RubyGems - alchemy_cms - Versions diffs - 5.1.10 → 5.2.0.b1 - Mend

alchemy_cms 5.1.10 → 5.2.0.b1

Files changed (57) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +2 -1
data/CHANGELOG.md +21 -29
data/Gemfile +2 -6
data/alchemy_cms.gemspec +3 -3
data/app/assets/stylesheets/alchemy/_variables.scss +2 -0
data/app/assets/stylesheets/alchemy/elements.scss +38 -5
data/app/assets/stylesheets/tinymce/skins/alchemy/content.min.css.scss +3 -3
data/app/assets/stylesheets/tinymce/skins/alchemy/skin.min.css.scss +7 -7
data/app/controllers/alchemy/admin/base_controller.rb +4 -9
data/app/controllers/alchemy/admin/trash_controller.rb +2 -0
data/app/decorators/alchemy/content_editor.rb +64 -0
data/app/decorators/alchemy/element_editor.rb +1 -25
data/app/helpers/alchemy/admin/contents_helper.rb +3 -8
data/app/helpers/alchemy/elements_helper.rb +0 -18
data/app/helpers/alchemy/pages_helper.rb +1 -1
data/app/models/alchemy/attachment.rb +5 -1
data/app/models/alchemy/content.rb +7 -0
data/app/models/alchemy/element/definitions.rb +5 -22
data/app/models/alchemy/element.rb +39 -1
data/app/models/alchemy/node.rb +1 -1
data/app/models/alchemy/page/page_elements.rb +9 -2
data/app/models/alchemy/page.rb +1 -1
data/app/models/alchemy/picture/transformations.rb +3 -3
data/app/models/alchemy/picture.rb +2 -2
data/app/models/alchemy/picture_variant.rb +1 -1
data/app/views/alchemy/admin/elements/_element.html.erb +1 -1
data/app/views/alchemy/admin/elements/_element_header.html.erb +2 -0
data/app/views/alchemy/essences/_essence_picture_view.html.erb +3 -3
data/config/brakeman.ignore +305 -17
data/config/initializers/dragonfly.rb +0 -8
data/config/locales/alchemy.en.yml +40 -24
data/lib/alchemy/deprecation.rb +1 -1
data/lib/alchemy/element_definition.rb +70 -0
data/lib/alchemy/elements_finder.rb +6 -2
data/lib/alchemy/engine.rb +1 -8
data/lib/alchemy/essence.rb +4 -4
data/lib/alchemy/filetypes.rb +13 -0
data/lib/alchemy/forms/builder.rb +1 -1
data/lib/alchemy/i18n.rb +4 -5
data/lib/alchemy/page_layout.rb +1 -0
data/lib/alchemy/resource.rb +3 -5
data/lib/alchemy/test_support/integration_helpers.rb +5 -5
data/lib/alchemy/upgrader/five_point_zero.rb +0 -32
data/lib/alchemy/version.rb +1 -1
data/lib/alchemy_cms.rb +1 -1
data/lib/generators/alchemy/install/install_generator.rb +1 -2
data/lib/tasks/alchemy/thumbnails.rake +2 -4
data/lib/tasks/alchemy/upgrade.rake +0 -20
data/package/admin.js +0 -2
data/package/src/__tests__/i18n.spec.js +0 -23
data/package/src/i18n.js +3 -1
data/package.json +1 -1
metadata +20 -17
data/lib/alchemy/dragonfly/processors/crop_resize.rb +0 -35
data/lib/alchemy/error_tracking/airbrake_handler.rb +0 -13
data/lib/alchemy/error_tracking.rb +0 -14

data/app/models/alchemy/element.rb CHANGED Viewed

@@ -37,6 +37,7 @@ module Alchemy
       "taggable",
       "compact",
       "message",
+      "deprecated",
     ].freeze
     SKIPPED_ATTRIBUTES_ON_COPY = [
@@ -60,7 +61,7 @@ module Alchemy
     #
     acts_as_list scope: [:page_id, :fixed, :parent_element_id]
-    stampable stamper_class_name: Alchemy.user_class.name
+    stampable stamper_class_name: Alchemy.user_class_name
     has_many :contents, dependent: :destroy, inverse_of: :element
@@ -124,6 +125,9 @@ module Alchemy
     # class methods
     class << self
+      deprecate :trashed, deprecator: Alchemy::Deprecation
+      deprecate :not_trashed, deprecator: Alchemy::Deprecation
       # Builds a new element as described in +/config/alchemy/elements.yml+
       #
       # - Returns a new Alchemy::Element object if no name is given in attributes,
@@ -227,10 +231,12 @@ module Alchemy
       self.folded = true
       remove_from_list
     end
+    deprecate :trash!, deprecator: Alchemy::Deprecation
     def trashed?
       position.nil?
     end
+    deprecate :trashed?, deprecator: Alchemy::Deprecation
     # Returns true if the definition of this element has a taggable true value.
     def taggable?
@@ -247,6 +253,38 @@ module Alchemy
       definition["compact"] == true
     end
+    # Defined as deprecated element?
+    #
+    # You can either set true or a String on your elements definition.
+    #
+    # == Passing true
+    #
+    #     - name: old_element
+    #       deprecated: true
+    #
+    # The deprecation notice can be translated. Either as global notice for all deprecated elements.
+    #
+    #     en:
+    #       alchemy:
+    #         element_deprecation_notice: Foo baz widget is deprecated
+    #
+    # Or add a translation to your locale file for a per element notice.
+    #
+    #     en:
+    #       alchemy:
+    #         element_deprecation_notices:
+    #           old_element: Foo baz widget is deprecated
+    #
+    # == Pass a String
+    #
+    #     - name: old_element
+    #       deprecated: This element will be removed soon.
+    #
+    # @return Boolean
+    def deprecated?
+      !!definition["deprecated"]
+    end
     # The element's view partial is dependent from its name
     #
     # == Define elements

data/app/models/alchemy/node.rb CHANGED Viewed

@@ -7,7 +7,7 @@ module Alchemy
     before_destroy :check_if_related_essence_nodes_present
     acts_as_nested_set scope: "language_id", touch: true
-    stampable stamper_class_name: Alchemy.user_class.name
+    stampable stamper_class_name: Alchemy.user_class_name
     belongs_to :language, class_name: "Alchemy::Language"
     belongs_to :page, class_name: "Alchemy::Page", optional: true, inverse_of: :nodes

data/app/models/alchemy/page/page_elements.rb CHANGED Viewed

@@ -38,11 +38,17 @@ module Alchemy
       after_update :trash_not_allowed_elements!,
         if: :saved_change_to_page_layout?
-      after_update :generate_elements,
-        if: :saved_change_to_page_layout?
+      after_update(if: :saved_change_to_page_layout?) do
+        Alchemy::Deprecation.warn(
+          "Autogenerating elements on page_layout change is deprecated and will be removed from Alchemy 6.0"
+        )
+        generate_elements
+      end
     end
     module ClassMethods
+      deprecate :trashed_elements, deprecator: Alchemy::Deprecation
       # Copy page elements
       #
       # @param source [Alchemy::Page]
@@ -210,6 +216,7 @@ module Alchemy
       ])
       not_allowed_elements.to_a.map(&:trash!)
     end
+    deprecate :trash_not_allowed_elements!, deprecator: Alchemy::Deprecation
     # Deletes unique and already present definitions from @_element_definitions.
     #

data/app/models/alchemy/page.rb CHANGED Viewed

@@ -82,7 +82,7 @@ module Alchemy
     acts_as_nested_set(dependent: :destroy, scope: [:layoutpage, :language_id])
-    stampable stamper_class_name: Alchemy.user_class.name
+    stampable stamper_class_name: Alchemy.user_class_name
     belongs_to :language

data/app/models/alchemy/picture/transformations.rb CHANGED Viewed

@@ -197,12 +197,12 @@ module Alchemy
     # Use imagemagick to custom crop an image. Uses -thumbnail for better performance when resizing.
     #
     def xy_crop_resize(dimensions, top_left, crop_dimensions, upsample)
-      crop_argument = dimensions_to_string(crop_dimensions)
+      crop_argument = "-crop #{dimensions_to_string(crop_dimensions)}"
       crop_argument += "+#{top_left[:x]}+#{top_left[:y]}"
-      resize_argument = dimensions_to_string(dimensions)
+      resize_argument = "-resize #{dimensions_to_string(dimensions)}"
       resize_argument += ">" unless upsample
-      image_file.crop_resize(crop_argument, resize_argument)
+      image_file.convert "#{crop_argument} #{resize_argument}"
     end
     # Used when centercropping.

data/app/models/alchemy/picture.rb CHANGED Viewed

@@ -91,7 +91,7 @@ module Alchemy
     end
     # Create important thumbnails upfront
-    after_create -> { PictureThumb.generate_thumbs!(self) if has_convertible_format? }
+    after_create -> { PictureThumb.generate_thumbs!(self) }
     # We need to define this method here to have it available in the validations below.
     class << self
@@ -108,7 +108,7 @@ module Alchemy
       case_sensitive: false,
       message: Alchemy.t("not a valid image")
-    stampable stamper_class_name: Alchemy.user_class.name
+    stampable stamper_class_name: Alchemy.user_class_name
     scope :named, ->(name) { where("#{table_name}.name LIKE ?", "%#{name}%") }
     scope :recent, -> { where("#{table_name}.created_at > ?", Time.current - 24.hours).order(:created_at) }

data/app/models/alchemy/picture_variant.rb CHANGED Viewed

@@ -93,7 +93,7 @@ module Alchemy
       convert_format = render_format.sub("jpeg", "jpg") != picture.image_file_format.sub("jpeg", "jpg")
-      if render_format =~ /jpe?g/ && convert_format
+      if render_format =~ /jpe?g/ && (convert_format || options[:quality])
         quality = options[:quality] || Config.get(:output_image_jpg_quality)
         encoding_options << "-quality #{quality}"
       end

data/app/views/alchemy/admin/elements/_element.html.erb CHANGED Viewed

@@ -25,7 +25,7 @@
         <div id="element_<%= element.id %>_errors" class="element_errors"></div>
         <div id="element_<%= element.id %>_content" class="element-content-editors">
-          <%= render element.contents %>
+          <%= render element.contents.map { |content| Alchemy::ContentEditor.new(content) } %>
         </div>
         <% if element.taggable? %>

data/app/views/alchemy/admin/elements/_element_header.html.erb CHANGED Viewed

@@ -2,6 +2,8 @@
   <span class="element-handle">
     <% if element.definition.blank? %>
       <%= hint_with_tooltip Alchemy.t(:element_definition_missing) %>
+    <% elsif element.deprecated? %>
+      <%= hint_with_tooltip element.deprecation_notice %>
     <% else %>
       <% if element.public? %>
         <%= render_icon('window-maximize', style: 'regular', class: 'element') %>

data/app/views/alchemy/essences/_essence_picture_view.html.erb CHANGED Viewed

@@ -1,6 +1,6 @@
 <% content = local_assigns[:content] || local_assigns[:essence_picture_view] %>
 <%= Alchemy::EssencePictureView.new(
   content,
-  local_assigns[:options] || {},
-  local_assigns[:html_options] || {}
-).render %>
+  local_assigns[:options],
+  local_assigns[:html_options]
+).render %>

data/config/brakeman.ignore CHANGED Viewed

@@ -1,14 +1,65 @@
 {
   "ignored_warnings": [
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 2,
+      "fingerprint": "0551e3f9180b85fca4b17fe3c7cbbac1611d2ef8d385f77e9445c562c471d688",
+      "check_name": "CrossSiteScripting",
+      "message": "Unescaped parameter value",
+      "file": "app/views/alchemy/admin/elements/update.js.erb",
+      "line": 18,
+      "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
+      "code": "j(Element.find(params[:id]).essence_error_messages.join(\"</li><li>\"))",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Alchemy::Admin::ElementsController",
+          "method": "update",
+          "line": 55,
+          "file": "app/controllers/alchemy/admin/elements_controller.rb",
+          "rendered": {
+            "name": "alchemy/admin/elements/update",
+            "file": "app/views/alchemy/admin/elements/update.js.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "alchemy/admin/elements/update"
+      },
+      "user_input": "params[:id]",
+      "confidence": "Weak",
+      "note": ""
+    },
+    {
+      "warning_type": "File Access",
+      "warning_code": 16,
+      "fingerprint": "154e5d85347ab40256b60182d3143830247b33b81de2ae9ac0622155a1de8e51",
+      "check_name": "SendFile",
+      "message": "Parameter value used in file name",
+      "file": "app/controllers/alchemy/admin/attachments_controller.rb",
+      "line": 65,
+      "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
+      "code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Alchemy::Admin::AttachmentsController",
+        "method": "download"
+      },
+      "user_input": "params[:id]",
+      "confidence": "Weak",
+      "note": ""
+    },
     {
       "warning_type": "Mass Assignment",
       "warning_code": 70,
       "fingerprint": "1dd8f69d9b1bdd4017212f38098f03d2ecb2db06269fb940090f209eee7570c6",
       "check_name": "MassAssignment",
-      "message": "Parameters should be whitelisted for mass assignment",
+      "message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
       "file": "app/controllers/alchemy/admin/resources_controller.rb",
-      "line": 130,
-      "link": "http://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "line": 136,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
       "code": "params.require(resource_handler.namespaced_resource_name).permit!",
       "render_path": null,
       "location": {
@@ -20,34 +71,170 @@
       "confidence": "Medium",
       "note": "Because we actually can't know all attributes each inheriting controller supports, we permit all resource model params. It is adviced that all inheriting controllers implement this method and provide its own set of permitted attributes. As this all happens inside the password protected /admin namespace this can be considered a false positive."
     },
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 2,
+      "fingerprint": "293a6f5581ba3f0e7aa4f81b38d68baf21f1219c8f3bae3eca6b3e1776b734df",
+      "check_name": "CrossSiteScripting",
+      "message": "Unescaped parameter value",
+      "file": "app/views/alchemy/admin/elements/order.js.erb",
+      "line": 17,
+      "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting",
+      "code": "Element.trashed.where(:id => params[:element_ids]).pluck(:id).collect do\n \"#element_area [data-element-id=\\\"#{id}\\\"]\"\n end.join(\", \")",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Alchemy::Admin::ElementsController",
+          "method": "order",
+          "line": 78,
+          "file": "app/controllers/alchemy/admin/elements_controller.rb",
+          "rendered": {
+            "name": "alchemy/admin/elements/order",
+            "file": "app/views/alchemy/admin/elements/order.js.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "alchemy/admin/elements/order"
+      },
+      "user_input": "params[:element_ids]",
+      "confidence": "Weak",
+      "note": ""
+    },
     {
       "warning_type": "Dynamic Render Path",
       "warning_code": 15,
-      "fingerprint": "79e194e21561d40888d86ebc7fd2ab474fdb0ce32d605dbe9ac6e8984ecc5e92",
+      "fingerprint": "2eb67abb2b025c3446afa2f9b8d48c6b6a05379234a9228c9af4c25b7e672b00",
       "check_name": "Render",
       "message": "Render path contains parameter value",
-      "file": "app/views/alchemy/admin/contents/create.js.erb",
-      "line": 1,
-      "link": "http://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
-      "code": "render(action => \"alchemy/essences/#{Content.create(Element.find(params[:content][:element_id]), content_params).essence_partial_name}_editor\", { :content => Content.create(Element.find(params[:content][:element_id]), content_params) })",
-      "render_path": [{"type":"controller","class":"Alchemy::Admin::ContentsController","method":"create","line":21,"file":"app/controllers/alchemy/admin/contents_controller.rb"}],
+      "file": "app/views/alchemy/admin/elements/index.html.erb",
+      "line": 18,
+      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+      "code": "render(action => Page.find(params[:page_id]).all_elements.not_nested.unfixed.not_trashed.includes(*element_includes).map do\n Alchemy::ElementEditor.new(element)\n end, {})",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Alchemy::Admin::ElementsController",
+          "method": "index",
+          "line": 13,
+          "file": "app/controllers/alchemy/admin/elements_controller.rb",
+          "rendered": {
+            "name": "alchemy/admin/elements/index",
+            "file": "app/views/alchemy/admin/elements/index.html.erb"
+          }
+        }
+      ],
       "location": {
         "type": "template",
-        "template": "alchemy/admin/contents/create"
+        "template": "alchemy/admin/elements/index"
       },
-      "user_input": "params[:content][:element_id]",
+      "user_input": "params[:page_id]",
       "confidence": "Weak",
-      "note": "This dynamic render path comes from the Contents essence not from any params or user mutated string. This can safely be ignored."
+      "note": ""
+    },
+    {
+      "warning_type": "Dynamic Render Path",
+      "warning_code": 15,
+      "fingerprint": "2eb67abb2b025c3446afa2f9b8d48c6b6a05379234a9228c9af4c25b7e672b00",
+      "check_name": "Render",
+      "message": "Render path contains parameter value",
+      "file": "app/views/alchemy/admin/elements/index.html.erb",
+      "line": 31,
+      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+      "code": "render(action => Page.find(params[:page_id]).all_elements.not_nested.unfixed.not_trashed.includes(*element_includes).map do\n Alchemy::ElementEditor.new(element)\n end, {})",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Alchemy::Admin::ElementsController",
+          "method": "index",
+          "line": 13,
+          "file": "app/controllers/alchemy/admin/elements_controller.rb",
+          "rendered": {
+            "name": "alchemy/admin/elements/index",
+            "file": "app/views/alchemy/admin/elements/index.html.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "alchemy/admin/elements/index"
+      },
+      "user_input": "params[:page_id]",
+      "confidence": "Weak",
+      "note": ""
+    },
+    {
+      "warning_type": "Dynamic Render Path",
+      "warning_code": 15,
+      "fingerprint": "2fa9bf5c73b4e6e3c272f0b14635f96efbd763e9a2c5b785caefffe3589ac461",
+      "check_name": "Render",
+      "message": "Render path contains parameter value",
+      "file": "app/views/alchemy/admin/essence_pictures/assign.js.erb",
+      "line": 2,
+      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+      "code": "render(action => Alchemy::ContentEditor.new(Content.find(params[:content_id])), {})",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Alchemy::Admin::EssencePicturesController",
+          "method": "assign",
+          "line": 49,
+          "file": "app/controllers/alchemy/admin/essence_pictures_controller.rb",
+          "rendered": {
+            "name": "alchemy/admin/essence_pictures/assign",
+            "file": "app/views/alchemy/admin/essence_pictures/assign.js.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "alchemy/admin/essence_pictures/assign"
+      },
+      "user_input": "params[:content_id]",
+      "confidence": "Weak",
+      "note": ""
+    },
+    {
+      "warning_type": "Dynamic Render Path",
+      "warning_code": 15,
+      "fingerprint": "384ec61125c6390d59fb7ebcf52792ba284bfd463d70d4ef552ab6c328e776f6",
+      "check_name": "Render",
+      "message": "Render path contains parameter value",
+      "file": "app/views/alchemy/admin/elements/fold.js.erb",
+      "line": 11,
+      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+      "code": "render(action => Alchemy::ElementEditor.new(Element.find(params[:id])), {})",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Alchemy::Admin::ElementsController",
+          "method": "fold",
+          "line": 95,
+          "file": "app/controllers/alchemy/admin/elements_controller.rb",
+          "rendered": {
+            "name": "alchemy/admin/elements/fold",
+            "file": "app/views/alchemy/admin/elements/fold.js.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "alchemy/admin/elements/fold"
+      },
+      "user_input": "params[:id]",
+      "confidence": "Weak",
+      "note": ""
     },
     {
       "warning_type": "Mass Assignment",
       "warning_code": 70,
       "fingerprint": "4b4dc24a6f5251bc1a6851597dfcee39608a2932eb7f81a4a241c00fca8a3043",
       "check_name": "MassAssignment",
-      "message": "Parameters should be whitelisted for mass assignment",
+      "message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
       "file": "app/controllers/alchemy/admin/elements_controller.rb",
-      "line": 168,
-      "link": "http://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "line": 146,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
       "code": "params.fetch(:contents, {}).permit!",
       "render_path": null,
       "location": {
@@ -58,8 +245,109 @@
       "user_input": null,
       "confidence": "Medium",
       "note": "`Alchemy::Content` is a polymorphic association of any kind of model extending `Alchemy::Essence`. Since we can't know the attributes of all potential essences we need to permit all attributes. As this all happens inside the password protected /admin namespace this can be considered a false positive."
+    },
+    {
+      "warning_type": "Cross-Site Scripting",
+      "warning_code": 4,
+      "fingerprint": "6e6ed4f8b20c07868bc04a4dc419103ecce33bb514eff77790abd57246a4513f",
+      "check_name": "LinkToHref",
+      "message": "Potentially unsafe model attribute in `link_to` href",
+      "file": "app/views/alchemy/admin/nodes/_node.html.erb",
+      "line": 62,
+      "link": "https://brakemanscanner.org/docs/warning_types/link_to_href",
+      "code": "link_to((Unresolved Model).new.url, (Unresolved Model).new.url, :target => \"_blank\", :title => (Unresolved Model).new.url)",
+      "render_path": [
+        {
+          "type": "template",
+          "name": "alchemy/admin/nodes/_node",
+          "line": 71,
+          "file": "app/views/alchemy/admin/nodes/_node.html.erb",
+          "rendered": {
+            "name": "alchemy/admin/nodes/_node",
+            "file": "app/views/alchemy/admin/nodes/_node.html.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "alchemy/admin/nodes/_node"
+      },
+      "user_input": "(Unresolved Model).new.url",
+      "confidence": "Weak",
+      "note": ""
+    },
+    {
+      "warning_type": "File Access",
+      "warning_code": 16,
+      "fingerprint": "6f642c32a45d9f6bbdff89c51873485c930479f4d72885ad0a1883c4372140bf",
+      "check_name": "SendFile",
+      "message": "Parameter value used in file name",
+      "file": "app/controllers/alchemy/attachments_controller.rb",
+      "line": 25,
+      "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
+      "code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Alchemy::AttachmentsController",
+        "method": "download"
+      },
+      "user_input": "params[:id]",
+      "confidence": "Weak",
+      "note": ""
+    },
+    {
+      "warning_type": "File Access",
+      "warning_code": 16,
+      "fingerprint": "a1197cfa89e3a66e6d10ee060cd87af97d5e978d6d93b5936eb987288f1c02e6",
+      "check_name": "SendFile",
+      "message": "Parameter value used in file name",
+      "file": "app/controllers/alchemy/attachments_controller.rb",
+      "line": 12,
+      "link": "https://brakemanscanner.org/docs/warning_types/file_access/",
+      "code": "send_file(Attachment.find(params[:id]).file.path, :filename => Attachment.find(params[:id]).file_name, :type => Attachment.find(params[:id]).file_mime_type, :disposition => \"inline\")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Alchemy::AttachmentsController",
+        "method": "show"
+      },
+      "user_input": "params[:id]",
+      "confidence": "Weak",
+      "note": ""
+    },
+    {
+      "warning_type": "Dynamic Render Path",
+      "warning_code": 15,
+      "fingerprint": "b9f63fd46d0ebd6684b649ab260f27df8a6422d44fed4769273d8e6a6a30397c",
+      "check_name": "Render",
+      "message": "Render path contains parameter value",
+      "file": "app/views/alchemy/admin/essence_files/assign.js.erb",
+      "line": 1,
+      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+      "code": "render(action => Alchemy::ContentEditor.new(Content.find_by(:id => params[:content_id])), {})",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Alchemy::Admin::EssenceFilesController",
+          "method": "assign",
+          "line": 32,
+          "file": "app/controllers/alchemy/admin/essence_files_controller.rb",
+          "rendered": {
+            "name": "alchemy/admin/essence_files/assign",
+            "file": "app/views/alchemy/admin/essence_files/assign.js.erb"
+          }
+        }
+      ],
+      "location": {
+        "type": "template",
+        "template": "alchemy/admin/essence_files/assign"
+      },
+      "user_input": "params[:content_id]",
+      "confidence": "Weak",
+      "note": ""
     }
   ],
-  "updated": "2017-10-23 11:49:41 +0200",
-  "brakeman_version": "4.0.1"
+  "updated": "2021-01-04 16:29:42 +0100",
+  "brakeman_version": "4.10.1"
 }

data/config/initializers/dragonfly.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 require "dragonfly_svg"
-require "alchemy/dragonfly/processors/crop_resize"
 # Logger
 Dragonfly.logger = Rails.logger
@@ -10,10 +9,3 @@ if defined?(ActiveRecord::Base)
   ActiveRecord::Base.extend Dragonfly::Model
   ActiveRecord::Base.extend Dragonfly::Model::Validations
 end
-# Dragonfly 1.4.0 only allows `quality` as argument to `encode`
-Dragonfly::ImageMagick::Processors::Encode::WHITELISTED_ARGS << "flatten"
-Rails.application.config.after_initialize do
-  Dragonfly.app(:alchemy_pictures).add_processor(:crop_resize, Alchemy::Dragonfly::Processors::CropResize.new)
-end