alchemy_cms 3.5.0 → 3.6.0

data/app/controllers/alchemy/admin/attachments_controller.rb

@@ -44,11 +44,7 @@ module Alchemy
         else
           render_errors_or_redirect(
             @attachment,
-            admin_attachments_path(
-              per_page: params[:per_page],
-              page: params[:page],
-              q: params[:q]
-            ),
+            admin_attachments_path(search_params),
             Alchemy.t("File successfully updated")
           )
         end
@@ -57,11 +53,7 @@ module Alchemy
       def destroy
         name = @attachment.name
         @attachment.destroy
-        @url = admin_attachments_url(
-          per_page: params[:per_page],
-          page: params[:page],
-          q: params[:q]
-        )
+        @url = admin_attachments_url(search_params)
         flash[:notice] = Alchemy.t('File deleted successfully', name: name)
       end
 
@@ -75,9 +67,18 @@ module Alchemy
 
       private
 
+      def search_params
+        params.except(:attachment, :id).permit(
+          :file_type,
+          :page,
+          {q: resource_handler.search_field_name},
+          :tagged_with
+        )
+      end
+
       def handle_uploader_response(status:)
         if @attachment.valid?
-          render succesful_uploader_response(file: @attachment, status: status)
+          render successful_uploader_response(file: @attachment, status: status)
         else
           render failed_uploader_response(file: @attachment)
         end

data/app/controllers/alchemy/admin/base_controller.rb

@@ -138,17 +138,13 @@ module Alchemy
       #
       def options_from_params
         case params[:options]
-        when ''
+        when '', nil
           {}
         when String
           JSON.parse(params[:options])
-        when Hash
-          params[:options]
-        when Array
-          params[:options]
         else
-          {}
-        end.symbolize_keys
+          params[:options].permit!.to_h
+        end.deep_symbolize_keys
       end
 
       # This method decides if we want to raise an exception or not.

data/app/controllers/alchemy/admin/essence_pictures_controller.rb

@@ -1,6 +1,7 @@
 module Alchemy
   module Admin
     class EssencePicturesController < Alchemy::Admin::BaseController
+      FLOAT_REGEX = /\A\d+(\.\d+)?\z/
       authorize_resource class: Alchemy::EssencePicture
 
       before_action :load_essence_picture, only: [:edit, :crop, :update]
@@ -92,7 +93,7 @@ module Alchemy
       # aspect ratio, don't specify a size or only width or height.
       #
       def ratio_from_size_or_params
-        if @min_size.value?(0) && @options[:fixed_ratio]
+        if @min_size.value?(0) && @options[:fixed_ratio].to_s =~ FLOAT_REGEX
           @options[:fixed_ratio].to_f
         elsif !@min_size[:width].zero? && !@min_size[:height].zero?
           @min_size[:width].to_f / @min_size[:height].to_f

data/app/controllers/alchemy/admin/languages_controller.rb

@@ -7,14 +7,9 @@ module Alchemy
       end
 
       def new
-        @language = Language.new
-        @language.page_layout = configured_page_layout || @language.page_layout
-      end
-
-      private
-
-      def configured_page_layout
-        Config.get(:default_language).try('[]', 'page_layout')
+        @language = Language.new(
+          page_layout: Config.get(:default_language)['page_layout']
+        )
       end
     end
   end

data/app/controllers/alchemy/admin/pictures_controller.rb

@@ -31,7 +31,7 @@ module Alchemy
         @picture = Picture.new(picture_params)
         @picture.name = @picture.humanized_name
         if @picture.save
-          render succesful_uploader_response(file: @picture)
+          render successful_uploader_response(file: @picture)
         else
           render failed_uploader_response(file: @picture)
         end
@@ -136,12 +136,16 @@ module Alchemy
       end
 
       def redirect_to_index
-        do_redirect_to admin_pictures_path(
-          filter: params[:filter].presence,
-          page: params[:page].presence,
-          q: params[:q].presence,
-          size: params[:size].presence,
-          tagged_with: params[:tagged_with].presence
+        do_redirect_to admin_pictures_path(search_params)
+      end
+
+      def search_params
+        params.except(:id, :picture_ids).permit(
+          :filter,
+          :page,
+          {q: resource_handler.search_field_name},
+          :size,
+          :tagged_with
         )
       end
 

data/app/controllers/alchemy/admin/resources_controller.rb

@@ -97,7 +97,7 @@ module Alchemy
         when :destroy
           verb = "removed"
         end
-        flash[:notice] = Alchemy.t("#{resource_handler.resource_name.classify} successfully #{verb}", default: Alchemy.t("Succesfully #{verb}"))
+        flash[:notice] = Alchemy.t("#{resource_handler.resource_name.classify} successfully #{verb}", default: Alchemy.t("Successfully #{verb}"))
       end
 
       def is_alchemy_module?

data/app/controllers/alchemy/attachments_controller.rb

@@ -5,6 +5,7 @@ module Alchemy
 
     # sends file inline. i.e. for viewing pdfs/movies in browser
     def show
+      response.headers['Content-Length'] = @attachment.file.size.to_s
       send_file(
         @attachment.file.path,
         {
@@ -17,6 +18,7 @@ module Alchemy
 
     # sends file as attachment. aka download
     def download
+      response.headers['Content-Length'] = @attachment.file.size.to_s
       send_file(
         @attachment.file.path, {
           filename: @attachment.file_name,

data/app/controllers/alchemy/base_controller.rb

@@ -51,11 +51,10 @@ module Alchemy
 
     def permission_denied(exception = nil)
       if exception
-        Rails.logger.debug <<-WARN
-
-/!\\ Failed to permit #{exception.action} on #{exception.subject.inspect} for:
-#{current_alchemy_user.inspect}
-WARN
+        Rails.logger.debug <<-WARN.strip_heredoc
+          /!\\ Failed to permit #{exception.action} on #{exception.subject.inspect} for:
+          #{current_alchemy_user.inspect}
+        WARN
       end
       if current_alchemy_user
         handle_redirect_for_user

data/app/controllers/concerns/alchemy/admin/uploader_responses.rb

@@ -3,7 +3,7 @@ module Alchemy
     module UploaderResponses
       extend ActiveSupport::Concern
 
-      def succesful_uploader_response(file:, status: :created)
+      def successful_uploader_response(file:, status: :created)
         message = Alchemy.t(:upload_success,
           scope: [:uploader, file.class.model_name.i18n_key],
           name: file.name

data/app/helpers/alchemy/admin/base_helper.rb

@@ -312,9 +312,9 @@ module Alchemy
         }
         options = defaults.merge(options)
         content_for(:toolbar) do
-          content = <<-CONTENT
-#{options[:buttons].map { |button_options| toolbar_button(button_options) }.join}
-          #{render('alchemy/admin/partials/search_form', url: options[:search_url]) if options[:search]}
+          content = <<-CONTENT.strip_heredoc
+            #{options[:buttons].map { |button_options| toolbar_button(button_options) }.join}
+            #{render('alchemy/admin/partials/search_form', url: options[:search_url]) if options[:search]}
           CONTENT
           content.html_safe
         end
@@ -332,13 +332,18 @@ module Alchemy
 
       # Renders a textfield ready to display a datepicker
       #
-      # Uses a HTML5 +<input type="date">+ field.
       # A Javascript observer converts this into a fancy Datepicker.
       # If you pass +'datetime'+ as +:type+ the datepicker will also have a Time select.
+      # If you pass +'time'+ as +:type+ the datepicker will only have a Time select.
       #
-      # The date value gets localized via +I18n.l+. The format on Time and Date is +datepicker+
+      # The date value gets localized via +I18n.l+. The format on Time and Date is +datepicker+, +timepicker+
       # or +datetimepicker+, if you pass another +type+.
       #
+      # This helper always renders "text" as input type because:
+      # HTML5 supports input types like 'date' but Browsers are using the users OS settings
+      # to validate the input format. Since Alchemy is localized in the backend the date formats
+      # should be aligned with the users locale setting in the backend but not the OS settings.
+      #
       # === Date Example
       #
       #   <%= alchemy_datepicker(@person, :birthday) %>
@@ -347,13 +352,17 @@ module Alchemy
       #
       #   <%= alchemy_datepicker(@page, :public_on, type: 'datetime') %>
       #
+      # === Time Example
+      #
+      #   <%= alchemy_datepicker(@meeting, :starts_at, type: 'time') %>
+      #
       # @param [ActiveModel::Base] object
       #   An instance of a model
       # @param [String or Symbol] method
       #   The attribute method to be called for the date value
       #
-      # @option html_options [String] :type (date)
-      #   The type of text field
+      # @option html_options [String] :data-datepicker-type (type)
+      #   The value of the data attribute for the type
       # @option html_options [String] :class (type)
       #   CSS classes of the input field
       # @option html_options [String] :value (value of method on object)
@@ -366,7 +375,7 @@ module Alchemy
         value = date ? l(date, format: "#{type}picker".to_sym) : nil
 
         text_field object.class.name.demodulize.underscore.to_sym,
-          method.to_sym, {type: type, class: type, value: value}.merge(html_options)
+          method.to_sym, {type: "text", class: type, "data-datepicker-type" => type, value: value}.merge(html_options)
       end
 
       # Merges the params-hash with the given hash

data/app/helpers/alchemy/admin/tags_helper.rb

@@ -9,16 +9,16 @@ module Alchemy
       # @return [String]
       #   A HTML string containing <tt><li></tt> tags
       #
-      def render_tag_list(class_name, params)
+      def render_tag_list(class_name)
         raise ArgumentError, 'Please provide a String as class_name' if class_name.nil?
         li_s = []
         class_name.constantize.tag_counts.sort { |x, y| x.name.downcase <=> y.name.downcase }.each do |tag|
           tags = filtered_by_tag?(tag) ? tag_filter(remove: tag) : tag_filter(add: tag)
-          li_s << content_tag('li', name: tag.name, class: tag_list_tag_active?(tag, params) ? 'active' : nil) do
+          li_s << content_tag('li', name: tag.name, class: tag_list_tag_active?(tag) ? 'active' : nil) do
             link_to(
               "#{tag.name} (#{tag.count})",
               url_for(
-                params.delete_if { |k, _v| k == "page" }.merge(
+                tag_list_params.reject { |k, _v| k == "page" }.merge(
                   action: 'index',
                   tagged_with: tags
                 )
@@ -39,14 +39,14 @@ module Alchemy
       #   url params
       # @return [Boolean]
       #
-      def tag_list_tag_active?(tag, params)
-        params[:tagged_with].to_s.split(',').include?(tag.name)
+      def tag_list_tag_active?(tag)
+        tag_list_params[:tagged_with].to_s.split(',').include?(tag.name)
       end
 
       # Checks if the tagged_with param contains the given tag
       def filtered_by_tag?(tag)
-        if params[:tagged_with].present?
-          tags = params[:tagged_with].split(',')
+        if tag_list_params[:tagged_with].present?
+          tags = tag_list_params[:tagged_with].split(',')
           tags.include?(tag.name)
         else
           false
@@ -55,8 +55,8 @@ module Alchemy
 
       # Adds the given tag to the tag filter.
       def add_to_tag_filter(tag)
-        if params[:tagged_with].present?
-          tags = params[:tagged_with].split(',')
+        if tag_list_params[:tagged_with].present?
+          tags = tag_list_params[:tagged_with].split(',')
           tags << tag.name
         else
           [tag.name]
@@ -65,8 +65,8 @@ module Alchemy
 
       # Removes the given tag from the tag filter.
       def remove_from_tag_filter(tag)
-        if params[:tagged_with].present?
-          tags = params[:tagged_with].split(',')
+        if tag_list_params[:tagged_with].present?
+          tags = tag_list_params[:tagged_with].split(',')
           tags.delete_if { |t| t == tag.name }
         else
           []
@@ -84,17 +84,30 @@ module Alchemy
       #   ** :remove (ActsAsTaggableOn::Tag) - The tag that should be removed from the tag-filter
       #
       def tag_filter(options = {})
-        case
-        when options[:add]
-            taglist = add_to_tag_filter(options[:add]) if options[:add]
-        when options[:remove]
-            taglist = remove_from_tag_filter(options[:remove]) if options[:remove]
-          else
-            return params[:tagged_with]
+        if options[:add]
+          taglist = add_to_tag_filter(options[:add])
+        elsif options[:remove]
+          taglist = remove_from_tag_filter(options[:remove])
+        else
+          return tag_list_params[:tagged_with]
         end
         return nil if taglist.blank?
         taglist.uniq.join(',')
       end
+
+      def tag_list_params
+        params.permit(
+          :controller,
+          :content_id,
+          :element_id,
+          :options,
+          :swap,
+          :use_route,
+          :tagged_with,
+          :filter,
+          q: params.fetch(:q, {}).keys
+        )
+      end
     end
   end
 end

data/app/helpers/alchemy/base_helper.rb

@@ -14,7 +14,7 @@ module Alchemy
     # Logs a message in the Rails logger (warn level)
     # and optionally displays an error message to the user.
     def warning(message, text = nil)
-      Logger.warn(message, caller.first)
+      Logger.warn(message, caller(0..0))
       unless text.nil?
         warning = content_tag('p', class: 'content_editor_error') do
           render_icon('warning') + text

data/app/helpers/alchemy/pages_helper.rb

@@ -166,7 +166,7 @@ module Alchemy
       pages = page.children.accessible_by(current_ability, :see)
       pages = pages.restricted if options.delete(:restricted_only)
       if depth = options[:deepness]
-        pages = pages.where("#{Page.table_name}.depth <= #{depth}")
+        pages = pages.where('depth <= ?', depth)
       end
       if options[:reverse]
         pages.reverse!
@@ -246,15 +246,12 @@ module Alchemy
       end
 
       if options.delete(:reverse)
-        pages.to_a.reverse!
+        pages = pages.reorder('lft DESC')
       end
 
       if options[:without].present?
-        if options[:without].class == Array
-          pages = pages.to_a - options[:without]
-        else
-          pages.to_a.delete(options[:without])
-        end
+        without = options.delete(:without)
+        pages = pages.where.not(id: without.try(:collect, &:id) || without.id)
       end
 
       render 'alchemy/breadcrumb/wrapper', pages: pages, options: options

data/app/models/alchemy/attachment.rb

@@ -36,6 +36,10 @@ module Alchemy
 
     # We need to define this method here to have it available in the validations below.
     class << self
+      def searchable_alchemy_resource_attributes
+        %w(name file_name)
+      end
+
       def allowed_filetypes
         Config.get(:uploader).fetch('allowed_filetypes', {}).fetch('alchemy/attachments', [])
       end

data/app/models/alchemy/cell.rb

@@ -56,7 +56,7 @@ module Alchemy
       private
 
       def read_yml_file
-        ::YAML.load(ERB.new(File.read(yml_file_path)).result) || []
+        ::YAML.safe_load(ERB.new(File.read(yml_file_path)).result, [], [], true) || []
       end
 
       def yml_file_path

data/app/models/alchemy/element.rb

@@ -211,7 +211,8 @@ module Alchemy
     # Pass an element name to get next of this kind.
     #
     def next(name = nil)
-      previous_or_next('>', name)
+      elements = page.elements.published.where('position > ?', position)
+      select_element(elements, name, :asc)
     end
 
     # Returns previous public element from same page.
@@ -219,7 +220,8 @@ module Alchemy
     # Pass an element name to get previous of this kind.
     #
     def prev(name = nil)
-      previous_or_next('<', name)
+      elements = page.elements.published.where('position < ?', position)
+      select_element(elements, name, :desc)
     end
 
     # Stores the page into +touchable_pages+ (Pages that have to be touched after updating the element).
@@ -313,17 +315,9 @@ module Alchemy
 
     private
 
-    # Returns previous or next public element from same page.
-    #
-    # @param [String]
-    #   Pass '>' or '<' to find next or previous public element.
-    # @param [String]
-    #   Pass an element name to get previous of this kind.
-    #
-    def previous_or_next(dir, name = nil)
-      elements = page.elements.published.where("#{self.class.table_name}.position #{dir} #{position}")
+    def select_element(elements, name, order)
       elements = elements.named(name) if name.present?
-      elements.reorder("position #{dir == '>' ? 'ASC' : 'DESC'}").limit(1).first
+      elements.reorder(position: order).limit(1).first
     end
 
     # Returns all cells from given page this element could be placed in.

data/app/models/alchemy/element/definitions.rb

@@ -26,7 +26,7 @@ module Alchemy
       #
       def read_definitions_file
         if ::File.exist?(definitions_file_path)
-          ::YAML.load(ERB.new(File.read(definitions_file_path)).result) || []
+          ::YAML.safe_load(ERB.new(File.read(definitions_file_path)).result, [Regexp, Date], [], true) || []
         else
           raise LoadError, "Could not find elements.yml file! Please run `rails generate alchemy:scaffold`"
         end
@@ -46,7 +46,7 @@ module Alchemy
         definition
       else
         log_warning "Could not find element definition for #{name}. Please check your elements.yml file!"
-        return {}
+        {}
       end
     end
   end