alchemy_cms 7.0.14 → 7.0.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f009c36ef6be6cd2543d594e6e818b899fb03105db7afa1e043ac6eff667148
-  data.tar.gz: 39453909b852611f2b9610442cb596241037100965691fc6766b3f98fe6f1130
+  metadata.gz: d20bda02db92caa55198f4cc360bafb972b868e742215f1b19ab83976215b230
+  data.tar.gz: ab901f120f7a3c2f0878fb03a25e2d2de8e68aff1cd9240c58994b903e9781b8
 SHA512:
-  metadata.gz: 4c675c83bd57c8514dd1983051ba4dfef7af615f41001603fd25d2c556925a87e08d67307d4b610c3c9655572092cdf06e4d07bb5891dbdb3758b6cb7dccd721
-  data.tar.gz: 1feb5da7ff3d8bafb2aac4cc03ac52682795457d41f7a28cbd5e7eeca4816a8536149fe87a8f49470f3d6e9e7ed08eb194dc632a511639a0f259a2738ce0e06c
+  metadata.gz: adb1fd6328915e0648e8b94b45f91e2fb1051fbcf6b33ebf26d75a9de52fd2479991c0cb40dc8cc6d7972214291d195765d9ddda0ddc13bb69a0794941d45fcb
+  data.tar.gz: 2c9c34c568de4ed7492aaaa5f05959023493eba2951776fd1bedbf22a8e4bed65ce9e7480c42a2767334edba0d469d0277d8ea6ad616493c18a55f51e4135d31

data/.github/workflows/brakeman-analysis.yml

@@ -3,19 +3,27 @@
 
 name: Brakeman Scan
 
+concurrency:
+  group: brakeman-${{ github.ref_name }}
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+  contents: read
+  security-events: write
+
 on:
   push:
-    branches: [main]
+    branches:
+      - 7.0-stable
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [main]
-  schedule:
-    - cron: "40 4 * * 2"
+    branches:
+      - 7.0-stable
 
 jobs:
   brakeman-scan:
     name: Brakeman Scan
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout

data/.github/workflows/lint.yml

@@ -2,9 +2,16 @@ name: Lint
 
 on: [pull_request]
 
+concurrency:
+  group: lint-${{ github.ref_name }}
+  cancel-in-progress: ${{ github.ref_name != 'main' }}
+
+permissions:
+  contents: read
+
 jobs:
   Standard:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -16,7 +23,7 @@ jobs:
       - name: Lint Ruby files
         run: bundle exec standardrb
   Prettier:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v3

data/.github/workflows/stale.yml

@@ -4,10 +4,13 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  pull-requests: write
+  issues: write
+
 jobs:
   stale:
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-22.04
     steps:
       - uses: actions/stale@v5
         with:

data/.github/workflows/test.yml

@@ -1,10 +1,17 @@
 name: Test
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+      - 7.0-stable
+  pull_request:
+
+permissions:
+  contents: read
 
 jobs:
   RSpec:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:
@@ -104,9 +111,11 @@ jobs:
         if: failure()
         with:
           name: Screenshots
-          path: spec/dummy/tmp/screenshots
+          path: |
+            spec/dummy/tmp/capybara
+            spec/dummy/tmp/screenshots
   Jest:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env:
       NODE_ENV: test
     steps:

data/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## 7.0.16 (2025-01-23)
+
+- [7.0-stable] Allow redirecting to other host in site redirect [#3160](https://github.com/AlchemyCMS/alchemy_cms/pull/3160) ([alchemycms-bot](https://github.com/alchemycms-bot))
+- [7.0-stable] fix missing logger issue in github actions [#3155](https://github.com/AlchemyCMS/alchemy_cms/pull/3155) ([alchemycms-bot](https://github.com/alchemycms-bot))
+- [7.0-stable] CI: Set workflow permissions [#3144](https://github.com/AlchemyCMS/alchemy_cms/pull/3144) ([tvdeyen](https://github.com/tvdeyen))
+- [7.0-stable] Use safe redirect paths in admin redirects [#3134](https://github.com/AlchemyCMS/alchemy_cms/pull/3134) ([tvdeyen](https://github.com/tvdeyen))
+- [7.0-stable] CI: Run actions on ubuntu-22.04 [#3127](https://github.com/AlchemyCMS/alchemy_cms/pull/3127) ([tvdeyen](https://github.com/tvdeyen))
+- [7.0-stable] Use alchemy_display_name for page actor names [#3028](https://github.com/AlchemyCMS/alchemy_cms/pull/3028) ([alchemycms-bot](https://github.com/alchemycms-bot))
+
+## 7.0.15 (2024-09-04)
+
+- [7.0-stable] Render Datetime ingredient in local time zone [#3017](https://github.com/AlchemyCMS/alchemy_cms/pull/3017) ([tvdeyen](https://github.com/tvdeyen))
+- [7.0-stable] Allow to set input_type on Datetime ingredient editor [#3014](https://github.com/AlchemyCMS/alchemy_cms/pull/3014) ([tvdeyen](https://github.com/tvdeyen))
+- [7.0-stable] Fix combining search filters and pagination [#2980](https://github.com/AlchemyCMS/alchemy_cms/pull/2980) ([alchemycms-bot](https://github.com/alchemycms-bot))
+- [7.0-stable] Remove call to missing content_positions task [#2961](https://github.com/AlchemyCMS/alchemy_cms/pull/2961) ([alchemycms-bot](https://github.com/alchemycms-bot))
+- [7.0-stable] Fix re-render of layoutpages form if validation fails [#2952](https://github.com/AlchemyCMS/alchemy_cms/pull/2952) ([alchemycms-bot](https://github.com/alchemycms-bot))
+- [7.0-stable] fix(ContactMessages): Use alchemy route proxy [#2927](https://github.com/AlchemyCMS/alchemy_cms/pull/2927) ([alchemycms-bot](https://github.com/alchemycms-bot))
+
 ## 7.0.14 (2024-06-04)
 
 - [7.0-stable] fix(RoutingConstraints): Allow Turbo Stream requests [#2914](https://github.com/AlchemyCMS/alchemy_cms/pull/2914) ([alchemycms-bot](https://github.com/alchemycms-bot))

data/Gemfile

@@ -32,6 +32,13 @@ group :development, :test do
     if rails_version == "7.1"
       gem "actioncable", "~> #{rails_version}.0"
     end
+
+    # concurrent-ruby v1.3.5 has removed the dependency on logger,
+    # effecting Rails 6.1 up to including 7.0.
+    # https://github.com/rails/rails/pull/54264
+    if ("6.1".to_f.."7.0".to_f).cover?(rails_version.to_f)
+      gem "concurrent-ruby", "< 1.3.5"
+    end
   else
     gem "launchy"
     gem "annotate"

data/app/components/alchemy/ingredients/datetime_view.rb

@@ -11,10 +11,11 @@ module Alchemy
       end
 
       def call
+        datetime = ingredient.value.in_time_zone(Rails.application.config.time_zone)
         if date_format == "rfc822"
-          ingredient.value.to_s(:rfc822)
+          datetime.try(:to_fs, :rfc822) || datetime.to_s(:rfc822)
         else
-          ::I18n.l(ingredient.value, format: date_format)
+          ::I18n.l(datetime, format: date_format)
         end.html_safe
       end
     end

data/app/controllers/alchemy/admin/base_controller.rb

@@ -31,6 +31,27 @@ module Alchemy
 
       private
 
+      def safe_redirect_path(path = params[:redirect_to], fallback: admin_path)
+        if is_safe_redirect_path?(path)
+          path
+        elsif is_safe_redirect_path?(fallback)
+          fallback
+        else
+          admin_path
+        end
+      end
+
+      def is_safe_redirect_path?(path)
+        mount_path = alchemy.root_path
+        path.to_s.match? %r{^#{mount_path}admin/}
+      end
+
+      def relative_referer_path(referer = request.referer)
+        return unless referer
+
+        URI(referer).path
+      end
+
       # Disable layout rendering for xhr requests.
       def set_layout
         request.xhr? ? false : "alchemy/admin"
@@ -107,13 +128,16 @@ module Alchemy
 
       # Does redirects for html and js requests
       #
+      # Makes sure that the redirect path is safe.
+      #
       def do_redirect_to(url_or_path)
+        redirect_path = safe_redirect_path(url_or_path)
         respond_to do |format|
           format.js {
-            @redirect_url = url_or_path
+            @redirect_url = redirect_path
             render :redirect
           }
-          format.html { redirect_to url_or_path }
+          format.html { redirect_to redirect_path }
         end
       end
 

data/app/controllers/alchemy/admin/languages_controller.rb

@@ -40,7 +40,7 @@ module Alchemy
       def switch
         @language = set_alchemy_language(params[:language_id])
         session[:alchemy_language_id] = @language.id
-        do_redirect_to request.referer || alchemy.admin_dashboard_path
+        do_redirect_to relative_referer_path || alchemy.admin_dashboard_path
       end
 
       private

data/app/controllers/alchemy/admin/layoutpages_controller.rb

@@ -17,6 +17,25 @@ module Alchemy
       def edit
         @page = Page.find(params[:id])
       end
+
+      def update
+        @page = Page.find(params[:id])
+        if @page.update(page_params)
+          @notice = Alchemy.t("Page saved", name: @page.name)
+          render "alchemy/admin/pages/update"
+        else
+          render :edit, status: :unprocessable_entity
+        end
+      end
+
+      private
+
+      def page_params
+        params.require(:page).permit(
+          :name,
+          :tag_list
+        )
+      end
     end
   end
 end

data/app/controllers/alchemy/admin/pages_controller.rb

@@ -183,14 +183,15 @@ module Alchemy
         respond_to do |format|
           format.js
           format.html do
-            redirect_to(
-              params[:redirect_to].presence || admin_pages_path,
-              allow_other_host: true
-            )
+            redirect_to(unlock_redirect_path, allow_other_host: true)
           end
         end
       end
 
+      def unlock_redirect_path
+        safe_redirect_path(fallback: admin_pages_path)
+      end
+
       # Sets the page public and updates the published_at attribute that is used as cache_key
       #
       def publish

data/app/controllers/alchemy/admin/resources_controller.rb

@@ -78,7 +78,7 @@ module Alchemy
           flash[:error] = resource_instance_variable.errors.full_messages.join(", ")
         end
         flash_notice_for_resource_action
-        do_redirect_to resource_url_proxy.url_for(search_filter_params.merge(action: "index"))
+        do_redirect_to resource_url_proxy.url_for(search_filter_params.merge(action: "index", only_path: true))
       end
 
       def resource_handler

data/app/controllers/alchemy/messages_controller.rb

@@ -97,7 +97,7 @@ module Alchemy
       else
         Language.current_root_page.urlname
       end
-      redirect_to show_page_path(
+      redirect_to alchemy.show_page_path(
         urlname: urlname,
         locale: prefix_locale? ? Language.current.code : nil
       )

data/app/controllers/concerns/alchemy/site_redirects.rb

@@ -12,7 +12,7 @@ module Alchemy
     private
 
     def enforce_primary_host_for_site
-      redirect_to url_for(host: current_alchemy_site.host), status: :moved_permanently
+      redirect_to url_for(host: current_alchemy_site.host), status: :moved_permanently, allow_other_host: true
     end
 
     def needs_redirect_to_primary_host?

data/app/models/alchemy/ingredients/datetime.rb

@@ -5,7 +5,7 @@ module Alchemy
     # A datetime value
     #
     class Datetime < Alchemy::Ingredient
-      allow_settings %i[date_format]
+      allow_settings %i[date_format input_type]
 
       def value
         ActiveRecord::Type::DateTime.new.cast(self[:value])

data/app/models/alchemy/page.rb

@@ -546,7 +546,7 @@ module Alchemy
     # does not respond to +#name+ it returns +'unknown'+
     #
     def creator_name
-      creator.try(:name) || Alchemy.t("unknown")
+      creator.try(:alchemy_display_name) || Alchemy.t("unknown")
     end
 
     # Returns the name of the last updater of this page.
@@ -555,7 +555,7 @@ module Alchemy
     # does not respond to +#name+ it returns +'unknown'+
     #
     def updater_name
-      updater.try(:name) || Alchemy.t("unknown")
+      updater.try(:alchemy_display_name) || Alchemy.t("unknown")
     end
 
     # Returns the name of the user currently editing this page.
@@ -564,7 +564,7 @@ module Alchemy
     # does not respond to +#name+ it returns +'unknown'+
     #
     def locker_name
-      locker.try(:name) || Alchemy.t("unknown")
+      locker.try(:alchemy_display_name) || Alchemy.t("unknown")
     end
 
     # Key hint translations by page layout, rather than the default name.

data/app/models/concerns/alchemy/picture_thumbnails.rb

@@ -102,11 +102,10 @@ module Alchemy
 
     # Show image cropping link for ingredient
     def allow_image_cropping?
-      settings[:crop] && picture &&
-        picture.can_be_cropped_to?(
-          settings[:size],
-          settings[:upsample]
-        ) && !!picture.image_file
+      settings[:crop] && picture&.can_be_cropped_to?(
+        settings[:size],
+        settings[:upsample]
+      ) && !!picture.image_file
     end
 
     private

data/app/views/alchemy/admin/layoutpages/edit.html.erb

@@ -1,4 +1,4 @@
-<%= alchemy_form_for [:admin, @page], class: 'edit_page' do |f| %>
+<%= alchemy_form_for [:admin, @page], url: alchemy.admin_layoutpage_path(@page), class: 'edit_page' do |f| %>
   <%= f.input :name, autofocus: true %>
   <div class="input string">
     <%= f.label :tag_list %>

data/app/views/alchemy/admin/resources/_per_page_select.html.erb

@@ -1,6 +1,6 @@
 <%= form_tag url_for, method: :get, class: 'per-page-select-form' do |f| %>
   <% search_filter_params.reject { |k, _| k == 'page' || k == 'per_page' }.each do |key, value| %>
-    <% if value.is_a? ActionController::Parameters %>
+    <% if value.respond_to?(:keys) %>
       <% value.each do |k, v| %>
         <%= hidden_field_tag "#{key}[#{k}]", v, id: nil %>
       <% end %>

data/app/views/alchemy/ingredients/_datetime_editor.html.erb

@@ -7,7 +7,8 @@
       datetime_editor, :value, {
         name: datetime_editor.form_field_name,
         id: datetime_editor.form_field_id,
-        value: datetime_editor.value
+        value: datetime_editor.value,
+        type: datetime_editor.settings[:input_type]
       }
     ) %>
   <% end %>

data/config/routes.rb

@@ -49,7 +49,7 @@ Alchemy::Engine.routes.draw do
       end
     end
 
-    resources :layoutpages, only: [:index, :edit]
+    resources :layoutpages, only: [:index, :edit, :update]
 
     resources :pictures, except: [:new] do
       collection do

data/lib/alchemy/permissions.rb

@@ -96,7 +96,7 @@ module Alchemy
         can :leave, :alchemy_admin
         can [:info, :help], :alchemy_admin_dashboard
         can :manage, :alchemy_admin_clipboard
-        can :edit, :alchemy_admin_layoutpages
+        can :update, :alchemy_admin_layoutpages
         can :tree, :alchemy_admin_pages
 
         # Resources

data/lib/alchemy/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Alchemy
-  VERSION = "7.0.14"
+  VERSION = "7.0.16"
 
   def self.version
     VERSION

data/lib/tasks/alchemy/tidy.rake

@@ -7,7 +7,6 @@ namespace :alchemy do
     desc "Tidy up Alchemy database."
     task :up do
       Rake::Task["alchemy:tidy:element_positions"].invoke
-      Rake::Task["alchemy:tidy:content_positions"].invoke
       Rake::Task["alchemy:tidy:remove_orphaned_records"].invoke
       Rake::Task["alchemy:tidy:remove_trashed_elements"].invoke
       Rake::Task["alchemy:tidy:remove_duplicate_legacy_urls"].invoke

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: alchemy_cms
 version: !ruby/object:Gem::Version
-  version: 7.0.14
+  version: 7.0.16
 platform: ruby
 authors:
 - Thomas von Deyen
@@ -10,10 +10,9 @@ authors:
 - Hendrik Mans
 - Carsten Fregin
 - Martin Meyerhoff
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-04 00:00:00.000000000 Z
+date: 2025-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionmailer
@@ -1456,8 +1455,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - ImageMagick (libmagick), v6.6 or greater.
-rubygems_version: 3.5.9
-signing_key:
+rubygems_version: 3.6.3
 specification_version: 4
 summary: A powerful, userfriendly and flexible CMS for Rails
 test_files: []