warning or :error
+    #
+    # === Usage:
+    #
+    #   <%= render_message :warning do
+    #     <p>Caution! This is a warning!</p>
+    #   <% end %>
+    #
+    def render_message(type = :info, &blk)
+      content_tag :div, render_icon(type) + capture(&blk), :class => "#{type} message"
+    end
+
     # Returns an array of all pages in the same branch from current.
     # I.e. used to find the active page in navigation.
     def breadcrumb(current)